S0544 HenBox
HenBox is Android malware that attempts to execute only on Xiaomi devices running the MIUI operating system. HenBox has primarily been used to target Uyghurs, a minority Turkic ethnic group.[1]
Item | Value |
---|---|
ID | S0544 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 17 December 2020 |
Last Modified | 12 April 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
mobile | T1429 | Audio Capture | HenBox can access the device’s microphone.[1] |
mobile | T1623 | Command and Scripting Interpreter | - |
mobile | T1623.001 | Unix Shell | HenBox can run commands as root.[1] |
mobile | T1533 | Data from Local System | HenBox can steal data from various sources, including chat, communication, and social media apps.[1] |
mobile | T1407 | Download New Code at Runtime | HenBox can load additional Dalvik code while running.[1] |
mobile | T1624 | Event Triggered Execution | - |
mobile | T1624.001 | Broadcast Receivers | HenBox has registered several broadcast receivers.[1] |
mobile | T1430 | Location Tracking | HenBox can track the device’s location.[1] |
mobile | T1575 | Native API | HenBox has contained native libraries.[1] |
mobile | T1406 | Obfuscated Files or Information | HenBox has obfuscated components using XOR, ZIP with a single-byte key or ZIP/Zlib compression wrapped with RC4 encryption.[1] |
mobile | T1424 | Process Discovery | HenBox can obtain a list of running processes.[1] |
mobile | T1636 | Protected User Data | - |
mobile | T1636.002 | Call Log | HenBox has collected all outgoing phone numbers that start with “86”.[1] |
mobile | T1636.003 | Contact List | HenBox can access the device’s contact list.[1] |
mobile | T1636.004 | SMS Messages | HenBox can intercept SMS messages.[1] |
mobile | T1418 | Software Discovery | HenBox can obtain a list of running apps.[1] |
mobile | T1426 | System Information Discovery | HenBox can collect device information and can check if the device is running MIUI on a Xiaomi device.[1] |
mobile | T1512 | Video Capture | HenBox can access the device’s camera.[1] |
mobile | T1633 | Virtualization/Sandbox Evasion | - |
mobile | T1633.001 | System Checks | HenBox can detect if the app is running on an emulator.[1] |