S0544 HenBox
HenBox is Android malware that attempts to execute only on Xiaomi devices running the MIUI operating system. HenBox has primarily been used to target Uyghurs, a minority Turkic ethnic group.[1]
Item | Value |
---|---|
ID | S0544 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 17 December 2020 |
Last Modified | 12 April 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
mobile | T1433 | Access Call Log | HenBox has collected all outgoing phone numbers that start with “86”.[1] |
mobile | T1432 | Access Contact List | HenBox can access the device’s contact list.[1] |
mobile | T1413 | Access Sensitive Data in Device Logs | HenBox can monitor system logs.[1] |
mobile | T1418 | Application Discovery | HenBox can obtain a list of running apps.[1] |
mobile | T1402 | Broadcast Receivers | HenBox has registered several broadcast receivers.[1] |
mobile | T1429 | Capture Audio | HenBox can access the device’s microphone.[1] |
mobile | T1512 | Capture Camera | HenBox can access the device’s camera.[1] |
mobile | T1412 | Capture SMS Messages | HenBox can intercept SMS messages.[1] |
mobile | T1605 | Command-Line Interface | HenBox can run commands as root.[1] |
mobile | T1533 | Data from Local System | HenBox can steal data from various sources, including chat, communication, and social media apps.[1] |
mobile | T1476 | Deliver Malicious App via Other Means | HenBox has been distributed via third-party app stores.[1] |
mobile | T1407 | Download New Code at Runtime | HenBox can load additional Dalvik code while running.[1] |
mobile | T1523 | Evade Analysis Environment | HenBox can detect if the app is running on an emulator.[1] |
mobile | T1430 | Location Tracking | HenBox can track the device’s location.[1] |
mobile | T1444 | Masquerade as Legitimate Application | HenBox has masqueraded as VPN and Android system apps.[1] |
mobile | T1575 | Native Code | HenBox has contained native libraries.[1] |
mobile | T1406 | Obfuscated Files or Information | HenBox has obfuscated components using XOR, ZIP with a single-byte key or ZIP/Zlib compression wrapped with RC4 encryption.[1] |
mobile | T1424 | Process Discovery | HenBox can obtain a list of running processes.[1] |
mobile | T1426 | System Information Discovery | HenBox can collect device information and can check if the device is running MIUI on a Xiaomi device.[1] |