Permhash — No Curls Necessary | Mandiant
Common Information
Type Value
UUID 4a2079f8-1610-4528-8cbe-db665ab4fa67
Fingerprint 84529a82ccb8269d
Analysis status DONE
Considered CTI value 2
Text language
Published May 15, 2023, midnight
Added to db Nov. 6, 2023, 6:52 p.m.
Last updated Nov. 17, 2024, 5:50 p.m.
Headline Permhash — No Curls Necessary
Title Permhash — No Curls Necessary | Mandiant
Detected Hints/Tags/Attributes 71/3/15
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 330 Threat Intelligence https://www.mandiant.com/resources/blog/rss.xml 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details File 86
manifest.json
Details File 172
androidmanifest.xml
Details md5 1
6affa6fc3d3f0f5269737a560971f060
Details md5 1
1ba7a6eff1e897e0f77f1d7b0dfd3ff7
Details sha256 1
bb9f069898e465a64e584a5770313597f7c8a12c4947438786374d861557a536
Details sha256 1
9126f12ce5d0e610bb74da304b6bd0cd648428e59e74326fbd5affaa70d2257e
Details sha256 3
d4d1b61f726a5b50365c8c18b2c5ac7ab34b3844e0d50112f386dfd875b6afac
Details Mandiant Uncategorized Groups 1
UNC3873
Details Mandiant Uncategorized Groups 3
UNC3559
Details Threat Actor Identifier - APT 115
APT43
Details Threat Actor Identifier - APT 121
APT42
Details Yara rule 1
rule M_Hunting_Extension_Manifest_Permissions_1 {
	meta:
		author = "Mandiant"
		description = "Hunting for extension manifests with permissions."
		md5 = "b4a020208821c7e5bf99f8e3367897ba"
	strings:
		// Keys that every extension manifest.json carries; the condition demands all three.
		$req1 = /"manifest_version"\s*:\s*/
		$req2 = /"name"\s*:\s*/
		$req3 = /"version"\s*:\s*/
		// The key this rule is actually hunting for.
		$perm = /"permissions"\s*:\s*/
		// Further manifest keys; any single one is enough to corroborate that the file
		// is a browser-extension manifest rather than some other JSON document.
		$opt1 = /"author"\s*:\s*/
		$opt2 = /"automation"\s*:\s*/
		$opt3 = /"background"\s*:\s*/
		$opt4 = /"chrome_settings_overrides"\s*:\s*/
		$opt5 = /"chrome_url_overrides"\s*:\s*/
		$opt6 = /"commands"\s*:\s*/
		$opt7 = /"content_scripts"\s*:\s*/
		$opt8 = /"content_security_policy"\s*:\s*/
		$opt9 = /"cross_origin_embedder_policy"\s*:\s*/
		$opt10 = /"cross_origin_opener_policy"\s*:\s*/
		$opt11 = /"declarative_net_request"\s*:\s*/
		$opt12 = /"devtools_page"\s*:\s*/
		$opt13 = /"event_rules"\s*:\s*/
		$opt14 = /"export"\s*:\s*/
		$opt15 = /"externally_connectable"\s*:\s*/
		$opt16 = /"file_browser_handlers"\s*:\s*/
		$opt17 = /"file_system_provider_capabilities"\s*:\s*/
		$opt18 = /"homepage_url"\s*:\s*/
		$opt19 = /"host_permissions"\s*:\s*/
		$opt20 = /"import"\s*:\s*/
		$opt21 = /"incognito"\s*:\s*/
		$opt22 = /"input_components"\s*:\s*/
		$opt23 = /"key"\s*:\s*/
		$opt24 = /"minimum_chrome_version"\s*:\s*/
		$opt25 = /"oauth2"\s*:\s*/
		$opt26 = /"omnibox"\s*:\s*/
		$opt27 = /"optional_host_permissions"\s*:\s*/
		$opt28 = /"optional_permissions"\s*:\s*/
		$opt29 = /"options_page"\s*:\s*/
		$opt30 = /"options_ui"\s*:\s*/
		$opt31 = /"requirements"\s*:\s*/
		$opt32 = /"sandbox"\s*:\s*/
		$opt33 = /"short_name"\s*:\s*/
		$opt34 = /"storage"\s*:\s*/
		$opt35 = /"tts_engine"\s*:\s*/
		$opt36 = /"update_url"\s*:\s*/
		$opt37 = /"version_name"\s*:\s*/
		$opt38 = /"web_accessible_resources"\s*:\s*/
		// These four additionally require the value to open with a double quote (a string value).
		// NOTE(review): "action" and "icons" hold objects in the Chrome manifest schema, so a
		// pattern that demands a quote right after the colon is unlikely to ever match on a
		// valid manifest; confirm whether the trailing " on $opt39 and $opt42 is intended.
		$opt39 = /"action"\s*:\s*"/
		$opt40 = /"default_locale"\s*:\s*"/
		$opt41 = /"description"\s*:\s*"/
		$opt42 = /"icons"\s*:\s*"/
	condition:
		// Small file, all mandatory keys, the "permissions" key, and at least one corroborating key.
		filesize < 10KB and all of ($req*) and $perm and 1 of ($opt*)
}
Details Yara rule 1
rule M_Hunting_BrowserExtension_CRX_1 {
	meta:
		author = "Mandiant"
		description = "Hunting for CRX extension files."
		md5 = "b07c560ac6ef98dd1d9fbce144bc62f6"
	strings:
		$name = "manifest.json"
		$magic = { 43 72 32 34 }   // "Cr24": CRX file magic, expected at offset 0
		$lfh = { 50 4B 03 04 }     // "PK\x03\x04": ZIP local file header signature
	condition:
		// A CRX is a CRX header followed by a ZIP archive; require the magic, more than one
		// ZIP entry, and an entry whose name field (30 bytes past the header signature,
		// the fixed size of a local file header) starts with "manifest.json".
		$magic at 0 and
		$name and
		#lfh > 1 and
		for any i in (1 .. #lfh) : ( $name at @lfh[i] + 30 )
}
Details Yara rule 1
rule M_Hunting_ArchiveEngine_APK_1 {
	meta:
		author = "Mandiant"
		description = "Hunting for suspected APK files"
		md5 = "a04c2c3388da643ef67504ef8c6907fb"
	strings:
		// Entry names immediately followed by the "PK" of the next ZIP header, as they appear
		// in a stored archive; these two entries are characteristic of an APK.
		$manifest = "AndroidManifest.xmlPK"
		$dex = "classes.dexPK"
		$sig = { 50 4B }   // "PK": ZIP signature prefix, required at offset 0
	condition:
		$sig at 0 and $manifest and $dex
}
Details Yara rule 1
rule M_Hunting_ArchiveEngine_APK_Manifest_1 {
	meta:
		author = "Mandiant"
		description = "Hunting for suspected APK manifest files."
		md5 = "32f1ff7244ff5041f0db8613b97e24c4"
	strings:
		// Android binary XML chunk header (type 0x0003, header size 8) as a compiled
		// AndroidManifest.xml begins.
		$hdr = { 03 00 08 00 }
		// Root element name, plus the component element names a manifest declares.
		$root = "manifest" ascii fullword
		$comp1 = "activity" ascii fullword
		$comp2 = "service" ascii fullword
		$comp3 = "receiver" ascii fullword
		$comp4 = "provider" ascii fullword
	condition:
		$hdr at 0 and $root and 2 of ($comp*)
}