BOULDSPY - S1079 (a2ee7d2d-fb45-44f3-8f67-9921c7810db1)

BOULDSPY is an Android malware, detected in early 2023, with surveillance and remote-control capabilities. Analysis of exfiltrated C2 data suggests that BOULDSPY primarily targeted minority groups in Iran.(Citation: lookout_bouldspy_0423)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
BOULDSPY - S1079 (a2ee7d2d-fb45-44f3-8f67-9921c7810db1)	Malware	Archive Collected Data - T1532 (e3b936a4-6321-4172-9114-038a866362ec)	Attack Pattern	1
BOULDSPY - S1079 (a2ee7d2d-fb45-44f3-8f67-9921c7810db1)	Malware	Clipboard Data - T1414 (c4b96c0b-cb58-497a-a1c2-bb447d79d692)	Attack Pattern	1
BOULDSPY - S1079 (a2ee7d2d-fb45-44f3-8f67-9921c7810db1)	Malware	Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d)	Attack Pattern	1
BOULDSPY - S1079 (a2ee7d2d-fb45-44f3-8f67-9921c7810db1)	Malware	Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b)	Attack Pattern	1
BOULDSPY - S1079 (a2ee7d2d-fb45-44f3-8f67-9921c7810db1)	Malware	Out of Band Data - T1644 (ec4c4baa-026f-43e8-8f56-58c36f3162dd)	Attack Pattern	1
BOULDSPY - S1079 (a2ee7d2d-fb45-44f3-8f67-9921c7810db1)	Malware	System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77)	Attack Pattern	1
BOULDSPY - S1079 (a2ee7d2d-fb45-44f3-8f67-9921c7810db1)	Malware	Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2)	Attack Pattern	1
BOULDSPY - S1079 (a2ee7d2d-fb45-44f3-8f67-9921c7810db1)	Malware	Event Triggered Execution - T1624 (d446b9f0-06a9-4a8d-97ee-298cfee84f14)	Attack Pattern	1
BOULDSPY - S1079 (a2ee7d2d-fb45-44f3-8f67-9921c7810db1)	Malware	Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47)	Attack Pattern	1
BOULDSPY - S1079 (a2ee7d2d-fb45-44f3-8f67-9921c7810db1)	Malware	Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add)	Attack Pattern	1
BOULDSPY - S1079 (a2ee7d2d-fb45-44f3-8f67-9921c7810db1)	Malware	System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd)	Attack Pattern	1
Compromise Application Executable - T1577 (d3bc5020-f6a2-41c0-8ccb-5e563101b60c)	Attack Pattern	BOULDSPY - S1079 (a2ee7d2d-fb45-44f3-8f67-9921c7810db1)	Malware	1
BOULDSPY - S1079 (a2ee7d2d-fb45-44f3-8f67-9921c7810db1)	Malware	Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160)	Attack Pattern	1
BOULDSPY - S1079 (a2ee7d2d-fb45-44f3-8f67-9921c7810db1)	Malware	Boot or Logon Initialization Scripts - T1398 (46d818a5-67fa-4585-a7fc-ecf15376c8d5)	Attack Pattern	1
BOULDSPY - S1079 (a2ee7d2d-fb45-44f3-8f67-9921c7810db1)	Malware	Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86)	Attack Pattern	1
BOULDSPY - S1079 (a2ee7d2d-fb45-44f3-8f67-9921c7810db1)	Malware	Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc)	Attack Pattern	1
Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6)	Attack Pattern	BOULDSPY - S1079 (a2ee7d2d-fb45-44f3-8f67-9921c7810db1)	Malware	1
BOULDSPY - S1079 (a2ee7d2d-fb45-44f3-8f67-9921c7810db1)	Malware	Internet Connection Discovery - T1422.001 (45a5fe76-eda3-4d40-8f22-c186efd6278d)	Attack Pattern	1
BOULDSPY - S1079 (a2ee7d2d-fb45-44f3-8f67-9921c7810db1)	Malware	SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002)	Attack Pattern	1
BOULDSPY - S1079 (a2ee7d2d-fb45-44f3-8f67-9921c7810db1)	Malware	Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80)	Attack Pattern	1
BOULDSPY - S1079 (a2ee7d2d-fb45-44f3-8f67-9921c7810db1)	Malware	Download New Code at Runtime - T1407 (6c49d50f-494d-4150-b774-a655022d20a6)	Attack Pattern	1
BOULDSPY - S1079 (a2ee7d2d-fb45-44f3-8f67-9921c7810db1)	Malware	Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4)	Attack Pattern	1
Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760)	Attack Pattern	BOULDSPY - S1079 (a2ee7d2d-fb45-44f3-8f67-9921c7810db1)	Malware	1
BOULDSPY - S1079 (a2ee7d2d-fb45-44f3-8f67-9921c7810db1)	Malware	Screen Capture - T1513 (73c26732-6422-4081-8b63-6d0ae93d449e)	Attack Pattern	1
BOULDSPY - S1079 (a2ee7d2d-fb45-44f3-8f67-9921c7810db1)	Malware	Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a)	Attack Pattern	1
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d)	Attack Pattern	2
Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc)	Attack Pattern	Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b)	Attack Pattern	2
Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad)	Attack Pattern	Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47)	Attack Pattern	2
Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673)	Attack Pattern	Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add)	Attack Pattern	2
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86)	Attack Pattern	2
Internet Connection Discovery - T1422.001 (45a5fe76-eda3-4d40-8f22-c186efd6278d)	Attack Pattern	System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd)	Attack Pattern	2
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002)	Attack Pattern	2
Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80)	Attack Pattern	System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd)	Attack Pattern	2