Skip to content

Hide Navigation Hide TOC

Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41)

Sunbird is one of two mobile malware families known to be used by the APT Confucius. Analysis suggests that Sunbird was first active in early 2017. While Sunbird and Hornbill overlap in core capabilities, Sunbird has a more extensive set of malicious features.(Citation: lookout_hornbill_sunbird_0221)

Cluster A Galaxy A Cluster B Galaxy B Level
Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 1
System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 1
Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 1
Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 1
Archive Collected Data - T1532 (e3b936a4-6321-4172-9114-038a866362ec) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 1
Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 1
Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 1
Calendar Entries - T1636.001 (a9fa0d30-a8ff-45bf-922e-7720da0b7922) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 1
Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760) Attack Pattern 1
Unix Shell - T1623.001 (693cdbff-ea73-49c6-ac3f-91e7285c31d1) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 1
Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 1
Ingress Tool Transfer - T1544 (2bb20118-e6c0-41dc-a07c-283ea4dd0fb8) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 1
Screen Capture - T1513 (73c26732-6422-4081-8b63-6d0ae93d449e) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 1
Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 1
Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 1
Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 1
System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) Attack Pattern Sunbird - S1082 (feae299d-e34f-4fc9-8545-486d0905bd41) Malware 1
Abuse Elevation Control Mechanism - T1626 (08ea902d-ecb5-47ed-a453-2798057bb2d3) Attack Pattern Device Administrator Permissions - T1626.001 (9c049d7b-c92a-4733-9381-27e2bd2ccadc) Attack Pattern 2
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) Attack Pattern 2
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern Calendar Entries - T1636.001 (a9fa0d30-a8ff-45bf-922e-7720da0b7922) Attack Pattern 2
Command and Scripting Interpreter - T1623 (29f1f56c-7b7a-4c14-9e39-59577ea2743c) Attack Pattern Unix Shell - T1623.001 (693cdbff-ea73-49c6-ac3f-91e7285c31d1) Attack Pattern 2
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) Attack Pattern 2