Resubmissions

29-04-2024 16:39

240429-t5y2nsfc99 10

22-03-2024 02:09

240322-ck49hshb5z 8

General

  • Target

    .apk

  • Size

    3.6MB

  • Sample

    240429-t5y2nsfc99

  • MD5

    3b2bffa809e1332c8b77f91add1a7374

  • SHA1

    cf0489ae4122584fcc510ca1c6c93ba8c0405899

  • SHA256

    bff0087b9e9d47e64841c0fd32d89c521d1ff4065d695472c7c107ef620ac9ba

  • SHA512

    6a74cb476d094958b66b73501ccd961601d1bee0c2f86ef453ccde2dd9c2cf1c53437df8bfa6c1d64f212b27e6f8087b8d1d64ebda3d1582a6150513e2d98531

  • SSDEEP

    98304:88zYcEK7XH8yVw98Mbwb81jjrcz7dpN9hB/W+3e+NQGAytLu/:88nEK7XH8yOhjI99j++uG+/

Malware Config

Extracted

Family

truthspy

C2

http://protocol-a.thetruthspy.com/protocols/get_synx_now.aspx

http://protocol-a.thetruthspy.com/protocols/getsetting.aspx

https://thetruth-db94a-default-rtdb.firebaseio.com

https://thetruth-db94a.firebaseio.com

Extracted

Family

truthspy

C2

http://protocol-a946.thetruthspy.com/protocols

Targets

    • Truthspy

      Truthspy is Android stalkerware.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    • Queries information about the current Wi-Fi connection

      Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    • Registers a broadcast receiver at runtime (usually for listening for system events)

    • Acquires the wake lock

    • Checks if the internet connection is available

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Requests disabling of battery optimizations (often used to enable hiding in the background).
