Analysis Overview
SHA256
7ae5b896cfa90e89bb97c94d9438cde9e9c107204ace3e58cdbde7dbadaa4562
Threat Level: Known bad
The file 7ae5b896cfa90e89bb97c94d9438cde9e9c107204ace3e58cdbde7dbadaa4562 was found to be: Known bad.
Malicious Activity Summary
Truthspy family
Truthspy
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Registers a broadcast receiver at runtime (usually for listening for system events)
Declares broadcast receivers with permission to handle system events
Requests dangerous framework permissions
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-01 15:24
Signatures
Truthspy family
Declares broadcast receivers with permission to handle system events
| Description | Indicator | Process | Target |
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-01 15:24
Reported
2024-05-01 15:27
Platform
android-x86-arm-20240221-en
Max time kernel
37s
Max time network
136s
Command Line
Signatures
Truthspy
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Processes
com.guest
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.200.14:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | protocol-a60.guestspy.com | udp |
Files
/data/data/com.guest/databases/core.db
| MD5 | c7b5801f4970b944a556dda8d75097f6 |
| SHA1 | ab62d5c3d60940ac286f019fecd21f822af864f2 |
| SHA256 | cc9e08d0728cef73f1f391fc1486845d285b6a14d778ef14c0ac2401e6b3fde0 |
| SHA512 | 6ac93f5393ce957d0be7de34145f433285f6ee37f6037f174f4532502da62218dddfc0e32883bf94830b4c79f63aa16cf10b3fa7b6eb4187b72f7703b6e0f0c1 |