Analysis

  • max time kernel
    48s
  • max time network
    130s
  • platform
    android_x86
  • resource
    android-x86-arm-20240514-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
  • submitted
    16-05-2024 02:07

General

  • Target

    cd5c46c49c436ff6caa16a0bba9751b4024e6799112dd83de94bdb0e611e41cc.apk

  • Size

    3.0MB

  • MD5

    50370307adf849ed8db647456c79c9e3

  • SHA1

    df5395cd26bbcce3e4753c22b4735a6c369292b4

  • SHA256

    cd5c46c49c436ff6caa16a0bba9751b4024e6799112dd83de94bdb0e611e41cc

  • SHA512

    8753d586e80c855b59cc982f36d83678e83f4a7b509ba4259788c52bee2aa41d21ae5df4bc72ddc6d6a89947c3e65bc8a31838ab8acc76b4d2f38a5498259123

  • SSDEEP

    98304:lL0mCncdjDPDSpd4Z0ZLMcRku3+knMY8Va:VAcdjDr0A0LMwku3+MMY8A

Signatures

  • TiSpy

    TiSpy is an Android stalkerware.

  • Requests cell location (2 TTPs, 1 IoC)

    Uses Android APIs to get the current cell location.

  • Loads dropped Dex/Jar (1 TTP, 6 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries information about the current nearby Wi-Fi networks (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Acquires the wake lock (1 IoC)
  • Checks if the internet connection is available (1 TTP, 1 IoC)
  • Reads information about the phone network operator (1 TTP)

Processes

  • com.kazuvija.bgtfxdop
    • Requests cell location
    • Loads dropped Dex/Jar
    • Queries information about the current Wi-Fi connection
    • Queries information about the current nearby Wi-Fi networks
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Acquires the wake lock
    • Checks if the internet connection is available
    PID: 4252
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kazuvija.bgtfxdop/files/dex/f9701cd839f479ab.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.kazuvija.bgtfxdop/files/dex/oat/x86/f9701cd839f479ab.odex --compiler-filter=quicken --class-loader-context=&
      • Loads dropped Dex/Jar
      PID: 4319
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kazuvija.bgtfxdop/files/dex/wpaLZCRErwZPtcmlk.zip --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/com.kazuvija.bgtfxdop/files/dex/oat/x86/wpaLZCRErwZPtcmlk.odex --compiler-filter=quicken --class-loader-context=&
      • Loads dropped Dex/Jar
      PID: 4343

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.kazuvija.bgtfxdop/databases/privatesms.db

    Filesize

    16KB

    MD5

    3621ce0aa81e37bc5c80e2cf881f1dd0

    SHA1

    00365f82dcada94caea07443656848baf60b3bd9

    SHA256

    8620d146b06037c9dc98b8788c3137344eb9d7e1f8b982ffec4c1d8549f24dd5

    SHA512

    76bb7175359d61ce39e95008269752de25769c4e274b4bcf37b920bc2cbfb680b2a4a88de860ed069655d1f47604638b0301c2c6131107cd929348895d73d2bf

  • /data/data/com.kazuvija.bgtfxdop/databases/privatesms.db-journal

    Filesize

    512B

    MD5

    9a073586ecfb6010660bb970fab6d73f

    SHA1

    137618b8d321f07d09fcd770337b725214224421

    SHA256

    dc76e70c68432de353049fa5d7f484eb3c9d31e40636b5d45b1c3416588d33fa

    SHA512

    f97dbc0fa8f55e4cca737f892ed158f38708b44bd126da005e118f69c25f72349e80d9a66838e17b7483f62e1f9b92d4f3d28badd95dd79eedcb6e0e8dd71db9

  • /data/data/com.kazuvija.bgtfxdop/databases/privatesms.db-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.kazuvija.bgtfxdop/databases/privatesms.db-wal

    Filesize

    28KB

    MD5

    d0fe58056ec245ff67d8e59b9da3083d

    SHA1

    c1a465c96c20abd658f0264b1219eb01b7908c40

    SHA256

    3b2784c1c759d22f1229e27653354eae404b4bb61a02078fbdd8a78cbd1fe9af

    SHA512

    4f7c589b1d6f17788a3b8ec936f4e39e0ad3b7651810b79800fb949be65df78f9bcba0a8636001b8a5879f96a3133ed4e5243ffd365bb049d3fb4801b4045896

  • /data/data/com.kazuvija.bgtfxdop/files/476426.so

    Filesize

    145KB

    MD5

    4e8f77cd5768d63eebb60e7cbc0440aa

    SHA1

    43fc88de7cdbd6bb30d4d16d0534b96a41ccab5a

    SHA256

    686e1f8998d71c5322a9944e3b36d89837ee501083b8770a42465dcc3e52cb06

    SHA512

    187b0b2980498b93887def826b8ed3ce29c94a7c9d0ebf0c580bd578cd958d88743097ad04fb1bbf292537f197bf2537009241616e08c02a4fbaeb65c59f74c5

  • /data/data/com.kazuvija.bgtfxdop/files/dex/f9701cd839f479ab.zip

    Filesize

    548KB

    MD5

    d7c7cdb24ad1a91efdac6edac26718d3

    SHA1

    07438995a3849106f48cb921709821b81983da84

    SHA256

    3f586069b749e3d452d983ac682d1172d0008561dab1e89c62a897782da09f38

    SHA512

    19da10353691d6fe1c7fd18b7208833b075d47bbf81f271f57143c819feb98242af3c32b4c0bdb3e4d2d2bdda8560e788cdf212e347df14c3bdd32269cdb11cf

  • /data/data/com.kazuvija.bgtfxdop/files/dex/pro_btn_bg_animation_img_0.jpg.zip

    Filesize

    8KB

    MD5

    7c20a2b01bf3f9df1f0abb72ebbe82be

    SHA1

    e601b2e41434623edbeece32867517a3cdec5449

    SHA256

    1a10cc3cd2dc21a9be2d2eb758fd19288082619d331245b927d0a9299462ea2e

    SHA512

    3faa6efbd3ebf6e1aff7ebe9958c5f94bbfe9c5ff9e11e9092b1b7301bbe6504c01b922d709303147e213b3cadce8e96462220a1d1bf4d6cdaec95b3f84bb1b4

  • /data/data/com.kazuvija.bgtfxdop/files/dex/wpaLZCRErwZPtcmlk.zip

    Filesize

    649KB

    MD5

    301af54524d2ec400a5e4b9a00d28f63

    SHA1

    3c7dd366cbb9c2efcdc5f006e0b4067c420aa405

    SHA256

    dda236be4fe731530c6473fb4d526e1bb958745b85cf3a84f8f432c75eb0b879

    SHA512

    71950f93a8ec4ede9f64c03255aa43976a4f44f7adbc304f4ceabd17b2879b36803f33a3baf5f4c3933ac68f357644f2995dd05d49b5927f3c4fdf70b0695462

  • /data/data/com.kazuvija.bgtfxdop/logs/Sistema1715825334610.log

    Filesize

    15KB

    MD5

    11080edebc781eef95d3e7a4f564b8b6

    SHA1

    b30b5e1b2b68ce8cd76d269b02d3a296ffb9cb7b

    SHA256

    3d34ca1d738a168b0affbca0b7fc4094f07b801db7d19fab6a5066c1df8c8c9a

    SHA512

    7b39c5c7a2cf249c01dd93a781bf59cdb19b840dee61dc23edefebf5fc9f19c811759c35309e351b1c15de340ee1ecb50d38347505e9d172e431f0b9d7bb23e2

  • /data/user/0/com.kazuvija.bgtfxdop/files/dex/f9701cd839f479ab.zip

    Filesize

    1.3MB

    MD5

    fde32c10e795aae479dfd073dfd253e8

    SHA1

    2e540320a57d56826b05f62d7b17c9fe4607c461

    SHA256

    ba43400e2112282d71246ef4db2c5fb23727547e49465174bba4787238eba389

    SHA512

    68b5fe13c77d0044dd5020d04ca8f00d3c81a2c64eaac085e48ae254f96c4b127c8c9106f27dddfd72bf51ce10887825bacfc58d239d29be0503352040b3009e

  • /data/user/0/com.kazuvija.bgtfxdop/files/dex/f9701cd839f479ab.zip

    Filesize

    1.3MB

    MD5

    9a650627a2c813a790ba4f8cb0943d4a

    SHA1

    e8d4542a5de038522f06d48de34917466d82e744

    SHA256

    9457d51859c571b49a4c96052ec65d4f830451f6cb47b0300bde0f32bcad05c1

    SHA512

    0715f9be2ed7ca4a2f5376cc996477d2a592ac98a23973cdc2c05f00571a5628fd96ea2b964ff8dff302463725eb82f643b4071ea9b8ee63e763e102bc59ee4e

  • /data/user/0/com.kazuvija.bgtfxdop/files/dex/wpaLZCRErwZPtcmlk.zip

    Filesize

    1.7MB

    MD5

    f0ed25a659560ad30bcb41fdca914e4d

    SHA1

    c824cdf9c9ba8bcb62d58b48bf3b713bf700a2b3

    SHA256

    cd696ff0fb8ada72f0c70481d3b993d0810497633829ca203f470d387c2a4f8f

    SHA512

    f71b5ba45712ee45aed2b667985160f3e620372229712b202c312ac991886b06291d81c094ca7223a7ac299c06b6599839708c2d2a7ef5221dd2569ccf562d65

  • /data/user/0/com.kazuvija.bgtfxdop/files/dex/wpaLZCRErwZPtcmlk.zip

    Filesize

    1.7MB

    MD5

    488cfd6c31269f83c81217ad02031279

    SHA1

    e38a209a28c76cca966dfb5a3b7fef8609145928

    SHA256

    7589f9c6eb10f0f495d369889f2e817af256e018c8cc43741793669dcb6ecc76

    SHA512

    177469cf2aa324ff525a8ae9571a1d9e16f3816225f308548f946ac133c4670b90b81503954d2048f4894a4895af6a3d84d75cb47412fcaf9e1e6fe2757363da