Analysis

  • max time kernel
    47s
  • max time network
    143s
  • platform
    android_x86
  • resource
    android-x86-arm-20240514-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
  • submitted
    17-05-2024 01:57

General

  • Target

    cd5c46c49c436ff6caa16a0bba9751b4024e6799112dd83de94bdb0e611e41cc.apk

  • Size

    3.0MB

  • MD5

    50370307adf849ed8db647456c79c9e3

  • SHA1

    df5395cd26bbcce3e4753c22b4735a6c369292b4

  • SHA256

    cd5c46c49c436ff6caa16a0bba9751b4024e6799112dd83de94bdb0e611e41cc

  • SHA512

    8753d586e80c855b59cc982f36d83678e83f4a7b509ba4259788c52bee2aa41d21ae5df4bc72ddc6d6a89947c3e65bc8a31838ab8acc76b4d2f38a5498259123

  • SSDEEP

    98304:lL0mCncdjDPDSpd4Z0ZLMcRku3+knMY8Va:VAcdjDr0A0LMwku3+MMY8A

Malware Config

Signatures

  • TiSpy

    TiSpy is an Android stalkerware.

  • Requests cell location 2 TTPs 1 IoCs

    Uses Android APIs to get the current cell location.

  • Loads dropped Dex/Jar 1 TTPs 6 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Checks if the internet connection is available 1 TTPs 1 IoCs
  • Reads information about the phone network operator 1 TTPs

Processes

  • com.kazuvija.bgtfxdop
    1⤵
    • Requests cell location
    • Loads dropped Dex/Jar
    • Queries information about the current Wi-Fi connection
    • Queries information about the current nearby Wi-Fi networks
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Acquires the wake lock
    • Checks if the internet connection is available
    PID:4264
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kazuvija.bgtfxdop/files/dex/f9701cd839f479ab.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.kazuvija.bgtfxdop/files/dex/oat/x86/f9701cd839f479ab.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4291
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.kazuvija.bgtfxdop/files/dex/wpaLZCRErwZPtcmlk.zip --output-vdex-fd=44 --oat-fd=47 --oat-location=/data/user/0/com.kazuvija.bgtfxdop/files/dex/oat/x86/wpaLZCRErwZPtcmlk.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4315

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.kazuvija.bgtfxdop/databases/privatesms.db

    Filesize

    16KB

    MD5

    3621ce0aa81e37bc5c80e2cf881f1dd0

    SHA1

    00365f82dcada94caea07443656848baf60b3bd9

    SHA256

    8620d146b06037c9dc98b8788c3137344eb9d7e1f8b982ffec4c1d8549f24dd5

    SHA512

    76bb7175359d61ce39e95008269752de25769c4e274b4bcf37b920bc2cbfb680b2a4a88de860ed069655d1f47604638b0301c2c6131107cd929348895d73d2bf

  • /data/data/com.kazuvija.bgtfxdop/databases/privatesms.db-journal

    Filesize

    512B

    MD5

    e44ff5cd433cf3a0f7420bc4327c801b

    SHA1

    ccbca8bba6963b5edb84c33905c6aa5265e2cb49

    SHA256

    31062b9dad5e201d0bfb11fe56fd03cb598ae4225cf10cf8fc72aac4a83cbc07

    SHA512

    d9fb52d87a0d57f07beda47c7c88a822d1e672f4a988bc28adc5f05e915d1df09b433db49017821b3c00b685ff80ea79395b7dc98e48175cc814da76b6112020

  • /data/data/com.kazuvija.bgtfxdop/databases/privatesms.db-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.kazuvija.bgtfxdop/databases/privatesms.db-wal

    Filesize

    28KB

    MD5

    68e95f25050b23f9b51a01c409e76e48

    SHA1

    75351ce002bedb547017b2795b4471efc7ffd715

    SHA256

    9c3056adee48388d99bbe52fe833a53ac2bcc09cb11515d2607bbee7609b7376

    SHA512

    7ccbc814fee4dbbb39abddda9c8d2d3579a23f51e03f5fb4fe3e1ca409d497801bb389a43e45e569086e3a2b924d0991938598b75eac050192efda10e93a4755

  • /data/data/com.kazuvija.bgtfxdop/files/476426.so

    Filesize

    145KB

    MD5

    4e8f77cd5768d63eebb60e7cbc0440aa

    SHA1

    43fc88de7cdbd6bb30d4d16d0534b96a41ccab5a

    SHA256

    686e1f8998d71c5322a9944e3b36d89837ee501083b8770a42465dcc3e52cb06

    SHA512

    187b0b2980498b93887def826b8ed3ce29c94a7c9d0ebf0c580bd578cd958d88743097ad04fb1bbf292537f197bf2537009241616e08c02a4fbaeb65c59f74c5

  • /data/data/com.kazuvija.bgtfxdop/files/dex/f9701cd839f479ab.zip

    Filesize

    548KB

    MD5

    d7c7cdb24ad1a91efdac6edac26718d3

    SHA1

    07438995a3849106f48cb921709821b81983da84

    SHA256

    3f586069b749e3d452d983ac682d1172d0008561dab1e89c62a897782da09f38

    SHA512

    19da10353691d6fe1c7fd18b7208833b075d47bbf81f271f57143c819feb98242af3c32b4c0bdb3e4d2d2bdda8560e788cdf212e347df14c3bdd32269cdb11cf

  • /data/data/com.kazuvija.bgtfxdop/files/dex/pro_btn_bg_animation_img_0.jpg.zip

    Filesize

    8KB

    MD5

    7c20a2b01bf3f9df1f0abb72ebbe82be

    SHA1

    e601b2e41434623edbeece32867517a3cdec5449

    SHA256

    1a10cc3cd2dc21a9be2d2eb758fd19288082619d331245b927d0a9299462ea2e

    SHA512

    3faa6efbd3ebf6e1aff7ebe9958c5f94bbfe9c5ff9e11e9092b1b7301bbe6504c01b922d709303147e213b3cadce8e96462220a1d1bf4d6cdaec95b3f84bb1b4

  • /data/data/com.kazuvija.bgtfxdop/files/dex/wpaLZCRErwZPtcmlk.zip

    Filesize

    649KB

    MD5

    301af54524d2ec400a5e4b9a00d28f63

    SHA1

    3c7dd366cbb9c2efcdc5f006e0b4067c420aa405

    SHA256

    dda236be4fe731530c6473fb4d526e1bb958745b85cf3a84f8f432c75eb0b879

    SHA512

    71950f93a8ec4ede9f64c03255aa43976a4f44f7adbc304f4ceabd17b2879b36803f33a3baf5f4c3933ac68f357644f2995dd05d49b5927f3c4fdf70b0695462

  • /data/data/com.kazuvija.bgtfxdop/logs/Sistema1715911051845.log

    Filesize

    15KB

    MD5

    ff1455377c2c8a9edae668ba457a175f

    SHA1

    40669fedfb33e2828c5446fdf422a0b6fc249c9e

    SHA256

    d2d8639b4b668cc44fbb4b31b426e073e4d324fc833a5f3eb4c46d0211cff13e

    SHA512

    def87da15be44f1026d616a64c2babc898fd33c48d09a750a8563d6854f7ac4a63fb6474a5da1e6453b552630df2d1b0999e06b3d165eaa2352d1d8ca1ebc14d

  • /data/user/0/com.kazuvija.bgtfxdop/files/dex/f9701cd839f479ab.zip

    Filesize

    1.3MB

    MD5

    fde32c10e795aae479dfd073dfd253e8

    SHA1

    2e540320a57d56826b05f62d7b17c9fe4607c461

    SHA256

    ba43400e2112282d71246ef4db2c5fb23727547e49465174bba4787238eba389

    SHA512

    68b5fe13c77d0044dd5020d04ca8f00d3c81a2c64eaac085e48ae254f96c4b127c8c9106f27dddfd72bf51ce10887825bacfc58d239d29be0503352040b3009e

  • /data/user/0/com.kazuvija.bgtfxdop/files/dex/f9701cd839f479ab.zip

    Filesize

    1.3MB

    MD5

    9a650627a2c813a790ba4f8cb0943d4a

    SHA1

    e8d4542a5de038522f06d48de34917466d82e744

    SHA256

    9457d51859c571b49a4c96052ec65d4f830451f6cb47b0300bde0f32bcad05c1

    SHA512

    0715f9be2ed7ca4a2f5376cc996477d2a592ac98a23973cdc2c05f00571a5628fd96ea2b964ff8dff302463725eb82f643b4071ea9b8ee63e763e102bc59ee4e

  • /data/user/0/com.kazuvija.bgtfxdop/files/dex/wpaLZCRErwZPtcmlk.zip

    Filesize

    1.7MB

    MD5

    f0ed25a659560ad30bcb41fdca914e4d

    SHA1

    c824cdf9c9ba8bcb62d58b48bf3b713bf700a2b3

    SHA256

    cd696ff0fb8ada72f0c70481d3b993d0810497633829ca203f470d387c2a4f8f

    SHA512

    f71b5ba45712ee45aed2b667985160f3e620372229712b202c312ac991886b06291d81c094ca7223a7ac299c06b6599839708c2d2a7ef5221dd2569ccf562d65

  • /data/user/0/com.kazuvija.bgtfxdop/files/dex/wpaLZCRErwZPtcmlk.zip

    Filesize

    1.7MB

    MD5

    488cfd6c31269f83c81217ad02031279

    SHA1

    e38a209a28c76cca966dfb5a3b7fef8609145928

    SHA256

    7589f9c6eb10f0f495d369889f2e817af256e018c8cc43741793669dcb6ecc76

    SHA512

    177469cf2aa324ff525a8ae9571a1d9e16f3816225f308548f946ac133c4670b90b81503954d2048f4894a4895af6a3d84d75cb47412fcaf9e1e6fe2757363da