Analysis
-
max time kernel
47s
-
max time network
159s
-
platform
android_x86
-
resource
android-x86-arm-20240514-en
-
resource tags
android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
-
submitted
31-05-2024 01:03
Static task
static1
Behavioral task
behavioral1
Sample
149e43eacb61a1827ee4bc121e8de586fc0161cc23e5d7c13bc8426b17e350b2.apk
Resource
android-x86-arm-20240514-en
General
-
Target
149e43eacb61a1827ee4bc121e8de586fc0161cc23e5d7c13bc8426b17e350b2.apk
-
Size
2.4MB
-
MD5
fcb3a66bcd553db071efd440220572e5
-
SHA1
5913843e782e8b1f8b0e69f1a50bb1b1fb1b8a0c
-
SHA256
149e43eacb61a1827ee4bc121e8de586fc0161cc23e5d7c13bc8426b17e350b2
-
SHA512
e2b03637bd5cd2a56f7baa1348ea42848c2dbf5d854f8db3dfefcb4f1da647f3effdedd2422141af07c271c142fa8201b29e5b9b5e3a2259e0bea2d47e5f7563
-
SSDEEP
49152:Map09YS76tl9YHKDUJ4iASylo/jkLYJETWt5ZePg3vuO:MaOrmtl9UKDsKeAc5ZrfuO
Malware Config
Extracted
tispy
https://brunoespiao.com.br/esp/appprofile.jsp
Signatures
-
TiSpy
TiSpy is Android stalkerware.
-
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to get the current cell location.
-
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information that can indicate whether the system is an emulator.
-
Checks memory information 2 TTPs 1 IoCs
Checks memory information that can indicate whether the system is an emulator.
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs an executable file dropped to the device during analysis.
Processes:
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.frpcjtxj.gdfnzbgq/files/dex/oompgRzRYNDbJqWLs.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.frpcjtxj.gdfnzbgq/files/dex/oat/x86/oompgRzRYNDbJqWLs.odex --compiler-filter=quicken --class-loader-context=&
- com.frpcjtxj.gdfnzbgq
ioc | pid | process
/data/user/0/com.frpcjtxj.gdfnzbgq/files/dex/oompgRzRYNDbJqWLs.zip | 4360 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.frpcjtxj.gdfnzbgq/files/dex/oompgRzRYNDbJqWLs.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.frpcjtxj.gdfnzbgq/files/dex/oat/x86/oompgRzRYNDbJqWLs.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.frpcjtxj.gdfnzbgq/files/dex/oompgRzRYNDbJqWLs.zip | 4331 | com.frpcjtxj.gdfnzbgq
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes:
- com.frpcjtxj.gdfnzbgq
description | ioc | process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.frpcjtxj.gdfnzbgq
-
Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.
Processes:
- com.frpcjtxj.gdfnzbgq
description | ioc | process
Framework service call | android.net.wifi.IWifiManager.getScanResults | com.frpcjtxj.gdfnzbgq
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
Processes:
- com.frpcjtxj.gdfnzbgq
description | ioc | process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.frpcjtxj.gdfnzbgq
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
- com.frpcjtxj.gdfnzbgq
description | ioc | process
Framework service call | android.app.IActivityManager.registerReceiver | com.frpcjtxj.gdfnzbgq
-
Acquires the wake lock 1 IoCs
Processes:
- com.frpcjtxj.gdfnzbgq
description | ioc | process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.frpcjtxj.gdfnzbgq
-
Checks if the internet connection is available 1 TTPs 1 IoCs
Processes:
- com.frpcjtxj.gdfnzbgq
description | ioc | process
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.frpcjtxj.gdfnzbgq
Processes
-
com.frpcjtxj.gdfnzbgq
- Requests cell location
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Queries information about the current Wi-Fi connection
- Queries information about the current nearby Wi-Fi networks
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Checks if the internet connection is available
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.frpcjtxj.gdfnzbgq/files/dex/oompgRzRYNDbJqWLs.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.frpcjtxj.gdfnzbgq/files/dex/oat/x86/oompgRzRYNDbJqWLs.odex --compiler-filter=quicken --class-loader-context=&
- Loads dropped Dex/Jar
Network
MITRE ATT&CK Matrix
Downloads
-
/data/data/com.frpcjtxj.gdfnzbgq/databases/privatesms.db
Filesize 16KB
MD5 3621ce0aa81e37bc5c80e2cf881f1dd0
SHA1 00365f82dcada94caea07443656848baf60b3bd9
SHA256 8620d146b06037c9dc98b8788c3137344eb9d7e1f8b982ffec4c1d8549f24dd5
SHA512 76bb7175359d61ce39e95008269752de25769c4e274b4bcf37b920bc2cbfb680b2a4a88de860ed069655d1f47604638b0301c2c6131107cd929348895d73d2bf
-
/data/data/com.frpcjtxj.gdfnzbgq/databases/privatesms.db-journal
Filesize 512B
MD5 8f867550f270f0f4d0e84a71e34ce44b
SHA1 450d74b69512a6c4cb091120e285951bff2e5f5e
SHA256 d3144c0150154f9bcafef8d3adac51606178022e5d801b25bc1a57f5f579b281
SHA512 14223c0aa07dd7aae5236fe15e482c8f0afc3c7742940d594233cabc17daea396582e9bac7d64af9a59e389b4e1c15894f8a0d94964318cc694cd77caa959559
-
/data/data/com.frpcjtxj.gdfnzbgq/databases/privatesms.db-shm
Filesize 32KB
MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
/data/data/com.frpcjtxj.gdfnzbgq/databases/privatesms.db-wal
Filesize 28KB
MD5 b5c8d257f9b6e72834b950e2687db888
SHA1 12888339496a9614812b2230fbeb74a6317fff13
SHA256 0a363c9101640e5cf3b768b424b5bffa5c74a09cf725075d74b9a89a0bc62971
SHA512 0acd2a56a313d3c4f966c64db73b7760e294ebe3d37b1a7ff779bd95fdff5876129a68dfef5060b4326c8ccfe72cffb9040d0b9ecd276fbfb6e1ae1be0c8735c
-
/data/data/com.frpcjtxj.gdfnzbgq/files/476951.so
Filesize 145KB
MD5 370a3e30a21ae1845bd772a66bc3e4ca
SHA1 8662426d06d3ed6fedba90086290b48c827e9a02
SHA256 7eb75c6e78721b16289e92a4fca68a582278e181ca8a6036d2149f2f16dcee80
SHA512 f706249383221e2d395ac01704ee8dd7c112677567876a731938576f05806e11d9c039506aa12f44f70b86b1e8ca9c04b60a39bc1b74a2e2c32e0894e61b0775
-
/data/data/com.frpcjtxj.gdfnzbgq/files/Background/black-wallpapers-for-smartphone-102-700x990.jpg
Filesize 3KB
MD5 4651e1fd4234ee465d6fe6349f2e178d
SHA1 1a86fbd1edd11fa983155172d484959760c1fc0e
SHA256 725ccd777793d5b05707aa28438b58a021c15b0f9cf47ace83aada6ea93a921b
SHA512 6962571dbc91930f4624e3c80e1ab7a5ac23f8f13ccb4587d1619c5d5f8e9731974ae954e8b9ba2e86084f8e797c6a9d49267667a98e47bd7af9e0af29686b0c
-
/data/data/com.frpcjtxj.gdfnzbgq/files/dex/oompgRzRYNDbJqWLs.zip
Filesize 531KB
MD5 780973605310bfd547e99d3049ca8fd1
SHA1 364a1bcc78283899559781fb27179e7d28a4c56e
SHA256 6804565aa8a5673a0274b73d08b111028d4402599dd5e8e3cc4a78516f8490ae
SHA512 d7913807a73c90b47f420710599232d980625fd8e87b23d1379579925c5b7b9232cd76950b370bb8fb433def938fba7d915536b385d2dee787ff831e0a813233
-
/data/data/com.frpcjtxj.gdfnzbgq/logs/Sistema1717117422938.log
Filesize 17KB
MD5 d1eb1bbf124b820a4488530fec0af951
SHA1 c86219e993d0498d0987b928ece7a7b0b15bb4f8
SHA256 f4fcce1a5c0aa7d30958338f158cd011aab9de826e490b975d1cc8997489ed33
SHA512 16e3d3dc2fd9c3e142c88bf0313d1a13bdefa08c1a281c8c4fb39fce08a6239373978f7b430af19f24ceee2f3d7a03ce411d8a61517a241ede5ab7913b63bd3f
-
/data/user/0/com.frpcjtxj.gdfnzbgq/files/dex/oompgRzRYNDbJqWLs.zip
Filesize 1.3MB
MD5 24f203c2048a44f9cb11cb7b932fb6ce
SHA1 1a55fb180d25a4be776a6aa3f337bdda570d52f6
SHA256 c6e1f423145cd16b6cf3724787acc17ec5f77f8ad5c310d5fdddd78f98738cb1
SHA512 5b2818a640e2384dd1653e8ad6081dddded4ecc4bff304e7080ad3d5a986a58b58a05eb1a3c161a3065eae0bedafa62272c552742e893c75daeba062cae4fa72
-
/data/user/0/com.frpcjtxj.gdfnzbgq/files/dex/oompgRzRYNDbJqWLs.zip
Filesize 1.3MB
MD5 eb1350ff92300ea6f2c46e5d40d64ee2
SHA1 7640e2bd7e7ed51438847f2700f4d7d3caa0c6c1
SHA256 268bdbb9fbaef09c2db7ea2fccbff58e3036213408a47575c508b415aabc01ff
SHA512 de621c4584047e1835cee6515b98f62415571ab855f17a4cdd527b6e64dcd427d0bc3e90b8ff2862583b3cf08c6bb2cfd4277ed3f73dbf8a48e9be30a98a0f12