Malware Analysis Report

2024-09-09 12:34

Sample ID 240531-csec3acg92
Target 8b8351f544ec6727484b42715dfb1b205d78fc466f228928df62c81e68cec34b
SHA256 8b8351f544ec6727484b42715dfb1b205d78fc466f228928df62c81e68cec34b
Tags
tispy collection discovery evasion infostealer persistence spyware trojan
score
10/10

Analysis Overview

score
10/10

SHA256

8b8351f544ec6727484b42715dfb1b205d78fc466f228928df62c81e68cec34b

Threat Level: Known bad

The file 8b8351f544ec6727484b42715dfb1b205d78fc466f228928df62c81e68cec34b was found to be: Known bad.

Malicious Activity Summary

tispy collection discovery evasion infostealer persistence spyware trojan

TiSpy

Requests cell location

Registers a broadcast receiver at runtime (usually for listening for system events)

Loads dropped Dex/Jar

Queries the mobile country code (MCC)

Queries information about the current Wi-Fi connection

Queries information about the current nearby Wi-Fi networks

Queries the phone number (MSISDN for GSM devices)

Checks if the internet connection is available

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Acquires the wake lock

Reads information about the phone network operator

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-31 02:20

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows the app to answer an incoming phone call. android.permission.ANSWER_PHONE_CALLS N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read the user's calendar data. android.permission.READ_CALENDAR N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to collect component usage statistics. android.permission.PACKAGE_USAGE_STATS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
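The two static signatures above come straight from the manifest: the three BIND_* permissions are not requested with uses-permission but set as the android:permission attribute of a service or receiver, so that only the system (which holds them) can bind to the component; the sixteen permissions in the table are ordinary uses-permission entries. The following is an added triage example, not the sandbox's signature code. It parses a decoded AndroidManifest.xml for exactly these features; the manifest it runs on is constructed to match this report (the package name is the one the sandbox ran, the component class names are hypothetical), and the "surveillance profile" rule at the end is an assumed heuristic, not a sandbox rule.

```python
"""Static check for the manifest features this report flags under
"Declares ... with permission to bind to the system" and "Requests dangerous
framework permissions". Added example, not the sandbox's signature code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _android(elem, attr):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, attr))


# The sixteen permissions listed in the report's static signature.
REPORTED_PERMISSIONS = frozenset(
    "android.permission." + p for p in (
        "READ_CONTACTS", "READ_SMS", "CALL_PHONE", "READ_PHONE_STATE",
        "ANSWER_PHONE_CALLS", "PROCESS_OUTGOING_CALLS", "READ_CALL_LOG",
        "WRITE_EXTERNAL_STORAGE", "ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION",
        "READ_CALENDAR", "RECORD_AUDIO", "CAMERA", "SYSTEM_ALERT_WINDOW",
        "PACKAGE_USAGE_STATS", "WRITE_SETTINGS",
    )
)
# Subset that reads user data directly; used by the heuristic below.
COLLECTION_PERMISSIONS = frozenset(
    "android.permission." + p for p in (
        "READ_CONTACTS", "READ_SMS", "READ_CALL_LOG", "READ_CALENDAR",
        "RECORD_AUDIO", "CAMERA", "ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION",
    )
)
# System-bound components: the permission sits on the component element
# (android:permission), not in <uses-permission>, and maps to a component type.
BIND_PERMISSIONS = {
    "android.permission.BIND_DEVICE_ADMIN": "receiver",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "service",
}


def triage_manifest(xml_text):
    """Return the requested permissions and system-bound components of a decoded manifest."""
    root = ET.fromstring(xml_text)
    requested = {_android(e, "name") for e in root.iter("uses-permission")}
    bound = {}
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = _android(comp, "permission")
            if BIND_PERMISSIONS.get(perm) == tag:
                bound[perm] = _android(comp, "name")
    return {
        "package": root.get("package"),
        "reported_permissions": sorted(requested & REPORTED_PERMISSIONS),
        "collection_permissions": sorted(requested & COLLECTION_PERMISSIONS),
        "system_bound_components": bound,
    }


def surveillance_profile(findings):
    """Assumed heuristic (not a sandbox rule): a UI hook (accessibility service or
    notification listener) plus a device-admin receiver plus at least three
    data-collection permissions."""
    bound = findings["system_bound_components"]
    hook = ("android.permission.BIND_ACCESSIBILITY_SERVICE" in bound
            or "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE" in bound)
    admin = "android.permission.BIND_DEVICE_ADMIN" in bound
    return hook and admin and len(findings["collection_permissions"]) >= 3


# Constructed manifest matching the report's static findings; the package name is
# the sandbox's, the component class names are hypothetical.
_USES = "".join('<uses-permission android:name="%s"/>' % p for p in sorted(REPORTED_PERMISSIONS))
SAMPLE_MANIFEST = """<manifest xmlns:android="%s" package="com.isrigzxj.cbtqprrg">
%s<application>
  <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  <service android:name=".NotifService" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
</application></manifest>""" % (ANDROID_NS, _USES)

# Constructed control case: a single normal permission and no bound components.
BENIGN_MANIFEST = """<manifest xmlns:android="%s" package="com.example.benign">
<uses-permission android:name="android.permission.INTERNET"/><application/></manifest>""" % ANDROID_NS

if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        f = triage_manifest(manifest)
        print(f["package"], "bound:", sorted(f["system_bound_components"]),
              "profile:", surveillance_profile(f))
```

On a real sample, feed the script the manifest decoded with apktool or aapt2 rather than the binary AndroidManifest.xml inside the APK; the element and attribute names are the same once decoded.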

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 02:20

Reported

2024-05-31 02:23

Platform

android-x86-arm-20240514-en

Max time kernel

48s

Max time network

131s

Command Line

com.isrigzxj.cbtqprrg

Signatures

TiSpy

trojan infostealer spyware tispy

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zip N/A N/A
N/A /data/user/0/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zip N/A N/A
N/A /data/user/0/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zip N/A N/A
N/A /data/user/0/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zip N/A N/A
N/A /data/user/0/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zip N/A N/A
N/A /data/user/0/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zip N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Queries the mobile country code (MCC), as the ISO country code of the registered operator

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about the phone network operator

discovery

Processes

com.isrigzxj.cbtqprrg

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.isrigzxj.cbtqprrg/files/dex/oat/x86/4e980369f2fbb29b.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.isrigzxj.cbtqprrg/files/dex/oat/x86/inhsgJPxCwtVVqzwD.odex --compiler-filter=quicken --class-loader-context=&
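Both dex2oat invocations above compile a --dex-file that lives in the app's private files/dex directory rather than in the installed APK under /data/app, which is what the "Loads dropped Dex/Jar" signature keys on. The following is an added example, not part of the report or the sandbox: it parses those two command lines (copied verbatim from this section) and cross-checks them against the Files section later in this report, where each dropped zip path appears with three different SHA-256 values. The /data/data/<pkg> and /data/user/0/<pkg> paths are folded together because the former is the legacy alias of the latter on a single-user device; treating any dex2oat input outside /data/app as "dropped" is an assumed heuristic.

```python
"""Triage helpers for the dex2oat and dropped-payload evidence in this report.
Added example, not the sandbox's code. Heuristic: code compiled from
app-private storage (/data/user/<n>/<pkg>/ or its /data/data/<pkg>/ alias)
was dropped at runtime; installed APKs are compiled from /data/app/."""
import re
import shlex

PRIVATE_DIR = re.compile(r"^/data/(?:data|user/\d+)/([\w.]+)/")

# Copied verbatim from the Processes section of this report.
DEX2OAT_CMDS = [
    "/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.isrigzxj.cbtqprrg/files/dex/oat/x86/4e980369f2fbb29b.odex --compiler-filter=quicken --class-loader-context=&",
    "/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.isrigzxj.cbtqprrg/files/dex/oat/x86/inhsgJPxCwtVVqzwD.odex --compiler-filter=quicken --class-loader-context=&",
]

# (path, SHA-256) pairs copied from the Files section of this report.
FILE_RECORDS = [
    ("/data/data/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zip", "4b44d4e08342d15ddd6dd119633b02ad8eac9181595ef67e26f30a4c6b006377"),
    ("/data/user/0/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zip", "5a97c14f0f065e1a76385da045cbde4eb796b0e7fb14108a26158a6db5484d94"),
    ("/data/user/0/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zip", "b7f516dd7642d84757bd90344056ab33023461bef6aa83c6525f8e690a5fd2cc"),
    ("/data/data/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zip", "e33014c1ea38fe32cd60a59859fad9221be4da7dd964b1d05d350b3cd396d8be"),
    ("/data/user/0/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zip", "bef099bbba7d5eef8f99a2a604da109fab85b1acfc548494fdcf9a5b70ff711f"),
    ("/data/user/0/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zip", "eb81cf25922948ce723b7c6660933eb4029f52c808e7d84e2e8cff2eb0749a0b"),
    ("/data/data/com.isrigzxj.cbtqprrg/files/dex/pro_btn_bg_animation_img_0.jpg.zip", "1a10cc3cd2dc21a9be2d2eb758fd19288082619d331245b927d0a9299462ea2e"),
    ("/data/data/com.isrigzxj.cbtqprrg/files/476930.so", "e7bf368d0b6f671b30a52659c1c0808efedd80f9d6ab2d7ebf7d135eb4f018cf"),
]


def normalize_path(path):
    """Fold the legacy /data/data/<pkg> alias onto /data/user/0/<pkg> so one file counts once."""
    return re.sub(r"^/data/data/", "/data/user/0/", path)


def parse_dex2oat(cmdline):
    """Extract the fields that matter for triage from a dex2oat command line."""
    opts = {}
    for tok in shlex.split(cmdline)[1:]:
        if tok.startswith("--") and "=" in tok:
            key, val = tok[2:].split("=", 1)
            opts[key] = val  # a repeated flag keeps its last occurrence
    dex = opts.get("dex-file", "")
    owner = PRIVATE_DIR.match(normalize_path(dex))
    return {
        "dex_file": dex,
        "oat_location": opts.get("oat-location"),
        "compiler_filter": opts.get("compiler-filter"),
        "owner_package": owner.group(1) if owner else None,
        "dropped": owner is not None,  # heuristic: input not under /data/app
    }


def content_churn(records):
    """Paths that were written with more than one distinct content hash."""
    seen = {}
    for path, sha256 in records:
        seen.setdefault(normalize_path(path), set()).add(sha256)
    return {p: len(h) for p, h in seen.items() if len(h) > 1}


def dropped_payloads(cmds=DEX2OAT_CMDS, records=FILE_RECORDS):
    """Join both views: dropped dex paths that were compiled, with the number of
    distinct contents written to each (1 if the path was only written once)."""
    churn = content_churn(records)
    out = {}
    for cmd in cmds:
        info = parse_dex2oat(cmd)
        if info["dropped"]:
            path = normalize_path(info["dex_file"])
            out[path] = churn.get(path, 1)
    return out


if __name__ == "__main__":
    for path, n in dropped_payloads().items():
        print("%d distinct contents compiled from %s" % (n, path))
```

For a live device or emulator, the same command lines can be collected from the process list (or from logcat's dex2oat lines) and the file records from a recursive listing and hashing of the package's data directory; the helpers above do not depend on the sandbox's output format.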

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.3:443 tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 142.250.187.206:443 android.apis.google.com tcp

Files

/data/data/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zip

MD5 62c866a108367ae783d929466f09e520
SHA1 b10089574302e09e181b115e6d8f459a0ddb1289
SHA256 4b44d4e08342d15ddd6dd119633b02ad8eac9181595ef67e26f30a4c6b006377
SHA512 e4822da4a14907b0ee374ee08a6cc6becfa3b4b126b5f905374dc5233acf57da2bb42050f751a45a5a2d42d79b61eb075ee414d8143a7a7dc707855de30459c8

/data/user/0/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zip

MD5 1d68cee2d48c35b6d1ecab77514c7038
SHA1 0bfe331e5587925f8c059ae1d49c6f74dd46b6df
SHA256 5a97c14f0f065e1a76385da045cbde4eb796b0e7fb14108a26158a6db5484d94
SHA512 9220c3e5cce2e45738d30a8c0b50b9398d4ee6f7ed67ca3e15aa16608dfb148aaefceadc8f2d4c2862f0e53d5411cf75ab231972d8ea93f80ee8da4714e8f95e

/data/user/0/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zip

MD5 5d406a89b3f279a04a4979a8e2616285
SHA1 f113cce18c373f2ebf5547512fd9113000595782
SHA256 b7f516dd7642d84757bd90344056ab33023461bef6aa83c6525f8e690a5fd2cc
SHA512 c11f99cbf360960e99cbf75cf83b604291e71b7881bdf6d864dfce8bb6f58c697e8473f045b88d54905d8118a3a2aacf4a4ebd60145ca8fd18078495b5fef933

/data/data/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zip

MD5 47ceb452a01d8c194fa7f533c3e61419
SHA1 042ec91a633cfef544f19962000220b8d1803465
SHA256 e33014c1ea38fe32cd60a59859fad9221be4da7dd964b1d05d350b3cd396d8be
SHA512 8097fe583cf1edeb60d892471b6b0e84e35dd431e096e53ae505f69ba3be5b572a7d55723f2214dff8556ab32c7c08420305600fd67cf2b564ec60de84141d07

/data/user/0/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zip

MD5 2c9a66cccee940a9d97e022d58e42a31
SHA1 41b803435dcd32c6a9d34b3cdc0a5303f558462a
SHA256 bef099bbba7d5eef8f99a2a604da109fab85b1acfc548494fdcf9a5b70ff711f
SHA512 aca9db3a864f49d50ae061bcce01cef6b8fd9c9fefcb5cce6ffadfef18ed64abb09c01da84bb7abc8e5251f989b06d556a19d91b708a88b010aefef155312429

/data/user/0/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zip

MD5 bc6c40ec39e4232f450c7130aee50f86
SHA1 c69aa5570e552b87c8daf20b6e4aa870b3954bb0
SHA256 eb81cf25922948ce723b7c6660933eb4029f52c808e7d84e2e8cff2eb0749a0b
SHA512 2f3e2aa11d682972a59e3a4929433cb31ed1bce2e5a76dfcbadba2c02cb3df6b65e029c9b60613542ecbfba8578cf8884d88a5b4f5eac53695a17a5838721e78

/data/data/com.isrigzxj.cbtqprrg/files/dex/pro_btn_bg_animation_img_0.jpg.zip

MD5 7c20a2b01bf3f9df1f0abb72ebbe82be
SHA1 e601b2e41434623edbeece32867517a3cdec5449
SHA256 1a10cc3cd2dc21a9be2d2eb758fd19288082619d331245b927d0a9299462ea2e
SHA512 3faa6efbd3ebf6e1aff7ebe9958c5f94bbfe9c5ff9e11e9092b1b7301bbe6504c01b922d709303147e213b3cadce8e96462220a1d1bf4d6cdaec95b3f84bb1b4

/data/data/com.isrigzxj.cbtqprrg/files/476930.so

MD5 f74953102f58b152b02f105be430863b
SHA1 aa8ffd18a7b41d78b70dd02c66e99c8d46936647
SHA256 e7bf368d0b6f671b30a52659c1c0808efedd80f9d6ab2d7ebf7d135eb4f018cf
SHA512 d6251a916869a1474531e56e910b38988f650ae8c74d6ce64e35d5ce63ce5a99d120c6c0dc0b7854c964716d33ae577560be46a44302304cc00751e41df93310

/data/data/com.isrigzxj.cbtqprrg/logs/Sistema1717122020026.log

MD5 7613dfc2de51741e8dc9e0d1d1f4d5db
SHA1 28126f1dff5fe7a74c46473a435635dd5ee6337e
SHA256 a1428257ab06f9fae2758db8b7aeb2efe4d3d355c4483458381f6f6fb88b7f84
SHA512 9899bf346d04128311f1813384d604e55f6fa9536b9332b3508bb2a7a076f855c2edf142a6b8d9cea9b0e3eec46cbba65163f2c6cbdbb6ee93351f68dbc48f4a

/data/data/com.isrigzxj.cbtqprrg/databases/privatesms.db-journal

MD5 bd5cfbd4b82d4616a53f58a55d40241a
SHA1 a9565659c95d1e5e4a002cba1501fe11376b5ccf
SHA256 977e83d9af268fd2576ac3dc4a3f6f758232b3066a163a8d9bbfe2ef3cc3d08c
SHA512 4c2c6711a5a682b324cf8cb557038a0d4bdbc5cf4aee669924eec3f64d47ea8e68a465d09e0213fb8bf2d55a4401217337631a8c13cf4f70521bfa37f73870d0

/data/data/com.isrigzxj.cbtqprrg/databases/privatesms.db

MD5 3621ce0aa81e37bc5c80e2cf881f1dd0
SHA1 00365f82dcada94caea07443656848baf60b3bd9
SHA256 8620d146b06037c9dc98b8788c3137344eb9d7e1f8b982ffec4c1d8549f24dd5
SHA512 76bb7175359d61ce39e95008269752de25769c4e274b4bcf37b920bc2cbfb680b2a4a88de860ed069655d1f47604638b0301c2c6131107cd929348895d73d2bf

/data/data/com.isrigzxj.cbtqprrg/databases/privatesms.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.isrigzxj.cbtqprrg/databases/privatesms.db-wal

MD5 2ff847fd33eaedf58695631e001c27a9
SHA1 f75a8a3711dc168ce88740ebac29548291586197
SHA256 c352aa9b9c64f9eb65500efb33e0197a39500e7c28307adc05631104d24eaa4b
SHA512 68d9cf1d11beba4ffc38a33d78220ad5eb217e458796db49269b36287bef5a777cc6a0ce6a5030e91d4d485640ad86ddc3560180f46baa8aa5ddca7072db1a17