Malware Analysis Report

2024-09-09 12:34

Sample ID 240601-cp5qvafb42
Target bruno-wi1.apk
SHA256 56ac1ccbc457e6e9b335207c0378624898a44af93464c1b6d8a973cea60fdac6
Tags
tispy collection discovery evasion infostealer persistence spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

56ac1ccbc457e6e9b335207c0378624898a44af93464c1b6d8a973cea60fdac6

Threat Level: Known bad

The file bruno-wi1.apk was found to be: Known bad.

Malicious Activity Summary

tispy collection discovery evasion infostealer persistence spyware trojan

TiSpy

Requests cell location

Checks memory information

Loads dropped Dex/Jar

Queries information about the current nearby Wi-Fi networks

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Queries the phone number (MSISDN for GSM devices)

Queries the mobile country code (MCC)

Queries information about the current Wi-Fi connection

Declares broadcast receivers with permission to handle system events

Checks if the internet connection is available

Reads information about phone network operator.

Requests dangerous framework permissions

Declares services with permission to bind to the system

Acquires the wake lock

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 02:16

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows the app to answer an incoming phone call. android.permission.ANSWER_PHONE_CALLS N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read the user's calendar data. android.permission.READ_CALENDAR N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to collect component usage statistics. android.permission.PACKAGE_USAGE_STATS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 02:16

Reported

2024-06-01 02:19

Platform

android-x86-arm-20240514-en

Max time kernel

48s

Max time network

150s

Command Line

com.fcvyuwiw.stdonrxk

Signatures

TiSpy

trojan infostealer spyware tispy

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.fcvyuwiw.stdonrxk/files/dex/MNVFqcxoXFEZENVGT.zip N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Processes

com.fcvyuwiw.stdonrxk

Network

Country Destination Domain Proto
GB 142.250.187.195:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 brunoespiao.com.br udp
US 104.21.49.104:443 brunoespiao.com.br tcp
US 1.1.1.1:53 thypix.com udp
US 172.67.190.180:443 thypix.com tcp
US 1.1.1.1:53 pc.brunoespiao.com.br udp
US 34.200.160.51:443 pc.brunoespiao.com.br tcp
US 34.200.160.51:443 pc.brunoespiao.com.br tcp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp

Files

/data/data/com.fcvyuwiw.stdonrxk/files/dex/MNVFqcxoXFEZENVGT.zip

MD5 922ad83b5039e38ecd4774f016717683
SHA1 b2250d3656d7a52153e3cc31286a35705803f83d
SHA256 c65bf1478e7a981a0099ff6dd4275812bf6a7646a4f5e2320f37715ab58698c9
SHA512 152699fdf64bda70b1af6755a78124d7c7c014722dfa70c77b5f58b91d5c2d688bac47d9c3313987e4cf4aaf135f9705662804fb49be670200136ee798ed2fae

/data/user/0/com.fcvyuwiw.stdonrxk/files/dex/MNVFqcxoXFEZENVGT.zip

MD5 e7ee3979342fa1be7e141365a8e55a1f
SHA1 b7f478159c3d3c889708dfdc3ec421dee861a7d9
SHA256 0c609db44c13400d4257d3406e82569b0d154c2e2d2ef11e51d3fc82ce038b81
SHA512 cf76dac1f18e5a446c1cd331c1054ed20d1cba2e2d4d4ba88355e367b81459245b9c697734eb78a8d2112bb120528f7ea3f4b5ca58c1c3b1cedeb755af5c510e

/data/data/com.fcvyuwiw.stdonrxk/files/476999.so

MD5 5659b3163253283bf73f6a520a8063ab
SHA1 9a37028465631f04fb9d94906dc5493fc3f0c394
SHA256 dd4d34f790692a264cb783f8580d290cfa9d003809e2894b8fb456597b6d9108
SHA512 68c4f593fe8309333338d27708b5de2e1ad9e60e082d1b567681268b129f4e4bc3da21b9a255a370e4b537d243c9a94652c42798e4bf7d1366def29634974f4a

/data/data/com.fcvyuwiw.stdonrxk/logs/Sistema1717208176246.log

MD5 4362f97ca1524a0be59dcfc86fac90d5
SHA1 9b8dcdf7c3ab7627869991cb0c8819de48b0f5e4
SHA256 c8ab50a84432e42b13d574ff6c5a3ad8b73bd5818c3d7f2fa13c151a5e18dfda
SHA512 ab76efb9a94254bd77c4285f1cb1b70f4f3d84fbfcf1bb91ad15e96a42684e727682f19c592c9bdb81bcfd361c2444d521234e1f3c35f4abac437af27bf7da48

/data/data/com.fcvyuwiw.stdonrxk/files/Background/black-wallpapers-for-smartphone-102-700x990.jpg

MD5 4651e1fd4234ee465d6fe6349f2e178d
SHA1 1a86fbd1edd11fa983155172d484959760c1fc0e
SHA256 725ccd777793d5b05707aa28438b58a021c15b0f9cf47ace83aada6ea93a921b
SHA512 6962571dbc91930f4624e3c80e1ab7a5ac23f8f13ccb4587d1619c5d5f8e9731974ae954e8b9ba2e86084f8e797c6a9d49267667a98e47bd7af9e0af29686b0c

/data/data/com.fcvyuwiw.stdonrxk/databases/privatesms.db-journal

MD5 71dcf601d7c18ca7d5027a85d342b59c
SHA1 def1c58a18e03fe71fc17cd2f1e85760d2c076df
SHA256 8e86fbe161581f9f15700b67e3910956b96aee204dd87c802f02eb8474aa79ee
SHA512 cb22c155fbd0c7a5391af3e23ec295c942c82e1b91d4172a62a63fba68ef18b88225defd94dd4626c6e0f62fef5782c95e541a3fc857620f8e7d1660eeaa56bf

/data/data/com.fcvyuwiw.stdonrxk/databases/privatesms.db

MD5 3621ce0aa81e37bc5c80e2cf881f1dd0
SHA1 00365f82dcada94caea07443656848baf60b3bd9
SHA256 8620d146b06037c9dc98b8788c3137344eb9d7e1f8b982ffec4c1d8549f24dd5
SHA512 76bb7175359d61ce39e95008269752de25769c4e274b4bcf37b920bc2cbfb680b2a4a88de860ed069655d1f47604638b0301c2c6131107cd929348895d73d2bf

/data/data/com.fcvyuwiw.stdonrxk/databases/privatesms.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.fcvyuwiw.stdonrxk/databases/privatesms.db-wal

MD5 79ac72fe8ae05d1e91237489a8874837
SHA1 a2e2f813817921ba31accca758b3f4452fd27649
SHA256 bd8cb340cde1c6bb492e2ef34785736963c4e2e2eabadd8e8513506422f8238e
SHA512 09d60a41359e2168de6c48c12111c871d2456a5ff3789b39ca1e2c29a5365a306b81a23998578c19a3b20da5c71bc34cc7eb817e442cd8406fe003ac2e253249