Analysis
-
max time kernel
47s -
max time network
145s -
platform
android_x86 -
resource
android-x86-arm-20240514-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system -
submitted
02-06-2024 02:05
Static task
static1
Behavioral task
behavioral1
Sample
8b8351f544ec6727484b42715dfb1b205d78fc466f228928df62c81e68cec34b.apk
Resource
android-x86-arm-20240514-en
General
-
Target
8b8351f544ec6727484b42715dfb1b205d78fc466f228928df62c81e68cec34b.apk
-
Size
3.7MB
-
MD5
78c51f9e1e00e8946c9017adf4a47a1c
-
SHA1
05141b68f90819c403d358028eed205ab1fc953c
-
SHA256
8b8351f544ec6727484b42715dfb1b205d78fc466f228928df62c81e68cec34b
-
SHA512
782ae666c349d6a142bf73e8a32b5248754fe5c6aed1813546880d82dbc7fa7e70d5d0c6109b654af4517bfbb59be602e8e54343d814bac3e4ece3190b07e160
-
SSDEEP
49152:hmXG9PEvhjAoB5PKJGQAs+79Q1TCrKF5AM1OshSBKkWiQeFs9fxI0LRbJxe9Je:hmXGiZj7PzQZ1TvlhSBKcQ39prl7ue
Malware Config
Signatures
-
TiSpy
TiSpy is an Android stalkerware.
-
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
-
Loads dropped Dex/Jar 1 TTPs 6 IoCs
Runs executable file dropped to the device during analysis.
Processes:
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.isrigzxj.cbtqprrg/files/dex/oat/x86/4e980369f2fbb29b.odex --compiler-filter=quicken --class-loader-context=&com.isrigzxj.cbtqprrg/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zip --output-vdex-fd=43 --oat-fd=47 --oat-location=/data/user/0/com.isrigzxj.cbtqprrg/files/dex/oat/x86/inhsgJPxCwtVVqzwD.odex --compiler-filter=quicken --class-loader-context=&ioc pid process /data/user/0/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zip 4328 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.isrigzxj.cbtqprrg/files/dex/oat/x86/4e980369f2fbb29b.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zip 4284 com.isrigzxj.cbtqprrg /data/user/0/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zip 4352 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zip --output-vdex-fd=43 --oat-fd=47 --oat-location=/data/user/0/com.isrigzxj.cbtqprrg/files/dex/oat/x86/inhsgJPxCwtVVqzwD.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zip 4284 com.isrigzxj.cbtqprrg /data/user/0/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zip 4284 com.isrigzxj.cbtqprrg /data/user/0/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zip 4284 com.isrigzxj.cbtqprrg -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes:
com.isrigzxj.cbtqprrgdescription ioc process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.isrigzxj.cbtqprrg -
Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.
Processes:
com.isrigzxj.cbtqprrgdescription ioc process Framework service call android.net.wifi.IWifiManager.getScanResults com.isrigzxj.cbtqprrg -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
Processes:
com.isrigzxj.cbtqprrgdescription ioc process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.isrigzxj.cbtqprrg -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
com.isrigzxj.cbtqprrgdescription ioc process Framework service call android.app.IActivityManager.registerReceiver com.isrigzxj.cbtqprrg -
Acquires the wake lock 1 IoCs
Processes:
com.isrigzxj.cbtqprrgdescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock com.isrigzxj.cbtqprrg -
Checks if the internet connection is available 1 TTPs 1 IoCs
Processes:
com.isrigzxj.cbtqprrgdescription ioc process Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.isrigzxj.cbtqprrg -
Reads information about phone network operator. 1 TTPs
Processes
-
com.isrigzxj.cbtqprrg1⤵
- Requests cell location
- Loads dropped Dex/Jar
- Queries information about the current Wi-Fi connection
- Queries information about the current nearby Wi-Fi networks
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Checks if the internet connection is available
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.isrigzxj.cbtqprrg/files/dex/oat/x86/4e980369f2fbb29b.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zip --output-vdex-fd=43 --oat-fd=47 --oat-location=/data/user/0/com.isrigzxj.cbtqprrg/files/dex/oat/x86/inhsgJPxCwtVVqzwD.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/com.isrigzxj.cbtqprrg/databases/privatesms.dbFilesize
16KB
MD53621ce0aa81e37bc5c80e2cf881f1dd0
SHA100365f82dcada94caea07443656848baf60b3bd9
SHA2568620d146b06037c9dc98b8788c3137344eb9d7e1f8b982ffec4c1d8549f24dd5
SHA51276bb7175359d61ce39e95008269752de25769c4e274b4bcf37b920bc2cbfb680b2a4a88de860ed069655d1f47604638b0301c2c6131107cd929348895d73d2bf
-
/data/data/com.isrigzxj.cbtqprrg/databases/privatesms.db-journalFilesize
512B
MD52649477b88ad552318a2b33727445524
SHA15455685e7577a779c77020c996bfd3d944cad591
SHA25617ef5ac335cb4f178b8548fc96cb5848bc6fd4818c16729cb95f1e2ee3dc46cb
SHA512d13ee32ddc1ea836d06473829e51929a351b2fa21d5a32b269d6265f3870ece7314907112d4522c064c646184f7604d9316f29b36318320e7544a67593f35033
-
/data/data/com.isrigzxj.cbtqprrg/databases/privatesms.db-shmFilesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
/data/data/com.isrigzxj.cbtqprrg/databases/privatesms.db-walFilesize
28KB
MD503c0e5bddaa42f8df6d387ca9e46a920
SHA1bbc161d9e01b36cc82e285df1d7ddf9b06ee346b
SHA2566b81c7069560cf7f1bd550969312573350c3c71a954e3f1162826986951d2846
SHA512cfb52b7d38b21276927f910f33e08dedb132ce07aa730cef8e4c11e3b565cda4962b1517b80ab18e44e74d880cdb71ac5407e421d50cc3c4a7a401f059e4d809
-
/data/data/com.isrigzxj.cbtqprrg/files/476930.soFilesize
145KB
MD5f74953102f58b152b02f105be430863b
SHA1aa8ffd18a7b41d78b70dd02c66e99c8d46936647
SHA256e7bf368d0b6f671b30a52659c1c0808efedd80f9d6ab2d7ebf7d135eb4f018cf
SHA512d6251a916869a1474531e56e910b38988f650ae8c74d6ce64e35d5ce63ce5a99d120c6c0dc0b7854c964716d33ae577560be46a44302304cc00751e41df93310
-
/data/data/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zipFilesize
549KB
MD562c866a108367ae783d929466f09e520
SHA1b10089574302e09e181b115e6d8f459a0ddb1289
SHA2564b44d4e08342d15ddd6dd119633b02ad8eac9181595ef67e26f30a4c6b006377
SHA512e4822da4a14907b0ee374ee08a6cc6becfa3b4b126b5f905374dc5233acf57da2bb42050f751a45a5a2d42d79b61eb075ee414d8143a7a7dc707855de30459c8
-
/data/data/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zipFilesize
649KB
MD547ceb452a01d8c194fa7f533c3e61419
SHA1042ec91a633cfef544f19962000220b8d1803465
SHA256e33014c1ea38fe32cd60a59859fad9221be4da7dd964b1d05d350b3cd396d8be
SHA5128097fe583cf1edeb60d892471b6b0e84e35dd431e096e53ae505f69ba3be5b572a7d55723f2214dff8556ab32c7c08420305600fd67cf2b564ec60de84141d07
-
/data/data/com.isrigzxj.cbtqprrg/files/dex/pro_btn_bg_animation_img_0.jpg.zipFilesize
8KB
MD57c20a2b01bf3f9df1f0abb72ebbe82be
SHA1e601b2e41434623edbeece32867517a3cdec5449
SHA2561a10cc3cd2dc21a9be2d2eb758fd19288082619d331245b927d0a9299462ea2e
SHA5123faa6efbd3ebf6e1aff7ebe9958c5f94bbfe9c5ff9e11e9092b1b7301bbe6504c01b922d709303147e213b3cadce8e96462220a1d1bf4d6cdaec95b3f84bb1b4
-
/data/data/com.isrigzxj.cbtqprrg/logs/Sistema1717293931305.logFilesize
15KB
MD5d59c198e3c2a0ef4c50989ac15582e54
SHA1bf7560349633a15c4a164f1b3024b1a11ff6ec81
SHA256306c7676273eaf8d37a9ecb38898aed27d39edc6f07475e78bf9094a5b4922bc
SHA5120a31a2791f5f38a329e32be4c61c67dc182ea7a0f15dc83f90534f76e9fe342490f732609f0c2a0f341e6d525baede6a1b0e8dbcce360d28193b6b0de1f36bcc
-
/data/user/0/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zipFilesize
1.3MB
MD55d406a89b3f279a04a4979a8e2616285
SHA1f113cce18c373f2ebf5547512fd9113000595782
SHA256b7f516dd7642d84757bd90344056ab33023461bef6aa83c6525f8e690a5fd2cc
SHA512c11f99cbf360960e99cbf75cf83b604291e71b7881bdf6d864dfce8bb6f58c697e8473f045b88d54905d8118a3a2aacf4a4ebd60145ca8fd18078495b5fef933
-
/data/user/0/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zipFilesize
1.3MB
MD51d68cee2d48c35b6d1ecab77514c7038
SHA10bfe331e5587925f8c059ae1d49c6f74dd46b6df
SHA2565a97c14f0f065e1a76385da045cbde4eb796b0e7fb14108a26158a6db5484d94
SHA5129220c3e5cce2e45738d30a8c0b50b9398d4ee6f7ed67ca3e15aa16608dfb148aaefceadc8f2d4c2862f0e53d5411cf75ab231972d8ea93f80ee8da4714e8f95e
-
/data/user/0/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zipFilesize
1.7MB
MD5bc6c40ec39e4232f450c7130aee50f86
SHA1c69aa5570e552b87c8daf20b6e4aa870b3954bb0
SHA256eb81cf25922948ce723b7c6660933eb4029f52c808e7d84e2e8cff2eb0749a0b
SHA5122f3e2aa11d682972a59e3a4929433cb31ed1bce2e5a76dfcbadba2c02cb3df6b65e029c9b60613542ecbfba8578cf8884d88a5b4f5eac53695a17a5838721e78
-
/data/user/0/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zipFilesize
1.7MB
MD52c9a66cccee940a9d97e022d58e42a31
SHA141b803435dcd32c6a9d34b3cdc0a5303f558462a
SHA256bef099bbba7d5eef8f99a2a604da109fab85b1acfc548494fdcf9a5b70ff711f
SHA512aca9db3a864f49d50ae061bcce01cef6b8fd9c9fefcb5cce6ffadfef18ed64abb09c01da84bb7abc8e5251f989b06d556a19d91b708a88b010aefef155312429