Analysis Overview
SHA256
8b8351f544ec6727484b42715dfb1b205d78fc466f228928df62c81e68cec34b
Threat Level: Known bad
The file 8b8351f544ec6727484b42715dfb1b205d78fc466f228928df62c81e68cec34b was found to be: Known bad.
Malicious Activity Summary
TiSpy
Queries information about the current nearby Wi-Fi networks
Queries the phone number (MSISDN for GSM devices)
Requests cell location
Loads dropped Dex/Jar
Declares broadcast receivers with permission to handle system events
Queries information about active data network
Acquires the wake lock
Queries information about the current Wi-Fi connection
Queries the mobile country code (MCC)
Declares services with permission to bind to the system
Requests dangerous framework permissions
Reads information about phone network operator
Registers a broadcast receiver at runtime (usually for listening for system events)
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-06 02:28
Signatures
Declares broadcast receivers with permission to handle system events
| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
| Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows the app to answer an incoming phone call. | android.permission.ANSWER_PHONE_CALLS | N/A | N/A |
| Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 02:27
Reported
2024-06-06 02:31
Platform
android-x86-arm-20240603-en
Max time kernel
47s
Max time network
132s
Command Line
Signatures
TiSpy
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/user/0/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zip | N/A | N/A |
| N/A | /data/user/0/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zip | N/A | N/A |
| N/A | /data/user/0/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zip | N/A | N/A |
| N/A | /data/user/0/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zip | N/A | N/A |
| N/A | /data/user/0/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zip | N/A | N/A |
| N/A | /data/user/0/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zip | N/A | N/A |
Queries information about the current nearby Wi-Fi networks
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A |
Queries the phone number (MSISDN for GSM devices)
Requests cell location
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
Acquires the wake lock
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Reads information about phone network operator
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Processes
com.isrigzxj.cbtqprrg
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.isrigzxj.cbtqprrg/files/dex/oat/x86/4e980369f2fbb29b.odex --compiler-filter=quicken --class-loader-context=&
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.isrigzxj.cbtqprrg/files/dex/oat/x86/inhsgJPxCwtVVqzwD.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.234:443 | | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
Files
/data/data/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zip
| MD5 | 62c866a108367ae783d929466f09e520 |
| SHA1 | b10089574302e09e181b115e6d8f459a0ddb1289 |
| SHA256 | 4b44d4e08342d15ddd6dd119633b02ad8eac9181595ef67e26f30a4c6b006377 |
| SHA512 | e4822da4a14907b0ee374ee08a6cc6becfa3b4b126b5f905374dc5233acf57da2bb42050f751a45a5a2d42d79b61eb075ee414d8143a7a7dc707855de30459c8 |
/data/user/0/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zip
| MD5 | 1d68cee2d48c35b6d1ecab77514c7038 |
| SHA1 | 0bfe331e5587925f8c059ae1d49c6f74dd46b6df |
| SHA256 | 5a97c14f0f065e1a76385da045cbde4eb796b0e7fb14108a26158a6db5484d94 |
| SHA512 | 9220c3e5cce2e45738d30a8c0b50b9398d4ee6f7ed67ca3e15aa16608dfb148aaefceadc8f2d4c2862f0e53d5411cf75ab231972d8ea93f80ee8da4714e8f95e |
/data/user/0/com.isrigzxj.cbtqprrg/files/dex/4e980369f2fbb29b.zip
| MD5 | 5d406a89b3f279a04a4979a8e2616285 |
| SHA1 | f113cce18c373f2ebf5547512fd9113000595782 |
| SHA256 | b7f516dd7642d84757bd90344056ab33023461bef6aa83c6525f8e690a5fd2cc |
| SHA512 | c11f99cbf360960e99cbf75cf83b604291e71b7881bdf6d864dfce8bb6f58c697e8473f045b88d54905d8118a3a2aacf4a4ebd60145ca8fd18078495b5fef933 |
/data/data/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zip
| MD5 | 47ceb452a01d8c194fa7f533c3e61419 |
| SHA1 | 042ec91a633cfef544f19962000220b8d1803465 |
| SHA256 | e33014c1ea38fe32cd60a59859fad9221be4da7dd964b1d05d350b3cd396d8be |
| SHA512 | 8097fe583cf1edeb60d892471b6b0e84e35dd431e096e53ae505f69ba3be5b572a7d55723f2214dff8556ab32c7c08420305600fd67cf2b564ec60de84141d07 |
/data/user/0/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zip
| MD5 | 2c9a66cccee940a9d97e022d58e42a31 |
| SHA1 | 41b803435dcd32c6a9d34b3cdc0a5303f558462a |
| SHA256 | bef099bbba7d5eef8f99a2a604da109fab85b1acfc548494fdcf9a5b70ff711f |
| SHA512 | aca9db3a864f49d50ae061bcce01cef6b8fd9c9fefcb5cce6ffadfef18ed64abb09c01da84bb7abc8e5251f989b06d556a19d91b708a88b010aefef155312429 |
/data/user/0/com.isrigzxj.cbtqprrg/files/dex/inhsgJPxCwtVVqzwD.zip
| MD5 | bc6c40ec39e4232f450c7130aee50f86 |
| SHA1 | c69aa5570e552b87c8daf20b6e4aa870b3954bb0 |
| SHA256 | eb81cf25922948ce723b7c6660933eb4029f52c808e7d84e2e8cff2eb0749a0b |
| SHA512 | 2f3e2aa11d682972a59e3a4929433cb31ed1bce2e5a76dfcbadba2c02cb3df6b65e029c9b60613542ecbfba8578cf8884d88a5b4f5eac53695a17a5838721e78 |
/data/data/com.isrigzxj.cbtqprrg/files/dex/pro_btn_bg_animation_img_0.jpg.zip
| MD5 | 7c20a2b01bf3f9df1f0abb72ebbe82be |
| SHA1 | e601b2e41434623edbeece32867517a3cdec5449 |
| SHA256 | 1a10cc3cd2dc21a9be2d2eb758fd19288082619d331245b927d0a9299462ea2e |
| SHA512 | 3faa6efbd3ebf6e1aff7ebe9958c5f94bbfe9c5ff9e11e9092b1b7301bbe6504c01b922d709303147e213b3cadce8e96462220a1d1bf4d6cdaec95b3f84bb1b4 |
/data/data/com.isrigzxj.cbtqprrg/files/476930.so
| MD5 | f74953102f58b152b02f105be430863b |
| SHA1 | aa8ffd18a7b41d78b70dd02c66e99c8d46936647 |
| SHA256 | e7bf368d0b6f671b30a52659c1c0808efedd80f9d6ab2d7ebf7d135eb4f018cf |
| SHA512 | d6251a916869a1474531e56e910b38988f650ae8c74d6ce64e35d5ce63ce5a99d120c6c0dc0b7854c964716d33ae577560be46a44302304cc00751e41df93310 |
/data/data/com.isrigzxj.cbtqprrg/logs/Sistema1717640921508.log
| MD5 | 7bc40ace279d4457752bbf725697c27a |
| SHA1 | e836b287dbe002ac48c20129c4503ec5e8482354 |
| SHA256 | f29754e44eb5fc4fcb3c1983aee6ae22f6c1a73ee38e8d46b50001ba721b990c |
| SHA512 | b77b3b5833bd9c9f32980bc03ce6b61f73879d87f190001bcd6314ee8b7bd12b90a7f388b93e3422ccba0da33c5008036e9f694f97df9af9bbbb3489a4862f06 |
/data/data/com.isrigzxj.cbtqprrg/databases/privatesms.db-journal
| MD5 | 05fedf6419fdbb2c324c2fc3e325a3de |
| SHA1 | eb657778ecc5e2bbbce16321c36c687037a3b35e |
| SHA256 | 18d823fa13e53efb272647b817c023c57386a2bc5c928ed25df9e4c17b07de0c |
| SHA512 | 232221f81d20c7072429a4e1c81c0abed59f8c082913bc9db53ed51b84a3a17c560737a6b7fbeb32df1f12c010a30106a5b30f6e5cc039e6ae5c78bc0eae26b8 |
/data/data/com.isrigzxj.cbtqprrg/databases/privatesms.db
| MD5 | 3621ce0aa81e37bc5c80e2cf881f1dd0 |
| SHA1 | 00365f82dcada94caea07443656848baf60b3bd9 |
| SHA256 | 8620d146b06037c9dc98b8788c3137344eb9d7e1f8b982ffec4c1d8549f24dd5 |
| SHA512 | 76bb7175359d61ce39e95008269752de25769c4e274b4bcf37b920bc2cbfb680b2a4a88de860ed069655d1f47604638b0301c2c6131107cd929348895d73d2bf |
/data/data/com.isrigzxj.cbtqprrg/databases/privatesms.db-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.isrigzxj.cbtqprrg/databases/privatesms.db-wal
| MD5 | 56c432f420ec09409cfd3c512a70d4bb |
| SHA1 | 4d4e8f35a0de7e3ddf2dc8afea9cd76e1d7656aa |
| SHA256 | f98c250a66fa06d6ad766d312c94a4aa5322f12137d1267682f6cbdaf0f99230 |
| SHA512 | 483cd96740ac50854aeee73aec4fb3574ca68c07c648b08b39a56a5e7de46e09a7b8975f29c132fe28ae7f5021406f219f528a32b3453d62e85ec2db9c154000 |