Analysis

  • max time kernel
    46s
  • max time network
    131s
  • platform
    android_x86
  • resource
    android-x86-arm-20240603-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240603-en, locale:en-us, os:android-9-x86, system
  • submitted
    09/06/2024, 02:37 UTC

General

  • Target

    f1650d7488a50d35593c1abd1820a65c2369c8a46cbe5c283054d64cc5628a25.apk

  • Size

    2.4MB

  • MD5

    b4b02386646deb9cf7e9550dec0f9700

  • SHA1

    10d031670eceddbd4498b2da75ad28b2a2a5ce77

  • SHA256

    f1650d7488a50d35593c1abd1820a65c2369c8a46cbe5c283054d64cc5628a25

  • SHA512

    e07f6ca9fea4141a3ef15746eb9cfbf9026a4b5598795c7151f71082535a895d84be753ffccf091ea48386476e58cebd7dd2b5d287665484927c1c9b825d8a2b

  • SSDEEP

    49152:+oUQbLSzFXcKcTmvXG2WD09ec6keGp6O4hkna:+o/KzFg4XG2d9lTpx4hua

Malware Config

Extracted

Family

tispy

C2

https://brunoespiao.com.br/esp/appprofile.jsp

Signatures

  • TiSpy

    TiSpy is an Android stalkerware.

  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Requests cell location 2 TTPs 1 IoCs

    Uses Android APIs to get the current cell location.

  • Acquires the wake lock 1 IoCs
  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.tndmcphn.pbflhqvr
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about the current nearby Wi-Fi networks
    • Requests cell location
    • Acquires the wake lock
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4280
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tndmcphn.pbflhqvr/files/dex/mZvjrMfQEACRdAhUt.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.tndmcphn.pbflhqvr/files/dex/oat/x86/mZvjrMfQEACRdAhUt.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4306

Network

  • flag-us
    DNS
    semanticlocation-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    semanticlocation-pa.googleapis.com
    IN A
    Response
    semanticlocation-pa.googleapis.com
    IN A
    172.217.16.234
    semanticlocation-pa.googleapis.com
    IN A
    142.250.178.10
    semanticlocation-pa.googleapis.com
    IN A
    216.58.212.234
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.202
    semanticlocation-pa.googleapis.com
    IN A
    216.58.201.106
    semanticlocation-pa.googleapis.com
    IN A
    216.58.204.74
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.42
    semanticlocation-pa.googleapis.com
    IN A
    142.250.179.234
    semanticlocation-pa.googleapis.com
    IN A
    216.58.213.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.234
    semanticlocation-pa.googleapis.com
    IN A
    142.250.180.10
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.10
  • flag-us
    DNS
    brunoespiao.com.br
    Remote address:
    1.1.1.1:53
    Request
    brunoespiao.com.br
    IN A
    Response
    brunoespiao.com.br
    IN A
    172.67.189.189
    brunoespiao.com.br
    IN A
    104.21.49.104
  • flag-us
    GET
    https://brunoespiao.com.br/esp/appprofile.jsp
    Remote address:
    172.67.189.189:443
    Request
    GET /esp/appprofile.jsp HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
    Host: brunoespiao.com.br
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200
    Date: Sun, 09 Jun 2024 02:38:52 GMT
    Content-Type: application/json;charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: JSESSIONID=DF6CDFD538FDB8A79F5AEA6D6A1D2F72; Path=/esp; HttpOnly
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AjgoWs92hjyCvX8Z0kmnUHb7cs6F2%2B4ZDcf671Emz46tRMgoPkbbZAn%2Be8qjPnNugmD854jkDMXXyhg9uFgnlFKB1DLBHIE9GBQ8efHL14VancuTQrWOQ5W%2FfQGNEG%2Bq5CyTCGw%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 890dbf76ddb793f0-LHR
    Content-Encoding: gzip
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    thypix.com
    Remote address:
    1.1.1.1:53
    Request
    thypix.com
    IN A
    Response
    thypix.com
    IN A
    172.67.190.180
    thypix.com
    IN A
    104.21.19.250
  • flag-us
    GET
    https://thypix.com/wp-content/uploads/2021/01/black-wallpapers-for-smartphone-102-700x990.jpg
    Remote address:
    172.67.190.180:443
    Request
    GET /wp-content/uploads/2021/01/black-wallpapers-for-smartphone-102-700x990.jpg HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
    Host: thypix.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Sun, 09 Jun 2024 02:38:52 GMT
    Content-Type: image/jpeg
    Content-Length: 3828
    Connection: keep-alive
    last-modified: Thu, 04 Aug 2022 13:34:51 GMT
    etag: "62ebcafb-ef4"
    x-powered-by: PleskLin
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 3264
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sx5lO0cC0Hd5BxAZG%2FFHMs4UYiPThspGPPJJfWYj4pCw6HbSjloZvFJx7C7LWxUYnfxP6jEBkj%2BdZe%2BFdLqfzc%2BnbeyVvnOyEcPlmN2HlEvF5VtPZ%2FzCfsxwmxDv"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Vary: Accept-Encoding
    Server: cloudflare
    CF-RAY: 890dbf7a8d9d640f-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    pc.brunoespiao.com.br
    Remote address:
    1.1.1.1:53
    Request
    pc.brunoespiao.com.br
    IN A
    Response
    pc.brunoespiao.com.br
    IN A
    34.200.160.51
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    172.217.16.238
  • 142.250.187.234:443
    tls, https
    202 B
    40 B
    1
    1
  • 172.67.189.189:443
    https://brunoespiao.com.br/esp/appprofile.jsp
    tls, http
    970 B
    7.0kB
    9
    10

    HTTP Request

    GET https://brunoespiao.com.br/esp/appprofile.jsp

    HTTP Response

    200
  • 172.67.190.180:443
    https://thypix.com/wp-content/uploads/2021/01/black-wallpapers-for-smartphone-102-700x990.jpg
    tls, http
    1.1kB
    10.2kB
    11
    12

    HTTP Request

    GET https://thypix.com/wp-content/uploads/2021/01/black-wallpapers-for-smartphone-102-700x990.jpg

    HTTP Response

    200
  • 34.200.160.51:443
    pc.brunoespiao.com.br
    tls
    1.4kB
    10.1kB
    12
    13
  • 142.250.200.46:443
    tls, https
    858 B
    40 B
    1
    1
  • 172.217.16.238:443
    android.apis.google.com
    tls
    4.7kB
    8.8kB
    14
    22
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    semanticlocation-pa.googleapis.com
    dns
    80 B
    288 B
    1
    1

    DNS Request

    semanticlocation-pa.googleapis.com

    DNS Response

    172.217.16.234
    142.250.178.10
    216.58.212.234
    142.250.187.202
    216.58.201.106
    216.58.204.74
    142.250.200.10
    142.250.200.42
    142.250.179.234
    216.58.213.10
    142.250.187.234
    142.250.180.10
    172.217.169.10

  • 1.1.1.1:53
    brunoespiao.com.br
    dns
    64 B
    96 B
    1
    1

    DNS Request

    brunoespiao.com.br

    DNS Response

    172.67.189.189
    104.21.49.104

  • 1.1.1.1:53
    thypix.com
    dns
    56 B
    88 B
    1
    1

    DNS Request

    thypix.com

    DNS Response

    172.67.190.180
    104.21.19.250

  • 1.1.1.1:53
    pc.brunoespiao.com.br
    dns
    67 B
    83 B
    1
    1

    DNS Request

    pc.brunoespiao.com.br

    DNS Response

    34.200.160.51

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    172.217.16.238

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.tndmcphn.pbflhqvr/databases/privatesms.db

    Filesize

    16KB

    MD5

    3621ce0aa81e37bc5c80e2cf881f1dd0

    SHA1

    00365f82dcada94caea07443656848baf60b3bd9

    SHA256

    8620d146b06037c9dc98b8788c3137344eb9d7e1f8b982ffec4c1d8549f24dd5

    SHA512

    76bb7175359d61ce39e95008269752de25769c4e274b4bcf37b920bc2cbfb680b2a4a88de860ed069655d1f47604638b0301c2c6131107cd929348895d73d2bf

  • /data/data/com.tndmcphn.pbflhqvr/databases/privatesms.db-journal

    Filesize

    512B

    MD5

    aa7b5fc680c2fe9abacf5aac9de40f14

    SHA1

    e709f72b47d1b5f7548f1800fc5b6ac48af70f89

    SHA256

    374cfcbfc94053645163f8382592b3d936c1bc6443e160e783d423605a7ba3d0

    SHA512

    c8e96e292d39cc9a3c33eaf16a425f48e81c07f20f0084298a66c2be2236e635c4b4d5a7e2a2ac010bc95183d5c3aed53d108ea6acd318c0598eb408dcb088a8

  • /data/data/com.tndmcphn.pbflhqvr/databases/privatesms.db-shm

    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.tndmcphn.pbflhqvr/databases/privatesms.db-wal

    Filesize

    28KB

    MD5

    8455c5727eb7275c150ca83cecf9e592

    SHA1

    2413c2ce50e20be681e43ba71d8b2cbbf12b72e3

    SHA256

    e2dc051941c52aa261ce557e79a85bea40147bb622df2df0a13cb20a3771aaa9

    SHA512

    d11e65f31a09c8afee2df93f5ddb759b58f04a40568842dfd34f5cfbc7d4c44ba1fb3cd37339b3506042bcb26ae1afbd84b7b1a64c3773f9f50d769b5ba68c03

  • /data/data/com.tndmcphn.pbflhqvr/files/477191.so

    Filesize

    145KB

    MD5

    db19ee2f80237c276d3a65e038ff3fb1

    SHA1

    14c53162b67a5083fca05658fabc6e441dc49008

    SHA256

    269409d57e6375570c700392230a7534bcba9fc62e7bc83bfe7f7ec7be8592a6

    SHA512

    1318713c9a9f56de9bf08641f3c4177f3b8230ceb7abb7cc4db710363e8c6415dbb828834ad837f9d2e91ffe1546e8ba20c4b2e46957becac7ac08b25b2792c5

  • /data/data/com.tndmcphn.pbflhqvr/files/Background/black-wallpapers-for-smartphone-102-700x990.jpg

    Filesize

    3KB

    MD5

    4651e1fd4234ee465d6fe6349f2e178d

    SHA1

    1a86fbd1edd11fa983155172d484959760c1fc0e

    SHA256

    725ccd777793d5b05707aa28438b58a021c15b0f9cf47ace83aada6ea93a921b

    SHA512

    6962571dbc91930f4624e3c80e1ab7a5ac23f8f13ccb4587d1619c5d5f8e9731974ae954e8b9ba2e86084f8e797c6a9d49267667a98e47bd7af9e0af29686b0c

  • /data/data/com.tndmcphn.pbflhqvr/files/dex/mZvjrMfQEACRdAhUt.zip

    Filesize

    531KB

    MD5

    50d78e1dbc1066e433cfbdb728e00dc4

    SHA1

    f61fea7711c841c6064dd39a25deecda9da842de

    SHA256

    721e09d908922941752b942669f1edbe3f5cd3221179ea6fd5ed6de24b87b088

    SHA512

    b3050eedc5fadcc866d6c8cbbae3d915249c68ed07bb628af0dc887d0bf32fdd95dc8d3372e65f9738a0a1d4cb9265e481eca505b7a7572a7c05c39b9439794d

  • /data/data/com.tndmcphn.pbflhqvr/logs/Sistema1717900728635.log

    Filesize

    17KB

    MD5

    30d8e41fdc6e7553db5f3f30e44352f7

    SHA1

    453d783871412c0bf1dc17bb78f2f038f5e5cf23

    SHA256

    fdf19fc26235742492419eeb33b7c6631883ba0f85ea9a4456e5e77ab276b651

    SHA512

    71b632307a643074657ae8a971f60e903666090e717ecd8dab583aa3d1bee2482e203a4ad86f99b697817111e7c528e4d7c6fb5adec6f3936e7300f601b3ce5c

  • /data/user/0/com.tndmcphn.pbflhqvr/files/dex/mZvjrMfQEACRdAhUt.zip

    Filesize

    1.3MB

    MD5

    9939a81a288cf2ced10c58a7e3216693

    SHA1

    86af39bd7afbb6a0fc8b8f09f24e9607de906aad

    SHA256

    177488b2ac624ad6625bc3282bada9d76b39471dc7a0399a6893dcc8077cf470

    SHA512

    3485e2a2bd00fe598600ab160d9dec14ac4b2dcde3c1e8f0b4326390fe688f624b9713a916c6f5a98fa71867e8e92632f5dc6b989cb74d17fdedb28c92464779

  • /data/user/0/com.tndmcphn.pbflhqvr/files/dex/mZvjrMfQEACRdAhUt.zip

    Filesize

    1.3MB

    MD5

    2605a6c20bab31f5a26fb2551c7f1ed3

    SHA1

    f277f85d168e55c47f5fb45b05411b9ce4e25dc6

    SHA256

    f4d0f6519ed32f434ec071a2c0e861f00deaefbe023b4e2ba5e208f953da5d2c

    SHA512

    bcabbaf1111ac4d88bf3df0569d42f4fa91b491ec4fb4a914462f8c071acc8dd8b34a8fee2012a8d3e2e4f20910c8f08f320c012f1160f4d528b72120e2e146f
