Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
46s -
max time network
131s -
platform
android_x86 -
resource
android-x86-arm-20240603-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240603-enlocale:en-usos:android-9-x86system -
submitted
09/06/2024, 02:37 UTC
Static task
static1
Behavioral task
behavioral1
Sample
f1650d7488a50d35593c1abd1820a65c2369c8a46cbe5c283054d64cc5628a25.apk
Resource
android-x86-arm-20240603-en
General
-
Target
f1650d7488a50d35593c1abd1820a65c2369c8a46cbe5c283054d64cc5628a25.apk
-
Size
2.4MB
-
MD5
b4b02386646deb9cf7e9550dec0f9700
-
SHA1
10d031670eceddbd4498b2da75ad28b2a2a5ce77
-
SHA256
f1650d7488a50d35593c1abd1820a65c2369c8a46cbe5c283054d64cc5628a25
-
SHA512
e07f6ca9fea4141a3ef15746eb9cfbf9026a4b5598795c7151f71082535a895d84be753ffccf091ea48386476e58cebd7dd2b5d287665484927c1c9b825d8a2b
-
SSDEEP
49152:+oUQbLSzFXcKcTmvXG2WD09ec6keGp6O4hkna:+o/KzFg4XG2d9lTpx4hua
Malware Config
Extracted
tispy
https://brunoespiao.com.br/esp/appprofile.jsp
Signatures
-
TiSpy
TiSpy is an Android stalkerware.
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.tndmcphn.pbflhqvr/files/dex/mZvjrMfQEACRdAhUt.zip 4306 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tndmcphn.pbflhqvr/files/dex/mZvjrMfQEACRdAhUt.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.tndmcphn.pbflhqvr/files/dex/oat/x86/mZvjrMfQEACRdAhUt.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.tndmcphn.pbflhqvr/files/dex/mZvjrMfQEACRdAhUt.zip 4280 com.tndmcphn.pbflhqvr -
Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.
description ioc Process Framework service call android.net.wifi.IWifiManager.getScanResults com.tndmcphn.pbflhqvr -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.tndmcphn.pbflhqvr -
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.tndmcphn.pbflhqvr -
Queries information about active data network 1 TTPs 1 IoCs
description ioc Process Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.tndmcphn.pbflhqvr -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description ioc Process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.tndmcphn.pbflhqvr -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.tndmcphn.pbflhqvr -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description ioc Process Framework service call android.app.IActivityManager.registerReceiver com.tndmcphn.pbflhqvr -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.tndmcphn.pbflhqvr -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.tndmcphn.pbflhqvr
Processes
-
com.tndmcphn.pbflhqvr1⤵
- Loads dropped Dex/Jar
- Queries information about the current nearby Wi-Fi networks
- Requests cell location
- Acquires the wake lock
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:4280 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tndmcphn.pbflhqvr/files/dex/mZvjrMfQEACRdAhUt.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.tndmcphn.pbflhqvr/files/dex/oat/x86/mZvjrMfQEACRdAhUt.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4306
-
Network
-
Remote address:1.1.1.1:53Requestsemanticlocation-pa.googleapis.comIN AResponsesemanticlocation-pa.googleapis.comIN A172.217.16.234semanticlocation-pa.googleapis.comIN A142.250.178.10semanticlocation-pa.googleapis.comIN A216.58.212.234semanticlocation-pa.googleapis.comIN A142.250.187.202semanticlocation-pa.googleapis.comIN A216.58.201.106semanticlocation-pa.googleapis.comIN A216.58.204.74semanticlocation-pa.googleapis.comIN A142.250.200.10semanticlocation-pa.googleapis.comIN A142.250.200.42semanticlocation-pa.googleapis.comIN A142.250.179.234semanticlocation-pa.googleapis.comIN A216.58.213.10semanticlocation-pa.googleapis.comIN A142.250.187.234semanticlocation-pa.googleapis.comIN A142.250.180.10semanticlocation-pa.googleapis.comIN A172.217.169.10
-
Remote address:1.1.1.1:53Requestbrunoespiao.com.brIN AResponsebrunoespiao.com.brIN A172.67.189.189brunoespiao.com.brIN A104.21.49.104
-
Remote address:172.67.189.189:443RequestGET /esp/appprofile.jsp HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
Host: brunoespiao.com.br
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 200
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: JSESSIONID=DF6CDFD538FDB8A79F5AEA6D6A1D2F72; Path=/esp; HttpOnly
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AjgoWs92hjyCvX8Z0kmnUHb7cs6F2%2B4ZDcf671Emz46tRMgoPkbbZAn%2Be8qjPnNugmD854jkDMXXyhg9uFgnlFKB1DLBHIE9GBQ8efHL14VancuTQrWOQ5W%2FfQGNEG%2Bq5CyTCGw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 890dbf76ddb793f0-LHR
Content-Encoding: gzip
alt-svc: h3=":443"; ma=86400
-
Remote address:1.1.1.1:53Requestthypix.comIN AResponsethypix.comIN A172.67.190.180thypix.comIN A104.21.19.250
-
Remote address:172.67.190.180:443RequestGET /wp-content/uploads/2021/01/black-wallpapers-for-smartphone-102-700x990.jpg HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
Host: thypix.com
Connection: Keep-Alive
Accept-Encoding: gzip
ResponseHTTP/1.1 200 OK
Content-Type: image/jpeg
Content-Length: 3828
Connection: keep-alive
last-modified: Thu, 04 Aug 2022 13:34:51 GMT
etag: "62ebcafb-ef4"
x-powered-by: PleskLin
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 3264
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sx5lO0cC0Hd5BxAZG%2FFHMs4UYiPThspGPPJJfWYj4pCw6HbSjloZvFJx7C7LWxUYnfxP6jEBkj%2BdZe%2BFdLqfzc%2BnbeyVvnOyEcPlmN2HlEvF5VtPZ%2FzCfsxwmxDv"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 890dbf7a8d9d640f-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:1.1.1.1:53Requestpc.brunoespiao.com.brIN AResponsepc.brunoespiao.com.brIN A34.200.160.51
-
Remote address:1.1.1.1:53Requestandroid.apis.google.comIN AResponseandroid.apis.google.comIN CNAMEclients.l.google.comclients.l.google.comIN A172.217.16.238
-
202 B 40 B 1 1
-
970 B 7.0kB 9 10
HTTP Request
GET https://brunoespiao.com.br/esp/appprofile.jspHTTP Response
200 -
172.67.190.180:443https://thypix.com/wp-content/uploads/2021/01/black-wallpapers-for-smartphone-102-700x990.jpgtls, http1.1kB 10.2kB 11 12
HTTP Request
GET https://thypix.com/wp-content/uploads/2021/01/black-wallpapers-for-smartphone-102-700x990.jpgHTTP Response
200 -
1.4kB 10.1kB 12 13
-
858 B 40 B 1 1
-
4.7kB 8.8kB 14 22
-
3.7kB 11
-
80 B 288 B 1 1
DNS Request
semanticlocation-pa.googleapis.com
DNS Response
172.217.16.234142.250.178.10216.58.212.234142.250.187.202216.58.201.106216.58.204.74142.250.200.10142.250.200.42142.250.179.234216.58.213.10142.250.187.234142.250.180.10172.217.169.10
-
64 B 96 B 1 1
DNS Request
brunoespiao.com.br
DNS Response
172.67.189.189104.21.49.104
-
56 B 88 B 1 1
DNS Request
thypix.com
DNS Response
172.67.190.180104.21.19.250
-
67 B 83 B 1 1
DNS Request
pc.brunoespiao.com.br
DNS Response
34.200.160.51
-
69 B 109 B 1 1
DNS Request
android.apis.google.com
DNS Response
172.217.16.238
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Execution Guardrails
1Geofencing
1Virtualization/Sandbox Evasion
2System Checks
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD53621ce0aa81e37bc5c80e2cf881f1dd0
SHA100365f82dcada94caea07443656848baf60b3bd9
SHA2568620d146b06037c9dc98b8788c3137344eb9d7e1f8b982ffec4c1d8549f24dd5
SHA51276bb7175359d61ce39e95008269752de25769c4e274b4bcf37b920bc2cbfb680b2a4a88de860ed069655d1f47604638b0301c2c6131107cd929348895d73d2bf
-
Filesize
512B
MD5aa7b5fc680c2fe9abacf5aac9de40f14
SHA1e709f72b47d1b5f7548f1800fc5b6ac48af70f89
SHA256374cfcbfc94053645163f8382592b3d936c1bc6443e160e783d423605a7ba3d0
SHA512c8e96e292d39cc9a3c33eaf16a425f48e81c07f20f0084298a66c2be2236e635c4b4d5a7e2a2ac010bc95183d5c3aed53d108ea6acd318c0598eb408dcb088a8
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
28KB
MD58455c5727eb7275c150ca83cecf9e592
SHA12413c2ce50e20be681e43ba71d8b2cbbf12b72e3
SHA256e2dc051941c52aa261ce557e79a85bea40147bb622df2df0a13cb20a3771aaa9
SHA512d11e65f31a09c8afee2df93f5ddb759b58f04a40568842dfd34f5cfbc7d4c44ba1fb3cd37339b3506042bcb26ae1afbd84b7b1a64c3773f9f50d769b5ba68c03
-
Filesize
145KB
MD5db19ee2f80237c276d3a65e038ff3fb1
SHA114c53162b67a5083fca05658fabc6e441dc49008
SHA256269409d57e6375570c700392230a7534bcba9fc62e7bc83bfe7f7ec7be8592a6
SHA5121318713c9a9f56de9bf08641f3c4177f3b8230ceb7abb7cc4db710363e8c6415dbb828834ad837f9d2e91ffe1546e8ba20c4b2e46957becac7ac08b25b2792c5
-
Filesize
3KB
MD54651e1fd4234ee465d6fe6349f2e178d
SHA11a86fbd1edd11fa983155172d484959760c1fc0e
SHA256725ccd777793d5b05707aa28438b58a021c15b0f9cf47ace83aada6ea93a921b
SHA5126962571dbc91930f4624e3c80e1ab7a5ac23f8f13ccb4587d1619c5d5f8e9731974ae954e8b9ba2e86084f8e797c6a9d49267667a98e47bd7af9e0af29686b0c
-
Filesize
531KB
MD550d78e1dbc1066e433cfbdb728e00dc4
SHA1f61fea7711c841c6064dd39a25deecda9da842de
SHA256721e09d908922941752b942669f1edbe3f5cd3221179ea6fd5ed6de24b87b088
SHA512b3050eedc5fadcc866d6c8cbbae3d915249c68ed07bb628af0dc887d0bf32fdd95dc8d3372e65f9738a0a1d4cb9265e481eca505b7a7572a7c05c39b9439794d
-
Filesize
17KB
MD530d8e41fdc6e7553db5f3f30e44352f7
SHA1453d783871412c0bf1dc17bb78f2f038f5e5cf23
SHA256fdf19fc26235742492419eeb33b7c6631883ba0f85ea9a4456e5e77ab276b651
SHA51271b632307a643074657ae8a971f60e903666090e717ecd8dab583aa3d1bee2482e203a4ad86f99b697817111e7c528e4d7c6fb5adec6f3936e7300f601b3ce5c
-
Filesize
1.3MB
MD59939a81a288cf2ced10c58a7e3216693
SHA186af39bd7afbb6a0fc8b8f09f24e9607de906aad
SHA256177488b2ac624ad6625bc3282bada9d76b39471dc7a0399a6893dcc8077cf470
SHA5123485e2a2bd00fe598600ab160d9dec14ac4b2dcde3c1e8f0b4326390fe688f624b9713a916c6f5a98fa71867e8e92632f5dc6b989cb74d17fdedb28c92464779
-
Filesize
1.3MB
MD52605a6c20bab31f5a26fb2551c7f1ed3
SHA1f277f85d168e55c47f5fb45b05411b9ce4e25dc6
SHA256f4d0f6519ed32f434ec071a2c0e861f00deaefbe023b4e2ba5e208f953da5d2c
SHA512bcabbaf1111ac4d88bf3df0569d42f4fa91b491ec4fb4a914462f8c071acc8dd8b34a8fee2012a8d3e2e4f20910c8f08f320c012f1160f4d528b72120e2e146f