tispy | 4f10c7ffc34e54c72c82e92f6a1d7992fb5c55ea9a98760195ccf6dc9a541107

Analysis

max time kernel
46s
max time network
157s
platform
android_x86
resource
android-x86-arm-20240611.1-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240611.1-enlocale:en-usos:android-9-x86system
submitted
17-06-2024 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f10c7ffc34e54c72c82e92f6a1d7992fb5c55ea9a98760195ccf6dc9a541107.apk
Size

2.4MB
MD5

f704ebe7d5ba61ea965d484361bbb672
SHA1

68767821178ed2dd18f0770efbecbaa97f75c7b7
SHA256

4f10c7ffc34e54c72c82e92f6a1d7992fb5c55ea9a98760195ccf6dc9a541107
SHA512

f2f95ac2caed68b316d69918b201223b507e5aac172a3af23d722c299a86da21426910680678b866a41e7d703f7e07ccd72f9890a13d20a78064acbac79e0522
SSDEEP

49152:A6KXkvfSeOHbvgJfU83IPCkGYYPOiSUgWNL0sA/TcnHA:bKUStHbIi83IPrSMUPNJeEHA

Score

10^/10

tispy collection discovery evasion infostealer persistence spyware trojan

Malware Config

Extracted

Family

tispy

https://brunoespiao.com.br/esp/appprofile.jsp

Signatures

TiSpy
TiSpy is an Android stalkerware.
trojan infostealer spyware tispy

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

T1407

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.nuwrwmqy.sgrnpwsn/files/dex/nbvxqMqfKGfHfKBzh.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.nuwrwmqy.sgrnpwsn/files/dex/oat/x86/nbvxqMqfKGfHfKBzh.odex --compiler-filter=quicken --class-loader-context=&com.nuwrwmqy.sgrnpwsn

ioc	pid	process
/data/user/0/com.nuwrwmqy.sgrnpwsn/files/dex/nbvxqMqfKGfHfKBzh.zip	4301	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.nuwrwmqy.sgrnpwsn/files/dex/nbvxqMqfKGfHfKBzh.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.nuwrwmqy.sgrnpwsn/files/dex/oat/x86/nbvxqMqfKGfHfKBzh.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.nuwrwmqy.sgrnpwsn/files/dex/nbvxqMqfKGfHfKBzh.zip	4274	com.nuwrwmqy.sgrnpwsn
/data/user/0/com.nuwrwmqy.sgrnpwsn/files/dex/nbvxqMqfKGfHfKBzh.zip	4274	com.nuwrwmqy.sgrnpwsn

Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.
discovery

T1421

Processes:

com.nuwrwmqy.sgrnpwsn

description ioc process

Framework service call android.net.wifi.IWifiManager.getScanResults com.nuwrwmqy.sgrnpwsn
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

T1422
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
collection discovery evasion

T1430

T1627.001

Processes:

com.nuwrwmqy.sgrnpwsn

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.nuwrwmqy.sgrnpwsn
Acquires the wake lock 1 IoCs

Processes:

com.nuwrwmqy.sgrnpwsn

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.nuwrwmqy.sgrnpwsn
Queries information about active data network 1 TTPs 1 IoCs
discovery

T1421

Processes:

com.nuwrwmqy.sgrnpwsn

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.nuwrwmqy.sgrnpwsn
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

T1421

Processes:

com.nuwrwmqy.sgrnpwsn

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.nuwrwmqy.sgrnpwsn
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

T1422

Processes:

com.nuwrwmqy.sgrnpwsn

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.nuwrwmqy.sgrnpwsn
Reads information about phone network operator. 1 TTPs
discovery

T1422
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

T1624.001

Processes:

com.nuwrwmqy.sgrnpwsn

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.nuwrwmqy.sgrnpwsn
Checks CPU information 2 TTPs 1 IoCs

T1633.001

T1426

Processes:

com.nuwrwmqy.sgrnpwsn

description ioc process

File opened for read /proc/cpuinfo com.nuwrwmqy.sgrnpwsn
Checks memory information 2 TTPs 1 IoCs

T1633.001

T1426

Processes:

com.nuwrwmqy.sgrnpwsn

description ioc process

File opened for read /proc/meminfo com.nuwrwmqy.sgrnpwsn

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getScanResults	com.nuwrwmqy.sgrnpwsn

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.nuwrwmqy.sgrnpwsn

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.nuwrwmqy.sgrnpwsn

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.nuwrwmqy.sgrnpwsn

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.nuwrwmqy.sgrnpwsn

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.nuwrwmqy.sgrnpwsn

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.nuwrwmqy.sgrnpwsn

description	ioc	process
File opened for read	/proc/cpuinfo	com.nuwrwmqy.sgrnpwsn

description	ioc	process
File opened for read	/proc/meminfo	com.nuwrwmqy.sgrnpwsn

com.nuwrwmqy.sgrnpwsn
1⤵
- Loads dropped Dex/Jar
- Queries information about the current nearby Wi-Fi networks
- Requests cell location
- Acquires the wake lock
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:4274

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.nuwrwmqy.sgrnpwsn/files/dex/nbvxqMqfKGfHfKBzh.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.nuwrwmqy.sgrnpwsn/files/dex/oat/x86/nbvxqMqfKGfHfKBzh.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:4301

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.nuwrwmqy.sgrnpwsn/databases/privatesms.db
Filesize
16KB

MD5
3621ce0aa81e37bc5c80e2cf881f1dd0

SHA1
00365f82dcada94caea07443656848baf60b3bd9

SHA256
8620d146b06037c9dc98b8788c3137344eb9d7e1f8b982ffec4c1d8549f24dd5

SHA512
76bb7175359d61ce39e95008269752de25769c4e274b4bcf37b920bc2cbfb680b2a4a88de860ed069655d1f47604638b0301c2c6131107cd929348895d73d2bf

Download Submit
/data/data/com.nuwrwmqy.sgrnpwsn/databases/privatesms.db-journal
Filesize
512B

MD5
c1075154dbe44bf74bdc4c00277fbb41

SHA1
e010adee772b084e25dca5e3866296b503aa7f29

SHA256
f4514c5a3e4b6d5a5bca703e573a9fdf75bb209b59f2e30ae18fe7d441f59175

SHA512
9dfb820a673ce6d5394c36cc9ea35162273a1b108944bba88caf0bc8366af4f8f3cbb0d9fa8a42a10cfed1d3c09e23ff2d558fa1bb5ab2ac62124a0fd864ff87

Download Submit
/data/data/com.nuwrwmqy.sgrnpwsn/databases/privatesms.db-shm
Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.nuwrwmqy.sgrnpwsn/databases/privatesms.db-wal
Filesize
28KB

MD5
667013b2493b43e0b1148a9fc7247b7a

SHA1
9779fefe68fb074cc32031ec7bc4be06991e6614

SHA256
e361a4aed16c33a33a1f06d2501e12a48b71720aeee28e05df5e40510ecc378a

SHA512
dc691f53450220488d1372da6ff70a4b59e158632541e616543603a8d5bbdaef682b9428c83d1d26dacc7dfc743b1df5844d7557638debd9556ec2511bb194c0

Download Submit
/data/data/com.nuwrwmqy.sgrnpwsn/files/477383.so
Filesize
145KB

MD5
fad0ec47f7ac508f31e2b8ce38f0bfaa

SHA1
334b8d474a5a2d7a09a82da3a2b064e1e93cd188

SHA256
48042289b55dacca46eb8490a240c0d14b4da86f173d47cc70a5cdc71dbdbe1f

SHA512
87760fad813907630b5df660cf26209b4681facf821f97823a5abab403e6598d94186fd19a6e7c7564baa03cc86f15e6c9b96823bb497c0ad95ce5211d325346

Download Submit
/data/data/com.nuwrwmqy.sgrnpwsn/files/Background/black-wallpapers-for-smartphone-102-700x990.jpg
Filesize
3KB

MD5
4651e1fd4234ee465d6fe6349f2e178d

SHA1
1a86fbd1edd11fa983155172d484959760c1fc0e

SHA256
725ccd777793d5b05707aa28438b58a021c15b0f9cf47ace83aada6ea93a921b

SHA512
6962571dbc91930f4624e3c80e1ab7a5ac23f8f13ccb4587d1619c5d5f8e9731974ae954e8b9ba2e86084f8e797c6a9d49267667a98e47bd7af9e0af29686b0c

Download Submit
/data/data/com.nuwrwmqy.sgrnpwsn/files/dex/nbvxqMqfKGfHfKBzh.zip
Filesize
535KB

MD5
0694f3ac46bfb9327140496abdc29529

SHA1
c38e09e31cd09909e4c8808cbcd06102c646bde8

SHA256
c48ad644fab5783d91fd59d17be1d568d445bf621ee2e705a592907be8c5c0e3

SHA512
629311db7aec2e37361e32d134031682d48036c3dbd1a1ef58840f2da70d17c1dee0757d08eb350056e93e27f2cb64519fb65b2ba9f32473037615c26ce726db

Download Submit
/data/data/com.nuwrwmqy.sgrnpwsn/logs/Sistema1718590392798.log
Filesize
17KB

MD5
0b5245a21fa941a8268e9cc756025c1b

SHA1
85cdcfdc26189bec00072639021527666f3a5d24

SHA256
a24f3b5ed16fd07bf860334cddab997a276e6dab4c2f5c034f9121e44f96b7f5

SHA512
a0e0020dca3e3a5900572df750053c9df38033cc6e9dbe9442c3bcb1aa74e24c8f3353262d24b86934d3caafd0333901fe359d1079be886cfd733c50cf2d2f9d

Download Submit
/data/user/0/com.nuwrwmqy.sgrnpwsn/files/dex/nbvxqMqfKGfHfKBzh.zip
Filesize
1.3MB

MD5
e8427af6bc0474d2fc279d7315d841be

SHA1
31fc8abadd1c4d02a5c1d3f09527cb41a0e61fc5

SHA256
0bb1af0c1491174182cd9be4b818e824f06525d86c917ee9d368d058f902268b

SHA512
ae3f6a154b3149faa6d20ed59b84f3ecd90a624af3eef78f2a401cf22cf26fbdc12c753dfc9592ed7ef662ece4db3d3eae7d6fe2cc2073cbe5aa394ce287680f

Download Submit
/data/user/0/com.nuwrwmqy.sgrnpwsn/files/dex/nbvxqMqfKGfHfKBzh.zip
Filesize
1.3MB

MD5
50b78e4671840df39709a91b9170986c

SHA1
905279259f047d6e74b0e18663349f23201fa453

SHA256
964e85af9578293672294809c438b26bbe773dd989986f4e1759c6cb9452f87b

SHA512
9154ee3b5e0091f5e23a4201a0762abd4904a3cfa2395c80066004f84b285c12459703457ac7d405c4c9d3a011209c0876c1750cff6abf229ec7c3cc460658da

Download Submit