tispy | 4f10c7ffc34e54c72c82e92f6a1d7992fb5c55ea9a98760195ccf6dc9a541107

Analysis

max time kernel
47s
max time network
130s
platform
android_x86
resource
android-x86-arm-20240611.1-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240611.1-enlocale:en-usos:android-9-x86system
submitted
17-06-2024 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bruno-wi1.apk
Size

2.4MB
MD5

f704ebe7d5ba61ea965d484361bbb672
SHA1

68767821178ed2dd18f0770efbecbaa97f75c7b7
SHA256

4f10c7ffc34e54c72c82e92f6a1d7992fb5c55ea9a98760195ccf6dc9a541107
SHA512

f2f95ac2caed68b316d69918b201223b507e5aac172a3af23d722c299a86da21426910680678b866a41e7d703f7e07ccd72f9890a13d20a78064acbac79e0522
SSDEEP

49152:A6KXkvfSeOHbvgJfU83IPCkGYYPOiSUgWNL0sA/TcnHA:bKUStHbIi83IPrSMUPNJeEHA

Score

10^/10

tispy collection discovery evasion infostealer persistence spyware trojan

Malware Config

Extracted

Family

tispy

https://brunoespiao.com.br/esp/appprofile.jsp

Signatures

TiSpy
TiSpy is an Android stalkerware.
trojan infostealer spyware tispy

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

T1407

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.nuwrwmqy.sgrnpwsn/files/dex/nbvxqMqfKGfHfKBzh.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.nuwrwmqy.sgrnpwsn/files/dex/oat/x86/nbvxqMqfKGfHfKBzh.odex --compiler-filter=quicken --class-loader-context=&com.nuwrwmqy.sgrnpwsn

ioc	pid	process
/data/user/0/com.nuwrwmqy.sgrnpwsn/files/dex/nbvxqMqfKGfHfKBzh.zip	4292	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.nuwrwmqy.sgrnpwsn/files/dex/nbvxqMqfKGfHfKBzh.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.nuwrwmqy.sgrnpwsn/files/dex/oat/x86/nbvxqMqfKGfHfKBzh.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.nuwrwmqy.sgrnpwsn/files/dex/nbvxqMqfKGfHfKBzh.zip	4233	com.nuwrwmqy.sgrnpwsn
/data/user/0/com.nuwrwmqy.sgrnpwsn/files/dex/nbvxqMqfKGfHfKBzh.zip	4233	com.nuwrwmqy.sgrnpwsn

Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.
discovery

T1421

Processes:

com.nuwrwmqy.sgrnpwsn

description ioc process

Framework service call android.net.wifi.IWifiManager.getScanResults com.nuwrwmqy.sgrnpwsn
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

T1422
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
collection discovery evasion

T1430

T1627.001

Processes:

com.nuwrwmqy.sgrnpwsn

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.nuwrwmqy.sgrnpwsn
Acquires the wake lock 1 IoCs

Processes:

com.nuwrwmqy.sgrnpwsn

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.nuwrwmqy.sgrnpwsn
Queries information about active data network 1 TTPs 1 IoCs
discovery

T1421

Processes:

com.nuwrwmqy.sgrnpwsn

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.nuwrwmqy.sgrnpwsn
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

T1421

Processes:

com.nuwrwmqy.sgrnpwsn

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.nuwrwmqy.sgrnpwsn
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

T1422

Processes:

com.nuwrwmqy.sgrnpwsn

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.nuwrwmqy.sgrnpwsn
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

T1624.001

Processes:

com.nuwrwmqy.sgrnpwsn

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.nuwrwmqy.sgrnpwsn
Checks CPU information 2 TTPs 1 IoCs

T1633.001

T1426

Processes:

com.nuwrwmqy.sgrnpwsn

description ioc process

File opened for read /proc/cpuinfo com.nuwrwmqy.sgrnpwsn
Checks memory information 2 TTPs 1 IoCs

T1633.001

T1426

Processes:

com.nuwrwmqy.sgrnpwsn

description ioc process

File opened for read /proc/meminfo com.nuwrwmqy.sgrnpwsn

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getScanResults	com.nuwrwmqy.sgrnpwsn

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.nuwrwmqy.sgrnpwsn

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.nuwrwmqy.sgrnpwsn

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.nuwrwmqy.sgrnpwsn

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.nuwrwmqy.sgrnpwsn

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.nuwrwmqy.sgrnpwsn

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.nuwrwmqy.sgrnpwsn

description	ioc	process
File opened for read	/proc/cpuinfo	com.nuwrwmqy.sgrnpwsn

description	ioc	process
File opened for read	/proc/meminfo	com.nuwrwmqy.sgrnpwsn

com.nuwrwmqy.sgrnpwsn
1⤵
- Loads dropped Dex/Jar
- Queries information about the current nearby Wi-Fi networks
- Requests cell location
- Acquires the wake lock
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
PID:4233

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.nuwrwmqy.sgrnpwsn/files/dex/nbvxqMqfKGfHfKBzh.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.nuwrwmqy.sgrnpwsn/files/dex/oat/x86/nbvxqMqfKGfHfKBzh.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:4292

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.nuwrwmqy.sgrnpwsn/databases/privatesms.db
Filesize
16KB

MD5
3621ce0aa81e37bc5c80e2cf881f1dd0

SHA1
00365f82dcada94caea07443656848baf60b3bd9

SHA256
8620d146b06037c9dc98b8788c3137344eb9d7e1f8b982ffec4c1d8549f24dd5

SHA512
76bb7175359d61ce39e95008269752de25769c4e274b4bcf37b920bc2cbfb680b2a4a88de860ed069655d1f47604638b0301c2c6131107cd929348895d73d2bf

Download Submit
/data/data/com.nuwrwmqy.sgrnpwsn/databases/privatesms.db-journal
Filesize
512B

MD5
f2558dd39a85ed86a94b04b9dd311c6e

SHA1
cb494ee42af6024fc309c9407042ccaf4a0326ce

SHA256
2a1e0a6aaee0c6bdd90f03670eec2f03b36919be70380c3bdcbbda00812581ba

SHA512
8635912dd12c73414bbbbe1f8de284d88d4ec1f123500cff6d3578b1f90f391cadc96d300d3b03b6fbcfd9b9503bf440596471c353009c8ef40a42f8c673cf24

Download Submit
/data/data/com.nuwrwmqy.sgrnpwsn/databases/privatesms.db-shm
Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.nuwrwmqy.sgrnpwsn/databases/privatesms.db-wal
Filesize
28KB

MD5
ff9623243a6a1daa00696d9d28afab43

SHA1
9cd8046f7435fb3ba34c323b3bb0b049d7b3df41

SHA256
c3eb5d6bd009a4df7ba0bf4d1979977f063ee11ceeba1308661d1184b7b239fc

SHA512
2e93032e61c61265a9fcac587798bb93bc39d8cb90a5a8198bdae23016f7014dfe6d748568b4a90e9c27d6bedbca28d1007a4d2f8a0879880f334a200cfa414c

Download Submit
/data/data/com.nuwrwmqy.sgrnpwsn/files/477383.so
Filesize
145KB

MD5
fad0ec47f7ac508f31e2b8ce38f0bfaa

SHA1
334b8d474a5a2d7a09a82da3a2b064e1e93cd188

SHA256
48042289b55dacca46eb8490a240c0d14b4da86f173d47cc70a5cdc71dbdbe1f

SHA512
87760fad813907630b5df660cf26209b4681facf821f97823a5abab403e6598d94186fd19a6e7c7564baa03cc86f15e6c9b96823bb497c0ad95ce5211d325346

Download Submit
/data/data/com.nuwrwmqy.sgrnpwsn/files/Background/black-wallpapers-for-smartphone-102-700x990.jpg
Filesize
3KB

MD5
4651e1fd4234ee465d6fe6349f2e178d

SHA1
1a86fbd1edd11fa983155172d484959760c1fc0e

SHA256
725ccd777793d5b05707aa28438b58a021c15b0f9cf47ace83aada6ea93a921b

SHA512
6962571dbc91930f4624e3c80e1ab7a5ac23f8f13ccb4587d1619c5d5f8e9731974ae954e8b9ba2e86084f8e797c6a9d49267667a98e47bd7af9e0af29686b0c

Download Submit
/data/data/com.nuwrwmqy.sgrnpwsn/files/dex/nbvxqMqfKGfHfKBzh.zip
Filesize
535KB

MD5
0694f3ac46bfb9327140496abdc29529

SHA1
c38e09e31cd09909e4c8808cbcd06102c646bde8

SHA256
c48ad644fab5783d91fd59d17be1d568d445bf621ee2e705a592907be8c5c0e3

SHA512
629311db7aec2e37361e32d134031682d48036c3dbd1a1ef58840f2da70d17c1dee0757d08eb350056e93e27f2cb64519fb65b2ba9f32473037615c26ce726db

Download Submit
/data/data/com.nuwrwmqy.sgrnpwsn/logs/Sistema1718590408516.log
Filesize
17KB

MD5
55f9335b3b0f5b6f482395093e2dff67

SHA1
273045b43255dbe5ecd3acba22337a72e79b91a7

SHA256
70af5ef4ab2cfeeaf9145a43131bd311fdb2efdaf0e00a53d41279c868c4dff3

SHA512
079adba9d72b8e538825672d398e35d7248d1a00983f19d8c867daeeee2baff16001fd607e0e1fec19eecf20e8238eae0ea9cece4ac179eadd541fd528c5e7cd

Download Submit
/data/user/0/com.nuwrwmqy.sgrnpwsn/files/dex/nbvxqMqfKGfHfKBzh.zip
Filesize
1.3MB

MD5
e8427af6bc0474d2fc279d7315d841be

SHA1
31fc8abadd1c4d02a5c1d3f09527cb41a0e61fc5

SHA256
0bb1af0c1491174182cd9be4b818e824f06525d86c917ee9d368d058f902268b

SHA512
ae3f6a154b3149faa6d20ed59b84f3ecd90a624af3eef78f2a401cf22cf26fbdc12c753dfc9592ed7ef662ece4db3d3eae7d6fe2cc2073cbe5aa394ce287680f

Download Submit
/data/user/0/com.nuwrwmqy.sgrnpwsn/files/dex/nbvxqMqfKGfHfKBzh.zip
Filesize
1.3MB

MD5
50b78e4671840df39709a91b9170986c

SHA1
905279259f047d6e74b0e18663349f23201fa453

SHA256
964e85af9578293672294809c438b26bbe773dd989986f4e1759c6cb9452f87b

SHA512
9154ee3b5e0091f5e23a4201a0762abd4904a3cfa2395c80066004f84b285c12459703457ac7d405c4c9d3a011209c0876c1750cff6abf229ec7c3cc460658da

Download Submit