Analysis Overview
SHA256
6a386248e8856ebd0841cb70e0433189b251c4dbe9bc2dce2096d6996266abbe
Threat Level: Known bad
The file 6a386248e8856ebd0841cb70e0433189b251c4dbe9bc2dce2096d6996266abbe was found to be: Known bad.
Malicious Activity Summary
TiSpy
Loads dropped Dex/Jar
Queries the phone number (MSISDN for GSM devices)
Requests cell location
Queries information about the current nearby Wi-Fi networks
Declares broadcast receivers with permission to handle system events
Requests dangerous framework permissions
Queries information about active data network
Queries information about the current Wi-Fi connection
Reads information about phone network operator
Declares services with permission to bind to the system
Queries the mobile country code (MCC)
Acquires the wake lock
Registers a broadcast receiver at runtime (usually for listening for system events)
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-20 02:07
Signatures
Declares broadcast receivers with permission to handle system events
| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
| Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows the app to answer an incoming phone call. | android.permission.ANSWER_PHONE_CALLS | N/A | N/A |
| Allows an application to see the number being dialed during an outgoing call, with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 02:07
Reported
2024-06-20 02:10
Platform
android-x86-arm-20240611.1-en
Max time kernel
47s
Max time network
130s
Command Line
Signatures
TiSpy
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/user/0/com.suyriwhm.ouseqkgn/files/dex/1ff530525b482ffd.zip | N/A | N/A |
| N/A | /data/user/0/com.suyriwhm.ouseqkgn/files/dex/1ff530525b482ffd.zip | N/A | N/A |
| N/A | /data/user/0/com.suyriwhm.ouseqkgn/files/dex/gSovILZiesBTWshqC.zip | N/A | N/A |
| N/A | /data/user/0/com.suyriwhm.ouseqkgn/files/dex/gSovILZiesBTWshqC.zip | N/A | N/A |
| N/A | /data/user/0/com.suyriwhm.ouseqkgn/files/dex/1ff530525b482ffd.zip | N/A | N/A |
| N/A | /data/user/0/com.suyriwhm.ouseqkgn/files/dex/gSovILZiesBTWshqC.zip | N/A | N/A |
Queries information about the current nearby Wi-Fi networks
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A |
Queries the phone number (MSISDN for GSM devices)
Requests cell location
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
Acquires the wake lock
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Reads information about phone network operator
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Processes
com.suyriwhm.ouseqkgn
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.suyriwhm.ouseqkgn/files/dex/1ff530525b482ffd.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.suyriwhm.ouseqkgn/files/dex/oat/x86/1ff530525b482ffd.odex --compiler-filter=quicken --class-loader-context=&
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.suyriwhm.ouseqkgn/files/dex/gSovILZiesBTWshqC.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.suyriwhm.ouseqkgn/files/dex/oat/x86/gSovILZiesBTWshqC.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
Files
/data/data/com.suyriwhm.ouseqkgn/files/dex/1ff530525b482ffd.zip
| MD5 | 7b292558c6220d30f7ef769a79e05fe9 |
| SHA1 | 9efe8e9ad9f51e446e34f8776ce0a6435111497c |
| SHA256 | 16a649e6236b950157c3e97efe06ba152822d2631f64bc12e815825164c4d956 |
| SHA512 | 3e6033bb0069d451dc9c18f81cbb56bdb7074d6adae4df7c13e01e8847f13abc3284c4a0f6b0fb5f3c05f2233afd0b0bd8c20ee1f8d16783d75c3e9d6da6f26c |
/data/user/0/com.suyriwhm.ouseqkgn/files/dex/1ff530525b482ffd.zip
| MD5 | 2591b06aa7a25be3da827dbf2364b67e |
| SHA1 | 4ac197bd24868b7596a1de1486fd694574bd14ba |
| SHA256 | 2786c5c58a43043a7450d3dcd63a92ef95e8ed1edb850b8030379a179f86fe75 |
| SHA512 | f78936fa3b5f67b935d9c45f67637c4026b8c814fc805747cfdc6e4e0bff743ec7beeda11c2a48b0efb11a5e5e4f7b3370111f0239fb443a3a180cb65c8866ef |
/data/user/0/com.suyriwhm.ouseqkgn/files/dex/1ff530525b482ffd.zip
| MD5 | ecbf331b2f228fa46a091b23b5a1fdc8 |
| SHA1 | 7ecdc443c515c0f315ed8b7ff48e09a2869b82f7 |
| SHA256 | dcba48863964f874f10917608edf99628682b3f4aac60ffe67c38da674c7311f |
| SHA512 | 8d032776f2e91978d3ccf1259cbcf0d8a0acc2e0d4701a0f40e2d038a13cd8c40d6e99f84ea7aa4c6882729de52bd82feb9b19c05949a6e2429a75a9d3f04e9f |
/data/data/com.suyriwhm.ouseqkgn/files/dex/gSovILZiesBTWshqC.zip
| MD5 | 2dfb3d2eee0ea31e4b8b25c9bd6b1315 |
| SHA1 | f6cdd15c669ecb614fd51b5070bc96a63a4a5234 |
| SHA256 | aaa1e60465c5197b87a9ac67b901a71678e23e61143627ff10ab2290d377bdc2 |
| SHA512 | cf2ca635a8ef7c88860014b36e65124d84e986d3a85ea88a2db5534d5fbde6c8056ff8488fff32ab141e199d546416686f459aee468e9c648e88c93c0f07e2eb |
/data/user/0/com.suyriwhm.ouseqkgn/files/dex/gSovILZiesBTWshqC.zip
| MD5 | de52e6b4f3b809e01eddd925fb53aa3a |
| SHA1 | 717c0abe1ce5c3aef541129a957bff94678aa98e |
| SHA256 | 3724dba2cd6b5acba72b422085bcd9a9c0cdb440168e514f4f8e5d8e7a30a06d |
| SHA512 | 3e89ddecb5941b8749561458634f151b3c7cc4cb8aafccc9e675e4017af0378a108f096ede750fded3b6326238a0abadf6706373d1b795ac5dae4bfadad2f652 |
/data/user/0/com.suyriwhm.ouseqkgn/files/dex/gSovILZiesBTWshqC.zip
| MD5 | 969c5bb4705f4cef8da8829c583ea901 |
| SHA1 | ec8ebfa963243092b19f09ff5a9afa7ea1091352 |
| SHA256 | c37a1a0955e2cebee5515438b785a89fab33e42d3752c39c52867d4a7787239b |
| SHA512 | 3a05a1d461cad47a75727ad4f68e11438859c0e0c45beb0482dd7273b93aafbd1e91eb18c4244912e4ee54c9a47c46338c3293f4acb3fdc739197f492741eab9 |
/data/data/com.suyriwhm.ouseqkgn/files/dex/pro_btn_bg_animation_img_0.jpg.zip
| MD5 | 7c20a2b01bf3f9df1f0abb72ebbe82be |
| SHA1 | e601b2e41434623edbeece32867517a3cdec5449 |
| SHA256 | 1a10cc3cd2dc21a9be2d2eb758fd19288082619d331245b927d0a9299462ea2e |
| SHA512 | 3faa6efbd3ebf6e1aff7ebe9958c5f94bbfe9c5ff9e11e9092b1b7301bbe6504c01b922d709303147e213b3cadce8e96462220a1d1bf4d6cdaec95b3f84bb1b4 |
/data/data/com.suyriwhm.ouseqkgn/files/477290.so
| MD5 | 5331f946769d9a26661c461c59d031d9 |
| SHA1 | 008d623b0e0564a9a8a8cff8bd5bc327112697ed |
| SHA256 | 0ef7ca92ae4850cd98d6fe6aaec41901cdbaf64f12a77e110ff632bb2eda6713 |
| SHA512 | e041db2ece750293fb25da09570d89408325e26aa12e87bd8689bab63843edc8229b920aa8d5d6cc91bf0392ffebccb8491dde69a4495d326821b35146f93c30 |
/data/data/com.suyriwhm.ouseqkgn/logs/Sistema1718849283757.log
| MD5 | df72d6f7bb6758365f261391ef8514af |
| SHA1 | a6114fad751e457282bb6395a4c4cdcc2c3d2758 |
| SHA256 | 1a80b8f09c5df54562cd778c988795094a15939d5f66184e337decc3f4ef7958 |
| SHA512 | 86068681292819aa899b2208c9345c32b28326553bec97a62da2b70f888be76cdf9d1b310049c8dd187d437cb44eea6a2dbf6d1a88a66c57d04e9acaa4daec35 |
/data/data/com.suyriwhm.ouseqkgn/databases/privatesms.db-journal
| MD5 | 88ca417c127a5b3946ef25801e78263a |
| SHA1 | 16f93c2243f4b9bb62611d9bcacd2192e2269598 |
| SHA256 | cfcadcd301930e7d3ce0aae2096fd5d783e441b712bea48977fd26984a5bd21d |
| SHA512 | 140b4feb8246f1e9096ca68bf7b1430823848ab41e899733b7cc1441a4e43649617f686ecb93622fce0d0fb9c602bfde8e112655ba111aedfd9af0292d42c9c9 |
/data/data/com.suyriwhm.ouseqkgn/databases/privatesms.db
| MD5 | 3621ce0aa81e37bc5c80e2cf881f1dd0 |
| SHA1 | 00365f82dcada94caea07443656848baf60b3bd9 |
| SHA256 | 8620d146b06037c9dc98b8788c3137344eb9d7e1f8b982ffec4c1d8549f24dd5 |
| SHA512 | 76bb7175359d61ce39e95008269752de25769c4e274b4bcf37b920bc2cbfb680b2a4a88de860ed069655d1f47604638b0301c2c6131107cd929348895d73d2bf |
/data/data/com.suyriwhm.ouseqkgn/databases/privatesms.db-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.suyriwhm.ouseqkgn/databases/privatesms.db-wal
| MD5 | b457e813c4da8cf29f27b627705031bd |
| SHA1 | 6183faa2401e232f7528df2cc6884365e8a35afb |
| SHA256 | 2fc2064bc27b3532b52e9d5640b6bbb06da7a667ff453f1bf55627ebe149d3c0 |
| SHA512 | 5fa917ab82ec0a0b448d9506134297c723c632ac001170ee3fb8b89b8d50c32da0d1a02c1a86f8e3604359388ebb0046fcc1b27c8077510e522e1010a69eefac |