Analysis Overview
SHA256
b3f23bdd3dea208f05de7a5b9ea928758187b3f2b0f4f5733c8bdb3298818ec0
Threat Level: Known bad
The file b3f23bdd3dea208f05de7a5b9ea928758187b3f2b0f4f5733c8bdb3298818ec0 was found to be: Known bad.
Malicious Activity Summary
TiSpy
Queries the phone number (MSISDN for GSM devices)
Loads dropped Dex/Jar
Queries information about the current nearby Wi-Fi networks
Requests cell location
Acquires the wake lock
Queries the mobile country code (MCC)
Declares services with permission to bind to the system
Queries information about the current Wi-Fi connection
Declares broadcast receivers with permission to handle system events
Queries information about active data network
Requests dangerous framework permissions
Registers a broadcast receiver at runtime (usually for listening for system events)
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-22 02:01
Signatures
Declares broadcast receivers with permission to handle system events
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
| Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows the app to answer an incoming phone call. | android.permission.ANSWER_PHONE_CALLS | N/A | N/A |
| Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 02:01
Reported
2024-06-22 02:04
Platform
android-x86-arm-20240611.1-en
Max time kernel
47s
Max time network
158s
Command Line
Signatures
TiSpy
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /data/user/0/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip | N/A | N/A |
| N/A | /data/user/0/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip | N/A | N/A |
| N/A | /data/user/0/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip | N/A | N/A |
| N/A | /data/user/0/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip | N/A | N/A |
| N/A | /data/user/0/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip | N/A | N/A |
| N/A | /data/user/0/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip | N/A | N/A |
Queries information about the current nearby Wi-Fi networks
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A |
Queries the phone number (MSISDN for GSM devices)
Requests cell location
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
Acquires the wake lock
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Processes
com.ygvezckt.rwqaztkw
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.ygvezckt.rwqaztkw/files/dex/oat/x86/316f40170801e947.odex --compiler-filter=quicken --class-loader-context=&
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.ygvezckt.rwqaztkw/files/dex/oat/x86/lLtoeVfIDbcROVZBX.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.204.74:443 | | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 216.58.201.110:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.212.238:443 | android.apis.google.com | tcp |
Files
/data/data/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip
| MD5 | 1b463ebe439550e65863364d145f3633 |
| SHA1 | 06a1d114d31cc0c0735f6e865290de0df66534fc |
| SHA256 | 402745874a8f4229a51c30bb0a3fc4a383d5d2bdecf43f73920c7ec59f402631 |
| SHA512 | 45be5088110b35464faac2c708084e5337ddf5f89d582001582c47db28e04ab577dc036ee481b02f3743b3bfc1a0bc85cdf9185f23aa8e683a2890833b77be5a |
/data/user/0/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip
| MD5 | c276d68c66d80dfed813846189721519 |
| SHA1 | 3006ae75be916f82d520f683322ce5b8af4be68b |
| SHA256 | ba4227db1d3fb1d9befcdc67847e414b5070dd7e9d28e397c4cec1488309053e |
| SHA512 | b5c1844af6bc735c26cb736691d864c3cb4ac567d49c8c0f5a3f73c7d8aa7de890900563a99a7e0a1e114cf561955225bea7522df876c338f380d03e502bb497 |
/data/user/0/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip
| MD5 | 0141ce546517d0ff09558391ffe2c3d1 |
| SHA1 | c8da2607f42222cf6726f30015fce0e501df3c30 |
| SHA256 | 4f647e2c0402fab82866f27337c18543123212e46abb52914e8c22bcff7382cf |
| SHA512 | 886f3fd3d8b891a8a1ced7552bb73e82b8eb390bf028570d1e5f1089863399dfe26184c4b6974968cc0a801ac1dadc768af157c386cda3fb0b810279680f48ce |
/data/data/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip
| MD5 | 5631aac4cdaafaf80e13e30ca0f35df4 |
| SHA1 | a5c11f94c00875c38fcc29debd5ab1f01b6a6d20 |
| SHA256 | c65d54edc4dfb9bb13a51764be2b1a66e6ef781a6f1a18368d22aeea79f1af6c |
| SHA512 | 15c45aabc02a08dd369de2b9f3ba736ccdea4cd325e865b079810887d3cfbdf52a7286dbb0516630cc0f83d3fba0a99efcb2a1f37ce3ee0a50bae98eb731eb47 |
/data/user/0/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip
| MD5 | eba2e1ec82083be20ece86501cf4a651 |
| SHA1 | c7296d77e0ff6982396d13e1f6cc54b2be4b5f12 |
| SHA256 | 7cd112ace3c9789beb88d7d75e3c664706505fc8c5ede01fc92fabb9da2700ec |
| SHA512 | 668f0e05318a9a1d8f28aa9f8796450422b0f5d722704bcb37e003d42951e7033053b2c38ba4bc1144b14bac9114d875e860f5ee8add0986234228e2dc9dfbaf |
/data/user/0/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip
| MD5 | 0df030186d9f5c370a15db6223ca2eb7 |
| SHA1 | 33a9951863ceaf037787cd169c4cf61fcb7bba1b |
| SHA256 | ecf40b3088a5186d0c043c2248aaa1a509c4336ae7cad299741fb7fc7ba0b11c |
| SHA512 | 0777b4c68b58b428410554b9e420852cd3fb2f2bcfe7a48487b1564918c386ca5d80327a7dc9b9b2d8d55da5330296aabd1f866db3e068bbfb3a3d7f393547ae |
/data/data/com.ygvezckt.rwqaztkw/files/dex/pro_btn_bg_animation_img_0.jpg.zip
| MD5 | 7c20a2b01bf3f9df1f0abb72ebbe82be |
| SHA1 | e601b2e41434623edbeece32867517a3cdec5449 |
| SHA256 | 1a10cc3cd2dc21a9be2d2eb758fd19288082619d331245b927d0a9299462ea2e |
| SHA512 | 3faa6efbd3ebf6e1aff7ebe9958c5f94bbfe9c5ff9e11e9092b1b7301bbe6504c01b922d709303147e213b3cadce8e96462220a1d1bf4d6cdaec95b3f84bb1b4 |
/data/data/com.ygvezckt.rwqaztkw/files/477458.so
| MD5 | 8767a74133b3328c2a87a24893142ec2 |
| SHA1 | c1c48bcab9d7bf804cad029656d8b79bf8655d29 |
| SHA256 | 80afd0eea39b125cd5a2f300a3b50302f002ff332943f71bd46d7ce5914e0f82 |
| SHA512 | 96a2d70a2adfef8b8da4fc8c6b2be0b7eed0c33f76770093799fd3bbccf1b766290151cbd65981634c821baabdd8d445a6f66cf955045f0f402286b61aab2d7c |
/data/data/com.ygvezckt.rwqaztkw/logs/Sistema1719021721369.log
| MD5 | 3ab198ee4b09970bc95922f559bdb4f2 |
| SHA1 | e5b3bdacec9cbc4e816f27c17e2a565459eb2723 |
| SHA256 | 3bd5ed8f2b30ff7a6b9289c1353864f7605bb4835adc2077525dad459fcd1089 |
| SHA512 | 51249277e432696519088421036cce67a690c5f899a9c218174e37110a1f6f99a5733eea197fe228d1bb5099d61ba0018d43d3fa6a18db7bc9d3b5cb77f35375 |
/data/data/com.ygvezckt.rwqaztkw/databases/privatesms.db-journal
| MD5 | e287ca9a331414be8e924f9b7545d5c2 |
| SHA1 | 66034e59f3339bfe82ff57d412dce0988cd420a8 |
| SHA256 | 05938173ed3ecf25993f4eee90eb0f51bb89e0cc85b5b3f5e71ac6b0c9efca30 |
| SHA512 | 7ae4eda8efe604e95b70fa581222795a05a8467e121131bc31eccb00328fe62b914a85d50de2384d5ce4e26b5596769357cd2ac88eb2a99dc37c3f319935f2a4 |
/data/data/com.ygvezckt.rwqaztkw/databases/privatesms.db
| MD5 | 3621ce0aa81e37bc5c80e2cf881f1dd0 |
| SHA1 | 00365f82dcada94caea07443656848baf60b3bd9 |
| SHA256 | 8620d146b06037c9dc98b8788c3137344eb9d7e1f8b982ffec4c1d8549f24dd5 |
| SHA512 | 76bb7175359d61ce39e95008269752de25769c4e274b4bcf37b920bc2cbfb680b2a4a88de860ed069655d1f47604638b0301c2c6131107cd929348895d73d2bf |
/data/data/com.ygvezckt.rwqaztkw/databases/privatesms.db-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.ygvezckt.rwqaztkw/databases/privatesms.db-wal
| MD5 | 9dbd5005340b75378f724e0f6e4948db |
| SHA1 | 79e86a64726d6d88e89fb7b7cc7dca0c0b0e5621 |
| SHA256 | df37ef89e881269e525d55bde0607d5d95c572109246a5b6558f88382e86ad32 |
| SHA512 | 88b073053fc41e6454e27fce6e1f81f8f638e2cb5561d26e0ef335b8c890c3f78ec043df6a185a9020123b510f750547ef1b19527d55d498565fd94c332e919f |