tispy | 1733625b4976afb39f3c68bbd4b9b51695aff9810db15394cbae873909067f23

Analysis

max time kernel
47s
max time network
131s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
03/08/2024, 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1733625b4976afb39f3c68bbd4b9b51695aff9810db15394cbae873909067f23.apk
Size

3.7MB
MD5

7c4addaed9dad7985951d81d377b7343
SHA1

5ed8bf700cb6bed532369122760c5a09514e5cb6
SHA256

1733625b4976afb39f3c68bbd4b9b51695aff9810db15394cbae873909067f23
SHA512

170f001fc9846f1dc00f301370139f6c958d566198238fc9ec047dfab7644d777ba0a0598cd9118dbd17c7746b84a85ce34c0d6b113fc482f5e1b7adea4b1dfc
SSDEEP

98304:ylmK1/BjthXPCKwXaGZsOjFoMfGvzW8O4R25qGJ1:yTlBjTXqKaZshMfyW8Oc25qw1

Score

10^/10

tispy collection discovery evasion infostealer persistence spyware trojan

Malware Config

Signatures

TiSpy
TiSpy is an Android stalkerware.
trojan infostealer spyware tispy

Loads dropped Dex/Jar 1 TTPs 6 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.sqhnyhot.iqivheju/files/dex/MZRKudjucXrrOZEEK.zip	4281	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sqhnyhot.iqivheju/files/dex/MZRKudjucXrrOZEEK.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.sqhnyhot.iqivheju/files/dex/oat/x86/MZRKudjucXrrOZEEK.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.sqhnyhot.iqivheju/files/dex/MZRKudjucXrrOZEEK.zip	4253	com.sqhnyhot.iqivheju
/data/user/0/com.sqhnyhot.iqivheju/files/dex/e29643bd0c19dc8a.zip	4306	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sqhnyhot.iqivheju/files/dex/e29643bd0c19dc8a.zip --output-vdex-fd=44 --oat-fd=47 --oat-location=/data/user/0/com.sqhnyhot.iqivheju/files/dex/oat/x86/e29643bd0c19dc8a.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.sqhnyhot.iqivheju/files/dex/e29643bd0c19dc8a.zip	4253	com.sqhnyhot.iqivheju
/data/user/0/com.sqhnyhot.iqivheju/files/dex/MZRKudjucXrrOZEEK.zip	4253	com.sqhnyhot.iqivheju
/data/user/0/com.sqhnyhot.iqivheju/files/dex/e29643bd0c19dc8a.zip	4253	com.sqhnyhot.iqivheju

Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getScanResults	com.sqhnyhot.iqivheju

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests cell location 2 TTPs 1 IoCs

Uses Android APIs to to get current cell location.

collection discovery evasion

Location Tracking

T1430

Geofencing

T1627.001

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.sqhnyhot.iqivheju

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.sqhnyhot.iqivheju

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.sqhnyhot.iqivheju

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.sqhnyhot.iqivheju

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.sqhnyhot.iqivheju

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.sqhnyhot.iqivheju

com.sqhnyhot.iqivheju
1⤵
- Loads dropped Dex/Jar
- Queries information about the current nearby Wi-Fi networks
- Requests cell location
- Acquires the wake lock
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4253
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sqhnyhot.iqivheju/files/dex/MZRKudjucXrrOZEEK.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.sqhnyhot.iqivheju/files/dex/oat/x86/MZRKudjucXrrOZEEK.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4281
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sqhnyhot.iqivheju/files/dex/e29643bd0c19dc8a.zip --output-vdex-fd=44 --oat-fd=47 --oat-location=/data/user/0/com.sqhnyhot.iqivheju/files/dex/oat/x86/e29643bd0c19dc8a.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4306

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Execution Guardrails

T1627

Geofencing

T1627.001

Credential Access

Discovery

Location Tracking

T1430

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.sqhnyhot.iqivheju/databases/privatesms.db

Filesize
16KB

MD5
3621ce0aa81e37bc5c80e2cf881f1dd0

SHA1
00365f82dcada94caea07443656848baf60b3bd9

SHA256
8620d146b06037c9dc98b8788c3137344eb9d7e1f8b982ffec4c1d8549f24dd5

SHA512
76bb7175359d61ce39e95008269752de25769c4e274b4bcf37b920bc2cbfb680b2a4a88de860ed069655d1f47604638b0301c2c6131107cd929348895d73d2bf

Download Submit
/data/data/com.sqhnyhot.iqivheju/databases/privatesms.db-journal

Filesize
512B

MD5
c2228a309cdf127d279d0babaf15192e

SHA1
b1fe7bff4fed52c8c94c8b0b96695f08a1b1d476

SHA256
0c1fac1eff82712691fc64905186d1feab8412fdff95811c35877d2eaade314c

SHA512
ecaeabec167aa8f189945701a78cc87947735e7fffb53ac16e2254f4e09ca8c19ebe40c1e4a82d65370802bd32b84053381a40f7526bfb1ff9702567bc0d2597

Download Submit
/data/data/com.sqhnyhot.iqivheju/databases/privatesms.db-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.sqhnyhot.iqivheju/databases/privatesms.db-wal

Filesize
28KB

MD5
b01dcd58149fb4e71bfed3c592a75426

SHA1
5ecdc78b51e0cb1fcf43aa6cebd74f648f780b9d

SHA256
ef8c6b03fc94072da19e4e0fed5023cb2e329c5a969f8756d2bf1fa7e05b803b

SHA512
caf12611d77e13a91ea743a1485c3cee88bf0dfc9f2594a7e35499ed8852118466945f414787bbb2b8809a466b17e6d5d40b05712d4df2aeffb2d1bd31deda0f

Download Submit
/data/data/com.sqhnyhot.iqivheju/files/477973.so

Filesize
145KB

MD5
f6cf89b01ee7bafbbdfb50defc34a9b3

SHA1
68403beb298746babd31c4217e4f2a22ed67b20f

SHA256
d4be8f7d06335b267b56a17543cad9758a87443fa5794c39acb9042a320edcb2

SHA512
cb846e507ceb0d6394944760ddd5a9350a10e12931a4fc89c65a26252a1400694ab2a64ff2a5bb4079d7fd3ee9a2db45542b25bdfb46575b8323bfb084fe1806

Download Submit
/data/data/com.sqhnyhot.iqivheju/files/dex/MZRKudjucXrrOZEEK.zip

Filesize
649KB

MD5
a86f007e3e35ed7a75069651cad761ae

SHA1
a21d90d909a99b91d2caa1f33a280136fbd2af03

SHA256
9f82d2bfa747a7d981d8990a1fdd704268d39939e2596eec5d02378c6b06b7dd

SHA512
e8ab8bd295ed84bd2d9e4c2e094f0930b4786357a820713bb4c4f517277a6632745531d8c30413312f67fd3860b0d58579ebb5ec8197feaf7f108b63eeb29c67

Download Submit
/data/data/com.sqhnyhot.iqivheju/files/dex/e29643bd0c19dc8a.zip

Filesize
548KB

MD5
7bf8b3ccb234272653c57f36d5a49011

SHA1
7cff5c50ec2b39d15902498619dbdc25cb89197a

SHA256
9108bd88f5a9fdcdf8e4b6dd04bd22f08a415fb6ef9a7549bdd9599dab3c6209

SHA512
32666d7bf9dd81601631b365ddcd76f194dbceb87419245d0023de52e05e0ea82864c0b5ceafb8912e226ed49050ccb5eea133a5c9559680e6bb5c214dcfb8de

Download Submit
/data/data/com.sqhnyhot.iqivheju/files/dex/pro_btn_bg_animation_img_0.jpg.zip

Filesize
8KB

MD5
7c20a2b01bf3f9df1f0abb72ebbe82be

SHA1
e601b2e41434623edbeece32867517a3cdec5449

SHA256
1a10cc3cd2dc21a9be2d2eb758fd19288082619d331245b927d0a9299462ea2e

SHA512
3faa6efbd3ebf6e1aff7ebe9958c5f94bbfe9c5ff9e11e9092b1b7301bbe6504c01b922d709303147e213b3cadce8e96462220a1d1bf4d6cdaec95b3f84bb1b4

Download Submit
/data/data/com.sqhnyhot.iqivheju/logs/Sistema1722650754841.log

Filesize
14KB

MD5
feaeca0305b2fef40a41480fda8e4250

SHA1
03323407201f9f64bc367e0a072ffd3fc4e2fee3

SHA256
8abe969d773680bc8c7922965c0021623b58e293dba900252905caa444284a71

SHA512
2b3cef2938842509522bcc25b6275140e8ae59a50db2cc75e6bfc067c10a219554f6f7e86efc68c3ace811fc6c7f45b5ea4ebd43aad96a0f4549cb23ca0aa6fa

Download Submit
/data/user/0/com.sqhnyhot.iqivheju/files/dex/MZRKudjucXrrOZEEK.zip

Filesize
1.7MB

MD5
b523917fc80a55f2a84bd20be3e8fd93

SHA1
3ae198c850dae526577782465b66d1ef6dc34bcf

SHA256
750bd2ccaf5a40a4303ea5e5558a853d69a9f369c39d42b359685e3a1998590a

SHA512
9969c1c791e023282b88354fd7197245778b08eed0a6dc784c38a0bca2d8b4b932bda454c9b9088e9a27238b9aa73ed1676a4b9d90a84e957f09ced47e7c63c1

Download Submit
/data/user/0/com.sqhnyhot.iqivheju/files/dex/MZRKudjucXrrOZEEK.zip

Filesize
1.7MB

MD5
a7df6945e04035a02d8b6d25a5b51ab6

SHA1
88e5029184407a100307017dc1fa21dcd44e32fa

SHA256
640aa06471bdb5e92f7d8509b42d95ab2b81d2926592aec923e6bcc476deb64d

SHA512
89ff473bae86c613590418c9be99ec28627db08f3d246c86f9e84f96f7199153ccda19321efbf6e9216098566db3eb171fcb5daa0f2b9c19c6b06cee9e2b9d6f

Download Submit
/data/user/0/com.sqhnyhot.iqivheju/files/dex/e29643bd0c19dc8a.zip

Filesize
1.3MB

MD5
c850fabc3095283199a552ffa3236bb5

SHA1
a368febbf62a61feb14d4352c72601f42e5643b6

SHA256
5397d6f7c58444216c4ed8ccbac836d3f8334a5c9a2784fe56e9520658fd4bfb

SHA512
ba4c8a29fc6a013139ad35d4bd9bd758c20421994f8296be03ef870439a66181134c66bfd8680b4e7da073e6fa0427597589645b7efb1f0d9954673e187d5d56

Download Submit
/data/user/0/com.sqhnyhot.iqivheju/files/dex/e29643bd0c19dc8a.zip

Filesize
1.3MB

MD5
927f34d05059761915ac80bc259333e4

SHA1
53435e32d5c5bbddc78b9d6bd4106333e99756b3

SHA256
239c67f7a80bf987d1e29f74cb947a471af87f5a7f4d38763f7a12d1ec91e80b

SHA512
6c510eaf770ceb4b30d949e0bd6240994f7dec33952a5de8450d763e9d4da8103dac38213bed109bdbf3c8c66e4b0fdf3eadde916ddc4f4d5c621742ae54a4a7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads