Overview

overview

10

Static

static

10

1777a2ba85...b0.apk

android-9-x86

10

5251a35642...3e.apk

android-9-x86

1

5251a35642...3e.apk

android-10-x64

1

5251a35642...3e.apk

android-11-x64

1

7c44519e51...57.apk

android-9-x86

10

FE_Invisib...pt.apk

android-9-x86

7

FE_Invisib...pt.apk

android-10-x64

7

FE_Invisib...pt.apk

android-11-x64

7

HellBoy.apk

android-9-x86

6

HellBoy.apk

android-10-x64

1

HellBoy.apk

android-11-x64

6

Roblox Key...V3.apk

android-9-x86

7

Roblox Key...V3.apk

android-10-x64

1

Roblox Key...V3.apk

android-11-x64

7

Stick War_ Legacy.apk

android-9-x86

1

Stick War_ Legacy.apk

android-10-x64

7

Stick War_ Legacy.apk

android-11-x64

7

Undead_Def...pt.apk

android-9-x86

7

Undead_Def...pt.apk

android-10-x64

7

Undead_Def...pt.apk

android-11-x64

7

antivirus.apk

android-9-x86

7

antivirus.apk

android-10-x64

7

antivirus.apk

android-11-x64

7

b3f23bdd3d...c0.apk

android-9-x86

10

e8947bc9fb...10.apk

android-9-x86

7

insta_followers.apk

android-9-x86

7

insta_followers.apk

android-10-x64

7

insta_followers.apk

android-11-x64

7

xxx.apk

android-9-x86

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    51baf4bc48db631e887ded88c0beb05b7a2f6f26ad2d122ee7c6cca6678752f5.zip

  • Size

    32.5MB

  • Sample

    240805-brn1fasfqj

  • MD5

    a58b72237a14d709c6eea04b73049210

  • SHA1

    786a2d070ea75d7fd858ebd93869063fedd6d705

  • SHA256

    51baf4bc48db631e887ded88c0beb05b7a2f6f26ad2d122ee7c6cca6678752f5

  • SHA512

    978b868d4ce591570f722d167e14f2b6533d3b341bdaac1048fb3d1196ad26b2009269514d29b5aeb12aa75697ae556ebd3c88af1ed4ea00f8c83289fff7a9b9

  • SSDEEP

    786432:xDWCPFc6LHxrdAxglUJMtJg9GzAl8g5lf/F9M6GvHzn9:sUzjxrdAxxJM+l8g5lDM6Gj9

Score
10/10
slockertispywipelockandroidcollectioncredential_accessdiscoveryevasionimpactinfostealerpersistenceprivilege_escalationspywaretrojan

Malware Config

Extracted

Family

tispy

C2

https://auth.familysafty.com/TiSPY/printIPN.jsp?screen=IntroScreen&model=Pixel+2&osversion=28&deviceid=358240051014041&version=3.2.183_22Jun24&rtype=T

https://auth.familysafty.com/TiSPY/printIPN.jsp?screen=IntroScreen&model=Pixel+2&osversion=28&deviceid=358240051014041&version=3.2.183_21Jun24&rtype=T

Targets

    • Target

      1777a2ba85f831e41c6a60418f84205c9de9c66402f9b7e5be13d29c543a42b0.apk

    • Size

      3.2MB

    • MD5

      14623d7dc9a647db6984cc6dfdfa2f63

    • SHA1

      4784359d681992c1db6e4221a5e51f01c306c24d

    • SHA256

      1777a2ba85f831e41c6a60418f84205c9de9c66402f9b7e5be13d29c543a42b0

    • SHA512

      955dcf412c8f8dc62562465f0cf0a359fd11c31739e8dbb0d53b75fe5fc24376914f85517dc9ee88763072a5d855e2b9200e801ea906b58119f9736b6e41689f

    • SSDEEP

      49152:kkQ7hynArFFP/RI5cHF2+XwTn8JBvvrMNvrsdKcWVftaWcSFhidvbKCH9B8zTAI:kkQ7Qn+nPD2+AIfMtrs09A7dvb5dBA

    Score
    10/10
    tispycollectiondiscoveryevasioninfostealerpersistencespywaretrojan

    • TiSpy

      TiSpy is an Android stalkerware.

      trojaninfostealerspywaretispy

    • TiSpy payload

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Queries information about the current nearby Wi-Fi networks

      Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

      discovery

    • Queries the phone number (MSISDN for GSM devices)

      discovery

    • Requests cell location

      Uses Android APIs to to get current cell location.

      collectiondiscoveryevasion

    • Acquires the wake lock

    • Queries information about active data network

      discovery

    • Queries information about the current Wi-Fi connection

      Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

      discovery

    • Queries the mobile country code (MCC)

      discovery

    • Reads information about phone network operator.

      discovery
    behavioral1

    • Target

      5251a356421340a45c8dc6d431ef8a8cbca4078a0305a87f4fbd552e9fc0793e.apk

    • Size

      2.7MB

    • MD5

      2ddbc785cd696041c5b0c3bd1a8af552

    • SHA1

      1269636a5197ee7a1402e406c91177bf6a149652

    • SHA256

      5251a356421340a45c8dc6d431ef8a8cbca4078a0305a87f4fbd552e9fc0793e

    • SHA512

      30e3187fa0c65981ae80f0bfae4ac753020ceb591d9c001a809040fac08795ab2cb04d9a95645a025d15008c4057f14a84826bec86b75453f389ac52d9b8a1e5

    • SSDEEP

      49152:VPctdtUtD6iJjM2M7xZkQPctdtUtD6yJjM2M7xZkpPctdtUtD62JjM2M7xZknJjj:VP04D6ojkxlP04D64jkx4P04D6sjkxin

    Score
    1/10
    behavioral2behavioral3behavioral4

    • Target

      7c44519e51cc203cdd23f27cefe7cf99de34abddf947ba55951721725f15aa57.apk

    • Size

      3.2MB

    • MD5

      2f73a6fe62a8ac27d658f15b1dc9a287

    • SHA1

      a40118f9d9a54938e6e261ee242716ac3a761e89

    • SHA256

      7c44519e51cc203cdd23f27cefe7cf99de34abddf947ba55951721725f15aa57

    • SHA512

      480a6c820664ce78b6284678019671edacc4cf98865e335f9816ce84507c2fe42b765db5103e27dab52605f95c5302f58c6691a869e24876df1f396c4d966d89

    • SSDEEP

      49152:pVPh+nACbPhX9CR3WHZn0/dwbDnog36hR4F41RemM3zfhVzsv5w:pVPcnzbPhoZW5nhnnHVyRtM3znzQw

    Score
    10/10
    tispycollectiondiscoveryevasioninfostealerpersistencespywaretrojan

    • TiSpy

      TiSpy is an Android stalkerware.

      trojaninfostealerspywaretispy

    • TiSpy payload

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Queries information about the current nearby Wi-Fi networks

      Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

      discovery

    • Queries the phone number (MSISDN for GSM devices)

      discovery

    • Requests cell location

      Uses Android APIs to to get current cell location.

      collectiondiscoveryevasion

    • Acquires the wake lock

    • Queries information about active data network

      discovery

    • Queries information about the current Wi-Fi connection

      Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

      discovery

    • Queries the mobile country code (MCC)

      discovery

    • Reads information about phone network operator.

      discovery
    behavioral5

    • Target

      FE_Invisible_Troll_Script.apk

    • Size

      3.2MB

    • MD5

      3ff43582aa468b8a8d0e063dcfea73bf

    • SHA1

      5d1d34fcec8f715ce045a5bda04741d40f29001b

    • SHA256

      a6f56581bb7ae7b242fcaab3d97d04ec2c5ac8aa5870e4e64ffbcf0d78899993

    • SHA512

      6af7639bc336015161f3087519e1a365ece0d1e0f5f7f20fe1af3243d1e6c3a0f65e38b50dc70f15cd13a232989b22884ca36bf0151630223d37bdba4f250149

    • SSDEEP

      49152:hrOpp2RqaP3KdsFeHcEKYC4KiJK5ncPjPuE/UpXSkdkIDk5sSEj6QiVterxzrK:hYgv6dsFt0FQnGD/UsrLEjS81PK

    Score
    7/10
    evasioncollectioncredential_accessdiscoveryimpactpersistence

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

      collectioncredential_accessimpact

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

      evasionpersistence

    • Queries information about active data network

      discovery

    • Queries the mobile country code (MCC)

      discovery

    • Reads information about phone network operator.

      discovery
    behavioral6behavioral7behavioral8

    • Target

      HellBoy.apk

    • Size

      343KB

    • MD5

      b2bf555242160805a704c3daaf8dab9e

    • SHA1

      fac7514df4ac0feefc5ebf6870e07d49e28ef824

    • SHA256

      e1f8a78fe6c1bc7f8390f2d83dccb82c05e4eafd9b0d8b877131a5574d33975a

    • SHA512

      ac65cda4fec4fabb837e563830a1dba5d27493db85a360ecdc0f07b1c0241b773c7f0123fbcffe944ab1f4ccbbaf9e9dc428ef57213104bc996849f3d23a5016

    • SSDEEP

      6144:Nv41LzIlR3wC2/ZoDwbCwR+i+Na4iIwsZC9b98frZo1tRZaNRP:NvMIlCC2Vzp47FZ8b9yWRZ4l

    Score
    6/10
    evasion

    • Requests uninstalling the application.

      evasion
    behavioral10behavioral11behavioral9

    • Target

      Roblox Keyless Bloxfruits Script HoHo Hub V3.apk

    • Size

      3.2MB

    • MD5

      35b6944128c7cb11594bfc93e4ad0d7c

    • SHA1

      1dd7c14f0d05c7560764a5bd2e9693cddc049a21

    • SHA256

      1879320e3bc42bcec7ee18e7e36e8cd579b8711f313d561ab502bcf1d1a559ae

    • SHA512

      5a53b65492cc7756c5a014c812cc620458462b7fcde15251068f964adebd98d61756fd340fc51a68392f8ef58d2debbb8b53fb34ccea3b68cf65cfd34dff42ba

    • SSDEEP

      98304:fU5DjBYQQ/2Kp7d5QDJCqVuc6TjEj/K8h+5:iDjel/jp7d5+kqN6TY+L5

    Score
    7/10
    evasioncollectioncredential_accessdiscoveryimpactpersistence

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

      collectioncredential_accessimpact

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

      evasionpersistence

    • Queries information about active data network

      discovery

    • Queries the mobile country code (MCC)

      discovery

    • Reads information about phone network operator.

      discovery
    behavioral12behavioral13behavioral14

    • Target

      Stick War_ Legacy.apk

    • Size

      3.2MB

    • MD5

      ae5770ecb741649cd470d645dd611843

    • SHA1

      d6d29b4466c5139b9ea5b63d2b85150d6604abc5

    • SHA256

      ba39a4b76ab656532003e560476b9a295df488f50195c6b9d7ac523b6d07aab4

    • SHA512

      dda845e67dedf51508205f6aa7ffd8d19fcad0f0077178c71b8f65a96cb4096d3f326f52c081ea003f78703fdbbbff79f77b3618fd06717be67987627d0f524f

    • SSDEEP

      98304:mO76p/xfKx1ppTyRwkrB0z+X0iXN9ALEjTRVShd:mi6FxfKxjdy66B0z+EiZnKT

    Score
    7/10
    collectioncredential_accessdiscoveryevasionimpactpersistence

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

      collectioncredential_accessimpact

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

      evasionpersistence

    • Queries information about active data network

      discovery

    • Queries the mobile country code (MCC)

      discovery

    • Reads information about phone network operator.

      discovery
    behavioral15behavioral16behavioral17

    • Target

      Undead_Defense_Tycoon_Script.apk

    • Size

      3.2MB

    • MD5

      fc35546a7395a68b6440de033afa789d

    • SHA1

      4afc8724e58084164148b7ce518ede8b203dce3c

    • SHA256

      c1b81966fa17c4e7d5137f13b2f4d04704c97d66a54d57dcfc1f42ad1f4029e7

    • SHA512

      ae32d9e7d7403a6ab0429da69fe4f803001a077327a0f103ccc9bcb90b17973ef10be8dc2cbf1909549a04f1eff5e85c81c2dfc2d99ba7fa93369efa47beca6c

    • SSDEEP

      98304:BaqBN1el9eL+FB8Y2nzDNWbVAneM/EjF+894S:oqX1nk52n05AehERS

    Score
    7/10
    evasioncollectioncredential_accessdiscoveryimpactpersistence

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

      collectioncredential_accessimpact

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

      evasionpersistence

    • Queries information about active data network

      discovery

    • Queries the mobile country code (MCC)

      discovery

    • Reads information about phone network operator.

      discovery
    behavioral18behavioral19behavioral20

    • Target

      antivirus.apk

    • Size

      533KB

    • MD5

      9f01767647e2e72f446d374bbcb20c53

    • SHA1

      f6b1adcd7723b525418a05bcede5c671366d7ab3

    • SHA256

      fcee982b3d0e1601b40078d98df03503668aec7542721f921ae8248bc3cec3a1

    • SHA512

      4b9dc2dc08f015ed96a3ce30978994314d3edca84348eb62e7cb65d4d5477f179c44c80cc0a67863bc119555d0217f57681d047ce98ec405bd5eeaf2da8280ed

    • SSDEEP

      12288:kjRH6+O//n3tKpSsM+1HA+x283ecVS3EVqPlR6i0Ci3jM34D9Z:kN6+ONjstg38OOS3EW6i0C+M3SZ

    Score
    7/10
    collectionimpactprivilege_escalation
    behavioral21behavioral22behavioral23

    • Target

      b3f23bdd3dea208f05de7a5b9ea928758187b3f2b0f4f5733c8bdb3298818ec0.apk

    • Size

      3.7MB

    • MD5

      f17c846775fe7d69c25b1f9834ec31d9

    • SHA1

      642e9c6595ed94cf6040c9a66e4431b04a62a2a3

    • SHA256

      b3f23bdd3dea208f05de7a5b9ea928758187b3f2b0f4f5733c8bdb3298818ec0

    • SHA512

      2f9883be40f1b9fda7ef9bd432c7d32e5adf6222e5bc9dbeed974f7e101a8c8af39f3bdd059fb0b83cb7e0d034f1ac85bc860bba30eb46b2da7f6d02657c70c9

    • SSDEEP

      98304:qmVDDWjqPP2X1180Q046fgVPwLBqylSWFk5uYUbLCJrn:p3WjqX2l2046qPwLB/lS+kpUnu

    Score
    10/10
    tispycollectiondiscoveryevasioninfostealerpersistencespywaretrojan

    • TiSpy

      TiSpy is an Android stalkerware.

      trojaninfostealerspywaretispy

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Queries information about the current nearby Wi-Fi networks

      Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

      discovery

    • Queries the phone number (MSISDN for GSM devices)

      discovery

    • Requests cell location

      Uses Android APIs to to get current cell location.

      collectiondiscoveryevasion

    • Acquires the wake lock

    • Queries information about active data network

      discovery

    • Queries information about the current Wi-Fi connection

      Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

      discovery

    • Queries the mobile country code (MCC)

      discovery

    • Reads information about phone network operator.

      discovery
    behavioral24

    • Target

      e8947bc9fb2bd597daba3064d5fab275d8df2beac92f301063f22fe276dcbc10.apk

    • Size

      3.5MB

    • MD5

      990bf5a2e9a7c90c75c9c07bf4a5e634

    • SHA1

      ade24475ee8a9a2a0eec43772bbc02aeacb5926c

    • SHA256

      e8947bc9fb2bd597daba3064d5fab275d8df2beac92f301063f22fe276dcbc10

    • SHA512

      40419371a8dd596e8930e298e0d5470efd168a6d1a8425b8aa6eeb4e495cbc49580f234ac4278117600e2ff516ebdd867e6d395d67c80ce56660d1c8ca9ec92f

    • SSDEEP

      98304:8mRW7NIyWHAt/2qcPf7K+KjXZKBEjzZST:8R7Wgt/GPjKPFK2XC

    Score
    7/10
    discoveryevasionpersistence

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

      evasionpersistence

    • Queries information about active data network

      discovery

    • Queries the mobile country code (MCC)

      discovery

    • Reads information about phone network operator.

      discovery
    behavioral25

    • Target

      insta_followers.apk

    • Size

      4.6MB

    • MD5

      51064cc8676f45813dec4c5a1c1ce150

    • SHA1

      e9d2c7b278c98f85481176c6089b2a74120c6b56

    • SHA256

      e232bbfa86980003e46cd2019243e2579b15c844957cd21e70f8d4300ce25f78

    • SHA512

      e380e740f4a91013e07e05848ebc4e64ac8278425697cd1da110ec940f6884402d4974302eff493ac685f6969d732e63e95304aaad9742e06f9d8fcd7da3d722

    • SSDEEP

      98304:SjbFZKFifcyWk4D+zfro+Pr0hOR6G21GB/EjJ9:IhsFTkP4h8F8b

    Score
    7/10
    evasionimpact

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion
    behavioral26behavioral27behavioral28

    • Target

      xxx.apk

    • Size

      1.3MB

    • MD5

      a36c03f774b76ed4ef5b006a87df6044

    • SHA1

      7fe65ebb68b4230ecab0cdb0bd8118bb4977c9aa

    • SHA256

      a56cc7c5357f5a7a0e3eb1ac6c0c7a57e8c2fcc3921b6075e200ebfec2154020

    • SHA512

      0405ba700fd5149ca38ed8fa1ecc905141512985a081d9ebc612d251ab693d6d861c501351f83c213a4c4036a8f64eec0b1bdd3b1ddb3dd400fdc75e83e291bd

    • SSDEEP

      24576:s9VZHdEZhZDzNj/cUh0gY1nR7xBGBv/K3938C4SQHKAeXY+s2xnmRkAYRJzJCO24:s9VZHdEfph7cUSgY1JxovsQqPXz5xnKU

    Score
    1/10
    behavioral29

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1626

Device Administrator Permissions

1
T1626.001

Defense Evasion

Download New Code at Runtime

1
T1407

Execution Guardrails

1
T1627

Geofencing

1
T1627.001

Foreground Persistence

1
T1541

Indicator Removal on Host

1
T1630

Uninstall Malicious Application

1
T1630.001

Virtualization/Sandbox Evasion

1
T1633

System Checks

1
T1633.001

Credential Access

Clipboard Data

1
T1414

Discovery

Location Tracking

1
T1430

System Information Discovery

1
T1426

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

3
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Location Tracking

1
T1430

Protected User Data

1
T1636

Contact List

1
T1636.003

Command and Control

Exfiltration

Impact

Account Access Removal

1
T1640

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Tasks

static1

slockerwipelock
Score
10/10

behavioral1

tispycollectiondiscoveryevasioninfostealerpersistencespywaretrojan
Score
10/10

behavioral2

Score
1/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

tispycollectiondiscoveryevasioninfostealerpersistencespywaretrojan
Score
10/10

behavioral6

evasion
Score
7/10

behavioral7

collectioncredential_accessdiscoveryevasionimpactpersistence
Score
7/10

behavioral8

collectioncredential_accessdiscoveryevasionimpactpersistence
Score
7/10

behavioral9

evasion
Score
6/10

behavioral10

Score
1/10

behavioral11

evasion
Score
6/10

behavioral12

evasion
Score
7/10

behavioral13

Score
1/10

behavioral14

collectioncredential_accessdiscoveryevasionimpactpersistence
Score
7/10

behavioral15

Score
1/10

behavioral16

collectioncredential_accessdiscoveryevasionimpactpersistence
Score
7/10

behavioral17

collectioncredential_accessdiscoveryevasionimpactpersistence
Score
7/10

behavioral18

evasion
Score
7/10

behavioral19

collectioncredential_accessdiscoveryevasionimpactpersistence
Score
7/10

behavioral20

collectioncredential_accessdiscoveryevasionimpactpersistence
Score
7/10

behavioral21

collectionimpactprivilege_escalation
Score
7/10

behavioral22

collection
Score
7/10

behavioral23

collectionimpactprivilege_escalation
Score
7/10

behavioral24

tispycollectiondiscoveryevasioninfostealerpersistencespywaretrojan
Score
10/10

behavioral25

discoveryevasionpersistence
Score
7/10

behavioral26

evasionimpact
Score
7/10

behavioral27

evasionimpact
Score
7/10

behavioral28

evasionimpact
Score
7/10

behavioral29

Score
1/10