tispy | 51baf4bc48db631e887ded88c0beb05b7a2f6f26ad2d122ee7c6cca6678752f5

Analysis

max time kernel
48s
max time network
128s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
05-08-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3f23bdd3dea208f05de7a5b9ea928758187b3f2b0f4f5733c8bdb3298818ec0.apk
Size

3.7MB
MD5

f17c846775fe7d69c25b1f9834ec31d9
SHA1

642e9c6595ed94cf6040c9a66e4431b04a62a2a3
SHA256

b3f23bdd3dea208f05de7a5b9ea928758187b3f2b0f4f5733c8bdb3298818ec0
SHA512

2f9883be40f1b9fda7ef9bd432c7d32e5adf6222e5bc9dbeed974f7e101a8c8af39f3bdd059fb0b83cb7e0d034f1ac85bc860bba30eb46b2da7f6d02657c70c9
SSDEEP

98304:qmVDDWjqPP2X1180Q046fgVPwLBqylSWFk5uYUbLCJrn:p3WjqX2l2046qPwLB/lS+kpUnu

Score

10^/10

tispy collection discovery evasion infostealer persistence spyware trojan

Malware Config

Signatures

TiSpy
TiSpy is an Android stalkerware.
trojan infostealer spyware tispy

Loads dropped Dex/Jar 1 TTPs 6 IoCs

Runs executable file dropped to the device during analysis.

evasion

T1407

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.ygvezckt.rwqaztkw/files/dex/oat/x86/316f40170801e947.odex --compiler-filter=quicken --class-loader-context=&com.ygvezckt.rwqaztkw/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip --output-vdex-fd=45 --oat-fd=44 --oat-location=/data/user/0/com.ygvezckt.rwqaztkw/files/dex/oat/x86/lLtoeVfIDbcROVZBX.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	process
/data/user/0/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip	4257	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.ygvezckt.rwqaztkw/files/dex/oat/x86/316f40170801e947.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip	4228	com.ygvezckt.rwqaztkw
/data/user/0/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip	4281	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip --output-vdex-fd=45 --oat-fd=44 --oat-location=/data/user/0/com.ygvezckt.rwqaztkw/files/dex/oat/x86/lLtoeVfIDbcROVZBX.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip	4228	com.ygvezckt.rwqaztkw
/data/user/0/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip	4228	com.ygvezckt.rwqaztkw
/data/user/0/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip	4228	com.ygvezckt.rwqaztkw

Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.
discovery

T1421

Processes:

com.ygvezckt.rwqaztkw

description ioc process

Framework service call android.net.wifi.IWifiManager.getScanResults com.ygvezckt.rwqaztkw
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

T1422
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
collection discovery evasion

T1430

T1627.001

Processes:

com.ygvezckt.rwqaztkw

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.ygvezckt.rwqaztkw
Acquires the wake lock 1 IoCs

Processes:

com.ygvezckt.rwqaztkw

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.ygvezckt.rwqaztkw
Queries information about active data network 1 TTPs 1 IoCs
discovery

T1421

Processes:

com.ygvezckt.rwqaztkw

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.ygvezckt.rwqaztkw
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

T1421

Processes:

com.ygvezckt.rwqaztkw

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.ygvezckt.rwqaztkw
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

T1422

Processes:

com.ygvezckt.rwqaztkw

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.ygvezckt.rwqaztkw
Reads information about phone network operator. 1 TTPs
discovery

T1422
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

T1624.001

Processes:

com.ygvezckt.rwqaztkw

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.ygvezckt.rwqaztkw

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getScanResults	com.ygvezckt.rwqaztkw

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.ygvezckt.rwqaztkw

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.ygvezckt.rwqaztkw

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.ygvezckt.rwqaztkw

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.ygvezckt.rwqaztkw

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.ygvezckt.rwqaztkw

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.ygvezckt.rwqaztkw

com.ygvezckt.rwqaztkw
1⤵
- Loads dropped Dex/Jar
- Queries information about the current nearby Wi-Fi networks
- Requests cell location
- Acquires the wake lock
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4228

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.ygvezckt.rwqaztkw/files/dex/oat/x86/316f40170801e947.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:4257

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip --output-vdex-fd=45 --oat-fd=44 --oat-location=/data/user/0/com.ygvezckt.rwqaztkw/files/dex/oat/x86/lLtoeVfIDbcROVZBX.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:4281

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.ygvezckt.rwqaztkw/databases/privatesms.db
Filesize
16KB

MD5
3621ce0aa81e37bc5c80e2cf881f1dd0

SHA1
00365f82dcada94caea07443656848baf60b3bd9

SHA256
8620d146b06037c9dc98b8788c3137344eb9d7e1f8b982ffec4c1d8549f24dd5

SHA512
76bb7175359d61ce39e95008269752de25769c4e274b4bcf37b920bc2cbfb680b2a4a88de860ed069655d1f47604638b0301c2c6131107cd929348895d73d2bf

Download Submit
/data/data/com.ygvezckt.rwqaztkw/databases/privatesms.db-journal
Filesize
512B

MD5
b61ca75f7c09d267f8c008a6caf0c4b8

SHA1
e1ba2fe5d5eea6c29c7f3cb12a83e31e4c2c3144

SHA256
a5910635554b2ae348790b255e1ca41fceaf9bf28d921529322fd45eda50578d

SHA512
8c5b4f27a152b3ccdb890832a7b6897ce618cf57a0cc4f423d3dff7aa1f8b86a77b64c78ea80e85e885a4e3d58d7d69fb264f6e5e1a5f069adcb89782d8628d4

Download Submit
/data/data/com.ygvezckt.rwqaztkw/databases/privatesms.db-shm
Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.ygvezckt.rwqaztkw/databases/privatesms.db-wal
Filesize
28KB

MD5
1b813f308efeab47760ecc2d8ea1fad4

SHA1
01799628c2445f111cedda26c1c938aa3b8118b5

SHA256
dddcb53374f0b66cf5f223cb310a874f6a2083ea2ba1d04ccaff8d24a1089a09

SHA512
fa17d55d0594b7c1caa486b2ad631bc2636a49951ad43bc341b3b1e37c2a152afe80239f9b45700bda5c3bf234dec215b10f1685b6a7b6c62b5fd6dd2022dd07

Download Submit
/data/data/com.ygvezckt.rwqaztkw/files/477458.so
Filesize
145KB

MD5
8767a74133b3328c2a87a24893142ec2

SHA1
c1c48bcab9d7bf804cad029656d8b79bf8655d29

SHA256
80afd0eea39b125cd5a2f300a3b50302f002ff332943f71bd46d7ce5914e0f82

SHA512
96a2d70a2adfef8b8da4fc8c6b2be0b7eed0c33f76770093799fd3bbccf1b766290151cbd65981634c821baabdd8d445a6f66cf955045f0f402286b61aab2d7c

Download Submit
/data/data/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip
Filesize
548KB

MD5
1b463ebe439550e65863364d145f3633

SHA1
06a1d114d31cc0c0735f6e865290de0df66534fc

SHA256
402745874a8f4229a51c30bb0a3fc4a383d5d2bdecf43f73920c7ec59f402631

SHA512
45be5088110b35464faac2c708084e5337ddf5f89d582001582c47db28e04ab577dc036ee481b02f3743b3bfc1a0bc85cdf9185f23aa8e683a2890833b77be5a

Download Submit
/data/data/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip
Filesize
649KB

MD5
5631aac4cdaafaf80e13e30ca0f35df4

SHA1
a5c11f94c00875c38fcc29debd5ab1f01b6a6d20

SHA256
c65d54edc4dfb9bb13a51764be2b1a66e6ef781a6f1a18368d22aeea79f1af6c

SHA512
15c45aabc02a08dd369de2b9f3ba736ccdea4cd325e865b079810887d3cfbdf52a7286dbb0516630cc0f83d3fba0a99efcb2a1f37ce3ee0a50bae98eb731eb47

Download Submit
/data/data/com.ygvezckt.rwqaztkw/files/dex/pro_btn_bg_animation_img_0.jpg.zip
Filesize
8KB

MD5
7c20a2b01bf3f9df1f0abb72ebbe82be

SHA1
e601b2e41434623edbeece32867517a3cdec5449

SHA256
1a10cc3cd2dc21a9be2d2eb758fd19288082619d331245b927d0a9299462ea2e

SHA512
3faa6efbd3ebf6e1aff7ebe9958c5f94bbfe9c5ff9e11e9092b1b7301bbe6504c01b922d709303147e213b3cadce8e96462220a1d1bf4d6cdaec95b3f84bb1b4

Download Submit
/data/data/com.ygvezckt.rwqaztkw/logs/Sistema1722821223161.log
Filesize
15KB

MD5
59a270bf9697ac290d25416cc5d07de0

SHA1
c5e2e061c54d9f320ea3fc82310738c173e25d1b

SHA256
d5746aaa9f577df76ed1e5334519e23008b3e4918f3e1a83b96c2bd63e02dbd4

SHA512
b98af881e6ba7f80d8d1dd9252c880d5ce5b57b9c5054f518d7f32a88c6fb86e4f9049fe4384d71893490a3a9615b11f45a908ff9b47fc45d30141b91d0cab7c

Download Submit
/data/user/0/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip
Filesize
1.3MB

MD5
0141ce546517d0ff09558391ffe2c3d1

SHA1
c8da2607f42222cf6726f30015fce0e501df3c30

SHA256
4f647e2c0402fab82866f27337c18543123212e46abb52914e8c22bcff7382cf

SHA512
886f3fd3d8b891a8a1ced7552bb73e82b8eb390bf028570d1e5f1089863399dfe26184c4b6974968cc0a801ac1dadc768af157c386cda3fb0b810279680f48ce

Download Submit
/data/user/0/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip
Filesize
1.3MB

MD5
c276d68c66d80dfed813846189721519

SHA1
3006ae75be916f82d520f683322ce5b8af4be68b

SHA256
ba4227db1d3fb1d9befcdc67847e414b5070dd7e9d28e397c4cec1488309053e

SHA512
b5c1844af6bc735c26cb736691d864c3cb4ac567d49c8c0f5a3f73c7d8aa7de890900563a99a7e0a1e114cf561955225bea7522df876c338f380d03e502bb497

Download Submit
/data/user/0/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip
Filesize
1.7MB

MD5
0df030186d9f5c370a15db6223ca2eb7

SHA1
33a9951863ceaf037787cd169c4cf61fcb7bba1b

SHA256
ecf40b3088a5186d0c043c2248aaa1a509c4336ae7cad299741fb7fc7ba0b11c

SHA512
0777b4c68b58b428410554b9e420852cd3fb2f2bcfe7a48487b1564918c386ca5d80327a7dc9b9b2d8d55da5330296aabd1f866db3e068bbfb3a3d7f393547ae

Download Submit
/data/user/0/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip
Filesize
1.7MB

MD5
eba2e1ec82083be20ece86501cf4a651

SHA1
c7296d77e0ff6982396d13e1f6cc54b2be4b5f12

SHA256
7cd112ace3c9789beb88d7d75e3c664706505fc8c5ede01fc92fabb9da2700ec

SHA512
668f0e05318a9a1d8f28aa9f8796450422b0f5d722704bcb37e003d42951e7033053b2c38ba4bc1144b14bac9114d875e860f5ee8add0986234228e2dc9dfbaf

Download Submit