Analysis

max time kernel: 47s
max time network: 131s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 08-08-2024 02:09

Static task: static1
Behavioral task: behavioral1
Sample: 1733625b4976afb39f3c68bbd4b9b51695aff9810db15394cbae873909067f23.apk
Resource: android-x86-arm-20240624-en

General

Target: 1733625b4976afb39f3c68bbd4b9b51695aff9810db15394cbae873909067f23.apk
Size: 3.7MB
MD5: 7c4addaed9dad7985951d81d377b7343
SHA1: 5ed8bf700cb6bed532369122760c5a09514e5cb6
SHA256: 1733625b4976afb39f3c68bbd4b9b51695aff9810db15394cbae873909067f23
SHA512: 170f001fc9846f1dc00f301370139f6c958d566198238fc9ec047dfab7644d777ba0a0598cd9118dbd17c7746b84a85ce34c0d6b113fc482f5e1b7adea4b1dfc
SSDEEP: 98304:ylmK1/BjthXPCKwXaGZsOjFoMfGvzW8O4R25qGJ1:yTlBjTXqKaZshMfyW8Oc25qw1
Malware Config
Signatures
- TiSpy
  TiSpy is Android stalkerware.
- Loads dropped Dex/Jar (1 TTPs, 6 IoCs)
  Runs executable file dropped to the device during analysis. ART invokes dex2oat to compile code that a class loader opens at runtime; here it compiles two zip files under the app's private files/dex directory, that is, code the app wrote to disk after installation rather than code shipped inside the APK.
  Processes:
    /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sqhnyhot.iqivheju/files/dex/MZRKudjucXrrOZEEK.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.sqhnyhot.iqivheju/files/dex/oat/x86/MZRKudjucXrrOZEEK.odex --compiler-filter=quicken --class-loader-context=&
    com.sqhnyhot.iqivheju
    /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sqhnyhot.iqivheju/files/dex/e29643bd0c19dc8a.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.sqhnyhot.iqivheju/files/dex/oat/x86/e29643bd0c19dc8a.odex --compiler-filter=quicken --class-loader-context=&
  IoCs (ioc | pid | process):
    /data/user/0/com.sqhnyhot.iqivheju/files/dex/MZRKudjucXrrOZEEK.zip | 4340 | /system/bin/dex2oat (MZRKudjucXrrOZEEK.zip command line above)
    /data/user/0/com.sqhnyhot.iqivheju/files/dex/MZRKudjucXrrOZEEK.zip | 4312 | com.sqhnyhot.iqivheju
    /data/user/0/com.sqhnyhot.iqivheju/files/dex/e29643bd0c19dc8a.zip | 4363 | /system/bin/dex2oat (e29643bd0c19dc8a.zip command line above)
    /data/user/0/com.sqhnyhot.iqivheju/files/dex/e29643bd0c19dc8a.zip | 4312 | com.sqhnyhot.iqivheju
    /data/user/0/com.sqhnyhot.iqivheju/files/dex/MZRKudjucXrrOZEEK.zip | 4312 | com.sqhnyhot.iqivheju
    /data/user/0/com.sqhnyhot.iqivheju/files/dex/e29643bd0c19dc8a.zip | 4312 | com.sqhnyhot.iqivheju
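The dex2oat command lines above are the most reliable place to pick up the dropped artefacts, because ART compiles whatever a class loader opens. The following is an added example, not part of the sandbox report: it parses dex2oat argv, keeps only compiles whose --dex-file sits under an app-private directory, and derives the owning package from the path. The two command lines and pids are copied from the report; the private-directory rule, the DroppedDex shape and the function names are this example's own.

```python
"""Pull dropped-code IoCs out of dex2oat command lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# App-private storage roots (multi-user and legacy layouts). A dex/zip under
# one of these was written by the app after install, not shipped in the APK,
# which is exactly what "Loads dropped Dex/Jar" flags. Rule is this example's.
_PRIVATE_DIR = re.compile(r"^/data/(?:user/\d+|data)/(?P<pkg>[A-Za-z][\w.]*)/")


@dataclass(frozen=True)
class DroppedDex:
    pid: int                     # pid of the dex2oat process
    package: str                 # owning package, taken from the path
    dex_file: str                # --dex-file: the dropped artefact itself
    oat_location: Optional[str]  # --oat-location: where the compiled code lands
    compiler_filter: Optional[str]


def _values(args: List[str], name: str) -> List[str]:
    """Every value passed as --name=value (dex2oat accepts repeated --dex-file)."""
    prefix = f"--{name}="
    return [a[len(prefix):] for a in args if a.startswith(prefix)]


def parse_dex2oat(pid: int, cmdline: str) -> List[DroppedDex]:
    """One DroppedDex per --dex-file that lives under an app-private directory.

    Boot-image and /system/framework compiles do not match _PRIVATE_DIR, so
    routine dex2oat activity yields an empty list and does not raise noise.
    """
    args = cmdline.split()
    if not args or not args[0].endswith("dex2oat"):
        return []
    oat = _values(args, "oat-location")
    filt = _values(args, "compiler-filter")
    found: List[DroppedDex] = []
    for dex in _values(args, "dex-file"):
        m = _PRIVATE_DIR.match(dex)
        if m is None:
            continue
        found.append(DroppedDex(
            pid=pid,
            package=m.group("pkg"),
            dex_file=dex,
            oat_location=oat[0] if oat else None,
            compiler_filter=filt[0] if filt else None,
        ))
    return found


def extract_iocs(processes: List[Tuple[int, str]]) -> List[str]:
    """Sorted, de-duplicated dropped dex/zip paths across (pid, cmdline) events."""
    return sorted({d.dex_file for pid, cmd in processes for d in parse_dex2oat(pid, cmd)})


# Copied from the report: the two dex2oat invocations spawned for com.sqhnyhot.iqivheju.
SAMPLE_PROCESSES: List[Tuple[int, str]] = [
    (4340, "/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sqhnyhot.iqivheju/files/dex/MZRKudjucXrrOZEEK.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.sqhnyhot.iqivheju/files/dex/oat/x86/MZRKudjucXrrOZEEK.odex --compiler-filter=quicken --class-loader-context=&"),
    (4363, "/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sqhnyhot.iqivheju/files/dex/e29643bd0c19dc8a.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.sqhnyhot.iqivheju/files/dex/oat/x86/e29643bd0c19dc8a.odex --compiler-filter=quicken --class-loader-context=&"),
]

if __name__ == "__main__":
    for pid, cmd in SAMPLE_PROCESSES:
        for d in parse_dex2oat(pid, cmd):
            print(f"pid {d.pid}: {d.package} compiled {d.dex_file} -> {d.oat_location} ({d.compiler_filter})")
    print("dropped dex IoCs:", extract_iocs(SAMPLE_PROCESSES))
```

On a device the same parser can be fed the argv of dex2oat processes from `ps -A -o PID,ARGS` or from logcat; the files it names are what to pull with adb for static triage, and their hashes belong next to the APK's own in the IoC set.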
- Queries information about the current nearby Wi-Fi networks (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.
  Processes: com.sqhnyhot.iqivheju
  IoCs (description | ioc | process):
    Framework service call | android.net.wifi.IWifiManager.getScanResults | com.sqhnyhot.iqivheju
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Requests cell location (2 TTPs, 1 IoCs)
  Uses Android APIs to get the current cell location.
  Processes: com.sqhnyhot.iqivheju
  IoCs (description | ioc | process):
    Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | com.sqhnyhot.iqivheju
- Acquires the wake lock (1 IoCs)
  Processes: com.sqhnyhot.iqivheju
  IoCs (description | ioc | process):
    Framework service call | android.os.IPowerManager.acquireWakeLock | com.sqhnyhot.iqivheju
- Queries information about active data network (1 TTPs, 1 IoCs)
  Processes: com.sqhnyhot.iqivheju
  IoCs (description | ioc | process):
    Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.sqhnyhot.iqivheju
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Processes: com.sqhnyhot.iqivheju
  IoCs (description | ioc | process):
    Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.sqhnyhot.iqivheju
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  Processes: com.sqhnyhot.iqivheju
  IoCs (description | ioc | process):
    Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.sqhnyhot.iqivheju
- Reads information about phone network operator (1 TTPs)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  Processes: com.sqhnyhot.iqivheju
  IoCs (description | ioc | process):
    Framework service call | android.app.IActivityManager.registerReceiver | com.sqhnyhot.iqivheju
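Individually, each of the framework calls above is also made by benign apps; the combination is what matters. Nearby BSSIDs from getScanResults together with the serving cell from getCellLocation resolve to a position through public geolocation databases, so a process that does both is tracking location without ever touching the GPS provider, and acquireWakeLock plus a runtime-registered receiver is the usual way of staying alive to keep doing it. One caveat a practitioner should keep in mind: on Android 9, the image used here, both getScanResults and getCellLocation are gated behind a location runtime permission, so this pattern presupposes the user granted location access even though no GPS call appears. The following is an added example, not part of the report: it reads rows in the report's own "Framework service call <ioc> <process>" form, buckets the calls, and emits composite findings. The seven sample rows are taken from the report; the bucket names, the composite rules and the function names are this example's own.

```python
"""Turn framework service-call IoCs into capability findings (added example)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Row shape used by the report: description | ioc (Binder interface.method) | process.
_ROW = re.compile(r"^Framework service call\s+(?P<call>[\w.]+)\s+(?P<proc>\S+)$")

# Binder method -> capability bucket. Only calls present in the report are listed;
# the bucket names are this example's own.
CAPABILITY: Dict[str, str] = {
    "android.net.wifi.IWifiManager.getScanResults": "wifi_scan",        # BSSIDs of nearby APs
    "android.net.wifi.IWifiManager.getConnectionInfo": "wifi_conn",     # SSID/BSSID of current AP
    "com.android.internal.telephony.ITelephony.getCellLocation": "cell_location",
    "com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone": "mcc",
    "android.net.IConnectivityManager.getActiveNetworkInfo": "net_state",
    "android.os.IPowerManager.acquireWakeLock": "wake_lock",
    "android.app.IActivityManager.registerReceiver": "dyn_receiver",
}

# Combinations that say more than any single call. Each rule fires only when
# every listed bucket was observed for the same process.
COMPOSITE: Dict[str, Set[str]] = {
    # Wi-Fi BSSIDs + serving cell resolve to a position without a GPS fix.
    "passive_location_tracking": {"wifi_scan", "cell_location"},
    # Holding the CPU awake and reacting to system broadcasts keeps collection running.
    "background_persistence": {"wake_lock", "dyn_receiver"},
}


def parse_rows(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """process -> set of 'interface.method' strings; rows that do not match are skipped."""
    per_proc: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = _ROW.match(line.strip())
        if m:
            per_proc[m.group("proc")].add(m.group("call"))
    return dict(per_proc)


def capabilities(calls: Set[str]) -> Set[str]:
    """Buckets hit by a set of calls; unknown methods are ignored rather than guessed."""
    return {CAPABILITY[c] for c in calls if c in CAPABILITY}


def findings(calls: Set[str]) -> List[str]:
    """Composite rules fully satisfied by the observed calls, sorted by name."""
    caps = capabilities(calls)
    return sorted(name for name, needed in COMPOSITE.items() if needed <= caps)


def analyse(lines: Iterable[str]) -> Dict[str, Dict[str, List[str]]]:
    """Per-process summary: sorted capability buckets and composite findings."""
    return {
        proc: {"capabilities": sorted(capabilities(calls)), "findings": findings(calls)}
        for proc, calls in parse_rows(lines).items()
    }


# Copied from the report's IoC rows for com.sqhnyhot.iqivheju.
SAMPLE_LINES: List[str] = [
    "Framework service call android.net.wifi.IWifiManager.getScanResults com.sqhnyhot.iqivheju",
    "Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.sqhnyhot.iqivheju",
    "Framework service call android.os.IPowerManager.acquireWakeLock com.sqhnyhot.iqivheju",
    "Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.sqhnyhot.iqivheju",
    "Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.sqhnyhot.iqivheju",
    "Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.sqhnyhot.iqivheju",
    "Framework service call android.app.IActivityManager.registerReceiver com.sqhnyhot.iqivheju",
]

if __name__ == "__main__":
    for proc, summary in analyse(SAMPLE_LINES).items():
        print(proc, summary)
```

The rules are deliberately conjunctive: a weather widget calls getConnectionInfo, a carrier app calls getNetworkCountryIsoForPhone, but the wifi_scan + cell_location pair in a process with no visible location feature is the behaviour worth escalating.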
Processes

- com.sqhnyhot.iqivheju (PID 4312)
  - Loads dropped Dex/Jar
  - Queries information about the current nearby Wi-Fi networks
  - Requests cell location
  - Acquires the wake lock
  - Queries information about active data network
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  Child processes:
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sqhnyhot.iqivheju/files/dex/MZRKudjucXrrOZEEK.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.sqhnyhot.iqivheju/files/dex/oat/x86/MZRKudjucXrrOZEEK.odex --compiler-filter=quicken --class-loader-context=& (PID 4340)
    - Loads dropped Dex/Jar
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sqhnyhot.iqivheju/files/dex/e29643bd0c19dc8a.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.sqhnyhot.iqivheju/files/dex/oat/x86/e29643bd0c19dc8a.odex --compiler-filter=quicken --class-loader-context=& (PID 4363)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Downloads
- Filesize: 16KB
  MD5: 3621ce0aa81e37bc5c80e2cf881f1dd0
  SHA1: 00365f82dcada94caea07443656848baf60b3bd9
  SHA256: 8620d146b06037c9dc98b8788c3137344eb9d7e1f8b982ffec4c1d8549f24dd5
  SHA512: 76bb7175359d61ce39e95008269752de25769c4e274b4bcf37b920bc2cbfb680b2a4a88de860ed069655d1f47604638b0301c2c6131107cd929348895d73d2bf
- Filesize: 512B
  MD5: 221f5cfcd08fd53a352b068e917bea6a
  SHA1: d1a66e85c3b3176f1812da9a3b9c17889d494ffe
  SHA256: b525e579257bfc0181be56f488db24912cdb36a94ebf675e436235c5b16deff1
  SHA512: f21d2545384147703cd71381bf065f223b888a45b0c68783fde6853c4b21460b6ccba81064d47081a8e9eeb4349330d94c82b8427004c90f51ae3242f5fbebd3
- Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
- Filesize: 28KB
  MD5: 6337eeba6dce3d11d2ba00968abb0c93
  SHA1: ab9431510a6adbfc710688f8d7e66d54eb902913
  SHA256: 35fde79f232938835c9108a4974ada68872f8a9b24bcd5714f0283b031588867
  SHA512: c6eec57bbbb3cfa8420e4c4a325da1b85de2c6683032c42e419b670108169ebdb6957be3fbb5bc2546751c6e0e917263fafb3448c3d471bb5f4a431a45b07697
- Filesize: 145KB
  MD5: f6cf89b01ee7bafbbdfb50defc34a9b3
  SHA1: 68403beb298746babd31c4217e4f2a22ed67b20f
  SHA256: d4be8f7d06335b267b56a17543cad9758a87443fa5794c39acb9042a320edcb2
  SHA512: cb846e507ceb0d6394944760ddd5a9350a10e12931a4fc89c65a26252a1400694ab2a64ff2a5bb4079d7fd3ee9a2db45542b25bdfb46575b8323bfb084fe1806
- Filesize: 649KB
  MD5: a86f007e3e35ed7a75069651cad761ae
  SHA1: a21d90d909a99b91d2caa1f33a280136fbd2af03
  SHA256: 9f82d2bfa747a7d981d8990a1fdd704268d39939e2596eec5d02378c6b06b7dd
  SHA512: e8ab8bd295ed84bd2d9e4c2e094f0930b4786357a820713bb4c4f517277a6632745531d8c30413312f67fd3860b0d58579ebb5ec8197feaf7f108b63eeb29c67
- Filesize: 548KB
  MD5: 7bf8b3ccb234272653c57f36d5a49011
  SHA1: 7cff5c50ec2b39d15902498619dbdc25cb89197a
  SHA256: 9108bd88f5a9fdcdf8e4b6dd04bd22f08a415fb6ef9a7549bdd9599dab3c6209
  SHA512: 32666d7bf9dd81601631b365ddcd76f194dbceb87419245d0023de52e05e0ea82864c0b5ceafb8912e226ed49050ccb5eea133a5c9559680e6bb5c214dcfb8de
- Filesize: 8KB
  MD5: 7c20a2b01bf3f9df1f0abb72ebbe82be
  SHA1: e601b2e41434623edbeece32867517a3cdec5449
  SHA256: 1a10cc3cd2dc21a9be2d2eb758fd19288082619d331245b927d0a9299462ea2e
  SHA512: 3faa6efbd3ebf6e1aff7ebe9958c5f94bbfe9c5ff9e11e9092b1b7301bbe6504c01b922d709303147e213b3cadce8e96462220a1d1bf4d6cdaec95b3f84bb1b4
- Filesize: 15KB
  MD5: 82cfde95d367fae10c6e973ba81c59e7
  SHA1: e3e83cd1892cdb36312e44e5f1492129193b2374
  SHA256: 40070a0175c6e6e3141dd06bb555858c19b135c199d7c508c74e4013fff29e09
  SHA512: 61a8ec8f0e4ff5f1b9ef0b57599e1b106625fd4bd1afd9f8058b270ea0ed1f9053e73b210cd55088bbc0fc04095513e81d3e139ac8678ba84d720bf94f6602cd
- Filesize: 1.7MB
  MD5: b523917fc80a55f2a84bd20be3e8fd93
  SHA1: 3ae198c850dae526577782465b66d1ef6dc34bcf
  SHA256: 750bd2ccaf5a40a4303ea5e5558a853d69a9f369c39d42b359685e3a1998590a
  SHA512: 9969c1c791e023282b88354fd7197245778b08eed0a6dc784c38a0bca2d8b4b932bda454c9b9088e9a27238b9aa73ed1676a4b9d90a84e957f09ced47e7c63c1
- Filesize: 1.7MB
  MD5: a7df6945e04035a02d8b6d25a5b51ab6
  SHA1: 88e5029184407a100307017dc1fa21dcd44e32fa
  SHA256: 640aa06471bdb5e92f7d8509b42d95ab2b81d2926592aec923e6bcc476deb64d
  SHA512: 89ff473bae86c613590418c9be99ec28627db08f3d246c86f9e84f96f7199153ccda19321efbf6e9216098566db3eb171fcb5daa0f2b9c19c6b06cee9e2b9d6f
- Filesize: 1.3MB
  MD5: c850fabc3095283199a552ffa3236bb5
  SHA1: a368febbf62a61feb14d4352c72601f42e5643b6
  SHA256: 5397d6f7c58444216c4ed8ccbac836d3f8334a5c9a2784fe56e9520658fd4bfb
  SHA512: ba4c8a29fc6a013139ad35d4bd9bd758c20421994f8296be03ef870439a66181134c66bfd8680b4e7da073e6fa0427597589645b7efb1f0d9954673e187d5d56
- Filesize: 1.3MB
  MD5: 927f34d05059761915ac80bc259333e4
  SHA1: 53435e32d5c5bbddc78b9d6bd4106333e99756b3
  SHA256: 239c67f7a80bf987d1e29f74cb947a471af87f5a7f4d38763f7a12d1ec91e80b
  SHA512: 6c510eaf770ceb4b30d949e0bd6240994f7dec33952a5de8450d763e9d4da8103dac38213bed109bdbf3c8c66e4b0fdf3eadde916ddc4f4d5c621742ae54a4a7