Malware Analysis Report

2024-10-19 11:45

Sample ID 240808-ck4mzssaqe
Target 1733625b4976afb39f3c68bbd4b9b51695aff9810db15394cbae873909067f23
SHA256 1733625b4976afb39f3c68bbd4b9b51695aff9810db15394cbae873909067f23
Tags: tispy collection discovery evasion infostealer persistence spyware trojan

Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 1733625b4976afb39f3c68bbd4b9b51695aff9810db15394cbae873909067f23 was found to be: Known bad.

Malicious Activity Summary

TiSpy

Requests cell location

Queries the phone number (MSISDN for GSM devices)

Queries information about the current nearby Wi-Fi networks

Loads dropped Dex/Jar

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator

Requests dangerous framework permissions

Acquires the wake lock

Queries information about active data network

Declares services with permission to bind to the system

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-08 02:09

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows the app to answer an incoming phone call. | android.permission.ANSWER_PHONE_CALLS | N/A | N/A
Allows an application to see the number being dialed during an outgoing call, with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-08 02:09

Reported: 2024-08-08 02:12

Platform: android-x86-arm-20240624-en

Max time kernel: 47s

Max time network: 131s

Command Line

com.sqhnyhot.iqivheju

Signatures

TiSpy

Tags: trojan infostealer spyware tispy

Loads dropped Dex/Jar

Tags: evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.sqhnyhot.iqivheju/files/dex/MZRKudjucXrrOZEEK.zip | N/A | N/A
N/A | /data/user/0/com.sqhnyhot.iqivheju/files/dex/MZRKudjucXrrOZEEK.zip | N/A | N/A
N/A | /data/user/0/com.sqhnyhot.iqivheju/files/dex/e29643bd0c19dc8a.zip | N/A | N/A
N/A | /data/user/0/com.sqhnyhot.iqivheju/files/dex/e29643bd0c19dc8a.zip | N/A | N/A
N/A | /data/user/0/com.sqhnyhot.iqivheju/files/dex/MZRKudjucXrrOZEEK.zip | N/A | N/A
N/A | /data/user/0/com.sqhnyhot.iqivheju/files/dex/e29643bd0c19dc8a.zip | N/A | N/A

Queries information about the current nearby Wi-Fi networks

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

Tags: discovery

Requests cell location

Tags: collection discovery evasion

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.sqhnyhot.iqivheju

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sqhnyhot.iqivheju/files/dex/MZRKudjucXrrOZEEK.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.sqhnyhot.iqivheju/files/dex/oat/x86/MZRKudjucXrrOZEEK.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sqhnyhot.iqivheju/files/dex/e29643bd0c19dc8a.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.sqhnyhot.iqivheju/files/dex/oat/x86/e29643bd0c19dc8a.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
GB | 216.58.204.74:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.sqhnyhot.iqivheju/files/dex/MZRKudjucXrrOZEEK.zip

/data/user/0/com.sqhnyhot.iqivheju/files/dex/MZRKudjucXrrOZEEK.zip

/data/user/0/com.sqhnyhot.iqivheju/files/dex/MZRKudjucXrrOZEEK.zip

/data/data/com.sqhnyhot.iqivheju/files/dex/e29643bd0c19dc8a.zip

/data/user/0/com.sqhnyhot.iqivheju/files/dex/e29643bd0c19dc8a.zip

/data/user/0/com.sqhnyhot.iqivheju/files/dex/e29643bd0c19dc8a.zip

/data/data/com.sqhnyhot.iqivheju/files/dex/pro_btn_bg_animation_img_0.jpg.zip

/data/data/com.sqhnyhot.iqivheju/files/477973.so

/data/data/com.sqhnyhot.iqivheju/logs/Sistema1723082957746.log

/data/data/com.sqhnyhot.iqivheju/databases/privatesms.db-journal

/data/data/com.sqhnyhot.iqivheju/databases/privatesms.db

/data/data/com.sqhnyhot.iqivheju/databases/privatesms.db-shm

/data/data/com.sqhnyhot.iqivheju/databases/privatesms.db-wal
