Analysis
-
max time kernel
47s -
max time network
131s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system -
submitted
10-08-2024 01:32
Static task
static1
Behavioral task
behavioral1
Sample
9da384315a6a26bf7643ef1b72d922735c3a214eed168370716fd6ed758c8e5c.apk
Resource
android-x86-arm-20240624-en
General
-
Target
9da384315a6a26bf7643ef1b72d922735c3a214eed168370716fd6ed758c8e5c.apk
-
Size
3.5MB
-
MD5
8cc8a48283f4fcfe17612be889b56e72
-
SHA1
f95e96b47ce38c544367254ae11662d7e5421d12
-
SHA256
9da384315a6a26bf7643ef1b72d922735c3a214eed168370716fd6ed758c8e5c
-
SHA512
766723888f46cdf6fd52f32c0b8b1323909ac33c07c1d22cf59192ee5f7cc200fd47b33233eddc82e9c12702156fa4181c2621a2ecb3fcca99f64317573f9b79
-
SSDEEP
49152:8MmD+1PEvtjAo+70PL6YFsswaatFYiOsav22R9qak1IRPy1G9c/kZ1mse:lmD+q1jnP7Fw3fYvreH1Ipy4K/kZw
Malware Config
Signatures
-
TiSpy
TiSpy is an Android stalkerware.
-
Loads dropped Dex/Jar 1 TTPs 6 IoCs
Runs executable file dropped to the device during analysis.
Processes:
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/0403266e6e7e1ea9.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/oat/x86/0403266e6e7e1ea9.odex --compiler-filter=quicken --class-loader-context=&com.fwqxxsbl.gcqyjyxg/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/genCXMRwJdUzBEGAw.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/oat/x86/genCXMRwJdUzBEGAw.odex --compiler-filter=quicken --class-loader-context=&ioc pid process /data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/0403266e6e7e1ea9.zip 4278 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/0403266e6e7e1ea9.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/oat/x86/0403266e6e7e1ea9.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/0403266e6e7e1ea9.zip 4251 com.fwqxxsbl.gcqyjyxg /data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/genCXMRwJdUzBEGAw.zip 4303 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/genCXMRwJdUzBEGAw.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/oat/x86/genCXMRwJdUzBEGAw.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/genCXMRwJdUzBEGAw.zip 4251 com.fwqxxsbl.gcqyjyxg /data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/0403266e6e7e1ea9.zip 4251 com.fwqxxsbl.gcqyjyxg /data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/genCXMRwJdUzBEGAw.zip 4251 com.fwqxxsbl.gcqyjyxg -
Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.
Processes:
com.fwqxxsbl.gcqyjyxgdescription ioc process Framework service call android.net.wifi.IWifiManager.getScanResults com.fwqxxsbl.gcqyjyxg -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Requests cell location 2 TTPs 1 IoCs
Uses Android APIs to to get current cell location.
Processes:
com.fwqxxsbl.gcqyjyxgdescription ioc process Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.fwqxxsbl.gcqyjyxg -
Acquires the wake lock 1 IoCs
Processes:
com.fwqxxsbl.gcqyjyxgdescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock com.fwqxxsbl.gcqyjyxg -
Queries information about active data network 1 TTPs 1 IoCs
Processes:
com.fwqxxsbl.gcqyjyxgdescription ioc process Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.fwqxxsbl.gcqyjyxg -
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes:
com.fwqxxsbl.gcqyjyxgdescription ioc process Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.fwqxxsbl.gcqyjyxg -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
Processes:
com.fwqxxsbl.gcqyjyxgdescription ioc process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.fwqxxsbl.gcqyjyxg -
Reads information about phone network operator. 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
com.fwqxxsbl.gcqyjyxgdescription ioc process Framework service call android.app.IActivityManager.registerReceiver com.fwqxxsbl.gcqyjyxg
Processes
-
com.fwqxxsbl.gcqyjyxg1⤵
- Loads dropped Dex/Jar
- Queries information about the current nearby Wi-Fi networks
- Requests cell location
- Acquires the wake lock
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4251 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/0403266e6e7e1ea9.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/oat/x86/0403266e6e7e1ea9.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4278 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/genCXMRwJdUzBEGAw.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/oat/x86/genCXMRwJdUzBEGAw.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4303
Network
MITRE ATT&CK Mobile v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD53621ce0aa81e37bc5c80e2cf881f1dd0
SHA100365f82dcada94caea07443656848baf60b3bd9
SHA2568620d146b06037c9dc98b8788c3137344eb9d7e1f8b982ffec4c1d8549f24dd5
SHA51276bb7175359d61ce39e95008269752de25769c4e274b4bcf37b920bc2cbfb680b2a4a88de860ed069655d1f47604638b0301c2c6131107cd929348895d73d2bf
-
Filesize
512B
MD5a078aa21d8ce2b8bdf1d61de8b7fa82a
SHA18bd694b55d15fa15e56e6d89b00a7bcb25438651
SHA256f8f39e550b73be39ff83f7f652de938497252b199347a46f4f9b76d8c27742d7
SHA512bc37b04d81412af3face41ad5a5c00d6673375451f21121987ef2cbdb6c47282aa88ee651d130d04a7461880d7192568b95b2f18078b75c4839a188fc23ec3ab
-
Filesize
32KB
MD5bb7df04e1b0a2570657527a7e108ae23
SHA15188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
28KB
MD588183722e6b230e5f29ab19b2f4bbb87
SHA1f0c4312644545321c662404edc8ba586b66d1a9f
SHA25607ee8bdcfb575cdb3e8f7f87fcaae2efc7ba909bf5db89d892732b31b63c8da6
SHA512a675de56e5b5770cc565474249212339a84fb3cc445c153bddc3aa34ab46b5a700c1913bae39f9cedc9fbc1314643876c4a3c56c5aada79a55cd704ea819f72e
-
Filesize
145KB
MD5431bc96f3397cae478e3d83f45f20f46
SHA146957c13b1bec97a974833f9097f88199a346e94
SHA25607158e52ba60c58ddc771f6fd45c2f1c65bbbc154b826e931a309eaf17b0ff06
SHA512bdf62c794e34ec1534c87c06bcc2ed4a7662cd4a5565f71f2e1cdfa19a5a6ca0dfc935efda0e68ad78f8335e6b67286787b09c25a5050e38c24a302acd7f5575
-
Filesize
547KB
MD5cad969920acc3286d5430323c79459bc
SHA1d1d9cd747b28a1d17ef981f28ed3dac5ff15b583
SHA256dd60490b62377f881db49d6cb149db6466837aaa4e03fd016e34a8d4b9043226
SHA51218e3f557235fd1e0599a7085247436d2c412d744c2d224fbf194bea34fd103e9b5694dce6c1dc4332137724bd83db3c959048483484419843eacac5548b434c7
-
Filesize
649KB
MD55f27322d0d5e4ea4f76906787cfb563b
SHA184ed53db2e80a3c99c98a79c3fb486819c5cfb82
SHA256994aa5703ae93367b22754284bd170c274cbd05f053043261238b9d633451da9
SHA5129d639cb1158628805e6366054a988048dade415de31e997fa10a60067cc49f07391354ae1f58c13e9c304b66f7de661c548a810991106b2aeae0e4dbd84ebb9b
-
Filesize
8KB
MD57c20a2b01bf3f9df1f0abb72ebbe82be
SHA1e601b2e41434623edbeece32867517a3cdec5449
SHA2561a10cc3cd2dc21a9be2d2eb758fd19288082619d331245b927d0a9299462ea2e
SHA5123faa6efbd3ebf6e1aff7ebe9958c5f94bbfe9c5ff9e11e9092b1b7301bbe6504c01b922d709303147e213b3cadce8e96462220a1d1bf4d6cdaec95b3f84bb1b4
-
Filesize
15KB
MD510abc931b305c0e85bc2d9d91e9b3be9
SHA18412a7c883db53ad05b4f0fd29f4793063f80b74
SHA256e6d919253162e369f7adea93170af97ac595a8dbfd5d86eeac454d3b76d8ca16
SHA5120ca4de13f2caa0e4542a5b69d3c9f3f37cfb943bf6adf60283d97de0c8d81bca3f7f89015601f711694d4a352dcd15d95f67bf125aada8a6b02e0792a5adcef3
-
Filesize
1.3MB
MD526bc3d0409805223ba3ad9e63011c3fc
SHA1bc250dfa745e726764bac067a7498cd7ebfaca75
SHA256759e6d0306df81b5b32a279677a1b7e20a4bc5ecc7cff4a55c2b0c4faffaa156
SHA51250abea9fea6b4dce7c0a62a5a828303975bd56397f664c923d7c0a157089e2863820311498c43cff7f837f23c67c40b07280a8fc00b8aa89c3bc5e76eea3753b
-
Filesize
1.3MB
MD5527776d8791ba5677972eab364f23aeb
SHA19d23e23c900c24bb633f8636425b4abbb5288c95
SHA2568231b93a33137b2cb869913925b467b637c2e9a8b919786b1e5f3c89a9152a89
SHA5124fe38f4e216e3c076743140287c07f8411f99c9333dd80aff5633f35b9ee305e6c28e0fa648f1e15f774dc23f08ab66ce049eeda858473cc471e3d4ca7ada004
-
Filesize
1.7MB
MD5eeb5cdb545d0d703104163f10cac7601
SHA17e8335867a22f5f77c54674b8956d73121cc5d74
SHA2562ccb00f2db40972c913e0efcc12c09c06fadc24312fe0aad9fd83e42e13bb13c
SHA512e94a1e169dd3e07e84cd23eddb01ddf118c7cf80ccf7c4e9f23cc79182b7f13f7937fc32dbd9db3f40ac78ebf566e5107cbbf9a22724214c6a00da06a6e3eec9
-
Filesize
1.7MB
MD5ccce70d4b8c9a73abd26f822de9b9122
SHA1cec70874ec9f106c2063b5effc0392ef0ffd0990
SHA256db141f42433e03a510c8b186d9d0b3b3afd7e17d7da56808514f8470231ad87c
SHA512be955cfef6c9f97b5bda9c77fc51d4906917a08e5d29e8b6ba216f1d95df418826b231e314afe5cb5da48723068988a2fe6b0e2746afa57a6e437f8877ffbd6e