Malware Analysis Report

2024-10-19 11:46

Sample ID 240810-cmxx8a1elp
Target 9da384315a6a26bf7643ef1b72d922735c3a214eed168370716fd6ed758c8e5c
SHA256 9da384315a6a26bf7643ef1b72d922735c3a214eed168370716fd6ed758c8e5c
Tags
tispy collection discovery evasion infostealer persistence spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9da384315a6a26bf7643ef1b72d922735c3a214eed168370716fd6ed758c8e5c

Threat Level: Known bad

The file 9da384315a6a26bf7643ef1b72d922735c3a214eed168370716fd6ed758c8e5c was found to be: Known bad.

Malicious Activity Summary

tispy collection discovery evasion infostealer persistence spyware trojan

TiSpy

Requests cell location

Queries information about the current nearby Wi-Fi networks

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Acquires the wake lock

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Queries information about active data network

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-10 02:12

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows the app to answer an incoming phone call. android.permission.ANSWER_PHONE_CALLS N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read the user's calendar data. android.permission.READ_CALENDAR N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to collect component usage statistics. android.permission.PACKAGE_USAGE_STATS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-10 02:12

Reported

2024-08-10 02:15

Platform

android-x86-arm-20240624-en

Max time kernel

48s

Max time network

136s

Command Line

com.fwqxxsbl.gcqyjyxg

Signatures

TiSpy

trojan infostealer spyware tispy

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/0403266e6e7e1ea9.zip N/A N/A
N/A /data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/0403266e6e7e1ea9.zip N/A N/A
N/A /data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/genCXMRwJdUzBEGAw.zip N/A N/A
N/A /data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/genCXMRwJdUzBEGAw.zip N/A N/A
N/A /data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/0403266e6e7e1ea9.zip N/A N/A
N/A /data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/genCXMRwJdUzBEGAw.zip N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.fwqxxsbl.gcqyjyxg

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/0403266e6e7e1ea9.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/oat/x86/0403266e6e7e1ea9.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/genCXMRwJdUzBEGAw.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/oat/x86/genCXMRwJdUzBEGAw.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.213.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp

Files

/data/data/com.fwqxxsbl.gcqyjyxg/files/dex/0403266e6e7e1ea9.zip

MD5 cad969920acc3286d5430323c79459bc
SHA1 d1d9cd747b28a1d17ef981f28ed3dac5ff15b583
SHA256 dd60490b62377f881db49d6cb149db6466837aaa4e03fd016e34a8d4b9043226
SHA512 18e3f557235fd1e0599a7085247436d2c412d744c2d224fbf194bea34fd103e9b5694dce6c1dc4332137724bd83db3c959048483484419843eacac5548b434c7

/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/0403266e6e7e1ea9.zip

MD5 527776d8791ba5677972eab364f23aeb
SHA1 9d23e23c900c24bb633f8636425b4abbb5288c95
SHA256 8231b93a33137b2cb869913925b467b637c2e9a8b919786b1e5f3c89a9152a89
SHA512 4fe38f4e216e3c076743140287c07f8411f99c9333dd80aff5633f35b9ee305e6c28e0fa648f1e15f774dc23f08ab66ce049eeda858473cc471e3d4ca7ada004

/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/0403266e6e7e1ea9.zip

MD5 26bc3d0409805223ba3ad9e63011c3fc
SHA1 bc250dfa745e726764bac067a7498cd7ebfaca75
SHA256 759e6d0306df81b5b32a279677a1b7e20a4bc5ecc7cff4a55c2b0c4faffaa156
SHA512 50abea9fea6b4dce7c0a62a5a828303975bd56397f664c923d7c0a157089e2863820311498c43cff7f837f23c67c40b07280a8fc00b8aa89c3bc5e76eea3753b

/data/data/com.fwqxxsbl.gcqyjyxg/files/dex/genCXMRwJdUzBEGAw.zip

MD5 5f27322d0d5e4ea4f76906787cfb563b
SHA1 84ed53db2e80a3c99c98a79c3fb486819c5cfb82
SHA256 994aa5703ae93367b22754284bd170c274cbd05f053043261238b9d633451da9
SHA512 9d639cb1158628805e6366054a988048dade415de31e997fa10a60067cc49f07391354ae1f58c13e9c304b66f7de661c548a810991106b2aeae0e4dbd84ebb9b

/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/genCXMRwJdUzBEGAw.zip

MD5 ccce70d4b8c9a73abd26f822de9b9122
SHA1 cec70874ec9f106c2063b5effc0392ef0ffd0990
SHA256 db141f42433e03a510c8b186d9d0b3b3afd7e17d7da56808514f8470231ad87c
SHA512 be955cfef6c9f97b5bda9c77fc51d4906917a08e5d29e8b6ba216f1d95df418826b231e314afe5cb5da48723068988a2fe6b0e2746afa57a6e437f8877ffbd6e

/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/genCXMRwJdUzBEGAw.zip

MD5 eeb5cdb545d0d703104163f10cac7601
SHA1 7e8335867a22f5f77c54674b8956d73121cc5d74
SHA256 2ccb00f2db40972c913e0efcc12c09c06fadc24312fe0aad9fd83e42e13bb13c
SHA512 e94a1e169dd3e07e84cd23eddb01ddf118c7cf80ccf7c4e9f23cc79182b7f13f7937fc32dbd9db3f40ac78ebf566e5107cbbf9a22724214c6a00da06a6e3eec9

/data/data/com.fwqxxsbl.gcqyjyxg/files/dex/pro_btn_bg_animation_img_0.jpg.zip

MD5 7c20a2b01bf3f9df1f0abb72ebbe82be
SHA1 e601b2e41434623edbeece32867517a3cdec5449
SHA256 1a10cc3cd2dc21a9be2d2eb758fd19288082619d331245b927d0a9299462ea2e
SHA512 3faa6efbd3ebf6e1aff7ebe9958c5f94bbfe9c5ff9e11e9092b1b7301bbe6504c01b922d709303147e213b3cadce8e96462220a1d1bf4d6cdaec95b3f84bb1b4

/data/data/com.fwqxxsbl.gcqyjyxg/files/478634.so

MD5 431bc96f3397cae478e3d83f45f20f46
SHA1 46957c13b1bec97a974833f9097f88199a346e94
SHA256 07158e52ba60c58ddc771f6fd45c2f1c65bbbc154b826e931a309eaf17b0ff06
SHA512 bdf62c794e34ec1534c87c06bcc2ed4a7662cd4a5565f71f2e1cdfa19a5a6ca0dfc935efda0e68ad78f8335e6b67286787b09c25a5050e38c24a302acd7f5575

/data/data/com.fwqxxsbl.gcqyjyxg/logs/Sistema1723255948668.log

MD5 7dfb17c8b1d5abed22a14e1342e7b0d0
SHA1 519aa2fbda18c00ac4d8c5287909d9559ef8f88c
SHA256 ce69e4d32f46d7ceb74e02fde8f5e1f7b8c6083af958e9a9b0105362a8591eaf
SHA512 ed4b314e2c0e27c56c63c9d9c23510aff183cedcc8664e26c93ada78e5b04f1dc3fde5b7adfe6d4b584e8a0e70cb895e1a8cb693c2747118809eb102e9043e9c

/data/data/com.fwqxxsbl.gcqyjyxg/databases/privatesms.db-journal

MD5 25fd53272c9c276e33407cd6749c608a
SHA1 056f998b2537a7d02a9b5badda4bf93dca437901
SHA256 dee75f2ff1c6dc54bdc3b3e69d0859b936331b773acab7f20af425d533a96008
SHA512 bf9a84cacd5a69effacc0d5dbdc615e516395b3bd8c329f19ca9639bd7a3672b87ecc9550b6e5ef9d6b548a0488ed26d9ad22738dd9ec5e08392138a7d593751

/data/data/com.fwqxxsbl.gcqyjyxg/databases/privatesms.db

MD5 3621ce0aa81e37bc5c80e2cf881f1dd0
SHA1 00365f82dcada94caea07443656848baf60b3bd9
SHA256 8620d146b06037c9dc98b8788c3137344eb9d7e1f8b982ffec4c1d8549f24dd5
SHA512 76bb7175359d61ce39e95008269752de25769c4e274b4bcf37b920bc2cbfb680b2a4a88de860ed069655d1f47604638b0301c2c6131107cd929348895d73d2bf

/data/data/com.fwqxxsbl.gcqyjyxg/databases/privatesms.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.fwqxxsbl.gcqyjyxg/databases/privatesms.db-wal

MD5 06897960a7aa3328a173fd866f993f9b
SHA1 8a5f55719b08bfaa2787fa48e7600c39dcc8d8e5
SHA256 ce57db6e24234369a975bb3e58919b13f999875fb1793e08733c9b11f1b605bd
SHA512 33a720121d780febad95a2e946ae0f3d2866bfa2a1d4f8316a6e16960658068ebb09cbc966123b77dbf305e65fcb46e17a9ec5bbb2c27846d50e8d58bd38239c