Analysis Overview
SHA256
9da384315a6a26bf7643ef1b72d922735c3a214eed168370716fd6ed758c8e5c
Threat Level: Known bad
The file 9da384315a6a26bf7643ef1b72d922735c3a214eed168370716fd6ed758c8e5c was found to be: Known bad.
Malicious Activity Summary
TiSpy
Requests cell location
Queries information about the current nearby Wi-Fi networks
Queries the phone number (MSISDN for GSM devices)
Loads dropped Dex/Jar
Declares broadcast receivers with permission to handle system events
Requests dangerous framework permissions
Acquires the wake lock
Queries information about the current Wi-Fi connection
Reads information about phone network operator
Queries information about active data network
Declares services with permission to bind to the system
Queries the mobile country code (MCC)
Registers a broadcast receiver at runtime (usually for listening for system events)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-10 02:12
Signatures
Declares broadcast receivers with permission to handle system events
| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
| Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows the app to answer an incoming phone call. | android.permission.ANSWER_PHONE_CALLS | N/A | N/A |
| Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-10 02:12
Reported
2024-08-10 02:15
Platform
android-x86-arm-20240624-en
Max time kernel
48s
Max time network
136s
Command Line
Signatures
TiSpy
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/0403266e6e7e1ea9.zip | N/A | N/A |
| N/A | /data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/genCXMRwJdUzBEGAw.zip | N/A | N/A |
Queries information about the current nearby Wi-Fi networks
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A |
Queries the phone number (MSISDN for GSM devices)
Requests cell location
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
Acquires the wake lock
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Reads information about phone network operator
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Processes
com.fwqxxsbl.gcqyjyxg
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/0403266e6e7e1ea9.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/oat/x86/0403266e6e7e1ea9.odex --compiler-filter=quicken --class-loader-context=&
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/genCXMRwJdUzBEGAw.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/oat/x86/genCXMRwJdUzBEGAw.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.213.10:443 | | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
Files
/data/data/com.fwqxxsbl.gcqyjyxg/files/dex/0403266e6e7e1ea9.zip
/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/0403266e6e7e1ea9.zip
/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/0403266e6e7e1ea9.zip
/data/data/com.fwqxxsbl.gcqyjyxg/files/dex/genCXMRwJdUzBEGAw.zip
/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/genCXMRwJdUzBEGAw.zip
/data/user/0/com.fwqxxsbl.gcqyjyxg/files/dex/genCXMRwJdUzBEGAw.zip
/data/data/com.fwqxxsbl.gcqyjyxg/files/dex/pro_btn_bg_animation_img_0.jpg.zip
/data/data/com.fwqxxsbl.gcqyjyxg/files/478634.so
/data/data/com.fwqxxsbl.gcqyjyxg/logs/Sistema1723255948668.log
/data/data/com.fwqxxsbl.gcqyjyxg/databases/privatesms.db-journal
/data/data/com.fwqxxsbl.gcqyjyxg/databases/privatesms.db
/data/data/com.fwqxxsbl.gcqyjyxg/databases/privatesms.db-shm
/data/data/com.fwqxxsbl.gcqyjyxg/databases/privatesms.db-wal