Malware Analysis Report

2024-10-19 11:46

Sample ID 240813-clrd2stgrn
Target 236647e1769e1f53d279e7562ac29a9f90d50338c89d0f613d19f8602f58b093
SHA256 236647e1769e1f53d279e7562ac29a9f90d50338c89d0f613d19f8602f58b093
Tags
tispy collection discovery evasion infostealer persistence spyware trojan
Score
10/10

Analysis Overview

Score
10/10

SHA256

236647e1769e1f53d279e7562ac29a9f90d50338c89d0f613d19f8602f58b093

Threat Level: Known bad

The file 236647e1769e1f53d279e7562ac29a9f90d50338c89d0f613d19f8602f58b093 was found to be: Known bad.

Malicious Activity Summary

tispy collection discovery evasion infostealer persistence spyware trojan

TiSpy

Queries information about the current nearby Wi-Fi networks

Loads dropped Dex/Jar

Requests cell location

Queries the phone number (MSISDN for GSM devices)

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Declares services with permission to bind to the system

Reads information about phone network operator

Declares broadcast receivers with permission to handle system events

Queries information about the current Wi-Fi connection

Queries information about active data network

Acquires the wake lock

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-13 02:10

Signatures

Declares broadcast receivers with permission to handle system events

| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |

Declares services with permission to bind to the system

| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
| Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A |

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows the app to answer an incoming phone call. | android.permission.ANSWER_PHONE_CALLS | N/A | N/A |
| Allows an application to see the number being dialed during an outgoing call, with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 02:10

Reported

2024-08-13 02:13

Platform

android-x86-arm-20240624-en

Max time kernel

47s

Max time network

130s

Command Line

com.hjpheunv.wdkqxdps

Signatures

TiSpy

trojan infostealer spyware tispy

Loads dropped Dex/Jar

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/user/0/com.hjpheunv.wdkqxdps/files/dex/KGvXBNltRXFynlBpL.zip | N/A | N/A |
| N/A | /data/user/0/com.hjpheunv.wdkqxdps/files/dex/KGvXBNltRXFynlBpL.zip | N/A | N/A |
| N/A | /data/user/0/com.hjpheunv.wdkqxdps/files/dex/e6597c3daf8c41b7.zip | N/A | N/A |
| N/A | /data/user/0/com.hjpheunv.wdkqxdps/files/dex/e6597c3daf8c41b7.zip | N/A | N/A |
| N/A | /data/user/0/com.hjpheunv.wdkqxdps/files/dex/KGvXBNltRXFynlBpL.zip | N/A | N/A |
| N/A | /data/user/0/com.hjpheunv.wdkqxdps/files/dex/e6597c3daf8c41b7.zip | N/A | N/A |

Queries information about the current nearby Wi-Fi networks

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A |

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |

Acquires the wake lock

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Queries information about active data network

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |

Queries information about the current Wi-Fi connection

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |

Queries the mobile country code (MCC)

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |

Processes

com.hjpheunv.wdkqxdps

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.hjpheunv.wdkqxdps/files/dex/KGvXBNltRXFynlBpL.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.hjpheunv.wdkqxdps/files/dex/oat/x86/KGvXBNltRXFynlBpL.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.hjpheunv.wdkqxdps/files/dex/e6597c3daf8c41b7.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.hjpheunv.wdkqxdps/files/dex/oat/x86/e6597c3daf8c41b7.odex --compiler-filter=quicken --class-loader-context=&

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 216.58.204.78:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.169.14:443 | android.apis.google.com | tcp |
| GB | 142.250.179.234:443 | semanticlocation-pa.googleapis.com | tcp |

Files

/data/data/com.hjpheunv.wdkqxdps/files/dex/KGvXBNltRXFynlBpL.zip

MD5 04c6e1dbb0da30c62a9a8bcb56c18d5e
SHA1 b9026bd9a5e094e2bdbcb7ff2c5c979ac0f139e7
SHA256 58903fd1cc3e2afa68260e646a8294bcdcb083cc1ee42baff0a9f90af2212f46
SHA512 1fbf31ddeca8ec56c0f472434f4973bd5b967429806b9f558eba844fbee9e83eaa40bf0b4240ebf69d38dcf0adece403629d951ede7286083d9ea2281d54a2f5

/data/user/0/com.hjpheunv.wdkqxdps/files/dex/KGvXBNltRXFynlBpL.zip

MD5 6cf780c06c8d9ce36fcdcacb6e6ceba0
SHA1 05b6687f934679207ea627ecfabae86777f97715
SHA256 76dd0c5c5548152fa3517d9bc6c56e4c3ae3a4607aa6aa45cfe88a2618981606
SHA512 2a5234a2319b71753661ae39710b393bc4593d6391cc3dc26677567eb2a1e57619a2b11bc67385b26f1444d82d614d1a97007b56f0dae41137a7d8d05ee7a672

/data/user/0/com.hjpheunv.wdkqxdps/files/dex/KGvXBNltRXFynlBpL.zip

MD5 bd92ac502e5c76d1cbe10a50d43e5b66
SHA1 9d015afdf61fc3b933f47b05cc35ccdbb90c6740
SHA256 b92d01d6045659e425cb145393957eebad079e54ea6baffffc964b325d8f88c4
SHA512 b82b5c2c3c73157e11049ebff1dbe406f0a3e77c70100c9e0f5b4de1acdc4906abb248238176501d4b2a54c19aa357d918ae9c031420a3923803324e304d37ae

/data/data/com.hjpheunv.wdkqxdps/files/dex/e6597c3daf8c41b7.zip

MD5 8acbf0b1dfd0f30a31bcdb509cc85048
SHA1 1b8bea039f27ae7ede16aa209073502dd333ee6b
SHA256 34cff81928c8a453084b9306f776e0648b1e3c33e14126f64fb2deaafd200028
SHA512 6b8e5ec830481dbd33ec520f9e4e7498c1b3a6dc605558ac03d56c6dce8de922315321aaaa0de83887a12c3dd15e8936cef89635947d4794e07010eb560f4207

/data/user/0/com.hjpheunv.wdkqxdps/files/dex/e6597c3daf8c41b7.zip

MD5 f75e9a1bb2a4284c58369a935ab0b4ca
SHA1 bfc6fe7b20ba4904a115d2ce8e4307c6dfff4040
SHA256 e79f571b654d4a2bade4dd0ff7c29eae472c8a74eebff3c9462d2a024b7a6cad
SHA512 607cd2c050fbf835a39fe24eb9b597e2420c10f4e7bb8a895f0875128ff6abb61baaa54b8683336b497f7fbe61a51adfb2a3a1adda4bf287b48af290ebc08152

/data/user/0/com.hjpheunv.wdkqxdps/files/dex/e6597c3daf8c41b7.zip

MD5 ef0c66354daea880b63ab2a6e9cacd73
SHA1 8ad79f4106ac89dc2c2a73f1ca3033aef7229e31
SHA256 336fb7fcf1c1674c3e76114d056f385a77a594646b8676de3cf86ce1a2b63a86
SHA512 58bbaae7e2b6f2b22b28be33f0900fae248a67d29b6d699728ac3985af8dfaaf7a30e142d5bf5d79063d26f1dda8e52d3aa00217e29c6342fb79359d4e7c66ea

/data/data/com.hjpheunv.wdkqxdps/files/dex/pro_btn_bg_animation_img_0.jpg.zip

MD5 7c20a2b01bf3f9df1f0abb72ebbe82be
SHA1 e601b2e41434623edbeece32867517a3cdec5449
SHA256 1a10cc3cd2dc21a9be2d2eb758fd19288082619d331245b927d0a9299462ea2e
SHA512 3faa6efbd3ebf6e1aff7ebe9958c5f94bbfe9c5ff9e11e9092b1b7301bbe6504c01b922d709303147e213b3cadce8e96462220a1d1bf4d6cdaec95b3f84bb1b4

/data/data/com.hjpheunv.wdkqxdps/files/478730.so

MD5 d542be932e708569d91f88fb624adb69
SHA1 21275ce6b1e7e50cb6861d7db255a478bf8e6e4d
SHA256 0f21fb6b3f9fbfbc36d2a7565a7eaa3283980a8eecb7db0f36309a90ffa55995
SHA512 e6a1276623a34ad54cb574ae9d226e58b260f43768910f1063cc82e112dcaf87629a6212d86df2c1c94277bd16f79561ceeb9bd6248efca0af323e7eb74f6802

/data/data/com.hjpheunv.wdkqxdps/logs/Sistema1723515026456.log

MD5 043c445d2ab32079d8ac8ebef0de3e6c
SHA1 b08036ea4d1bada7b7099c8b8c85cf45a4447e2b
SHA256 e016344e8f431679610d64edb3d48965d96d4e3c19293807a4c558be6b5a816d
SHA512 ad0be54595a27e227bb016ed4ab9ab21bbd035269301e687c649042df0b922019aefc9c13b9b221a5fd7ded23df54ee3dc3e8042c70afb96310856c31c73653f

/data/data/com.hjpheunv.wdkqxdps/databases/privatesms.db-journal

MD5 0bdc3d87732e9e7d8666f3a2566ebafe
SHA1 27079058d1ea0c0f0634b70082fa88abbb397921
SHA256 606fe46894678cf6c03771af939d45213cbe2444422b9efcbe0637a40f1e0f48
SHA512 d38ec265b4ec46c64138fc5b3ee5d04f31f89988052837471c55f91cdcccd8728dbd60ab5c7c27a1b4324e90ba00c993f0064fc6ab9ea2bb62b5a759790a8f8e

/data/data/com.hjpheunv.wdkqxdps/databases/privatesms.db

MD5 3621ce0aa81e37bc5c80e2cf881f1dd0
SHA1 00365f82dcada94caea07443656848baf60b3bd9
SHA256 8620d146b06037c9dc98b8788c3137344eb9d7e1f8b982ffec4c1d8549f24dd5
SHA512 76bb7175359d61ce39e95008269752de25769c4e274b4bcf37b920bc2cbfb680b2a4a88de860ed069655d1f47604638b0301c2c6131107cd929348895d73d2bf

/data/data/com.hjpheunv.wdkqxdps/databases/privatesms.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.hjpheunv.wdkqxdps/databases/privatesms.db-wal

MD5 4115cd4255f43f422a5e6d9581428215
SHA1 eb4ecc1e0c13642433676b98176b2cdec15a9102
SHA256 6f4d72dece60a955db2e6b26231173b1c56d89a093b36345a944c910e0ced537
SHA512 18f13e9c05cbdf6aa009cfed3e767cc0cad8bbd09650012598efc00484a7bbdf8e2b8a80939e2c243d8b0dc1211cf23222737c39517abd32284f12b9c0b670a9