Analysis Overview
SHA256
236647e1769e1f53d279e7562ac29a9f90d50338c89d0f613d19f8602f58b093
Threat Level: Known bad
The file 236647e1769e1f53d279e7562ac29a9f90d50338c89d0f613d19f8602f58b093.apk was found to be: Known bad.
Malicious Activity Summary
TiSpy
Requests cell location
Queries information about the current nearby Wi-Fi networks
Queries the phone number (MSISDN for GSM devices)
Loads dropped Dex/Jar
Acquires the wake lock
Queries the mobile country code (MCC)
Reads information about the phone network operator
Requests dangerous framework permissions
Queries information about the current Wi-Fi connection
Queries information about active data network
Declares broadcast receivers with permission to handle system events
Declares services with permission to bind to the system
Registers a broadcast receiver at runtime (usually for listening for system events)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-14 01:03
Signatures
Declares broadcast receivers with permission to handle system events
| Description | Indicator | Process | Target |
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
| Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows the app to answer an incoming phone call. | android.permission.ANSWER_PHONE_CALLS | N/A | N/A |
| Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
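The static signatures above (the three system-only bind permissions plus the block of runtime permissions) are what a manifest triage script should key on. The following is an added example, not code from the sandbox or from the sample: it parses a decoded AndroidManifest.xml (the text form apktool writes), collects the requested permissions and every service or receiver guarded by BIND_ACCESSIBILITY_SERVICE, BIND_NOTIFICATION_LISTENER_SERVICE or BIND_DEVICE_ADMIN, and flags the combination this report shows. The embedded manifest is constructed for the example and is not the sample's manifest; the SURVEILLANCE_PERMS set and the three-permission threshold in triage() are our heuristic.

```python
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERM = f"{{{ANDROID_NS}}}permission"

# Runtime permissions that together characterise a surveillance app. Assumption:
# this set and the threshold in triage() are our heuristic, not the sandbox's rule.
SURVEILLANCE_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.PACKAGE_USAGE_STATS",
}

# Bind permissions only the system holds. A component guarded by one cannot be
# bound by other apps, but once the user enables it the OS delivers it
# accessibility events, every notification, or device-admin callbacks.
BIND_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "android.permission.BIND_DEVICE_ADMIN",
}

# Constructed manifest for this example; it is not the sample's manifest.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Notif"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".Sync"/>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return the package name, the requested permissions, and the bind permission
    guarding each service/receiver that declares one from BIND_PERMS."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    bound = {}
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(PERM)
            if perm in BIND_PERMS:
                bound[comp.get(NAME)] = perm
    return {"package": root.get("package"), "requested": requested, "bound": bound}


def triage(info):
    """Verdict 'review' when three or more surveillance permissions are requested
    together with at least one privileged bind permission, otherwise 'low'."""
    surveillance = sorted(info["requested"] & SURVEILLANCE_PERMS)
    privileged = sorted(set(info["bound"].values()))
    verdict = "review" if len(surveillance) >= 3 and privileged else "low"
    return {"surveillance": surveillance, "privileged": privileged, "verdict": verdict}


if __name__ == "__main__":
    # Usage: python triage_manifest.py [path/to/decoded/AndroidManifest.xml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    info = parse_manifest(text)
    result = triage(info)
    print(info["package"], result["verdict"])
    for perm in result["surveillance"]:
        print("  requests", perm)
    for comp, perm in sorted(info["bound"].items()):
        print("  component", comp, "bound by", perm)
```

Run it against the AndroidManifest.xml that `apktool d sample.apk` writes; the binary manifest inside the APK must be decoded first, because ElementTree cannot read Android's compressed XML. The threshold deliberately requires both halves: the runtime permissions are user-granted and common in legitimate apps, while an accessibility or notification-listener service alongside SMS, call-log and microphone access is the shape of the stalkerware detection above.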
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 01:03
Reported
2024-08-14 01:07
Platform
android-x86-arm-20240624-en
Max time kernel
46s
Max time network
131s
Command Line
Signatures
TiSpy
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.hjpheunv.wdkqxdps/files/dex/KGvXBNltRXFynlBpL.zip | N/A | N/A |
| N/A | /data/user/0/com.hjpheunv.wdkqxdps/files/dex/KGvXBNltRXFynlBpL.zip | N/A | N/A |
| N/A | /data/user/0/com.hjpheunv.wdkqxdps/files/dex/e6597c3daf8c41b7.zip | N/A | N/A |
| N/A | /data/user/0/com.hjpheunv.wdkqxdps/files/dex/e6597c3daf8c41b7.zip | N/A | N/A |
| N/A | /data/user/0/com.hjpheunv.wdkqxdps/files/dex/KGvXBNltRXFynlBpL.zip | N/A | N/A |
| N/A | /data/user/0/com.hjpheunv.wdkqxdps/files/dex/e6597c3daf8c41b7.zip | N/A | N/A |
Queries information about the current nearby Wi-Fi networks
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A |
Queries the phone number (MSISDN for GSM devices)
Requests cell location
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Reads information about the phone network operator
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Processes
com.hjpheunv.wdkqxdps
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.hjpheunv.wdkqxdps/files/dex/KGvXBNltRXFynlBpL.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.hjpheunv.wdkqxdps/files/dex/oat/x86/KGvXBNltRXFynlBpL.odex --compiler-filter=quicken --class-loader-context=&
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.hjpheunv.wdkqxdps/files/dex/e6597c3daf8c41b7.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.hjpheunv.wdkqxdps/files/dex/oat/x86/e6597c3daf8c41b7.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 216.58.204.78:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
Only local mDNS (224.0.0.251:5353) and Google framework endpoints (semanticlocation-pa.googleapis.com, android.apis.google.com) were contacted during the 131 s network window; no other destination was observed in this run, so this trace does not identify the sample's command-and-control infrastructure.
Files
/data/data/com.hjpheunv.wdkqxdps/files/dex/KGvXBNltRXFynlBpL.zip
| MD5 | 04c6e1dbb0da30c62a9a8bcb56c18d5e |
| SHA1 | b9026bd9a5e094e2bdbcb7ff2c5c979ac0f139e7 |
| SHA256 | 58903fd1cc3e2afa68260e646a8294bcdcb083cc1ee42baff0a9f90af2212f46 |
| SHA512 | 1fbf31ddeca8ec56c0f472434f4973bd5b967429806b9f558eba844fbee9e83eaa40bf0b4240ebf69d38dcf0adece403629d951ede7286083d9ea2281d54a2f5 |
/data/user/0/com.hjpheunv.wdkqxdps/files/dex/KGvXBNltRXFynlBpL.zip
| MD5 | 6cf780c06c8d9ce36fcdcacb6e6ceba0 |
| SHA1 | 05b6687f934679207ea627ecfabae86777f97715 |
| SHA256 | 76dd0c5c5548152fa3517d9bc6c56e4c3ae3a4607aa6aa45cfe88a2618981606 |
| SHA512 | 2a5234a2319b71753661ae39710b393bc4593d6391cc3dc26677567eb2a1e57619a2b11bc67385b26f1444d82d614d1a97007b56f0dae41137a7d8d05ee7a672 |
/data/user/0/com.hjpheunv.wdkqxdps/files/dex/KGvXBNltRXFynlBpL.zip
| MD5 | bd92ac502e5c76d1cbe10a50d43e5b66 |
| SHA1 | 9d015afdf61fc3b933f47b05cc35ccdbb90c6740 |
| SHA256 | b92d01d6045659e425cb145393957eebad079e54ea6baffffc964b325d8f88c4 |
| SHA512 | b82b5c2c3c73157e11049ebff1dbe406f0a3e77c70100c9e0f5b4de1acdc4906abb248238176501d4b2a54c19aa357d918ae9c031420a3923803324e304d37ae |
/data/data/com.hjpheunv.wdkqxdps/files/dex/e6597c3daf8c41b7.zip
| MD5 | 8acbf0b1dfd0f30a31bcdb509cc85048 |
| SHA1 | 1b8bea039f27ae7ede16aa209073502dd333ee6b |
| SHA256 | 34cff81928c8a453084b9306f776e0648b1e3c33e14126f64fb2deaafd200028 |
| SHA512 | 6b8e5ec830481dbd33ec520f9e4e7498c1b3a6dc605558ac03d56c6dce8de922315321aaaa0de83887a12c3dd15e8936cef89635947d4794e07010eb560f4207 |
/data/user/0/com.hjpheunv.wdkqxdps/files/dex/e6597c3daf8c41b7.zip
| MD5 | f75e9a1bb2a4284c58369a935ab0b4ca |
| SHA1 | bfc6fe7b20ba4904a115d2ce8e4307c6dfff4040 |
| SHA256 | e79f571b654d4a2bade4dd0ff7c29eae472c8a74eebff3c9462d2a024b7a6cad |
| SHA512 | 607cd2c050fbf835a39fe24eb9b597e2420c10f4e7bb8a895f0875128ff6abb61baaa54b8683336b497f7fbe61a51adfb2a3a1adda4bf287b48af290ebc08152 |
/data/user/0/com.hjpheunv.wdkqxdps/files/dex/e6597c3daf8c41b7.zip
| MD5 | ef0c66354daea880b63ab2a6e9cacd73 |
| SHA1 | 8ad79f4106ac89dc2c2a73f1ca3033aef7229e31 |
| SHA256 | 336fb7fcf1c1674c3e76114d056f385a77a594646b8676de3cf86ce1a2b63a86 |
| SHA512 | 58bbaae7e2b6f2b22b28be33f0900fae248a67d29b6d699728ac3985af8dfaaf7a30e142d5bf5d79063d26f1dda8e52d3aa00217e29c6342fb79359d4e7c66ea |
/data/data/com.hjpheunv.wdkqxdps/files/dex/pro_btn_bg_animation_img_0.jpg.zip
| MD5 | 7c20a2b01bf3f9df1f0abb72ebbe82be |
| SHA1 | e601b2e41434623edbeece32867517a3cdec5449 |
| SHA256 | 1a10cc3cd2dc21a9be2d2eb758fd19288082619d331245b927d0a9299462ea2e |
| SHA512 | 3faa6efbd3ebf6e1aff7ebe9958c5f94bbfe9c5ff9e11e9092b1b7301bbe6504c01b922d709303147e213b3cadce8e96462220a1d1bf4d6cdaec95b3f84bb1b4 |
/data/data/com.hjpheunv.wdkqxdps/files/478730.so
| MD5 | d542be932e708569d91f88fb624adb69 |
| SHA1 | 21275ce6b1e7e50cb6861d7db255a478bf8e6e4d |
| SHA256 | 0f21fb6b3f9fbfbc36d2a7565a7eaa3283980a8eecb7db0f36309a90ffa55995 |
| SHA512 | e6a1276623a34ad54cb574ae9d226e58b260f43768910f1063cc82e112dcaf87629a6212d86df2c1c94277bd16f79561ceeb9bd6248efca0af323e7eb74f6802 |
/data/data/com.hjpheunv.wdkqxdps/logs/Sistema1723597450013.log
| MD5 | de93be1dd01401393513b7f8728fee89 |
| SHA1 | e9c98728de13392bb4c0532380293d8d4442f735 |
| SHA256 | 7630a46ed534df572d2da33877388154519379343e1d9bf307e8d15ef1fd9460 |
| SHA512 | c3cbae317c4dc68a4b9b1135da11e8f60628d15d5837e6b3944469e1b6b7af17a9043e1c5d259e4702af1198f6a6a2eb40e509b56b5e57d38a52d9b4c7b014d6 |
/data/data/com.hjpheunv.wdkqxdps/databases/privatesms.db-journal
| MD5 | c7637e54dc72b7fa02520f4dc25d22e2 |
| SHA1 | c8018d78c94d901c7d5d64475d3e34b34286a552 |
| SHA256 | ce38c97b59f50a74cf8dca8cc71f40d221144600ddac0bbd61ad532ea6fc5ba3 |
| SHA512 | 758457b7de28d359de85e097406d60163d7e3b58e52311944df57ab256af48ec5889813a906ea73decd7efec0d83910777f233988a90a14175e8efa15829c0f4 |
/data/data/com.hjpheunv.wdkqxdps/databases/privatesms.db
| MD5 | 3621ce0aa81e37bc5c80e2cf881f1dd0 |
| SHA1 | 00365f82dcada94caea07443656848baf60b3bd9 |
| SHA256 | 8620d146b06037c9dc98b8788c3137344eb9d7e1f8b982ffec4c1d8549f24dd5 |
| SHA512 | 76bb7175359d61ce39e95008269752de25769c4e274b4bcf37b920bc2cbfb680b2a4a88de860ed069655d1f47604638b0301c2c6131107cd929348895d73d2bf |
/data/data/com.hjpheunv.wdkqxdps/databases/privatesms.db-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.hjpheunv.wdkqxdps/databases/privatesms.db-wal
| MD5 | 24b952abbeefb67c0c559c5a77ee680e |
| SHA1 | 3c0c8ecb15e770bba3f43912f352ccbce26c36c6 |
| SHA256 | e0e33709463972b94589c482e0a5d3aa653bc75f3694d3550494cc4f9ba2b2b1 |
| SHA512 | 0cb8f5953818d02b8ca4d2006bcc83420adc8461db9cad19771b60a5d3ee2fbfe036490baba7a264a2494488f4f265053a15c43e0a649a7e3a4d8cdeadc06ee1 |
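The dropped-Dex signature, the two dex2oat invocations and the Files list above belong together: the same path under /data/user/0/com.hjpheunv.wdkqxdps/files/dex/ appears three times with three different SHA256 values, so each payload was rewritten between loads. The following added example (not code from the sandbox or the sample) parses report text of that shape, folds /data/data/<pkg> onto /data/user/0/<pkg> (the same directory on Android, the former being a symlink to the latter), pulls --dex-file, --oat-location and --compiler-filter out of the dex2oat command lines, and flags any compiled dex whose path was written with more than one distinct content. The embedded inputs are constructed: the KGvXBNltRXFynlBpL.zip entries reuse the report's own paths and SHA256 values, and the dex2oat line is shortened to the flags the script uses.

```python
import re
from collections import defaultdict

# Constructed input in the shape of this report's Files section. The paths and
# SHA256 values for KGvXBNltRXFynlBpL.zip are the ones the report lists; the
# .so entry is included to exercise the non-dex path.
FILES_TEXT = """\
/data/data/com.hjpheunv.wdkqxdps/files/dex/KGvXBNltRXFynlBpL.zip
| MD5 | 04c6e1dbb0da30c62a9a8bcb56c18d5e |
| SHA256 | 58903fd1cc3e2afa68260e646a8294bcdcb083cc1ee42baff0a9f90af2212f46 |
/data/user/0/com.hjpheunv.wdkqxdps/files/dex/KGvXBNltRXFynlBpL.zip
| SHA256 | 76dd0c5c5548152fa3517d9bc6c56e4c3ae3a4607aa6aa45cfe88a2618981606 |
/data/user/0/com.hjpheunv.wdkqxdps/files/dex/KGvXBNltRXFynlBpL.zip
| SHA256 | b92d01d6045659e425cb145393957eebad079e54ea6baffffc964b325d8f88c4 |
/data/data/com.hjpheunv.wdkqxdps/files/478730.so
| SHA256 | 0f21fb6b3f9fbfbc36d2a7565a7eaa3283980a8eecb7db0f36309a90ffa55995 |
"""

# Constructed, shortened dex2oat invocation: same --dex-file/--oat-location as
# the report's first Processes entry, other flags omitted.
DEX2OAT_LINES = [
    "/system/bin/dex2oat --instruction-set=x86 --runtime-arg -Xhidden-api-checks "
    "--dex-file=/data/user/0/com.hjpheunv.wdkqxdps/files/dex/KGvXBNltRXFynlBpL.zip "
    "--oat-location=/data/user/0/com.hjpheunv.wdkqxdps/files/dex/oat/x86/KGvXBNltRXFynlBpL.odex "
    "--compiler-filter=quicken",
    "/system/bin/app_process /system/bin com.android.commands.pm.Pm list",  # not dex2oat, skipped
]


def normalize_path(path):
    """Fold /data/data/<pkg> onto /data/user/0/<pkg>: on Android they are the same
    directory, so a report can list one file under both names."""
    if path.startswith("/data/data/"):
        return "/data/user/0/" + path[len("/data/data/"):]
    return path


def parse_files(text):
    """Return {normalized_path: [sha256, ...]} in order of appearance."""
    hashes = defaultdict(list)
    current = None
    for line in text.splitlines():
        if line.startswith("/"):
            current = normalize_path(line.strip())
            continue
        m = re.match(r"\|\s*SHA256\s*\|\s*([0-9a-f]{64})\s*\|", line)
        if m and current:
            hashes[current].append(m.group(1))
    return dict(hashes)


_DEX2OAT_OPTS = ("dex-file", "oat-location", "compiler-filter")


def parse_dex2oat(cmdlines):
    """Pull the options that matter for triage out of each dex2oat command line."""
    out = []
    for cmd in cmdlines:
        if "dex2oat" not in cmd:
            continue
        opts = dict(re.findall(r"--([a-z-]+)=(\S+)", cmd))
        out.append({k: opts.get(k) for k in _DEX2OAT_OPTS})
    return out


def correlate(files, compiled):
    """For every dex2oat-compiled file, report how many distinct contents were
    written to its path. More than one means the payload was rewritten between loads."""
    report = []
    for c in compiled:
        path = normalize_path(c["dex-file"])
        distinct = list(dict.fromkeys(files.get(path, [])))  # order-preserving dedupe
        report.append({
            "dex_file": path,
            "oat_location": c["oat-location"],
            "distinct_sha256": distinct,
            "rewritten": len(distinct) > 1,
            "in_app_private_dir": path.startswith("/data/user/0/"),
        })
    return report


if __name__ == "__main__":
    for r in correlate(parse_files(FILES_TEXT), parse_dex2oat(DEX2OAT_LINES)):
        state = "rewritten" if r["rewritten"] else "stable"
        print(r["dex_file"], state, "distinct contents:", len(r["distinct_sha256"]))
```

The hashes to pivot on are the ones in distinct_sha256, not the APK's: each is a separate dropped payload, and a path that is rewritten with different content on every load is exactly what makes the parent APK's hash a weak indicator for this family. The dex_file path under the app's private files directory, together with --compiler-filter=quicken, is also the pattern to look for when checking a device's dex2oat history.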