Analysis
max time kernel: 47s
max time network: 137s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 14-08-2024 02:14
Static task: static1
Behavioral task: behavioral1
Sample: 236647e1769e1f53d279e7562ac29a9f90d50338c89d0f613d19f8602f58b093.apk
Resource: android-x86-arm-20240624-en
General
Target: 236647e1769e1f53d279e7562ac29a9f90d50338c89d0f613d19f8602f58b093.apk
Size: 3.5MB
MD5: 6ce7b9bb757e1afddfb56989cb267354
SHA1: 4be2af2cd1e0dfe6744a7fdd8bcf0b59deabd75c
SHA256: 236647e1769e1f53d279e7562ac29a9f90d50338c89d0f613d19f8602f58b093
SHA512: 77d19b676c562cd3100b7fb52c51a7f9e91c155bcd1fff2348dfe9bb585d7c1f513476ed18f5f213f7e01359862bc6279c5102009e5288f28848bc5458db2749
SSDEEP: 98304:pWme/apj7PW2hUXWlu+X/7+ATkqbTbS1QD:Qypj7UGlPyCG1QD
Malware Config
Signatures
-
TiSpy
TiSpy is an Android stalkerware.
-
Loads dropped Dex/Jar (1 TTP, 6 IoCs)
Runs executable file dropped to the device during analysis.
Processes (ioc | pid | process):
/data/user/0/com.hjpheunv.wdkqxdps/files/dex/KGvXBNltRXFynlBpL.zip | 4272 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.hjpheunv.wdkqxdps/files/dex/KGvXBNltRXFynlBpL.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.hjpheunv.wdkqxdps/files/dex/oat/x86/KGvXBNltRXFynlBpL.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.hjpheunv.wdkqxdps/files/dex/KGvXBNltRXFynlBpL.zip | 4216 | com.hjpheunv.wdkqxdps
/data/user/0/com.hjpheunv.wdkqxdps/files/dex/e6597c3daf8c41b7.zip | 4299 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.hjpheunv.wdkqxdps/files/dex/e6597c3daf8c41b7.zip --output-vdex-fd=43 --oat-fd=47 --oat-location=/data/user/0/com.hjpheunv.wdkqxdps/files/dex/oat/x86/e6597c3daf8c41b7.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.hjpheunv.wdkqxdps/files/dex/e6597c3daf8c41b7.zip | 4216 | com.hjpheunv.wdkqxdps
/data/user/0/com.hjpheunv.wdkqxdps/files/dex/KGvXBNltRXFynlBpL.zip | 4216 | com.hjpheunv.wdkqxdps
/data/user/0/com.hjpheunv.wdkqxdps/files/dex/e6597c3daf8c41b7.zip | 4216 | com.hjpheunv.wdkqxdps
-
Queries information about the current nearby Wi-Fi networks (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.
Processes (description | ioc | process):
Framework service call | android.net.wifi.IWifiManager.getScanResults | com.hjpheunv.wdkqxdps
-
Queries the phone number (MSISDN for GSM devices) (1 TTP)
-
Requests cell location (2 TTPs, 1 IoC)
Uses Android APIs to get the current cell location.
Processes (description | ioc | process):
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | com.hjpheunv.wdkqxdps
-
Acquires the wake lock (1 IoC)
Processes (description | ioc | process):
Framework service call | android.os.IPowerManager.acquireWakeLock | com.hjpheunv.wdkqxdps
-
Queries information about active data network (1 TTP, 1 IoC)
Processes (description | ioc | process):
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.hjpheunv.wdkqxdps
-
Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Processes (description | ioc | process):
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | com.hjpheunv.wdkqxdps
-
Queries the mobile country code (MCC) (1 TTP, 1 IoC)
Processes (description | ioc | process):
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.hjpheunv.wdkqxdps
-
Reads information about phone network operator. (1 TTP)
-
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
Processes (description | ioc | process):
Framework service call | android.app.IActivityManager.registerReceiver | com.hjpheunv.wdkqxdps
Processes
- com.hjpheunv.wdkqxdps (PID: 4216)
  - Loads dropped Dex/Jar
  - Queries information about the current nearby Wi-Fi networks
  - Requests cell location
  - Acquires the wake lock
  - Queries information about active data network
  - Queries information about the current Wi-Fi connection
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.hjpheunv.wdkqxdps/files/dex/KGvXBNltRXFynlBpL.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.hjpheunv.wdkqxdps/files/dex/oat/x86/KGvXBNltRXFynlBpL.odex --compiler-filter=quicken --class-loader-context=& (PID: 4272)
    - Loads dropped Dex/Jar
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.hjpheunv.wdkqxdps/files/dex/e6597c3daf8c41b7.zip --output-vdex-fd=43 --oat-fd=47 --oat-location=/data/user/0/com.hjpheunv.wdkqxdps/files/dex/oat/x86/e6597c3daf8c41b7.odex --compiler-filter=quicken --class-loader-context=& (PID: 4299)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Downloads