tispy | 5b29c4e0126e0b72e904d9583ab08d4712f7e23d76f763b8af4d06d5289cd491

Analysis

max time kernel
47s
max time network
130s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
28/08/2024, 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b29c4e0126e0b72e904d9583ab08d4712f7e23d76f763b8af4d06d5289cd491.apk
Size

3.5MB
MD5

01c49f92e5128a6ccb5afddadc5f17d7
SHA1

2fd0b46339f85b1c98eef7d562bfd98ad1cc2d2a
SHA256

5b29c4e0126e0b72e904d9583ab08d4712f7e23d76f763b8af4d06d5289cd491
SHA512

de30e510fbe7260b1e4b2808cce2f0fbeba4557c00062c1d5c81aeeed17b7ae0e835a0e3b2eca46a8588a8c47d0de5307f009ebc82d2f35570681a00c872c259
SSDEEP

98304:om591ljxPKdUPXYPDZxdWA30iu8OllYeN:bnljxCWPoPDZDW+0iu8Slp

Score

10^/10

tispy collection discovery evasion infostealer persistence spyware trojan

Malware Config

Signatures

TiSpy
TiSpy is an Android stalkerware.
trojan infostealer spyware tispy

Loads dropped Dex/Jar 1 TTPs 6 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.jmjxbsvp.iuvivhov/files/dex/14224d7f4faca4c7.zip	4278	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.jmjxbsvp.iuvivhov/files/dex/14224d7f4faca4c7.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.jmjxbsvp.iuvivhov/files/dex/oat/x86/14224d7f4faca4c7.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.jmjxbsvp.iuvivhov/files/dex/14224d7f4faca4c7.zip	4252	com.jmjxbsvp.iuvivhov
/data/user/0/com.jmjxbsvp.iuvivhov/files/dex/lzfBvUpIxUAObfnhI.zip	4304	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.jmjxbsvp.iuvivhov/files/dex/lzfBvUpIxUAObfnhI.zip --output-vdex-fd=43 --oat-fd=45 --oat-location=/data/user/0/com.jmjxbsvp.iuvivhov/files/dex/oat/x86/lzfBvUpIxUAObfnhI.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.jmjxbsvp.iuvivhov/files/dex/lzfBvUpIxUAObfnhI.zip	4252	com.jmjxbsvp.iuvivhov
/data/user/0/com.jmjxbsvp.iuvivhov/files/dex/14224d7f4faca4c7.zip	4252	com.jmjxbsvp.iuvivhov
/data/user/0/com.jmjxbsvp.iuvivhov/files/dex/lzfBvUpIxUAObfnhI.zip	4252	com.jmjxbsvp.iuvivhov

Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getScanResults	com.jmjxbsvp.iuvivhov

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests cell location 2 TTPs 1 IoCs

Uses Android APIs to to get current cell location.

collection discovery evasion

Location Tracking

T1430

Geofencing

T1627.001

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.jmjxbsvp.iuvivhov

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.jmjxbsvp.iuvivhov

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.jmjxbsvp.iuvivhov

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.jmjxbsvp.iuvivhov

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.jmjxbsvp.iuvivhov

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.jmjxbsvp.iuvivhov

com.jmjxbsvp.iuvivhov
1⤵
- Loads dropped Dex/Jar
- Queries information about the current nearby Wi-Fi networks
- Requests cell location
- Acquires the wake lock
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4252
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.jmjxbsvp.iuvivhov/files/dex/14224d7f4faca4c7.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.jmjxbsvp.iuvivhov/files/dex/oat/x86/14224d7f4faca4c7.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4278
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.jmjxbsvp.iuvivhov/files/dex/lzfBvUpIxUAObfnhI.zip --output-vdex-fd=43 --oat-fd=45 --oat-location=/data/user/0/com.jmjxbsvp.iuvivhov/files/dex/oat/x86/lzfBvUpIxUAObfnhI.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4304

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Execution Guardrails

T1627

Geofencing

T1627.001

Credential Access

Discovery

Location Tracking

T1430

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.jmjxbsvp.iuvivhov/databases/privatesms.db

Filesize
16KB

MD5
3621ce0aa81e37bc5c80e2cf881f1dd0

SHA1
00365f82dcada94caea07443656848baf60b3bd9

SHA256
8620d146b06037c9dc98b8788c3137344eb9d7e1f8b982ffec4c1d8549f24dd5

SHA512
76bb7175359d61ce39e95008269752de25769c4e274b4bcf37b920bc2cbfb680b2a4a88de860ed069655d1f47604638b0301c2c6131107cd929348895d73d2bf

Download Submit
/data/data/com.jmjxbsvp.iuvivhov/databases/privatesms.db-journal

Filesize
512B

MD5
209f8cd8b96cf9cbfdd94d1664fed760

SHA1
d96272e081e01339d8977220a8813697e0c52236

SHA256
78540860ca749fe7cc2fddb882c22423e7015cb8fa712b5fc03b259ba9560308

SHA512
11ab7c5471120a4e247a7ecfa40e9a301ae612bded73a336fda497756c5e2c84218f353a3deeebbf17fd1262ea6d2a9bcf8477d133f080b5cccdb39096df2d0b

Download Submit
/data/data/com.jmjxbsvp.iuvivhov/databases/privatesms.db-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.jmjxbsvp.iuvivhov/databases/privatesms.db-wal

Filesize
28KB

MD5
9e554aaab44e50229be74aa9feff3faf

SHA1
9fb8af5771c7218674a3a6e2cebddd7b1a494509

SHA256
520059ba2db3639253220d386d2903f614e5dc8a4d0645ad3e1dffe6719b0f71

SHA512
f05be1b89d3f9f19f32202f617252d6cbad815b960c7f20bf4a7ee2116fc92671d2efef0d945f48e048dcc72ff5cf91aa1fd223343f81d5e28bcc67acba0e643

Download Submit
/data/data/com.jmjxbsvp.iuvivhov/files/478850.so

Filesize
145KB

MD5
8a5aca5c41cc5dfb165510bf75272035

SHA1
a25cc40ef82c64773d35c10027605bb155afd843

SHA256
57e962cb3054bbdba8c101107746dc660ae2e18e685be7befbe396d5a3099e7f

SHA512
2c09df4bbf1936be915719c0dcee912f040d40877b13cefb1c577efac35a63f28fe2163c835b0e19ff971c44f79d5561c69b2a49a2467ec9bfea8f742bddd4f5

Download Submit
/data/data/com.jmjxbsvp.iuvivhov/files/dex/14224d7f4faca4c7.zip

Filesize
548KB

MD5
c4ebc28b4ef3d3ed8e0b34bbfe5630ac

SHA1
727fe7c099461851fc34218ba9e8a45cd1dc5236

SHA256
396a9ea0358fdcb008405562209b51b2aaf478ee67afb018d801ca5bee3bcdbd

SHA512
b372b2b6c9c95fbde13f94b5a9e7a82ebb911fa6d53cff66d0e21c6dac8e179c466039b1fdd77d3c9a4ac7da280818e77cfac4dd15a9b0bbd8cea6e286762fdb

Download Submit
/data/data/com.jmjxbsvp.iuvivhov/files/dex/lzfBvUpIxUAObfnhI.zip

Filesize
649KB

MD5
b27a3cd0942c9306f6f1a155193afa9c

SHA1
77cc569e347f763a03472df17eb3363af483c273

SHA256
38dc384bd5d2260dfc19d820920ed9c7af2068aa6dfa905e8bf73cea15d661f0

SHA512
ab4b964cbbe69b9756bbcf905648d35c37180b437f13621958590b4036ae031006fb5c24b8fd5f029e431ef2c051b1fcdeb31c4f3a4cc0b065e590adf78ad084

Download Submit
/data/data/com.jmjxbsvp.iuvivhov/files/dex/pro_btn_bg_animation_img_0.jpg.zip

Filesize
8KB

MD5
7c20a2b01bf3f9df1f0abb72ebbe82be

SHA1
e601b2e41434623edbeece32867517a3cdec5449

SHA256
1a10cc3cd2dc21a9be2d2eb758fd19288082619d331245b927d0a9299462ea2e

SHA512
3faa6efbd3ebf6e1aff7ebe9958c5f94bbfe9c5ff9e11e9092b1b7301bbe6504c01b922d709303147e213b3cadce8e96462220a1d1bf4d6cdaec95b3f84bb1b4

Download Submit
/data/data/com.jmjxbsvp.iuvivhov/logs/Sistema1724811594472.log

Filesize
15KB

MD5
11084545f1a4b082308f3495d05c4e86

SHA1
5f9f8e4a3f889d5a4dfa21241e741380e98b462a

SHA256
56d5c50af584829e9ae5525ea937ba8ba493b87491eb002270aceb9219407311

SHA512
4c519dff8d1313032ec28ffe87e9c2398829bd2e98c9983626d2cc94c26ad01813327aadca11d6ec11626c3d92ccba3459d6e2bec0e61733137be476b8a5a565

Download Submit
/data/user/0/com.jmjxbsvp.iuvivhov/files/dex/14224d7f4faca4c7.zip

Filesize
1.3MB

MD5
a77bdca16285935ad31e7dc571c9175d

SHA1
afe4098a0ab93db576986486e7742858ac16a56b

SHA256
4d7cd9d8327f4189188ced460a4c3a2abea3ff06e621243ac1aba2433dfc70b9

SHA512
fe199fbd7d82fa3396ccb1eda140b05bca827b08ef2a213954b5be48768869e5c954f96ce6f6dcced7b5198c42edf066bb246952ef6757b9b78b3b5f4511bf7f

Download Submit
/data/user/0/com.jmjxbsvp.iuvivhov/files/dex/14224d7f4faca4c7.zip

Filesize
1.3MB

MD5
ae554b440090d83f79d0e367e954c647

SHA1
c7849ccd3ba936269a4d04384550cb21f7c40935

SHA256
3d86114b545f2f10a017a4959a5906b2dc3b87bbd4d7cb0b2bde63579a8fa88e

SHA512
ac6b5406390b20cfa5006e20e53754f9d74e1db38192a31c43257862b37f0f3e9468ed31d03c06deb0e410a061284fece65fd0de74fedc578dff1e034abc3b4d

Download Submit
/data/user/0/com.jmjxbsvp.iuvivhov/files/dex/lzfBvUpIxUAObfnhI.zip

Filesize
1.7MB

MD5
18ed7624766b72b0022c4ad373446939

SHA1
1f4ecec6c6486b4ccf9ba2a0f1908c15980ea528

SHA256
f71f350cbb18c5a2a0678f639f614c1c7ed2717cea40e9ca52c0dcf2f401d82a

SHA512
6d96683fe295b2cb96a85be5976b2d7bb908147f8983f89480e21f55814f7a45cf7db00eb404d25bc24296178a247771af68a52e147193cfdd1a1e9387a3ecee

Download Submit
/data/user/0/com.jmjxbsvp.iuvivhov/files/dex/lzfBvUpIxUAObfnhI.zip

Filesize
1.7MB

MD5
55fe90cd0c61de828cbc160a0b01ff2f

SHA1
449130e6ac36fc109e0fe0738abb1db3321b8235

SHA256
e7a1016c51e9cd4be46ca20cec695f169d259645983ef44fd2565760613f09ca

SHA512
30994b07346866be6cda420bd9dfd42146c8b7c43a76fd647af33d5561e37174a64642361da84b6a4c6377604c028c71393889df5f46c5aac5632e9c7eea5e50

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads