Overview

overview

10

Static

static

6

7c44519e51...57.apk

android-9-x86

10

Analysis

  • max time kernel
    148s
  • max time network
    131s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    01-09-2024 22:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7c44519e51cc203cdd23f27cefe7cf99de34abddf947ba55951721725f15aa57.apk

  • Size

    3.2MB

  • MD5

    2f73a6fe62a8ac27d658f15b1dc9a287

  • SHA1

    a40118f9d9a54938e6e261ee242716ac3a761e89

  • SHA256

    7c44519e51cc203cdd23f27cefe7cf99de34abddf947ba55951721725f15aa57

  • SHA512

    480a6c820664ce78b6284678019671edacc4cf98865e335f9816ce84507c2fe42b765db5103e27dab52605f95c5302f58c6691a869e24876df1f396c4d966d89

  • SSDEEP

    49152:pVPh+nACbPhX9CR3WHZn0/dwbDnog36hR4F41RemM3zfhVzsv5w:pVPcnzbPhoZW5nhnnHVyRtM3znzQw

Score
10/10
tispycollectiondiscoveryevasioninfostealerpersistencespywaretrojan

Malware Config

Extracted

Family

tispy

C2

https://auth.familysafty.com/TiSPY/printIPN.jsp?screen=IntroScreen&model=Pixel+2&osversion=28&deviceid=358240051014041&version=3.2.183_21Jun24&rtype=T

https://auth.familysafty.com/TiSPY/printIPN.jsp?screen=Signin&model=Pixel+2&osversion=28&deviceid=358240051014041&version=3.2.183_21Jun24&rtype=T

Signatures

  • TiSpy

    TiSpy is an Android stalkerware.

    trojaninfostealerspywaretispy
  • TiSpy payload 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 7 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Queries information about the current nearby Wi-Fi networks 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current nearby Wi-Fi networks.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Requests cell location 2 TTPs 1 IoCs

    Uses Android APIs to to get current cell location.

    collectiondiscoveryevasion
  • Acquires the wake lock 1 IoCs
  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 19 IoCs
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence

Processes

  • com.foqrpral.oxudfpdy
    1⤵
    • Loads dropped Dex/Jar
    • Queries information about the current nearby Wi-Fi networks
    • Reads the contacts stored on the device.
    • Requests cell location
    • Acquires the wake lock
    • Queries information about active data network
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4256
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.foqrpral.oxudfpdy/code_cache/1725228503050.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/data/com.foqrpral.oxudfpdy/code_cache/oat/x86/1725228503050.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4285
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.foqrpral.oxudfpdy/files/dex/rIiUhJCHARxzyIQxM.zip --output-vdex-fd=49 --oat-fd=50 --oat-location=/data/user/0/com.foqrpral.oxudfpdy/files/dex/oat/x86/rIiUhJCHARxzyIQxM.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4310
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.foqrpral.oxudfpdy/code_cache/1725228511579.dex --output-vdex-fd=44 --oat-fd=47 --oat-location=/data/data/com.foqrpral.oxudfpdy/code_cache/oat/x86/1725228511579.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4340

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.foqrpral.oxudfpdy/code_cache/1725228503050.dex
    Filesize

    4KB

    MD5

    d3364728f634bf71c4b16542c02c60cb

    SHA1

    f23088362b69935f404f2b81eaa40ed3172efca5

    SHA256

    401f68f4448fd6288b7619a7a2ae4646493cd7268f16aa6714802833fbc1197e

    SHA512

    9378bbda71abcb437676a2d4095d7d3ab6a5a1c1682ec95f3f6d050b9226692cd1a29ba8e7a65dac441c29cfb7b1d5e69e34b5cc32989c90c025909567a662af

    Download Submit

  • /data/data/com.foqrpral.oxudfpdy/code_cache/1725228503050.dex
    Filesize

    8KB

    MD5

    cf790c0dfb1361b86d4b8bfca1f8814c

    SHA1

    d452d9d6504f6af0c9408d6fdb1ced0ff3c45dee

    SHA256

    5dfcef0f59a512a9d88d21de81e5f9a20ff420d328736a1426b0a45f9459d832

    SHA512

    e2194cf4ab22064206d9df3523afd3b247f4ce72b7fed17056029746d1f79c1a25d340f8f9c7ec77b9590d05dc7549a735d631a368f82c472cd54bb8a1396c47

    Download Submit

  • /data/data/com.foqrpral.oxudfpdy/code_cache/1725228503050.dex
    Filesize

    8KB

    MD5

    a137b5568de65b8fef35329930d8617f

    SHA1

    49a2d6e95d447ba1d448c81691f6a609fb2859ed

    SHA256

    bc5290425eaa32b00a84a94c58976321e7643bc5d668817524ad68a1c7d2082b

    SHA512

    9dd6c25dea7b3424e8ca0150a9f1f6f85ed5fccef69e7fadfa05324014b74cc350365b788cee2a8ce25afccee084908e679eafa7f449e7791c6288485d2c5338

    Download Submit

  • /data/data/com.foqrpral.oxudfpdy/databases/privatesms.db
    Filesize

    16KB

    MD5

    3621ce0aa81e37bc5c80e2cf881f1dd0

    SHA1

    00365f82dcada94caea07443656848baf60b3bd9

    SHA256

    8620d146b06037c9dc98b8788c3137344eb9d7e1f8b982ffec4c1d8549f24dd5

    SHA512

    76bb7175359d61ce39e95008269752de25769c4e274b4bcf37b920bc2cbfb680b2a4a88de860ed069655d1f47604638b0301c2c6131107cd929348895d73d2bf

    Download Submit

  • /data/data/com.foqrpral.oxudfpdy/databases/privatesms.db-journal
    Filesize

    512B

    MD5

    f2c6e8ae2135c37c8fbc493871d4daa3

    SHA1

    b29c87611b12db0c463def7cdc9aa885a0e925ee

    SHA256

    661f5638e11c646d5568b11caf4627e5ac0b15254c29fe45eac05517878996db

    SHA512

    a60784b7d7e30e20772cc8dd8d7ad15a3e7297683920c60b75db23a6aafca88d8477b0a07c848e7ca69c6895c55d12a2dafb36cbc6f245b747c76c6e26a15a5e

    Download Submit

  • /data/data/com.foqrpral.oxudfpdy/databases/privatesms.db-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.foqrpral.oxudfpdy/databases/privatesms.db-wal
    Filesize

    28KB

    MD5

    53eaeeb9e4d77c7f68e5020069cfeb94

    SHA1

    de52812856870ae961193fc3fc4b6aaab3977228

    SHA256

    eb33710890050f3bbba994813f3729a2fa362766446342de053e60619245952c

    SHA512

    7fc1c226c16a6169de0f8b2937efe40b312c491158db3bbd6cd9fa2c6923f903e1d272125a9f7b2e957871237b640e06610b9cd623f13bb67023dd7dc92b2166

    Download Submit

  • /data/data/com.foqrpral.oxudfpdy/files/477480.so
    Filesize

    145KB

    MD5

    58c46208d95caaa3e72b9a812e2e4fa7

    SHA1

    d4d4159adde5b34b31f06fdbf622577a7e5c49e2

    SHA256

    61afb81a844465836f0f8665ec5cda08620362f1cfd3357b54c31e64747c7569

    SHA512

    12a7b66191bdfb6012517acda5a2dfe4b3ed510fdac14673a859a50cf358365f58a9accd91126e1cb95f68bbcec9265a3cab9d46e481700b161f4578bec4a835

    Download Submit

  • /data/data/com.foqrpral.oxudfpdy/files/dex/rIiUhJCHARxzyIQxM.zip
    Filesize

    1.5MB

    MD5

    e10223a9dd1e0ddb8b1061d1f4437625

    SHA1

    7d1e8cc7b1409eb49f4fef532a4f3003f8785b4a

    SHA256

    649d1bcd5b1a5f75260e284bb8e1bda2c4630dca5a7536d5e56c8b8dcd51b5d3

    SHA512

    a0aac391a377c514598034929fb1d7fad129f32eb253c778de1724b7bebb84afe077ac2d0bea432b2bbd93cbe192d2452e85c9e3356d4ba8d321c349242aab8b

    Download Submit

  • /data/data/com.foqrpral.oxudfpdy/logs/Sistema1725228515582.log
    Filesize

    30KB

    MD5

    c5431d7b3a133d2bb06b37a876fc0a93

    SHA1

    9f56c55499ce24b1f3985e8eb7053aa2c31cdd77

    SHA256

    447ce3ffa30faefa9fa9834f715b203bac424d39866539fb986d11e8278abe2b

    SHA512

    1c47970bbdfb9bf8c6c0c4458117b2cda6af1362ac72c0c3a347e634efd2c700cbde4e02455477bc105e8e042cfc3ccc9c3591513a01c7a1e3f1bbf2be052356

    Download Submit

  • /data/user/0/com.foqrpral.oxudfpdy/files/dex/rIiUhJCHARxzyIQxM.zip
    Filesize

    3.7MB

    MD5

    4a3936648e0d6bb8de54977f7d2f2440

    SHA1

    528efc4052546f80a371bfce96e7cb3813ee3ddc

    SHA256

    bfea891d0ac92148bc35c91769f34c802c07b020b4330213650360f4ebb245d3

    SHA512

    c72a85335ae061943f53be66472f2ca83d3ab780665cf2b919c838bfee265f202d02a7c1b1cbb038fb0f56c53f8ec1dbd390fe9ee1c69fdf81a0f652cc677e39

    Download Submit

  • /data/user/0/com.foqrpral.oxudfpdy/files/dex/rIiUhJCHARxzyIQxM.zip
    Filesize

    3.7MB

    MD5

    5e55cdadb8774e38f6b17f3c8acfe6af

    SHA1

    96fa6e628d74782f6efe0f52c6113ed638d37845

    SHA256

    05402c8959137f312278d1f2d5fe1cf7e0ff1c26fa09521c37fe700b0c82ca23

    SHA512

    a76d1a43278eb938bc7a133a6235e3b465a1c8266b57e2d3d39dd5736178388df3873ac49ee5a8ca4564a984ddabd5d18b5aceb6af666d988bcc420ccc7d1685

    Download Submit