Malware Analysis Report

2024-12-06 02:38

Sample ID 240929-c6g14szbrg
Target 2c193c9f18db13d13903e0cd15c90ff9c3623d2a0b3b74c4d9e2a173e87cc4dc
SHA256 2c193c9f18db13d13903e0cd15c90ff9c3623d2a0b3b74c4d9e2a173e87cc4dc
Tags
truthspy banker collection credential_access discovery impact persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2c193c9f18db13d13903e0cd15c90ff9c3623d2a0b3b74c4d9e2a173e87cc4dc

Threat Level: Known bad

The file 2c193c9f18db13d13903e0cd15c90ff9c3623d2a0b3b74c4d9e2a173e87cc4dc was found to be: Known bad.

Malicious Activity Summary

truthspy banker collection credential_access discovery impact persistence

Truthspy family

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Obtains sensitive information copied to the device clipboard

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Queries information about active data network

Queries the unique device ID (IMEI, MEID, IMSI)

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Acquires the wake lock

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-29 02:41

Signatures

Truthspy family

truthspy

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to monitor incoming MMS messages. | android.permission.RECEIVE_MMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows applications to use exact alarm APIs. | android.permission.SCHEDULE_EXACT_ALARM | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-29 02:41

Reported

2024-09-29 02:43

Platform

android-x86-arm-20240624-en

Max time kernel

17s

Max time network

131s

Command Line

com.systemservice

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.systemservice

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.180.10:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | protocol-a100.phoneparental.com | udp
US | 172.67.144.220:80 | protocol-a100.phoneparental.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp

Files

/data/data/com.systemservice/databases/com.google.android.datatransport.events-journal

MD5 83de75de606b442e7f3dcc5392464f09
SHA1 482930f16271bebf716804777d7965ea24852013
SHA256 3e321d13eaf0986d93d43b307ff12e96be8a15f3675422656f434963ce73eb9c
SHA512 6cbe063d75ce624b74ad2318f3c571131b8672b05250188972553847596b4df6579fd26dc342b504dead941f23143d243dca9a79e9203061ce8badc6b900fde7

/data/data/com.systemservice/databases/com.google.android.datatransport.events

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.systemservice/databases/com.google.android.datatransport.events-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.systemservice/databases/com.google.android.datatransport.events-wal

MD5 ded6b4a157fa3dbf4d6453cd5e3917d0
SHA1 5cb2aff8581c73c60327a06fcb87443d566fef5b
SHA256 d96f7185beecaf199af9d496ce47922b45591afdeb65d67d6d975f1680b32c60
SHA512 514ff793bdcd7c41d2a87f618614ee9264ea8ee04d9770cc711ed90f4f21e57e465bc9c707d00be424bf0201a458067bc5ec19f99f506445c08c11586fa03c41

/data/data/com.systemservice/databases/core.db

MD5 045489a0639eee27bca52f48828cd93d
SHA1 436e7966e7c019273c44faa4d8c5709b816dfda3
SHA256 0151eae0eec786abb19ab59d7361b3291ae98411fae12cbbdfecd1612e16996e
SHA512 c8739a723a8648b0e380b946a97fb6cd83d6c4769ec3679bf4bc003ad0049ff5cccfc8f75a6ea272feced0020b13d3129f792f0f22cf442f0d0127f399eba22e

/data/data/com.systemservice/files/PersistedInstallation9070777221244063448tmp

MD5 a283bc1c206eea87a774ac1621b813d1
SHA1 8deef8685e8d29917e79f0bd0f35f002eebb568b
SHA256 6fcca7da84b338ea7e50f1b73874cfb395f7c576b3743dda641b5b0dd345c10c
SHA512 a5e0e1d34149647ab421654fe1b4dc03ef081aba27a1c392fb019bc1d3be88ae4611b85d9ccf5b95857766670bde6cfdc777c8ceb011a6844d249702ae8dded7

/data/data/com.systemservice/databases/google_app_measurement_local.db-journal

MD5 4750b0948c06eb2e648015ff86d5ab7e
SHA1 6da638275e0effd0706e344d73dbb0226a65d8d6
SHA256 c23d4f76f1f06dd263df3b8c125be7cff0674e3c1ed6db7c98d7c74ada60bae5
SHA512 7ac6229e57f7506755b72649a4cbc9584315eebaff7d4d2fab4dcd2a16f345e0323e15688891de7f778785c9adb17213562ba37fdbde4322fb251d0e83ad158d

/data/data/com.systemservice/databases/google_app_measurement_local.db

MD5 7237409e0640cfab7bdbd429bf821a3b
SHA1 4c3da934842f8d4835dfe2a9c275a300e5123309
SHA256 5c8e1b63d187efafe1e09bfadd83fd360176d689b57b5a0cc40e6854c12449fa
SHA512 c8afaf6a8ee43ce3601feff417bfaec563c01bcff0aae24577054034112b2020967f25b0b1a919c3c9e5e81d62a21a87e908b782c4d5cb8bba8ac259108e9c1f

/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

MD5 62e0bcbdbd0451336a73b3701b715f41
SHA1 07a4f66c5943df5253024211da0972004eddf4d9
SHA256 83fb7399dd842833bca96cafff745f668d517d0caa712962efc31b2500cc4a3f
SHA512 f251075a81334a232997fab9237a33424f50101bc3f3a7dbcfcf9defb1cab987c193c172e430f40484c224c30285627a4d13a6806aa469e79a5de10ab54ce868

/data/data/com.systemservice/files/PersistedInstallation7437320896668962778tmp

MD5 1818dc0d964d13a0dee7f3c5ff46310d
SHA1 8a565a08cbea1f3f370331029a66ddaf15add91a
SHA256 363ecdb121b506817313792b24bf3bbd4802658df9397048cb2f219beff18523
SHA512 df7c2307908f9d9b89ece47a704e04144b5df3deb4879c1def99cbff4a4ce3d2e50c377eede704255d4f970f2871e7bd65366df2203a78af8eea3ca11426b2bc

/data/data/com.systemservice/log/log4j.txt

MD5 3039d3edd05207c437659f5403b7f94f
SHA1 21a6738af9428303f6b6caffed1f5e0ab0dee773
SHA256 52053bc0de2f7b1214951b26e30a993309adbe18a5d54fda79b72caef6de73b6
SHA512 d5067034cad4c14cd05c28149a9d2d32d409a72ac58905c21a90fc970c66814de7f218c44cf333f295be818cc9a9b5b32994b1c10b6bd94179496cf4cce07ef7

/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

MD5 c802b7c8ed1065fa81076347c79b1a28
SHA1 7d8ca5cc628114bac24fca6c8f2871ff3c1ee33f
SHA256 1dd0418345a3552b38991079da1ca1fc24a5ff195da9712e4634ba0ace8644f5
SHA512 b0871e9e578bcfa61ada81eeab846144818500608782131a73d753928569c16040a5b245bc493bb6a79b9b27ea014fcb7a40d6af5b17058d5c9e6ffe448d1642

/data/data/com.systemservice/databases/google_app_measurement_local.db

MD5 d73836c4f8ae7ca4d48db9ba80aa1e3e
SHA1 adf5bb0037cc43c94921bd57609710b69d685ed9
SHA256 3dee1b3f2ccdcf6c8002f87566ca89be2770fcc0c661618f5e99bcd3681f1d8d
SHA512 7a3d7e41320cd6f2e792e3e4acfedb3bed862929674019bef3ca003578e648ce7c517741a434acf293547fd57a23cab2990a9c37ad509a84e4a8090cd1ff9c16

/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

MD5 778a95b718a9cedb6ca864c38445dc1f
SHA1 7a956f5b6f2e50d34c166ba0dd3203499d17ff1e
SHA256 b0a95154dde10a44fcd0fadce59fac6c3fca64ea936684173e0fa2e0afa930d6
SHA512 813cf64659e3b967f6fd5fd9e266e9ff876dc3c3ab9ed027d4f60ed1ac4a8051611f05616a956e056f84fbca7cc3b837d5c8098f9627432d0ddd72b81f2fa18c

/data/data/com.systemservice/databases/google_app_measurement_local.db

MD5 36a05c00f1dfc83cbdbc80ed7e6497d1
SHA1 cd6a0e082b58779bfb3d95f58304dcbf16028788
SHA256 0e566829ccf2cfa63a8ec6be55febf13c04e3534d9cd91ab34f85afbcf4dab0a
SHA512 7b345fb47c5c2549f4614029cbaa165051dd3327b96cb1bdf6c16402bd9a97497ed4194a1eab37626485916594ab0f6e2051ccafa6493a47252dd2cadd379c03

/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

MD5 a6e64461ee9a38c07dc73d0878548994
SHA1 7ad7417f7ff6b35db49a44c8a69701ff0f7f5de1
SHA256 0daa412b5d28deeaf074470518de3c78129196f34938a8e6e250171564f0b82f
SHA512 346bb3fe6fc80d0b2921041d1448c5593ccb36b76915a5ae8fd8d49b70c1b162b51ab690e65c4c0728a8e9452a9aac0d455b2ae84a7ef71bd4d4c5f16b1ed69e

/data/data/com.systemservice/databases/google_app_measurement_local.db

MD5 83380039924fab37f19126c806f349c1
SHA1 bb4783a00940a2d2618fe1adeb7fab63a0f15497
SHA256 d465e52381b8d3307287bb01453dd6c6e6a988e75d5f6e0c17cf87197574af0a
SHA512 a8ddb37c062a9d8fec5994df08141230a50db05defe71a57965594b4da32cc4d25d9d8cff80c58f82c0b608a7c53864fa67ec9b9b29a4dc5be00dfee1ee598de

/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

MD5 d98bc97060e062c38abd58ba5386d123
SHA1 0e32c61bb6a7bc34ce8449743376d9a2ab2f0200
SHA256 6f99f5145def816d081ed079256d148e4daba1f902f3d87137fe773d4d0f6058
SHA512 ff576ad1ff99e4ac9bcae131eb601f219f776690d32c058230aacaa8a336aa36a538ce249524900d61ffebc220e5ec0df2839c89b4eadcedfecbfe055229c577

/data/data/com.systemservice/databases/google_app_measurement_local.db

MD5 7022a8ef98f5ad956be956e5eb81fee5
SHA1 9f5476bc2eb649908758a0eb1dd047090ad0152c
SHA256 eda5f878ee27ebc0714b55cc7a3a1efc2ce86049b333fdcc4f2d56c89c1d9861
SHA512 e9110a9378045fcb4d688849d7803ffbdae8001953143fc05a51069b7197cf46cf144065eae4cff1045309d4c2662abd410fbaddde12bca72a753c8d41f0b8b5

/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

MD5 43435e735bf772788836139767c5383f
SHA1 09119a9716472cc430bc8d7ac9a2c23559423063
SHA256 eb9ae8d5e2ca6251842a7a23560c78568981313d01dfad072c820fef2dee8bcc
SHA512 38e4ec50c17b8d99ee25ec787fab836045444b69442d1a3a203f6b92a334aaf9005737df06b693c2980033e02c36b3443ec22f5f114fbaeaa951bc8ef1328ae0

/data/data/com.systemservice/databases/google_app_measurement_local.db

MD5 835cfc7decf507cdc5e54f602e3f9699
SHA1 4a55d424cb32e766554672cb2d0b3804fc47552f
SHA256 29257dbf2b37d226ace65bd68d001398801235d93ed830a35435bd4bab4de852
SHA512 2ab470c2200d97b545693a4cdc661100e46b0299f3d3890773681bc5f22f29eeda6b6a83a5c627fa22119726f3ce78d40021362a3f018a4f3afb4a08476c253d

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-29 02:41

Reported

2024-09-29 02:43

Platform

android-x64-20240624-en

Max time kernel

4s

Max time network

146s

Command Line

com.systemservice

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.systemservice

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.34:443 | | tcp
GB | 216.58.204.78:443 | | tcp
GB | 216.58.212.227:443 | | tcp
GB | 216.58.212.227:443 | | tcp
GB | 216.58.212.227:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 216.58.212.202:443 | | tcp
GB | 216.58.212.202:443 | | tcp
US | 1.1.1.1:53 | protocol-a100.phoneparental.com | udp
US | 172.67.144.220:80 | protocol-a100.phoneparental.com | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | g.tenor.com | udp
US | 216.239.34.223:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.169.4:443 | www.google.com | udp
GB | 172.217.169.4:443 | www.google.com | tcp

Files

/data/data/com.systemservice/databases/core.db

MD5 045489a0639eee27bca52f48828cd93d
SHA1 436e7966e7c019273c44faa4d8c5709b816dfda3
SHA256 0151eae0eec786abb19ab59d7361b3291ae98411fae12cbbdfecd1612e16996e
SHA512 c8739a723a8648b0e380b946a97fb6cd83d6c4769ec3679bf4bc003ad0049ff5cccfc8f75a6ea272feced0020b13d3129f792f0f22cf442f0d0127f399eba22e

/data/data/com.systemservice/databases/com.google.android.datatransport.events-journal

MD5 76ba82127b9bed18afbf2fcf0ca0512f
SHA1 7324f1d6818d0b1f38717759d9ea1381aa15c930
SHA256 239b18adbb6101080eeed5f1d7b475d05b226f83ec22dc3dc7ea059e94f21dbf
SHA512 4992a0ace9513c27422026d43ca60f496d6cc7adf341815bb55e88ea9d5ffba23bb7b7fdb020ef00a13061dc7b4254da80f421af925d21cf244e0c7f7992a900

/data/data/com.systemservice/databases/com.google.android.datatransport.events

MD5 ea628e04765adaf4238a5dcdff4bbd51
SHA1 a801947619ea8c368efe9c006a324dc6339ac60b
SHA256 885e337c2156e4dbf2176a9677ade50418740532d222ccae5ad4aa371b54c6a4
SHA512 c0287b0e7b690a7231a37d1745c49f3d861b22aa65dd769ba6a8b5ab9da55443f749957781ee05a405019c39e1be45d37a971b821bffd62a1d5620bc39119abe

/data/data/com.systemservice/databases/com.google.android.datatransport.events-journal

MD5 b9039021578361741a2e44897f3cd77c
SHA1 6b772fd76cda4d3e1d14a2ed7ab525c03b8b50b3
SHA256 499ba35ccdb191b0891b2e2e4a303bd3a2c867d31632a9f4b111b3af49be110e
SHA512 0480661b6df322ca828f105669078b024c0867aafe007ee30f9320ae0923acb4ff6e22d7b9e7c2149b28bd145fa24a102bb8b4d77a36e5ea0b80f70b95da46b0