truthspy | 2c193c9f18db13d13903e0cd15c90ff9c3623d2a0b3b74c4d9e2a173e87cc4dc

Analysis

max time kernel
18s
max time network
130s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
04/10/2024, 02:27 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c193c9f18db13d13903e0cd15c90ff9c3623d2a0b3b74c4d9e2a173e87cc4dc.apk
Size

3.6MB
MD5

39fa2c58237de702fc3458251f358cab
SHA1

16e4e5003046f5d07a0fb1eff0dad56d9ce53be3
SHA256

2c193c9f18db13d13903e0cd15c90ff9c3623d2a0b3b74c4d9e2a173e87cc4dc
SHA512

023b77900582d0b6629d587f7411ce5153124cd3870b9533cf9afc5304b874e4353d8dabb7adf8a199768992123e707bc6a87ee682463c3bdccecc8a060e7126
SSDEEP

98304:kyHTjmHgJcyw+WoeX89z6Odp/9hBbW+te6lXhAyHmz:k+jmKcyPsXMl9jS+oSc

Score

10^/10

truthspy banker collection credential_access discovery evasion impact infostealer persistence spyware trojan

Malware Config

Extracted

Family

truthspy

http://protocol-a100.phoneparental.com/protocols

Signatures

Truthspy
Truthspy is an Android stalkerware.
trojan infostealer spyware truthspy

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.systemservice

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.systemservice

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.systemservice

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.systemservice

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.systemservice

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.systemservice

com.systemservice
1⤵
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4252

Network

DNS

semanticlocation-pa.googleapis.com

Remote address:

1.1.1.1:53

Request

semanticlocation-pa.googleapis.com

IN A

Response

semanticlocation-pa.googleapis.com

IN A

142.250.187.202

semanticlocation-pa.googleapis.com

IN A

142.250.200.10

semanticlocation-pa.googleapis.com

IN A

172.217.16.234

semanticlocation-pa.googleapis.com

IN A

216.58.204.74

semanticlocation-pa.googleapis.com

IN A

216.58.212.234

semanticlocation-pa.googleapis.com

IN A

216.58.213.10

semanticlocation-pa.googleapis.com

IN A

142.250.187.234

semanticlocation-pa.googleapis.com

IN A

216.58.201.106

semanticlocation-pa.googleapis.com

IN A

172.217.169.10

semanticlocation-pa.googleapis.com

IN A

142.250.200.42

semanticlocation-pa.googleapis.com

IN A

142.250.178.10

semanticlocation-pa.googleapis.com

IN A

172.217.169.42

semanticlocation-pa.googleapis.com

IN A

216.58.212.202

semanticlocation-pa.googleapis.com

IN A

172.217.169.74

semanticlocation-pa.googleapis.com

IN A

142.250.180.10

semanticlocation-pa.googleapis.com

IN A

142.250.179.234
DNS

protocol-a100.phoneparental.com

Remote address:

1.1.1.1:53

Request

protocol-a100.phoneparental.com

IN A

Response

protocol-a100.phoneparental.com

IN A

104.21.47.58

protocol-a100.phoneparental.com

IN A

172.67.144.220
GET

http://protocol-a100.phoneparental.com/protocols/get-brand-info.aspx?brand_info=tts

Remote address:

104.21.47.58:80

Request

GET /protocols/get-brand-info.aspx?brand_info=tts HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
Host: protocol-a100.phoneparental.com
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Date: Fri, 04 Oct 2024 02:27:25 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: private
Vary: Accept-Encoding
Set-Cookie: ASP.NET_SessionId=pyfhs1x4fio5fl4r2e03vjrz; path=/; HttpOnly; SameSite=Lax
X-AspNetMvc-Version: 5.2
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=txm76%2FPUWya6GaZlZBnQ1wLVlBm8nQolZGr8IAhtaf8qg%2FKdXjfnoj6csIgNRo2Vb8ZQybbCe%2FeaF2goVwoBEcjwmgywuja20JjsafEotZefFia6ZOnlQCf%2BbftTDP3fqpHympX%2F9avaubEMwOTpMZ4O"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Speculation-Rules: "/cdn-cgi/speculation"
Server: cloudflare
CF-RAY: 8cd1bb9378cc63f9-LHR
Content-Encoding: gzip
GET

http://protocol-a100.phoneparental.com/protocols/get-brand-info.aspx?brand_info=tts

Remote address:

104.21.47.58:80

Request

GET /protocols/get-brand-info.aspx?brand_info=tts HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
Host: protocol-a100.phoneparental.com
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Date: Fri, 04 Oct 2024 02:27:28 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: private
Vary: Accept-Encoding
Set-Cookie: ASP.NET_SessionId=p0vohdzanfflfs5ijgx0k2as; path=/; HttpOnly; SameSite=Lax
X-AspNetMvc-Version: 5.2
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x%2BY%2B493miUXaw10fNJIGgM1Jwxx7bDUT4DLubALDM06Pu7YdcxmPncWKdxQ2L7dp1L7WyEtlwCa6dzyIv64PRJ302LMY03zG9qzQ59ydkIu%2FngS0i8JZoAuUE2f1R34plRsg3desdOyT0R%2FoHnGxnBOn"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Speculation-Rules: "/cdn-cgi/speculation"
Server: cloudflare
CF-RAY: 8cd1bba3ece263f9-LHR
Content-Encoding: gzip
DNS

android.apis.google.com

Remote address:

1.1.1.1:53

Request

android.apis.google.com

IN A

Response

android.apis.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

216.58.212.206

142.250.200.42:443

tls, https

202 B
40 B
1
1
104.21.47.58:80

http://protocol-a100.phoneparental.com/protocols/get-brand-info.aspx?brand_info=tts

http

878 B
3.4kB
8
9

HTTP Request

GET http://protocol-a100.phoneparental.com/protocols/get-brand-info.aspx?brand_info=tts

HTTP Response

200

HTTP Request

GET http://protocol-a100.phoneparental.com/protocols/get-brand-info.aspx?brand_info=tts

HTTP Response

200
216.58.204.78:443

tls, https

1.2kB
40 B
1
1
216.58.212.206:443

android.apis.google.com

tls

6.4kB
9.5kB
25
27

224.0.0.251:5353

3.7kB
11
1.1.1.1:53

semanticlocation-pa.googleapis.com

dns

80 B
336 B
1
1

DNS Request

semanticlocation-pa.googleapis.com

DNS Response

142.250.187.202

142.250.200.10

172.217.16.234

216.58.204.74

216.58.212.234

216.58.213.10

142.250.187.234

216.58.201.106

172.217.169.10

142.250.200.42

142.250.178.10

172.217.169.42

216.58.212.202

172.217.169.74

142.250.180.10

142.250.179.234
1.1.1.1:53

protocol-a100.phoneparental.com

dns

77 B
109 B
1
1

DNS Request

protocol-a100.phoneparental.com

DNS Response

104.21.47.58

172.67.144.220
1.1.1.1:53

android.apis.google.com

dns

69 B
109 B
1
1

DNS Request

android.apis.google.com

DNS Response

216.58.212.206

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Input Injection

T1516

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.systemservice/databases/com.google.android.datatransport.events

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.systemservice/databases/com.google.android.datatransport.events-journal

Filesize
512B

MD5
2bf0d7d05fb33461b151c4de5c559b24

SHA1
c299cf35e76bf9aa62365560818e0d7d91ad9e2b

SHA256
03f4d85ad3a256d58a9458c332c94a713d5c964cea9721d3a70706d94e877c32

SHA512
8369e6163faf0c1038ce41039fbaef79d70937b9d7b1f0c3fdc5115136b0d849515f2053bc97ac96c601475aeb2445d01498ba1e5b698275aa037be7417d5d4a

Download Submit
/data/data/com.systemservice/databases/com.google.android.datatransport.events-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.systemservice/databases/com.google.android.datatransport.events-wal

Filesize
68KB

MD5
74b0ac1b4a82fe287c82eb77980f1a35

SHA1
fac18f72de58e808e4cbd16f2b6625db3b9b2ae6

SHA256
e0275325e3af0137cee8cda899dbc697838ac13db494418153b8eccd23effd93

SHA512
9914d895fe792898c0bfde6eac3c022ec5905c2e6f696982e10287d6e69ac91d1f0c4998e57b87631d9e2c00d1be7964dac595fcff008d6e261899de13083e1a

Download Submit
/data/data/com.systemservice/databases/core.db

Filesize
36KB

MD5
045489a0639eee27bca52f48828cd93d

SHA1
436e7966e7c019273c44faa4d8c5709b816dfda3

SHA256
0151eae0eec786abb19ab59d7361b3291ae98411fae12cbbdfecd1612e16996e

SHA512
c8739a723a8648b0e380b946a97fb6cd83d6c4769ec3679bf4bc003ad0049ff5cccfc8f75a6ea272feced0020b13d3129f792f0f22cf442f0d0127f399eba22e

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
7237409e0640cfab7bdbd429bf821a3b

SHA1
4c3da934842f8d4835dfe2a9c275a300e5123309

SHA256
5c8e1b63d187efafe1e09bfadd83fd360176d689b57b5a0cc40e6854c12449fa

SHA512
c8afaf6a8ee43ce3601feff417bfaec563c01bcff0aae24577054034112b2020967f25b0b1a919c3c9e5e81d62a21a87e908b782c4d5cb8bba8ac259108e9c1f

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
fa3c5e6891031bd76af4bf0628688970

SHA1
fec0cf055962bde8f42e60c56efbf7dc42549fe3

SHA256
c610bd473a41e0591f97d72c27128e99817acf09dc3adfac8601f96fe5c09ebd

SHA512
82e16c6c64a18eacea6554c0e2a4eb8cca55cddf375c06ddcdd541be887b322b251b818f3a242cf58afe7b917e20b9d646a529a15a895377664e66dbdef28d65

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
1595b05c9a04aecbd792348914ccd756

SHA1
478239b48846753242a06c22b5d318f2be1bee56

SHA256
e62f47fbc1a4f7afdef5e20a920b53c0d0390d887c1457c9d55e99b3cf608ca0

SHA512
2fb90285bfe3cf0dcb2fb3379b456dcbb9b3293113b6d1cf0fba8bc807b7c7f00e483bb1991be41f39d89d9eb4a3d28859df35759cee8053b5bac21e8157afac

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
4ace4543209724445b32637449cfaf17

SHA1
21ba4f915ae62e763250d1d5ebfdd5ffb80ea118

SHA256
d534523d3963e68d955f268536ea3706fbfd96918498d9c049247d2f2355cf4c

SHA512
95e856c64f731a3f04e0f2b3cd35d9aa505245e41aa7e105d5f3fc901c2d07828e64e09df23529831c35316d1e2f60c39135a63a096893138f73b20f1e0996f7

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
da762ee24da51d94dd035e4dfac28cfe

SHA1
3b01b17bbf20ad4714063c069d2e453598c0f51d

SHA256
e6ac73061695b1f6e39a6f81ee4c468498b868c1649db9045580b60fba9f9e98

SHA512
a0887cf533f065caf2b0a9c31c715b60405050400102affd131b217fc99dab85c526875f33754c644bc147158fcc50f1ea8185d08b33e4e5c01436c43977646e

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
835cfc7decf507cdc5e54f602e3f9699

SHA1
4a55d424cb32e766554672cb2d0b3804fc47552f

SHA256
29257dbf2b37d226ace65bd68d001398801235d93ed830a35435bd4bab4de852

SHA512
2ab470c2200d97b545693a4cdc661100e46b0299f3d3890773681bc5f22f29eeda6b6a83a5c627fa22119726f3ce78d40021362a3f018a4f3afb4a08476c253d

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-journal

Filesize
512B

MD5
badf25863821faa1cfc23ab090c784d1

SHA1
334ed483cc09afa9f4e140faeab05bb602004426

SHA256
46e12e840e01b7812f1d62532157417c39500ffecd2a42474a54ddc8005d6604

SHA512
90f79268a3432f506dcbd71fb2b9a492c4eb7f6762ee7cb7a7adca3225a015fb4a746a0a0a4d8fec32476ebefc2df52d1326ec244dfe30f21cb74072ec04234a

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
36KB

MD5
e15bd1de2344642687a5790afea8aa63

SHA1
432fe1166a4c5fad1bb32b756b72f44e9e9047dc

SHA256
b0029741ec9cb6df82a4a4ddb3ab5bb9ec83b2902be7a4e50c80674bdac2011a

SHA512
f0354757c6ecc1a645a5358208ac79e75fcb17d37cb806e12dcf44305a06a51e0995ddcf518c939892fa7b0ce9f0b490ae5df96d77e9da6a79552083f5fa7a4c

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
04d91debd8bf5331910394452ef7c230

SHA1
fcd902889e46988c6782fa104159cb7ec2a01f11

SHA256
e3c359fa6d34cfe40b4c245f91868ee8686c77e62a99b230c7ee4e64aae8575c

SHA512
a54f5431cb4a758334ba17550988c5bfaf3f3ee330a3e225177b5166d610ec1b94ee9755c324336d5bde3df8625e44134cfb60f554f435fa41fd2c2caa4f4067

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
f6b3f71baad6d2da9cfe82fcf4975a9d

SHA1
ecaf1366cb8847af12ff613c6fc8f1f19f39697b

SHA256
8374367fc1b6dc0c0fd96e10c0624d1332c832f1ff57c7eeb70ea984cd40d3ea

SHA512
e85f5fdce6ad05ca8ad215e8fd3206b7fdd982513cd0942bf70a2c3dca80c062a56201366411eafeed632a1f77c96e960e50eca5bcb353fcba40e5c6766456fb

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
8d1d3c16666f29fa123cc15dd57a1f1e

SHA1
9a08f675f79a70ff82d35e62ee92db87759bd08e

SHA256
67fcb9f70cfb5f8b6962d09078b28cc8e3b4d32aed26f97ef44300f795c72a8f

SHA512
146e340147c6358a7ea051971fc556b5257e78796dc5caf55bfa6ff178b932de2b05b062d2dac844bc8afe39b5a35ecd935fbdba40d8d8046be104fbc4b11e1b

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
d6b4eafe1296e77f07265e17095f2232

SHA1
c6b6c070b891632b0afd67758fb140bbba761b34

SHA256
f621e3f0045e7741ac94f9d7a2f955558232a7c70907a2b163e9c6b895930a6d

SHA512
1038e0b4034d9e74dfa19394c517f523f4925a000da2952eab31d72e23c8aab81a640c9d2cf7cee1dc13122751a9704088b07f378ec0fcfd6e957ac634c4fa8f

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
87b1ebe4731524bae9422127d4936b0c

SHA1
22d807271c2ee318ed0b25e1018454409e98045c

SHA256
c65f46b553f1d8e6fdf7fa0e35fdf0fe59e5f7532292a467478c9c24717cd28c

SHA512
4c869be6af876fc459c50ee76ab3d4f587f6a68adfa39415408ef2b8db181fd7c263aef86a5b9f93af11cd92260729270b6b48efb61999faeb8b9c67fcfeb8a3

Download Submit
/data/data/com.systemservice/files/PersistedInstallation1704540401087749725tmp

Filesize
556B

MD5
e16ca72acb7c1b1b99a33d2bb0a76ee4

SHA1
1a8131b63d2d21ff8b0ba0c15d7899a35cd8fa9c

SHA256
3ea669be99d2e15470fb5ae78a35728318ec6c16ef2935d5e10e9cb951d05ab3

SHA512
4fac181f81bc4896a09a890ff7779a382deebf6b32263ea7f3f83f74f7314f1ea4fd52cac824030f61240f4acb24fda1b172700b26debfa32668388d0f253480

Download Submit
/data/data/com.systemservice/files/PersistedInstallation5201681782615563940tmp

Filesize
90B

MD5
bc277580fbbbb50ea55f81b71b576ce0

SHA1
33873827325dc10c6496a4f36f09bfb764673122

SHA256
fbf1ff2006e783d3719f158aae8534d3d2437ddbf31ba88d85c6737a98761628

SHA512
1add061a5b04fdd359950772442e5895630267b4ba1f73f71be175d0448746b2cfdc58627009296a0349b600694132e5d1607aad2a2904f8cbeb6efffebe4030

Download Submit
/data/data/com.systemservice/log/log4j.txt

Filesize
3KB

MD5
4834add3666f3f85002f496e734015dd

SHA1
e41786844b3420fa53b5fc16e0f4a7429c3ee52c

SHA256
b4205c502e781f75c4c6d0358eb9ac6fb8969e0d07308fb745bc5cd9ce962c5e

SHA512
e4084817ecc9396834a8fedc90f30a949071f0d5c664b161a72fa26a96a97018a3e1934b405b0dbc7ebf94e8e8f3b5f0c32af6a52c6ea529659d2e1d80431ba4

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.