truthspy | 92c3337b3d74f2aab8f0ca3a6f045719a3301519810d535856ff11dd743b523c

Resubmissions

24-10-2024 03:22

241024-dw319sthrk 10

24-10-2024 02:40

241024-c537ys1blh 10

24-10-2024 02:34

241024-c2p6xs1aka 10

Analysis

max time kernel
118s
max time network
150s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
24-10-2024 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92c3337b3d74f2aab8f0ca3a6f045719a3301519810d535856ff11dd743b523c.apk
Size

3.6MB
MD5

0366ae0abf0ada8aed90322bfe07dfd5
SHA1

2f0779ce64f02944e87674745cb446c5bc620607
SHA256

92c3337b3d74f2aab8f0ca3a6f045719a3301519810d535856ff11dd743b523c
SHA512

52f50f2f847628b1fb498784660050a6f189d8c7cc520c0d3a06ca28cc35ee4961d0a3daca71a540e263ab930ab629b884c3ff187d4abcd8f58549fdf87f9677
SSDEEP

98304:mD/SWbGiowrvH6Odp/9hBbW+te6lXhAyHtu:mWWbGjuvl9jS+oSc

Score

10^/10

truthspy banker collection credential_access discovery evasion impact infostealer persistence spyware trojan

Malware Config

Extracted

Family

truthspy

http://protocol-a100.phoneparental.com/protocols

Signatures

Truthspy
Truthspy is an Android stalkerware.
trojan infostealer spyware truthspy

Checks if the Android device is rooted. 1 TTPs 3 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/sbin/su	ls /sbin/su
/system/bin/su	ls /system/bin/su
/system/xbin/su	ls /system/xbin/su

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.systemservice

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.systemservice

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.systemservice

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.systemservice

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.systemservice

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.systemservice

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.systemservice

com.systemservice
1⤵
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4214
- /system/bin/sh
  2⤵
  PID:4384
- - ls /sbin/su
    3⤵
    - Checks if the Android device is rooted.
    PID:4430
- - ls /system/sbin/su
    3⤵
    PID:4450
- - ls /system/bin/su
    3⤵
    - Checks if the Android device is rooted.
    PID:4498
- su
  2⤵
  PID:4468
- /system/bin/sh
  2⤵
  PID:4524
- - ls /system/xbin/su
    3⤵
    - Checks if the Android device is rooted.
    PID:4569
- - ls /odm/bin/su
    3⤵
    PID:4616
- su
  2⤵
  PID:4587
- /system/bin/sh
  2⤵
  PID:4642
- - ls /vendor/bin/su
    3⤵
    PID:4687
- - ls /vendor/xbin/su
    3⤵
    PID:4734
- su
  2⤵
  PID:4705
- su
  2⤵
  PID:4804

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.systemservice/databases/com.google.android.datatransport.events

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.systemservice/databases/com.google.android.datatransport.events-journal

Filesize
512B

MD5
e2ca47ac38f8ea3280d5ec9fd07ab3d9

SHA1
53a691bee8d8ad896dc9504273c515ab0c4bf3d2

SHA256
186be918575f534bf0ddb9539b0778ae05f8d4ea1bd4647943a0150b96ec093f

SHA512
b876bf20d84a5add06806e5e3adaed13f2d97b8b8bcbbc1182bab90f0f392ea598bb91d859d0b071b24b69a91a31aaad24a44a3b3ded5967769cd9ffb476892a

Download Submit
/data/data/com.systemservice/databases/com.google.android.datatransport.events-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.systemservice/databases/com.google.android.datatransport.events-wal

Filesize
68KB

MD5
2847947e8dda09371c4c92e41b5fa685

SHA1
f5d6c69c6bb05e1631d5909d0426076ccadc1f9b

SHA256
5f375989ce23c6aff0e9b55aaffb1d9b8621cc9e9a11621cc3d3427a59656369

SHA512
fe44139e94116490cca932b26db0876a91a306707202d37417e94c84c2d0dcc6e47a22d48f587e3334050af02f5f20d2b8884fe4f942c97930ad6f65bcef64c1

Download Submit
/data/data/com.systemservice/databases/core.db

Filesize
1024B

MD5
aa55f0f9cd958e3feb709f9624b517e2

SHA1
ea27e365d9d62110d3d5e41869392d24f3193025

SHA256
7d430462cc9f89bcc460cfd9beba43b8cc208fc69dfce5879f697921a7bf255d

SHA512
1f564caf63184850f52f56a4c5448efb92433ba3c4f868426eb6423cafb5321c4a04035cd85a62e75b6f3f0305e6190f6260060de67d638c29b5423f3fb6644b

Download Submit
/data/data/com.systemservice/databases/core.db

Filesize
36KB

MD5
045489a0639eee27bca52f48828cd93d

SHA1
436e7966e7c019273c44faa4d8c5709b816dfda3

SHA256
0151eae0eec786abb19ab59d7361b3291ae98411fae12cbbdfecd1612e16996e

SHA512
c8739a723a8648b0e380b946a97fb6cd83d6c4769ec3679bf4bc003ad0049ff5cccfc8f75a6ea272feced0020b13d3129f792f0f22cf442f0d0127f399eba22e

Download Submit
/data/data/com.systemservice/databases/core.db-journal

Filesize
1KB

MD5
08a4ca372c5daa651e4a96264c60d302

SHA1
baabb336b657d38b2c266d15f768c34c058cc0e5

SHA256
f569097db7dbf1808f762b0d4f3e868c58f51646991d20de47f9b4fef9d6fed2

SHA512
6c0ba5017e8a69971ac203204def342695261c02a86c06b896d174b053d4e4c28bf62bd7f83d22f5e37c7dac89c94bbd01fc25434fb7e0f079871e986153403f

Download Submit
/data/data/com.systemservice/databases/core.db-wal

Filesize
12KB

MD5
67d62ea8cfb331b5d7405c77a8fdd599

SHA1
d5c1583d009b2a620bd9356fb6c6c98f3449358e

SHA256
64d4c3577a8879543a1686d7ce9a0838bcd0aa6db8525a222f97352c6d97806e

SHA512
b201fefebc24a528859b4a6a3e5a274868f6db69c6e7673ab6266312d93fcb41a191349aa61d21e82047a1ac14ba57caf33e51d2c53d33042af625e04633e520

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
7237409e0640cfab7bdbd429bf821a3b

SHA1
4c3da934842f8d4835dfe2a9c275a300e5123309

SHA256
5c8e1b63d187efafe1e09bfadd83fd360176d689b57b5a0cc40e6854c12449fa

SHA512
c8afaf6a8ee43ce3601feff417bfaec563c01bcff0aae24577054034112b2020967f25b0b1a919c3c9e5e81d62a21a87e908b782c4d5cb8bba8ac259108e9c1f

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
8bcff197fbf29a8afbf61353e3b402f4

SHA1
e7d8192849d7b97c34fee651fba526ae5d1b9142

SHA256
1abed6f2833429642945716be03a8a8daef6247536e16fca8cc81eea16d6de72

SHA512
66f665b0af85736781d0a6614849dacbe3b4c352c92bd86da0da3432aa4c83e7a1f95502db75a73e7bd2b252892c50ff781983994f0abd90b71ef2a4597a6e1a

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
c386858bd74b32b2ae3d2d454f041a79

SHA1
edee4604f8bdbad896a2d3901c15caa0988e9bf6

SHA256
cd06f336da3059f4c012369428d692af7405574c0e1e7178104f10b728d8be53

SHA512
683314aeeda86da7e875de8bafb3f4d041c49c6d170038b24aecae9bc18eaee245eedb2d0e0caacfc4262e8397dda86b21a1732278770dd8b37a2d5f167cdef9

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
47e68ffa37ac8b993a741326b88bd3d4

SHA1
7b5c8266f1d6519642675c163a39aa6cdc1347c6

SHA256
93a57bb5790cc73f93f8da4acf9ea4b5833692f7ec5efa085b88659a0c060697

SHA512
14a24941e9160adf29d0083154142556511ab68a6ce199ee758e7528c1801a23750ef7e26d7bb729c10e8b4a9a878e207d8e7dd9d612b6919a6a0567d685cd04

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
e458f259e6ea979d93127841a5d3977b

SHA1
b29a5154b1467b1dc238b0b8052669edc364b6e6

SHA256
702b908e86fe4e53f4696163205d800cedff0c0ae5789031ca49200fadb5f46b

SHA512
78d2cd235a0309e4d9fac6599a59defcda6070d725588243ebb49b37ef220d0c7571d3ddd45e2b9894809025e9cebcb7a9d9d206656b2e622f67b0559fe6aefc

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
6a8eadca107243c16f2f88d75246ea7b

SHA1
af18da3c7f7cc72358da9521aa2f86dda3af86c8

SHA256
e72294fa8cb67cc3e48d90399af3eae4a2070aa2513ada92aa6ec5ca01af33fc

SHA512
3ebc55fee54b6d28216f9104f1ca158a7b29c8af3a68521be4e166a4a6163addbe888282e82c2b6b2dcc3f6c188cc4618e1897f0426962bceb986b5602e1e81f

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-journal

Filesize
512B

MD5
643d9813488e6f133aca8be9909b6fd0

SHA1
f4806510932abe98a256c0b5b9add62161d4ff36

SHA256
40575fca1cccec3471104b16049e52d9854ce8fb04839bae6a710e9e8d186da1

SHA512
b796fb472ef0b51456066237a9438a57def46f0d4922b61e8ea63f4a273f1b35192ffbf76580b95c34a859cc20c0c0bd78a71ece184ed9cdb8ed29c148e30342

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
36KB

MD5
3041a1d0b6912d16fe7a77fc29679243

SHA1
d43c096fdad93802f5e8bb9c113bd6f9ea34d421

SHA256
631b4278d113c855a97664b1a91d2081c02872b1c9218003c041f76410d6ac6b

SHA512
9e00993850a026fb1cefeb8ec6b6c5462c4927d7ee4249cf5be88bbb9aec974f407a12a60d971ce1feaf30d192da9ddcbc60be6d82e113462e9c7d456b41b404

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
f2a7ff116ab02c04fec4b5c47c760f91

SHA1
044faf92a99ce69dd09f85bb70555ff6b1ccbd7a

SHA256
acc64fa5fc7deff1fa661bc4bdd0115484f8a2c5d4430732528df2b4f092b786

SHA512
e1833aaf0493794e909620dae380ea3a92f4277654f73af1bad22a1532d9993e056955371ba47b81dce446d8026de677bd01ab3e82b15b0b8a2a6efe679189b5

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
f2fb4441de4c1a504cc96c568b27866d

SHA1
7d5a39bfdf94bc93c7182e55f0da677cdb0d65db

SHA256
7db1d2fe1418bb8019df946a4b13ae36c7b2f8f5268704d90c05f2529016e217

SHA512
d5f992447c2fc7ef6d2aa12f687787505da9870f0ba8a63e04ad82149d759a21f7bab8bfb45d123980af3a4bb98eb84902e4c4cd8e122787efa6d1a85d828d35

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
994cafaa94294e7e00fbfa095f9f55d4

SHA1
887fc3e0abd1284bae12470a90b56ad9d2f47ea0

SHA256
0276ca1794a032c5a633240123a233ba5a16273017e5f3be60079191e38fb0ce

SHA512
a09f1feb2ec6574e9111a3d627479224aea7771df0ceeefd9b1348add27999b19fbe2a6b4f02e46bfdf9d547223beb3e8cf20269c0997911e07fa36ce1d87a7f

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
df5880f6b8aaae5fbf40e5aec933e0ac

SHA1
3e402a3b998ef14de87fc68319afb3dbf0c0cc51

SHA256
eb098ded286275a3f7da03e3d627ab50e4e2c9f2b96705422675eb3635ce9f8d

SHA512
78f1f33b742b5381c449db09f8c9f919a37b1d45feec2ef819c1b19d933646f32f43900cf9fd974dcf4408b3e8ce1411e2e0f7d41cee69ff15344951b8cbc86b

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
13fbf4dc73281066ad69476e97be5748

SHA1
925cfad02e24b75a23bc78291e8e168c24e7ce6b

SHA256
09f92ab64c3392039d4110167056ac6f9ec52fa04fd4e3fa593541ead82c833c

SHA512
eb9e5960a743f0ff38c0c0c3208c10b100c2d2f8c162363c6477a401ae03225a79af2dd7150115058dc67ce8d514ad01e187db2afb82e825689a91e9fc92efaf

Download Submit
/data/data/com.systemservice/files/PersistedInstallation2111703331349407205tmp

Filesize
90B

MD5
95269e49b97955d204e345ed8bad330f

SHA1
662a21665afbbf7487778a72a7765d23ab01cda0

SHA256
b0cd1f90ac155963acc2637c3d6886d95d5038bdc29d20d34579da593d65e55d

SHA512
24d150f0a5eb8ad899f96e928ee3b16e68df0b814655098d799683351303dcb42cdec567ffd92fa618584fd72d1500d09d1d1dbb7bda15c77a52394bb6ce9836

Download Submit
/data/data/com.systemservice/files/PersistedInstallation3572940426686216247tmp

Filesize
557B

MD5
bfcfede33f3174b469aab5b77daef130

SHA1
c89857a1c71aa98df2c75c625b4258b3d1474011

SHA256
291af13372368eb2bf4ddaa34f9a78689ae802d05040689e62127931dc9362cf

SHA512
4bb74a165a6f5d7c7bd6bb9c6538a2e289fa77e121a19172ef2059e2820dc33efd08df5bdddd679b00ef6cdff0fbbbe11d0aea7a37bc40dffb67dd699209134a

Download Submit
/data/data/com.systemservice/log/log4j.txt

Filesize
33KB

MD5
8a98006c13820245e552ec0a3145dd4b

SHA1
765fe420b15759a6674349fda026e77b0d94f82e

SHA256
7456499584ee55c2e90fc1d86a0db43c422566f0047ca0045291fd61ae8512e8

SHA512
4cad652e3218d6df69d66de1992d487a88991f8b18a59e24c2707567ad2c3eac71e474eab0b8f47792576bf2b9d1b32362cf0f14662e5429ee3e9c87f463219e

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads