truthspy | 92c3337b3d74f2aab8f0ca3a6f045719a3301519810d535856ff11dd743b523c

Resubmissions

07-11-2024 02:29

241107-cyssmssmbz 10

07-11-2024 02:17

241107-cqzk8avrbl 10

Analysis

max time kernel
140s
max time network
127s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
07-11-2024 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92c3337b3d74f2aab8f0ca3a6f045719a3301519810d535856ff11dd743b523c.apk
Size

3.6MB
MD5

0366ae0abf0ada8aed90322bfe07dfd5
SHA1

2f0779ce64f02944e87674745cb446c5bc620607
SHA256

92c3337b3d74f2aab8f0ca3a6f045719a3301519810d535856ff11dd743b523c
SHA512

52f50f2f847628b1fb498784660050a6f189d8c7cc520c0d3a06ca28cc35ee4961d0a3daca71a540e263ab930ab629b884c3ff187d4abcd8f58549fdf87f9677
SSDEEP

98304:mD/SWbGiowrvH6Odp/9hBbW+te6lXhAyHtu:mWWbGjuvl9jS+oSc

Score

10^/10

truthspy banker collection credential_access discovery evasion impact infostealer persistence spyware trojan

Malware Config

Extracted

Family

truthspy

http://protocol-a100.phoneparental.com/protocols

Signatures

Truthspy
Truthspy is an Android stalkerware.
trojan infostealer spyware truthspy
Truthspy family
truthspy

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.systemservice

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.systemservice

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
collection credential_access impact

Clipboard Data
T1414

Transmitted Data Manipulation
T1641.001

Processes:

com.systemservice

description ioc process

Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.systemservice
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Acquires the wake lock 1 IoCs

Processes:

com.systemservice

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.systemservice
Queries information about active data network 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

com.systemservice

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.systemservice
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

System Network Connections Discovery
T1421

Processes:

com.systemservice

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo com.systemservice
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.systemservice

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.systemservice

description	ioc	process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.systemservice

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.systemservice

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.systemservice

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	com.systemservice

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.systemservice

com.systemservice
1⤵
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4244

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Input Injection

T1516

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.systemservice/databases/com.google.android.datatransport.events

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.systemservice/databases/com.google.android.datatransport.events-journal

Filesize
512B

MD5
379fefee94126fd8bddf4925d6267303

SHA1
adad4d409911d613c1ad17e2572e0093427349b7

SHA256
dc62048305dca5ace40a46d62437bcc62f647c1ddfe2cb62f9079ed875fcd303

SHA512
fb12b04fea850c3494fbbf1d7791c001ba9dc510c89361ea311874d36a73834fcdf7c8865fd5d85a64209f99fb610788ea35eeccda4015afd8decf8112f9b86a

Download Submit
/data/data/com.systemservice/databases/com.google.android.datatransport.events-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.systemservice/databases/com.google.android.datatransport.events-wal

Filesize
68KB

MD5
01c8de46e5cb41dfec2ea260f888cbc6

SHA1
87bc4736b61f2dd5df5d4d7ff0b6542bcb6b886e

SHA256
3ffcb50de2c92501360e0afd5a9e90a8720b6547383a55de416e463cd179d228

SHA512
6892f031a42618b750db9827396e278a66655d455166481917ffb832e7bb610e79818e5b8bf9aeeeafc0f9b565a5d983f3322c7283862185df0001fd7bfa8e40

Download Submit
/data/data/com.systemservice/databases/core.db

Filesize
36KB

MD5
045489a0639eee27bca52f48828cd93d

SHA1
436e7966e7c019273c44faa4d8c5709b816dfda3

SHA256
0151eae0eec786abb19ab59d7361b3291ae98411fae12cbbdfecd1612e16996e

SHA512
c8739a723a8648b0e380b946a97fb6cd83d6c4769ec3679bf4bc003ad0049ff5cccfc8f75a6ea272feced0020b13d3129f792f0f22cf442f0d0127f399eba22e

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
7237409e0640cfab7bdbd429bf821a3b

SHA1
4c3da934842f8d4835dfe2a9c275a300e5123309

SHA256
5c8e1b63d187efafe1e09bfadd83fd360176d689b57b5a0cc40e6854c12449fa

SHA512
c8afaf6a8ee43ce3601feff417bfaec563c01bcff0aae24577054034112b2020967f25b0b1a919c3c9e5e81d62a21a87e908b782c4d5cb8bba8ac259108e9c1f

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
81c6a9f01c1af14065b816caae18451e

SHA1
dd8c496a72c2dc87c79c7992157256d8d8128d52

SHA256
58ceb79b0cf5224e6fef840541e35b390a4a37660e1cc958faf15a4af2617695

SHA512
2a896c97b5488b3baa1c88d76f64343e1ac59fb94d5e700852d96937d77e20acdbf4f295a15e2f2f694e139c3b872d5ae5980571987eb2019ebabe0d6b9abee5

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
4b67a4370e8ef41eb3b2d51372bf1184

SHA1
37d65e511cd1c74d9689e37d74bf86bcf56fdda8

SHA256
b5bf7a86bbcf6e0545b3065dee9a26a8d46c9a5081f364adb20ba030a5a4601a

SHA512
4ab3ed1bd3169b64ca79316d04e6c475cf1d687df3b958fb0a0b2db0f17b726fce2d70b7abd46ff333aa8a0252a10d11e7f82d507f154e262319f3a92a1c7716

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
3d150112e3db27f377e3a08d4fd875cf

SHA1
05de161e00e6577186e863c738a20cc62bc0df5d

SHA256
54eb138eb5a042e58de6c4a377bb2476c76d070f70f494980618e978e6675900

SHA512
578ad5ed2d9ddfec05fbf200664f188171edc179166e4ce977381d3a6ee08a15493082791ca00b478453680714421ba0407dfec5b37382406557bc124e05fa2b

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
712911448caf86673dcced373d82d20e

SHA1
ed4b0b91e075664c7a712c6903ef1a750381a578

SHA256
03b387b5595f06fdb229e274d479e6612f81e5eeb59b8bb0e5ab128d0edd0653

SHA512
856848a64d3dc8e1e2e19e1c9420ccb94e654fe69479865bb84ca438575b7292e9600e98f3983d4a14ba31a47fcf07e124e11a6f9fbe14f2da997c5424e07bcd

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db

Filesize
16KB

MD5
1f9a4c6a007af31c614e855daff8e7e9

SHA1
c0f5d089de75e0fb8fa3a3ac1b6c21400f6f1358

SHA256
05ce2c2684c0f6369f629d05d1589ced6de7cd8369facd529fae976f4a2f98f1

SHA512
d959d718f1c8296d1c74cc01f91422353a9380db4431b50e8f4febbbf25e4ad9e0eb6e9241d65f6a76b43a7818e5918ac409ab61d56e36469430bff982fd6b37

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-journal

Filesize
512B

MD5
7d3485a7d7af38316b1c12f66e62fdd4

SHA1
400968bd6116ee5466d4c0e80744d57280e29400

SHA256
64154b3a2664a438ef21770b3a1a90e438e5290b3a8e1df50291f59ac83dfee4

SHA512
90b5f250a34a9798a82a4a071394503098bcd446fb2d1905c78f94854634d3d61ca15eaf0521c555f11093e586ef6245c5ad134c8f9893d62e4510579505d250

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
36KB

MD5
9f5e14243d296e641c9dd5634caf9958

SHA1
8fb692f588cc7159f5e1d822198c6760b35449c4

SHA256
f32666e3506c6ae319e7f7b8f0d28df82fdcd978ec2e82b914cdbc284b55be67

SHA512
d193a93407b873d5efff828c5e0af3b9a6678ca51692f9cff5975e5b8e5c3162459c3082fcfeef4f28ef21970bf2013e85f7aa33151231be9e883fed3cacab6e

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
8e8ceac859dae6f4e816035915d0bd00

SHA1
389f0bf12203ca77472bbd4f6fcb840140edfb87

SHA256
faecd7a65f3e3f570a0b4ffb415662e6d26b766cc98b7572f6ba2de08f1732e2

SHA512
641fa3581847b3bdc7047b41e2b80d580a9a40bbc76c179610dd412228b0f1c4cf0c17a5402f025285ea4fb6ca48bac28bd3be1278435c76b93f4921de79b9f5

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
60427525509fddee57f81ab4c492e18b

SHA1
f4c2f28196024a636e1a5c407fe0403e99f076e3

SHA256
0dff52f80ff397aac070eab5befd365e9e3c72ae3e140267ac022307de7637d2

SHA512
a2f61287c05001624e864e4d154651825aed1a9e6494032c036b4549e42a7892c02347f4d1bf6940ef5400557f6b5349e8c98bde2648bca4eeef3f49ca4f1628

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
b59d3ac2682802801be062d92810c453

SHA1
5b276b22693d6a2b7b0c9164d3bf7556b30723b4

SHA256
5bb0c558f8363e7e2888377aec4708b3596f96181c2e21a64a8b55cfbd84e1e5

SHA512
7c0495b1903ca12bc7b73bdd2b2a5578e42f3788057ec1217c47a214f35ca88879343992c5f51272a8fc4b815b319531373ce3b5e2d3ff5f471cc5d2a60fff8d

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
6b13d3be4f6f3be8d2bfd41edc5743b4

SHA1
fc8aea2809c79fad7be04483218ec7ab49b5009b

SHA256
d0bcd4a61b94d1303e2ac9198022f9cc003fb6e97019ea1f4372610679f3635b

SHA512
a1c39f648794cb5865b05f434f394a55c4a6920d9c90b8a6165d8ef4461f23d919cc2c26f3e7d67ea4f7caade2cb6ab043a6cfc3ad4b0a23313e7669b95e5089

Download Submit
/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
513bc0afbb2f1f54c5297eb8865991c1

SHA1
912a487b4d14550f492faa4029e11c199f918e94

SHA256
0cd696bd46ca094b20f5b4b96b7525ed44cb7551506bbfe5b14715816144f34a

SHA512
bd5822a6fcaa1f7dbbac34c0946c313697e6ee3cb578d82649b1cb79ef6f0748e6a5617510e2b6b64927cee8db3c97f27212bff60e1944fa817f04ce8b707377

Download Submit
/data/data/com.systemservice/files/PersistedInstallation1859206617325789893tmp

Filesize
554B

MD5
cd633c48c7e408d27b20f72977c0bf28

SHA1
86cfee1d394893e65f10b3505a2ec466f1a85d0b

SHA256
75a3d871e54fd4f34b1077f12882a0637b95c991b4a847a03edf5eb1adeb5213

SHA512
9cf5ed6eab2806fe82560d5d452eda6b8f31ff86dd4e238585655053ef455d87be5554daab34c5797ef9835d90e3d7bbfc62b54c3d74229eea08944b5558b099

Download Submit
/data/data/com.systemservice/files/PersistedInstallation6708378959404838396tmp

Filesize
90B

MD5
f56c828b983b1d33e632aa40a9cdbcd1

SHA1
915ab24a51942eba34d1087d068e8bfc45eb6970

SHA256
4e25d7996db48d54d9db098fd9b8725d3d97822c669fdcfad2ccc9e4646adb6e

SHA512
f2a5d77fa314c44aeecf787a66cccd87d5b2c548922e2c2311aadd830f316a9923f0a2d6890a0241882047214fac7a54ee3d158ef76859986e35b33d741bbc64

Download Submit
/data/data/com.systemservice/log/log4j.txt

Filesize
3KB

MD5
6bb18592d98b867c145305acb9128118

SHA1
1265b409408ac5f47822e40894158be46af744bd

SHA256
beadaef9edfbf4e59fca9f42310524b7d75fa160f6de531ea0cc631572ed3593

SHA512
76efdfeefd3c3aaec2405f3d21fcf1253a0caf4a2e34cbe9e1421824ef68000685d93cc28c2d0fdd284dc7a27ba68a691a9d10438476495c070d7f0a981df7db

Download Submit