tispy | 51baf4bc48db631e887ded88c0beb05b7a2f6f26ad2d122ee7c6cca6678752f5

max time kernel
38s
max time network
49s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
submitted
14-01-2025 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1777a2ba85f831e41c6a60418f84205c9de9c66402f9b7e5be13d29c543a42b0.apk
Size

3.2MB
MD5

14623d7dc9a647db6984cc6dfdfa2f63
SHA1

4784359d681992c1db6e4221a5e51f01c306c24d
SHA256

1777a2ba85f831e41c6a60418f84205c9de9c66402f9b7e5be13d29c543a42b0
SHA512

955dcf412c8f8dc62562465f0cf0a359fd11c31739e8dbb0d53b75fe5fc24376914f85517dc9ee88763072a5d855e2b9200e801ea906b58119f9736b6e41689f
SSDEEP

49152:kkQ7hynArFFP/RI5cHF2+XwTn8JBvvrMNvrsdKcWVftaWcSFhidvbKCH9B8zTAI:kkQ7Qn+nPD2+AIfMtrs09A7dvb5dBA

Score

10^/10

tispy collection discovery evasion infostealer spyware trojan

Malware Config

Extracted

Family

tispy

https://auth.familysafty.com/TiSPY/printIPN.jsp?screen=IntroScreen&model=Pixel+2&osversion=33&deviceid=43d7b21d2c03444daac9236d60bb1356&version=3.2.183_22Jun24&rtype=T

https://auth.familysafty.com/TiSPY/printIPN.jsp?screen=Signin&model=Pixel+2&osversion=33&deviceid=43d7b21d2c03444daac9236d60bb1356&version=3.2.183_22Jun24&rtype=T

Signatures

TiSpy
TiSpy is an Android stalkerware.
trojan infostealer spyware tispy

TiSpy payload 1 IoCs

resource	yara_rule
behavioral1/memory/4342-1.dex	family_tispy

Tispy family
tispy

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.crbpphsj.wjphxfzk/code_cache/1736831484965.dex	4342	com.crbpphsj.wjphxfzk
/data/user/0/com.crbpphsj.wjphxfzk/files/dex/YWmycydWrtgRZdrZq.zip	4342	com.crbpphsj.wjphxfzk
/data/user/0/com.crbpphsj.wjphxfzk/code_cache/1736831487951.dex	4342	com.crbpphsj.wjphxfzk
/data/user/0/com.crbpphsj.wjphxfzk/files/dex/YWmycydWrtgRZdrZq.zip	4342	com.crbpphsj.wjphxfzk

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Reads the contacts stored on the device. 1 TTPs 1 IoCs

collection

Contact List

T1636.003

description	ioc	Process
URI accessed for read	content://com.android.contacts/contacts	com.crbpphsj.wjphxfzk

Requests cell location 2 TTPs 1 IoCs

Uses Android APIs to to get current cell location.

collection discovery evasion

Location Tracking

T1430

Geofencing

T1627.001

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.crbpphsj.wjphxfzk

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.crbpphsj.wjphxfzk

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 19 IoCs

flow	ioc
43	tispy.net
45	tispy.net
47	tispy.net
29	tispy.net
31	tispy.net
38	tispy.net
37	tispy.net
41	tispy.net
42	tispy.net
44	tispy.net
46	tispy.net
32	tispy.net
33	tispy.net
36	tispy.net
40	tispy.net
48	tispy.net
34	tispy.net
35	tispy.net
39	tispy.net

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.crbpphsj.wjphxfzk

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.crbpphsj.wjphxfzk

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

com.crbpphsj.wjphxfzk
1⤵
- Loads dropped Dex/Jar
- Reads the contacts stored on the device.
- Requests cell location
- Acquires the wake lock
- Queries information about active data network
- Queries the mobile country code (MCC)
PID:4342

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Execution Guardrails

T1627

Geofencing

T1627.001

Credential Access

Discovery

Location Tracking

T1430

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Protected User Data

T1636

Contact List

T1636.003

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.crbpphsj.wjphxfzk/code_cache/1736831484965.dex

Filesize
4KB

MD5
d3364728f634bf71c4b16542c02c60cb

SHA1
f23088362b69935f404f2b81eaa40ed3172efca5

SHA256
401f68f4448fd6288b7619a7a2ae4646493cd7268f16aa6714802833fbc1197e

SHA512
9378bbda71abcb437676a2d4095d7d3ab6a5a1c1682ec95f3f6d050b9226692cd1a29ba8e7a65dac441c29cfb7b1d5e69e34b5cc32989c90c025909567a662af

Download Submit
/data/user/0/com.crbpphsj.wjphxfzk/code_cache/1736831484965.dex

Filesize
8KB

MD5
a137b5568de65b8fef35329930d8617f

SHA1
49a2d6e95d447ba1d448c81691f6a609fb2859ed

SHA256
bc5290425eaa32b00a84a94c58976321e7643bc5d668817524ad68a1c7d2082b

SHA512
9dd6c25dea7b3424e8ca0150a9f1f6f85ed5fccef69e7fadfa05324014b74cc350365b788cee2a8ce25afccee084908e679eafa7f449e7791c6288485d2c5338

Download Submit
/data/user/0/com.crbpphsj.wjphxfzk/databases/privatesms.db

Filesize
16KB

MD5
8a10f85bcb419b77dcf49fbcf348e67d

SHA1
de45210ab1cae4be6ff7485386a0be8abed04faf

SHA256
a0ff1b8c48b78918fb218515f955a788620ea0b61002f73febba862b47092dda

SHA512
8662fc33368068066dfa7bf3543e6b1f68c857699991761afca16c5142995efc4074bac500044591b3af1c221b466bbf4a3e562610494b42cc2019e1f69b1226

Download Submit
/data/user/0/com.crbpphsj.wjphxfzk/databases/privatesms.db-journal

Filesize
512B

MD5
908c09fd6504d52dc59ea9a6689f8407

SHA1
3e45dae0b7ba513a6f0155322480cb6eb89d5099

SHA256
32e09df5e5c6666fbdead27a7479a005eedc1c6f5dbb85324e228a8fa94807f9

SHA512
7b4e7e9f7e4ae0c851328bb24537d1fa6d6b1a13e3aef54351fcd89a0e92827708ee7e7cd470b9c1afe0a47529f9df5395297370b9540a4b98e740e73739579e

Download Submit
/data/user/0/com.crbpphsj.wjphxfzk/databases/privatesms.db-journal

Filesize
8KB

MD5
4a80995bac55d65a43bf7547bf27a1fe

SHA1
9c342cff9a8ae8da6bad3853d04569fdf887a36b

SHA256
019881338d90a68073fdc002c6ab11408528118ea262ee5a96895c5a35e69af3

SHA512
0027b91b4646b49c73a7cc7cbd4953df0295f59336efa2a8e3c84f3eaea6f9aa2096af82cfffa198585395d2403bacdfb57c38768c4a862edae7cccf5da8a10c

Download Submit
/data/user/0/com.crbpphsj.wjphxfzk/databases/privatesms.db-journal

Filesize
8KB

MD5
a2b765379b27839264b928d8b780771a

SHA1
78a9a905814dceb4e7bb3552577036e9c662089b

SHA256
da9e8ce5c9095ad5c31e16b4c9ebbf9b9a51e5dfc0f1dee4a16f044785944f0e

SHA512
73cc1d80864a3d1edc3450e54a1be860aa285a48e5fb7158307fa19ca74b596e1c613ecc03ce6c2bc9e01de7e3eaa7d734dfa5dbcba5256ff88f88359dad6cca

Download Submit
/data/user/0/com.crbpphsj.wjphxfzk/files/477498.so

Filesize
145KB

MD5
1b82243685c1c0be15d83c8fc11153f9

SHA1
e637f8b2d0c3c0dadd45dcd88be87f5e12f8624d

SHA256
deb10f3c7b34c37e2dcb226c68ebaae067e61e05429b44273e9610e84b7223f7

SHA512
cd7e82cfa509809d1a644a105e022759d74d00d1c13f90df389cfa88eb997aa3c371ebbc3d66397e1e72ecd9adb2f38029f619ad278b50a9907b68d7631b9c3a

Download Submit
/data/user/0/com.crbpphsj.wjphxfzk/files/477499.so

Filesize
270KB

MD5
16d8da965ce793cb6a39186b654e9038

SHA1
f72e2ae3fe2c2e8b2603b2db6bfbe2a6d2e19ce3

SHA256
e03c1975d9d8ecc487438cf2a402ec4a75cb3558a4a02009bc3f9d32ddd428ef

SHA512
9b0a725d0b001dabe8da21c0a3bf7e8332250da3b23f5ffcd199e3b45cab72bb6c0712e013b2d14230ee138e176f871b836ddfc528fa7961e96c5360e3e82990

Download Submit
/data/user/0/com.crbpphsj.wjphxfzk/files/dex/YWmycydWrtgRZdrZq.zip

Filesize
1.5MB

MD5
59393f43989813af3d160e210a5952c9

SHA1
9b6780014fb444ea42351e80a94c6d30fc40df25

SHA256
6bcf568203c45b24659e5138f9149ddb0221eac842afc82339686d9ee7e8ec2d

SHA512
10c18b2b0258d96155ccc5269565000d502a5e88d4117d838ff46036b0e8eee656515a50205d4e602148c3bc39083072fb08dee70223beaac0b4cd569a3c18f7

Download Submit
/data/user/0/com.crbpphsj.wjphxfzk/files/dex/YWmycydWrtgRZdrZq.zip

Filesize
3.7MB

MD5
6b1a12f2792059773d78e52505ce2e7f

SHA1
ef8254c4e28e718fc6c7c6e92920a07f06dae233

SHA256
cb480143a043bb4fe9452618c2c4875263311389ee865ec165319c49c28283ca

SHA512
26d2a36ca021f1d86f5a4d19502f757821f908e2d68a716e4f5d5deeec689a09c27a98796685cf244324f332eaf952f6e87772fe80552811eb2a3efeb3b396f5

Download Submit
/data/user/0/com.crbpphsj.wjphxfzk/logs/Sistema1736831490350.log

Filesize
16KB

MD5
f4639d4f75a4b7c4a5b1ad3a2d9569b1

SHA1
74a6c49512d6d1b5390ba926626b19da3c0576fe

SHA256
38a697800e3ff565e28c48488913f8cccf6d08e8554787c504c2b7e98cb489f7

SHA512
ee3f9accbae05da141d6b423a6f8b1520dfaa1342812e742f13ccfe007e1285d0db11bc67c9ad5dcb395fb14835b01302e6b11ff72d8583c44fe64f9ad7b5e2f

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads