tispy | 51baf4bc48db631e887ded88c0beb05b7a2f6f26ad2d122ee7c6cca6678752f5

max time kernel
32s
max time network
40s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
submitted
14-01-2025 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c44519e51cc203cdd23f27cefe7cf99de34abddf947ba55951721725f15aa57.apk
Size

3.2MB
MD5

2f73a6fe62a8ac27d658f15b1dc9a287
SHA1

a40118f9d9a54938e6e261ee242716ac3a761e89
SHA256

7c44519e51cc203cdd23f27cefe7cf99de34abddf947ba55951721725f15aa57
SHA512

480a6c820664ce78b6284678019671edacc4cf98865e335f9816ce84507c2fe42b765db5103e27dab52605f95c5302f58c6691a869e24876df1f396c4d966d89
SSDEEP

49152:pVPh+nACbPhX9CR3WHZn0/dwbDnog36hR4F41RemM3zfhVzsv5w:pVPcnzbPhoZW5nhnnHVyRtM3znzQw

Score

10^/10

tispy collection discovery evasion infostealer spyware trojan

Malware Config

Extracted

Family

tispy

https://auth.familysafty.com/TiSPY/printIPN.jsp?screen=IntroScreen&model=Pixel+2&osversion=33&deviceid=787b156950dc4fdf8da6d0edde78dfa4&version=3.2.183_21Jun24&rtype=T

https://auth.familysafty.com/TiSPY/printIPN.jsp?screen=Signin&model=Pixel+2&osversion=33&deviceid=787b156950dc4fdf8da6d0edde78dfa4&version=3.2.183_21Jun24&rtype=T

Signatures

TiSpy
TiSpy is an Android stalkerware.
trojan infostealer spyware tispy

TiSpy payload 1 IoCs

resource	yara_rule
behavioral1/memory/4351-1.dex	family_tispy

Tispy family
tispy

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.foqrpral.oxudfpdy/code_cache/1736831767421.dex	4351	com.foqrpral.oxudfpdy
/data/user/0/com.foqrpral.oxudfpdy/files/dex/rIiUhJCHARxzyIQxM.zip	4351	com.foqrpral.oxudfpdy
/data/user/0/com.foqrpral.oxudfpdy/code_cache/1736831770136.dex	4351	com.foqrpral.oxudfpdy
/data/user/0/com.foqrpral.oxudfpdy/files/dex/rIiUhJCHARxzyIQxM.zip	4351	com.foqrpral.oxudfpdy

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Reads the contacts stored on the device. 1 TTPs 1 IoCs

collection

Contact List

T1636.003

description	ioc	Process
URI accessed for read	content://com.android.contacts/contacts	com.foqrpral.oxudfpdy

Requests cell location 2 TTPs 1 IoCs

Uses Android APIs to to get current cell location.

collection discovery evasion

Location Tracking

T1430

Geofencing

T1627.001

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.foqrpral.oxudfpdy

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.foqrpral.oxudfpdy

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 19 IoCs

flow	ioc
46	tispy.net
32	tispy.net
45	tispy.net
34	tispy.net
40	tispy.net
43	tispy.net
28	tispy.net
29	tispy.net
35	tispy.net
37	tispy.net
38	tispy.net
39	tispy.net
41	tispy.net
44	tispy.net
31	tispy.net
33	tispy.net
42	tispy.net
30	tispy.net
36	tispy.net

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.foqrpral.oxudfpdy

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.foqrpral.oxudfpdy

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

com.foqrpral.oxudfpdy
1⤵
- Loads dropped Dex/Jar
- Reads the contacts stored on the device.
- Requests cell location
- Acquires the wake lock
- Queries information about active data network
- Queries the mobile country code (MCC)
PID:4351

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Execution Guardrails

T1627

Geofencing

T1627.001

Credential Access

Discovery

Location Tracking

T1430

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Protected User Data

T1636

Contact List

T1636.003

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.foqrpral.oxudfpdy/code_cache/1736831767421.dex

Filesize
4KB

MD5
d3364728f634bf71c4b16542c02c60cb

SHA1
f23088362b69935f404f2b81eaa40ed3172efca5

SHA256
401f68f4448fd6288b7619a7a2ae4646493cd7268f16aa6714802833fbc1197e

SHA512
9378bbda71abcb437676a2d4095d7d3ab6a5a1c1682ec95f3f6d050b9226692cd1a29ba8e7a65dac441c29cfb7b1d5e69e34b5cc32989c90c025909567a662af

Download Submit
/data/user/0/com.foqrpral.oxudfpdy/code_cache/1736831767421.dex

Filesize
8KB

MD5
a137b5568de65b8fef35329930d8617f

SHA1
49a2d6e95d447ba1d448c81691f6a609fb2859ed

SHA256
bc5290425eaa32b00a84a94c58976321e7643bc5d668817524ad68a1c7d2082b

SHA512
9dd6c25dea7b3424e8ca0150a9f1f6f85ed5fccef69e7fadfa05324014b74cc350365b788cee2a8ce25afccee084908e679eafa7f449e7791c6288485d2c5338

Download Submit
/data/user/0/com.foqrpral.oxudfpdy/databases/privatesms.db

Filesize
16KB

MD5
8a10f85bcb419b77dcf49fbcf348e67d

SHA1
de45210ab1cae4be6ff7485386a0be8abed04faf

SHA256
a0ff1b8c48b78918fb218515f955a788620ea0b61002f73febba862b47092dda

SHA512
8662fc33368068066dfa7bf3543e6b1f68c857699991761afca16c5142995efc4074bac500044591b3af1c221b466bbf4a3e562610494b42cc2019e1f69b1226

Download Submit
/data/user/0/com.foqrpral.oxudfpdy/databases/privatesms.db-journal

Filesize
512B

MD5
3b5b987151b14de2da850a8186af13a4

SHA1
cebfb94168317dca1c67b64a4a58b751ece795f7

SHA256
3a5cece4220efb880163ec25777b3a2015101299380a16172920a202ed1460da

SHA512
187f7bfc2a3f2b682552f7020c1f53ae69e1b35612290966391ffe7e64e2d154c2a001e235db5d0134195be00f8e7f49660f52baffda60a81c9addd18fb47790

Download Submit
/data/user/0/com.foqrpral.oxudfpdy/databases/privatesms.db-journal

Filesize
8KB

MD5
6dbadec5433168410750c1cfb01e1b0a

SHA1
cbb18b7202dba7a0c7caf302f39eb656c2da373c

SHA256
b731ffd41b081d3de0c82615b2a380b97113401ddfbbb1a507d69daa78c73697

SHA512
2c2c44e187bf9db037c179f437295571f10617113c31369fc40f13209298874070bc9db177bcda51ff40fa673f4ca2393e22f4d9166be2691006ba315ae1188e

Download Submit
/data/user/0/com.foqrpral.oxudfpdy/databases/privatesms.db-journal

Filesize
8KB

MD5
d806760a74dc90b0417359ddf10e657c

SHA1
ece1631b14a61194e220ff34f3c540c3ee3ea16a

SHA256
e6b4352acc1a4faf6f12d95a6c7fd8f64361d8feb8839d64915826d2a6270b8a

SHA512
564d6822e6bb8d75a2f6dce6950a814c2b13bcf655b9b7071fa321b1b0b4ae16516dfbbbf4c7544965e22dff94f8959e811ffac6c708dac1e49b3a0228d34da7

Download Submit
/data/user/0/com.foqrpral.oxudfpdy/files/477480.so

Filesize
145KB

MD5
58c46208d95caaa3e72b9a812e2e4fa7

SHA1
d4d4159adde5b34b31f06fdbf622577a7e5c49e2

SHA256
61afb81a844465836f0f8665ec5cda08620362f1cfd3357b54c31e64747c7569

SHA512
12a7b66191bdfb6012517acda5a2dfe4b3ed510fdac14673a859a50cf358365f58a9accd91126e1cb95f68bbcec9265a3cab9d46e481700b161f4578bec4a835

Download Submit
/data/user/0/com.foqrpral.oxudfpdy/files/477481.so

Filesize
270KB

MD5
8e886eab51131ecfe3b6610142e1990c

SHA1
783e651ce9a332fef5ebb497c2f636d212cfba78

SHA256
1c82cd2b474a2aa6d4be9ac17dbd94b29671a133fbb5a2dfc0b7da1350d1a855

SHA512
ce941e3e2f1a5599b05b31aa5ae2eaf5cc0285fe1e16f8fb6d9d4c91691c888768f23911c5e4b997e4ae41b84023933784c68db381095134b5d5551d59522c7d

Download Submit
/data/user/0/com.foqrpral.oxudfpdy/files/dex/rIiUhJCHARxzyIQxM.zip

Filesize
1.5MB

MD5
e10223a9dd1e0ddb8b1061d1f4437625

SHA1
7d1e8cc7b1409eb49f4fef532a4f3003f8785b4a

SHA256
649d1bcd5b1a5f75260e284bb8e1bda2c4630dca5a7536d5e56c8b8dcd51b5d3

SHA512
a0aac391a377c514598034929fb1d7fad129f32eb253c778de1724b7bebb84afe077ac2d0bea432b2bbd93cbe192d2452e85c9e3356d4ba8d321c349242aab8b

Download Submit
/data/user/0/com.foqrpral.oxudfpdy/files/dex/rIiUhJCHARxzyIQxM.zip

Filesize
3.7MB

MD5
5e55cdadb8774e38f6b17f3c8acfe6af

SHA1
96fa6e628d74782f6efe0f52c6113ed638d37845

SHA256
05402c8959137f312278d1f2d5fe1cf7e0ff1c26fa09521c37fe700b0c82ca23

SHA512
a76d1a43278eb938bc7a133a6235e3b465a1c8266b57e2d3d39dd5736178388df3873ac49ee5a8ca4564a984ddabd5d18b5aceb6af666d988bcc420ccc7d1685

Download Submit
/data/user/0/com.foqrpral.oxudfpdy/logs/Sistema1736831773561.log

Filesize
17KB

MD5
c5e342c0b5b15dd878948bb2d7dac3d1

SHA1
682a12b5ee3f4ce223804df4d42af9877d4dd913

SHA256
4e156aea67314cbfc2c3a186d681fdc6d95ed9154b281c0e8f99e00f99edd5b5

SHA512
54940535484906f1f1bfab4543221a07345a05c25642d6b3cbc9050e2c31094b462ac11e0154ad00c78b3d1d0c310ea47ae987ce7f2b5b543f2f0ed7a3a36de0

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads