Analysis
Max time kernel: 68s
Max time network: 131s
Platform: android_x86
Resource: android-x86-arm-20240624-en
Resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
Submitted: 26-01-2025 16:28
Behavioral tasks
behavioral1
  Sample: 86361fcace1ac9458d930d3cabffece4caaaa37ea17b690c2e0eafec5976795d.apk
  Resource: android-x86-arm-20240624-en
behavioral2
  Sample: 86361fcace1ac9458d930d3cabffece4caaaa37ea17b690c2e0eafec5976795d.apk
  Resource: android-x64-20240624-en
General
Target: 86361fcace1ac9458d930d3cabffece4caaaa37ea17b690c2e0eafec5976795d.apk
Size: 3.9MB
MD5: f428eb0d94bdedc983728a056aca7d27
SHA1: 9f9244c99a4143100bed3b45ec8a6962c421eede
SHA256: 86361fcace1ac9458d930d3cabffece4caaaa37ea17b690c2e0eafec5976795d
SHA512: 2474fa5c3350461e7801fd30130ce8d65df690089b6834e0e3670310aff963e2ab760a96bac331d2cb002333eb21018270cd08ff0c94c55e50849613552fdf6d
SSDEEP: 98304:0OcVtd8n4x6QAP3ftPq3tE2LV62nGxbsTQ9We2ePdlD2AWy:0TyFQa+c+GhMWVH3Df
Malware Config
Extracted
Family: truthspy
http://protocol-a943.thetruthspy.com/protocols
Signatures
- Truthspy
  Truthspy is an Android stalkerware.
- Truthspy family
- Checks if the Android device is rooted. (1 TTP, 3 IoCs)
  IoC             | Process
  /sbin/su        | ls /sbin/su
  /system/bin/su  | ls /system/bin/su
  /system/xbin/su | ls /system/xbin/su
  PID  | Process
  4254 | com.systemservice
- Makes use of the framework's Accessibility service (4 TTPs, 1 IoC)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Description: Framework service call
  IoC: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  Process: com.systemservice
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  Description: Framework service call
  IoC: android.content.IClipboard.addPrimaryClipChangedListener
  Process: com.systemservice
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Acquires the wake lock (1 IoC)
  Description: Framework service call
  IoC: android.os.IPowerManager.acquireWakeLock
  Process: com.systemservice
- Domain associated with commercial stalkerware software; includes indicators from echap.eu.org (1 IoC)
  Flow: 6
  IoC: protocol-a943.thetruthspy.com
- Queries information about active data network (1 TTP, 1 IoC)
  Description: Framework service call
  IoC: android.net.IConnectivityManager.getActiveNetworkInfo
  Process: com.systemservice
- Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Description: Framework service call
  IoC: android.net.wifi.IWifiManager.getConnectionInfo
  Process: com.systemservice
- Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
- Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTP, 1 IoC)
  Description: Intent action
  IoC: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
  Process: com.systemservice
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  Description: Framework service call
  IoC: android.app.IActivityManager.registerReceiver
  Process: com.systemservice
Processes
com.systemservice (PID 4254)
  - Removes its main activity from the application launcher
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Acquires the wake lock
  - Queries information about active data network
  - Queries information about the current Wi-Fi connection
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  /system/bin/sh (PID 4399)
    ls /sbin/su (PID 4445)
      - Checks if the Android device is rooted.
    ls /system/sbin/su (PID 4465)
    ls /system/bin/su (PID 4513)
      - Checks if the Android device is rooted.
    ls /system/xbin/su (PID 4536)
      - Checks if the Android device is rooted.
  su (PID 4483)
  /system/bin/sh (PID 4561)
    ls /odm/bin/su (PID 4607)
    ls /vendor/bin/su (PID 4656)
    ls /vendor/xbin/su (PID 4679)
  su (PID 4625)
  su (PID 4713)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
  Hide Artifacts (2)
    Suppress Application Icon (1)
    User Evasion (1)
  Input Injection (1)
Credential Access
  Clipboard Data (1)
  Input Capture (2)
    GUI Input Capture (1)
    Keylogging (1)
Discovery
  Software Discovery (1)
    Security Software Discovery (1)
  System Information Discovery (1)
  System Network Configuration Discovery (1)
  System Network Connections Discovery (2)
Downloads