Malware Analysis Report

2025-04-03 14:16

Sample ID 250310-sf8zxayzdy
Target 92c3337b3d74f2aab8f0ca3a6f045719a3301519810d535856ff11dd743b523c
SHA256 92c3337b3d74f2aab8f0ca3a6f045719a3301519810d535856ff11dd743b523c
Tags
truthspy banker collection credential_access defense_evasion discovery impact infostealer persistence spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

92c3337b3d74f2aab8f0ca3a6f045719a3301519810d535856ff11dd743b523c

Threat Level: Known bad

The file 92c3337b3d74f2aab8f0ca3a6f045719a3301519810d535856ff11dd743b523c was found to be: Known bad.

Malicious Activity Summary

truthspy banker collection credential_access defense_evasion discovery impact infostealer persistence spyware trojan

Truthspy

Truthspy family

Checks if the Android device is rooted.

Obtains sensitive information copied to the device clipboard

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Requests disabling of battery optimizations (often used to enable hiding in the background).

Queries information about active data network

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Requests accessing notifications (often used to intercept notifications before users become aware).

Queries the unique device ID (IMEI, MEID, IMSI)

Acquires the wake lock

Legitimate hosting services abused for malware hosting/C2

Queries information about the current Wi-Fi connection

Declares services with permission to bind to the system

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-10 15:05

Signatures

Truthspy family

truthspy

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to monitor incoming MMS messages. | android.permission.RECEIVE_MMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows applications to use exact alarm APIs. | android.permission.SCHEDULE_EXACT_ALARM | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A

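The permission and bound-service lists above are what a triage analyst reduces to a capability profile before reading any code: a surveillance data-source count (SMS, call log, contacts, microphone, camera, location, accounts, storage, telephony identity), the control primitives (overlay, SMS sending, call placing) and the privileged bindings (accessibility, notification listener, device admin) that let the app act once the victim grants them. The script below is an added example, not sandbox tooling or the sample's own manifest: it builds a constructed AndroidManifest.xml from exactly the permissions and bindings reported here (component names are invented), parses it with the android XML namespace, and applies a heuristic flag that is this example's own, not the sandbox's scoring.

```python
"""Manifest capability triage for the permissions listed in static1 (added example)."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permissions exactly as listed in the static1 table above.
REPORTED_PERMISSIONS = [
    "android.permission.SYSTEM_ALERT_WINDOW", "android.permission.READ_CALENDAR",
    "android.permission.CAMERA", "android.permission.READ_CONTACTS",
    "android.permission.GET_ACCOUNTS", "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.RECORD_AUDIO", "android.permission.READ_PHONE_STATE",
    "android.permission.READ_PHONE_NUMBERS", "android.permission.READ_CALL_LOG",
    "android.permission.PROCESS_OUTGOING_CALLS", "android.permission.CALL_PHONE",
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.RECEIVE_MMS", "android.permission.SEND_SMS",
    "android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.SCHEDULE_EXACT_ALARM", "android.permission.POST_NOTIFICATIONS",
]

def build_manifest(package, permissions, bindings):
    """Constructed manifest text; `bindings` is a list of (tag, component name, android:permission)."""
    perms = "".join('  <uses-permission android:name="%s"/>\n' % p for p in permissions)
    comps = "".join('    <%s android:name="%s" android:permission="%s"/>\n' % b for b in bindings)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="%s">\n'
            '%s  <application>\n%s  </application>\n</manifest>\n' % (package, perms, comps))

# Stand-in for the sample's manifest: real permissions, invented component names.
SAMPLE_MANIFEST = build_manifest("com.systemservice", REPORTED_PERMISSIONS, [
    ("service", ".AccService", "android.permission.BIND_ACCESSIBILITY_SERVICE"),
    ("service", ".NotifService", "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"),
    ("receiver", ".AdminReceiver", "android.permission.BIND_DEVICE_ADMIN"),
])

# Heuristic groupings (this example's own): which victim data each permission unlocks.
DATA_SOURCES = {
    "android.permission.READ_SMS": "sms", "android.permission.RECEIVE_SMS": "sms",
    "android.permission.RECEIVE_MMS": "sms", "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.PROCESS_OUTGOING_CALLS": "call_log", "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALENDAR": "calendar", "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera", "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location", "android.permission.ACCESS_BACKGROUND_LOCATION": "location",
    "android.permission.GET_ACCOUNTS": "accounts", "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.READ_PHONE_STATE": "device_identity", "android.permission.READ_PHONE_NUMBERS": "device_identity",
}
CONTROL = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.SEND_SMS": "sms_send",
    "android.permission.CALL_PHONE": "call_place",
}
# Only the system may bind these; once the user enables them the app gets broad control.
PRIVILEGED_BINDINGS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification_listener",
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
}

def parse_manifest(xml_text):
    """Return (package, requested permissions, privileged bindings) from manifest XML."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    bindings = set()
    for tag in ("service", "receiver", "activity"):
        for comp in root.iter(tag):
            perm = comp.get(ANDROID + "permission")
            if perm in PRIVILEGED_BINDINGS:
                bindings.add(PRIVILEGED_BINDINGS[perm])
    return root.get("package"), requested, bindings

def capability_profile(xml_text):
    package, requested, bindings = parse_manifest(xml_text)
    sources = sorted({DATA_SOURCES[p] for p in requested if p in DATA_SOURCES})
    control = sorted({CONTROL[p] for p in requested if p in CONTROL})
    # Flag: several distinct data sources plus at least one privileged binding.
    return {
        "package": package,
        "data_sources": sources,
        "control": control,
        "privileged_bindings": sorted(bindings),
        "stalkerware_shape": len(sources) >= 4 and bool(bindings),
    }

if __name__ == "__main__":
    print(capability_profile(SAMPLE_MANIFEST))
```

Run against a real APK by feeding the decoded manifest (apktool or aapt2 output) to capability_profile; the flag is deliberately coarse and is a prioritisation aid, not a verdict.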
Analysis: behavioral1

Detonation Overview

Submitted

2025-03-10 15:05

Reported

2025-03-10 15:07

Platform

android-x86-arm-20240910-en

Max time kernel

109s

Max time network

110s

Command Line

com.systemservice

Signatures

Truthspy

trojan infostealer spyware truthspy

Truthspy family

truthspy

Checks if the Android device is rooted.

defense_evasion
Description | Indicator | Process | Target
N/A | /sbin/su | N/A | N/A
N/A | /system/bin/su | N/A | N/A
N/A | /system/xbin/su | N/A | N/A

Makes use of the framework's Accessibility service

collection defense_evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | raw.githubusercontent.com | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

defense_evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A
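
The three intents and bindings above (notification listener settings, battery-optimisation exemption, accessibility service) are grants the victim is steered into making, and they survive on the handset long after the detonation. On a device suspected of carrying this sample, the same grants are readable through adb: enabled_accessibility_services and enabled_notification_listeners in secure settings, `dumpsys deviceidle whitelist` for the doze exemption, and `dumpsys device_policy` for active device admins. The script below is an added example, not sandbox tooling: its parsers work on that command output (the ComponentInfo{pkg/cls} line shape for device_policy is an assumption about the dump format), the embedded strings are constructed rather than captured, and audit_live wires the same parsers to a connected, authorised device.

```python
"""Device-side check for the grants this sample depends on (added example)."""
import re
import subprocess

def enabled_components(settings_value):
    """Package names from a colon-separated ComponentName list such as 'pkg/cls:pkg2/.cls2'."""
    value = settings_value.strip()
    if value in ("", "null"):          # `settings get` prints "null" for an unset key
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}

def doze_whitelist(dump_text):
    """`dumpsys deviceidle whitelist` prints one 'type,package,appid' line per exempt app."""
    pkgs = set()
    for line in dump_text.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and parts[0] in ("system", "user"):
            pkgs.add(parts[1])
    return pkgs

def device_admins(dump_text):
    """Assumed dump shape: active admins listed as ComponentInfo{pkg/cls}."""
    return set(re.findall(r"ComponentInfo\{([^/}]+)/", dump_text))

def assess(pkg, acc_value, notif_value, doze_text, policy_text):
    """Which grants `pkg` holds, plus a verdict matching the footprint in this report."""
    grants = {
        "accessibility": pkg in enabled_components(acc_value),
        "notification_listener": pkg in enabled_components(notif_value),
        "doze_exempt": pkg in doze_whitelist(doze_text),
        "device_admin": pkg in device_admins(policy_text),
    }
    # A doze-exempt app that also reads the screen or the notification shade
    # has the background-surveillance shape described above: treat it as suspect.
    grants["suspect"] = grants["doze_exempt"] and (
        grants["accessibility"] or grants["notification_listener"])
    return grants

def adb(*args):
    """Run one `adb shell` command and return its stdout (needs adb and an authorised device)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout

def audit_live(pkg):
    return assess(pkg,
                  adb("settings", "get", "secure", "enabled_accessibility_services"),
                  adb("settings", "get", "secure", "enabled_notification_listeners"),
                  adb("dumpsys", "deviceidle", "whitelist"),
                  adb("dumpsys", "device_policy"))

# Constructed command output resembling a handset running this sample (not captured).
SAMPLE_ACC = "com.systemservice/com.systemservice.AccService:com.android.talkback/.TalkBackService"
SAMPLE_NOTIF = "com.systemservice/com.systemservice.NotifService"
SAMPLE_DOZE = "system,com.google.android.gms,10010\nuser,com.systemservice,10153\n"
SAMPLE_POLICY = ("Enabled Device Admins (User 0):\n"
                 "  ComponentInfo{com.systemservice/com.systemservice.AdminReceiver}\n")

if __name__ == "__main__":
    print(assess("com.systemservice", SAMPLE_ACC, SAMPLE_NOTIF, SAMPLE_DOZE, SAMPLE_POLICY))
```

The verdict logic is intentionally narrow: a legitimate screen reader (com.android.talkback in the constructed data) holds accessibility but no doze exemption, so it is reported, not flagged.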

Processes

com.systemservice

/system/bin/sh

stat /sbin/su

stat /system/sbin/su

stat /system/bin/su

stat /system/xbin/su

stat /odm/bin/su

stat /vendor/bin/su

stat /vendor/xbin/su

su

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
AU | 1.1.1.1:53 | protocol-a100.phoneparental.com | udp
US | 104.21.32.1:80 | protocol-a100.phoneparental.com | tcp
GB | 142.250.200.14:443 | | tcp
GB | 142.250.200.14:443 | | tcp
GB | 142.250.200.14:443 | | tcp
AU | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.46:443 | android.apis.google.com | tcp
GB | 172.217.169.46:443 | android.apis.google.com | tcp
AU | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
AU | 1.1.1.1:53 | static.xx.fbcdn.net | udp
GB | 163.70.147.23:443 | static.xx.fbcdn.net | tcp
AU | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.204.68:443 | www.google.com | tcp
GB | 216.58.204.68:443 | www.google.com | tcp
AU | 1.1.1.1:53 | consent.google.com | udp
GB | 142.250.187.238:443 | consent.google.com | tcp
AU | 1.1.1.1:53 | update.googleapis.com | udp
GB | 216.58.204.67:443 | update.googleapis.com | tcp
AU | 1.1.1.1:53 | id.google.com | udp
GB | 142.250.200.35:443 | id.google.com | tcp
AU | 1.1.1.1:53 | www.reddit.com | udp
US | 151.101.129.140:443 | www.reddit.com | tcp
AU | 1.1.1.1:53 | www.redditstatic.com | udp
US | 151.101.1.140:443 | www.redditstatic.com | tcp
US | 151.101.1.140:443 | www.redditstatic.com | tcp
AU | 1.1.1.1:53 | styles.redditmedia.com | udp
US | 151.101.129.140:443 | styles.redditmedia.com | tcp
AU | 1.1.1.1:53 | id.rlcdn.com | udp
US | 35.244.174.68:443 | id.rlcdn.com | tcp
AU | 1.1.1.1:53 | github.com | udp
GB | 20.26.156.215:443 | github.com | tcp
AU | 1.1.1.1:53 | github.githubassets.com | udp
AU | 1.1.1.1:53 | avatars.githubusercontent.com | udp
US | 185.199.110.133:443 | avatars.githubusercontent.com | tcp
AU | 1.1.1.1:53 | github-cloud.s3.amazonaws.com | udp
AU | 1.1.1.1:53 | user-images.githubusercontent.com | udp
US | 185.199.111.154:443 | github.githubassets.com | tcp
US | 185.199.111.154:443 | github.githubassets.com | tcp
US | 185.199.111.154:443 | github.githubassets.com | tcp
US | 185.199.111.154:443 | github.githubassets.com | tcp
US | 185.199.111.154:443 | github.githubassets.com | tcp
US | 185.199.111.154:443 | github.githubassets.com | tcp
US | 185.199.110.133:443 | user-images.githubusercontent.com | tcp
US | 185.199.110.133:443 | user-images.githubusercontent.com | tcp
US | 185.199.110.133:443 | user-images.githubusercontent.com | tcp
US | 185.199.110.133:443 | user-images.githubusercontent.com | tcp
US | 185.199.110.133:443 | user-images.githubusercontent.com | tcp
AU | 1.1.1.1:53 | raw.githubusercontent.com | udp
US | 185.199.111.154:443 | github.githubassets.com | tcp
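
Most of the names in the network capture are the emulator's own Google services and CDN traffic; the rows an analyst actually wants are the ones nothing on the platform explains (protocol-a100.phoneparental.com, reached over plain HTTP on port 80, and the reddit/rlcdn lookups) and the GitHub raw-content host the signature above flags as abused hosting. The script below is an added example, not sandbox tooling: it parses a subset of the rows (embedded as constructed input in a "Country | Destination | Domain | Proto" layout), buckets each resolved name, lists the plaintext endpoints a pcap would expose, and emits Suricata dns.query rules for whatever remains. The benign-suffix list, the abused-hosting suffix and the SID range are this example's assumptions.

```python
"""Network indicator triage for the behavioral1 capture (added example)."""

# Constructed input: a subset of the Network table rows, Country | Destination | Domain | Proto.
NETWORK_ROWS = """\
N/A | 224.0.0.251:5353 | | udp
AU | 1.1.1.1:53 | protocol-a100.phoneparental.com | udp
US | 104.21.32.1:80 | protocol-a100.phoneparental.com | tcp
GB | 142.250.200.14:443 | | tcp
AU | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.46:443 | android.apis.google.com | tcp
AU | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
AU | 1.1.1.1:53 | static.xx.fbcdn.net | udp
AU | 1.1.1.1:53 | www.reddit.com | udp
US | 151.101.129.140:443 | www.reddit.com | tcp
AU | 1.1.1.1:53 | id.rlcdn.com | udp
AU | 1.1.1.1:53 | github.com | udp
AU | 1.1.1.1:53 | raw.githubusercontent.com | udp
"""

# Assumed benign: platform telemetry and CDNs an Android emulator reaches on its own.
PLATFORM_NOISE = ("google.com", "googleapis.com", "gstatic.com", "fbcdn.net")
# Hosting the report's own signature calls out as abused for payload/C2 delivery.
ABUSED_HOSTING = ("githubusercontent.com",)

def parse_rows(text):
    """One dict per table row; an empty Domain cell becomes None."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 4:
            raise ValueError("unexpected row: %r" % line)
        country, dest, domain, proto = cells
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain or None, "proto": proto})
    return rows

def _under(domain, suffixes):
    """True if domain equals a suffix or is a subdomain of it (no 'notgoogle.com' matches)."""
    return any(domain == s or domain.endswith("." + s) for s in suffixes)

def classify(domain):
    if _under(domain, PLATFORM_NOISE):
        return "platform_noise"
    if _under(domain, ABUSED_HOSTING):
        return "abused_hosting"
    return "unattributed"      # analyst review queue: C2, or content loaded by the app's own UI

def triage(text):
    """Bucket every resolved name from the capture."""
    buckets = {"platform_noise": set(), "abused_hosting": set(), "unattributed": set()}
    for row in parse_rows(text):
        if row["domain"]:
            buckets[classify(row["domain"])].add(row["domain"])
    return {k: sorted(v) for k, v in buckets.items()}

def plaintext_endpoints(text):
    """TCP connections on port 80: traffic a pcap of this detonation shows in the clear."""
    return sorted({(r["ip"], r["domain"] or "") for r in parse_rows(text)
                   if r["proto"] == "tcp" and r["port"] == 80})

def suricata_dns_rules(domains, first_sid=9000001):
    """One dns.query rule per domain; SIDs are local-range placeholders."""
    template = ('alert dns any any -> any any (msg:"Android stalkerware DNS lookup {d}"; '
                'dns.query; content:"{d}"; nocase; classtype:trojan-activity; sid:{sid}; rev:1;)')
    return [template.format(d=d, sid=first_sid + i) for i, d in enumerate(sorted(domains))]

if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    print(result)
    print(plaintext_endpoints(NETWORK_ROWS))
    for rule in suricata_dns_rules(result["unattributed"] + result["abused_hosting"]):
        print(rule)
```

Rules for raw.githubusercontent.com will fire on legitimate developer traffic; deploy them only on networks where that host is unexpected, and prefer the unattributed bucket for blocking decisions.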

Files

/data/data/com.systemservice/databases/com.google.android.datatransport.events-journal

MD5 58f16c2e32519ff8648bf3da85dd952a
SHA1 7e330e0544697f8e02aa3231c6f3463b7584762e
SHA256 a7c7c6ea8db1d903cb570f6ef88ffd5310bd3e7d80dfe2458a2c55d1e2c1088a
SHA512 e8ac662088d0cc063a6318e9c30dd03b388c815ce4872f27dc6a2695f4a252923beffe6d4ab4283a5a19d696562805e6bd153f5fa4693f7f99dbadf2f5e0b389

/data/data/com.systemservice/databases/com.google.android.datatransport.events

MD5 fca4d2d6a1a02a32e770be9c95f428f7
SHA1 b40eeca94bce3a5d4abbeec789b440ce223ffb7f
SHA256 48fe6acd4ad321e68aaf03103463183ae1990e62e8ed408d1ee92d434bde7fae
SHA512 a38a36785db7312210e558a8f800d63d66d2bc9870768c5b18f0008ab2654deaf2349abd3b5aebf356d7e18bdf0753566a1c334a8406f57b1c699341a2c27a95

/data/data/com.systemservice/databases/com.google.android.datatransport.events-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.systemservice/databases/com.google.android.datatransport.events-wal

MD5 cbb62ca69a9262e99418fa7e1974d71a
SHA1 0b5c36a0518713529a5fca7521ea3e97e596944f
SHA256 d935c93401f4189cf89c7f6934a5f103ad9efa10c39a0d80fcac6d5bcb63139b
SHA512 83b1da892c13c8614704d70b619a05359d6ba3a55d04a5dbb6f79a7721d3b0ea393ad9c57887db5a3dfa54b3f99f3245706cda564673faebe9599886c8f5b16c

/data/data/com.systemservice/databases/core.db

MD5 045489a0639eee27bca52f48828cd93d
SHA1 436e7966e7c019273c44faa4d8c5709b816dfda3
SHA256 0151eae0eec786abb19ab59d7361b3291ae98411fae12cbbdfecd1612e16996e
SHA512 c8739a723a8648b0e380b946a97fb6cd83d6c4769ec3679bf4bc003ad0049ff5cccfc8f75a6ea272feced0020b13d3129f792f0f22cf442f0d0127f399eba22e

/data/data/com.systemservice/files/PersistedInstallation3492889590003632721tmp

MD5 a1f3ad6ad4a18274fe779367d2189221
SHA1 ff144ec773f8abe00dc37467f4222cd3d0152730
SHA256 cbec76d00469e5ce10ec604eb0110072627187b4825cfdfd4f0d47df69227893
SHA512 0fdbc44980c0722dee05a5e25c651b4016dfd889cb9dd965668c9a2a47339cc96996cf893eec79db7c58b165bd1cd9fca82f41b92398968d4c70cf2fe9bcb11b

/data/data/com.systemservice/databases/google_app_measurement_local.db-journal

MD5 23ceec8b5e5c925e58553c76d59690e7
SHA1 87f45187d3b74bcef92ab535614f9dc98750af20
SHA256 d5529dce8ca6fd5ffbae8f3b1eeb48978db43e24680b66c0c766778a3dc1ebc1
SHA512 bd757965f111045427aeaa607167496d5fec6daf63b7ca663a61cbabbc7564bafd2ec14f00767fc46396720d6fd17af2ac8e2d869951378696c7373ee2189eba

/data/data/com.systemservice/databases/google_app_measurement_local.db

MD5 7237409e0640cfab7bdbd429bf821a3b
SHA1 4c3da934842f8d4835dfe2a9c275a300e5123309
SHA256 5c8e1b63d187efafe1e09bfadd83fd360176d689b57b5a0cc40e6854c12449fa
SHA512 c8afaf6a8ee43ce3601feff417bfaec563c01bcff0aae24577054034112b2020967f25b0b1a919c3c9e5e81d62a21a87e908b782c4d5cb8bba8ac259108e9c1f

/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

MD5 32fb692b6fe1925bfeb1d174cdd0e094
SHA1 62bf32fff8b7db8ca4a406270e3e71e766b89d51
SHA256 e6ab25edc5301b41125244cc8e2ab7ae70b8a11f646f22c49e522d1d802240c4
SHA512 2658cb13199d7243d10a8dac0262be0d9192baf0a7d834406c4572686a65122d2b74ce4ccf3cbc92b729317fc133d963700af26f268e0a88ded39898a327d96a

/data/data/com.systemservice/log/log4j.txt

MD5 24881fbb20f3de21d3e4b4fc8efdcadf
SHA1 d2fcece1e84654b28d09fb0e0ac78578c9028d82
SHA256 a9caa82b0d4ffa8d0c2c768aa778553dc3d7b3e9be184e18af96d5ee2d10ebc6
SHA512 29f56935ed144dcb6cf39209fba65ba2bcea629ebe7bc25f8cdce88b5b0dd59bf45e32b089760919f91605276dbc0bb22841dfdb28078d820722ee648e8e80fe

/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

MD5 5f881d7b7d12e1d99e3edcd148c264b8
SHA1 29d117f94de1f0071de4ab06b0e0e3a3aa65a504
SHA256 843589e0445b7a3e346882c5500eddede7814bac9d9251cc158ed0f55236b24f
SHA512 48043f92eec6ec79efb59edf9029e4107ebd1188dd95d7207b6f78cf67d16bd4686302e1090fa7250b85ca3510dd45eb7f527ae82b8d91fb19c136e5cb8317ed

/data/data/com.systemservice/databases/google_app_measurement_local.db

MD5 ce578e6a0cf245642413d4496cb51a0a
SHA1 bc9259864607dc21f39e0cc1b26cc6d13073d426
SHA256 e0aad0709d35ce63896ca911ae2f833198f78f07b324e9f2b709d41c47278f5b
SHA512 f275fa087e27af06ef4e78dc72ee6759fa02718ae52a36440c06d49db7ba753f074846bc0834f3eee333277878c334592679dd3fd0134c3d683e666d4e23e781

/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

MD5 d81d99ac52e4e0446023525b1baaf807
SHA1 67e4542c6da1f12d1df1a5f1f82ff7b70b7d5fd2
SHA256 4d8c083b4868d99659bf95194366fc6b542100e4906ebef1cfb1fa3c647feaab
SHA512 24a99ef2e6782c4664ed261061990320c89f37dc8ca44d6a7a7947fc7d571ea853c662a763cc8c580b631c7e3917e5b4b7e426f559419757d29f1a95df8e79ae

/data/data/com.systemservice/databases/google_app_measurement_local.db

MD5 2977dab3897d63738887d168d117f77b
SHA1 365dbe5e019a5a7c793fbaa16b4944be7cf1e367
SHA256 9990b32d28c73b03ba98d712b1061cc73b7ef2c754fc35097965437b6629e87a
SHA512 50aecbf10a2a58a1ce4ab04d4d34d85e16531642b839407681874ab2bcb52b5160e3a00c5f6108f22d341fee40656e9defa8ffeb051fca7a4d1048945384d6ec

/data/data/com.systemservice/files/PersistedInstallation7816238150204918843tmp

MD5 1332a32eddfeea0de1311e5882d8fc06
SHA1 0a5137af4a9f64e2061cce01168076d0e21d52ca
SHA256 98d50d7a11d042088fb5f4ba4f728b844bf24835f5e57e704cacfdde181e8ba9
SHA512 d286e17b6a0d21739c793300ae7f705300cf64b445d77ea69e136856a9adc164714eefd6d926817664b677f371b5d82ee24d2baeb03e50d2cd6e3c6bf0f7ddd6

/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

MD5 2d21b6ac30edfa3cdde8412184390936
SHA1 14c2ac1d301cd72df1d21149bb0e8d2e9852e88a
SHA256 c5115c5c6eddab79588dd7427160a7b3abaf528b74d04b8cba0b2cdb8fea9546
SHA512 373f61bcef1b94ff0adfa29489c23971e5025e1c8ee25fb28165edd7c3373c2234b788be78b4af9748b80df4d26774b5f7b541d15e8a52d8cb7c68217134aeac

/data/data/com.systemservice/databases/google_app_measurement_local.db

MD5 2776d8a05860813f0904a82f260981d6
SHA1 db86abd4d479d221ee9c85321c987cd56677baf4
SHA256 63e7d2206e614f7217d4b7f431d5c296e669830a9769fdde392a6508eeffb75b
SHA512 07ec2f5954e6252d7b8c8720c115e431dee7b4dfac658171ed3f0804443aeaa9b0697019668d78e34813fc4484c49ca656ad2fc2f94d44dd62b7a8b250a0c488

/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

MD5 be36d6dabc2495e5c3e2654ee623e216
SHA1 66328089c5e6405ee9bea914b72c5084053d92af
SHA256 ae81cdc9eba5d60bdff3e84ca817d981b50174736255cafa4aec527fda8ef978
SHA512 a63dcf40b38ee1a87c0edf2f55d91fadde66687907437e793c57988e4a37fa331454835d9d937eff30195dfaf0154711b0066ce8cfd0a199f444aa4f81a42442

/data/data/com.systemservice/databases/google_app_measurement_local.db

MD5 e084b5db5a1f5d58fb6f961998f6ccb1
SHA1 900f7193dbe29113db9ed12e9a5c41322c32eec4
SHA256 96d712ad6ac79e1e6f582bf6e49cdb27fafd383117748bff690d18db476adac5
SHA512 d78cd960b1e85b6140eb174a7e845a283ee98d24b0182dcdb839e67a287db41b92b515b5d252480b759c83b19d38767e97cb1a9a3095ef1a7059c15efa8d1dd4

/data/data/com.systemservice/databases/google_app_measurement_local.db-wal

MD5 fe826f0beae9d996a71c5611d9b0828e
SHA1 b6ca2c0d6810e1506a528531d19e643b72ed1874
SHA256 d9db01f977e3a2ec18f7ee80a63712506bf584bf1e6d453477502acf2b9eb0f5
SHA512 40db29059127197bf1a877458bfd42deb51fd95888cdf4a1300dbce94c991a95c4f81c90ae69708f2eb0090931f1d2eae9a9883812ee5a41ba0cd93ccb98e17d

/data/data/com.systemservice/databases/google_app_measurement_local.db

MD5 46fe110a0a71b6b35a9f2244b0c82bbc
SHA1 ab2ae3a05b8e66ad2e957038f6617c80646fc9db
SHA256 d16d29413c0b5787e33630f6cf0462c49fb189b10a1b01032cebcf60d513b461
SHA512 53047507342b4ada7b2a5d3d3ad7f000eed972a1e5d50efeaa840e687ba1d90120b23f41cb6b1cae53c834fc4341896b0abc2ae77cb4878e36e433637de23acb

/data/data/com.systemservice/cache/image_manager_disk_cache/journal.tmp

MD5 8c92de9ce46d41a22f3b20f77404cc1d
SHA1 8671a6dca00edb72be47363a7071be65cf270373
SHA256 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
SHA512 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

/data/data/com.systemservice/cache/image_manager_disk_cache/journal

MD5 032ab390ced84616c73c9b07dc01218b
SHA1 c2766b83007ab75cd65b8484578f629e1aca6c11
SHA256 98f30b7b773f4da858bbe3a6648b210785daedebeb382edc6662f2cf757795ea
SHA512 d31e29add59f705404db923c9431d6c947d23a2e1a8700fa4b07e62561c0a87d8dee1637ee045d4252b26365f8b95c678a57a93973bf8803b8135dbf1e6aed48

/data/data/com.systemservice/cache/image_manager_disk_cache/119240b5c507da9ad0fa1c8aa89526b0d3b318ee30c724b3db8c9b0913ea064e.0.tmp

MD5 48610ddc9a91fae7814ed15a5851aefd
SHA1 39a97a7794cfe4df667f3d0030e3290a1eae6061
SHA256 78063c1282a0a4e00d02c92811f6cddef48fb229e1f92cd4b17e3487b53402b5
SHA512 55d7c784c57a04746ce834aeeeb461467e313f2c34dc6e78c004bf58422acf54393edba98770161018b42dbf74de75a54f0d24e8b6b0afc5d96a9f832e9271e0