Analysis
-
max time kernel
304s
-
max time network
314s
-
platform
android_x64
-
resource
android-x64-20240624-en
-
resource tags
android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
-
submitted
01-08-2024 02:37
Behavioral task
behavioral1
Sample
960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral2
Sample
960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
Resource
android-x64-arm64-20240624-en
Behavioral task
behavioral3
Sample
960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
Resource
android-33-x64-arm64-20240624-en
Behavioral task
behavioral4
Sample
960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
Resource
android-x86-arm-20240624-en
General
-
Target
960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
-
Size
20.5MB
-
MD5
662a29140ea32f87a19fa76996137563
-
SHA1
cd0a4bd3abbf0fe2773a9c7a7a589a0609582219
-
SHA256
960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4
-
SHA512
511b9d8e95dc7fa26fbf385c4f8bbdd0120830d7a4a031ac6929807bf265e7edafaa4778cdae6e80e632b8f1cfd4e7fb194a776328082402fbd2d22b79174b0c
-
SSDEEP
393216:tGtsJA35z7A79L+v291mbgafiubchZHb9T9i/zVN2I+TX3VyKpPbNiRSKcsbJo:tLJA35z7c5vLmbBffc3Hfi/zVN2Ikn08
Malware Config
Signatures
-
AndrMonitor
AndrMonitor is Android stalkerware.
-
Checks if the Android device is rooted. 1 TTPs 2 IoCs
ioc                        Process
/system/app/Superuser.apk  xspcmj.qiegf
/sbin/su                   xspcmj.qiegf
pid   Process
4944  xspcmj.qiegf
4944  xspcmj.qiegf
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs an executable file dropped to the device during analysis.
ioc                                                pid   Process
/data/user/0/xspcmj.qiegf/[email protected]  4944  xspcmj.qiegf
/data/user/0/xspcmj.qiegf/[email protected]  4944  xspcmj.qiegf
-
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
description             ioc                                           Process
Framework service call  android.accounts.IAccountManager.getAccounts  xspcmj.qiegf
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description             ioc                                       Process
Framework service call  android.os.IPowerManager.acquireWakeLock  xspcmj.qiegf
-
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 27 IoCs
flow  ioc
6     prog-money.com
55    anmon.name
26    anmon.name
48    anmon.name
52    anmon.name
10    anmon.name
35    anmon.name
45    anmon.name
51    anmon.name
66    anmon.name
7     prog-money.com
36    anmon.name
60    anmon.name
9     anmon.name
56    anmon.name
42    anmon.name
67    anmon.name
44    anmon.name
64    anmon.name
132   anmon.name
8     anmon.name
11    anmon.name
25    anmon.name
39    anmon.name
86    anmon.name
15    anmon.name
16    andmon.name
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description             ioc                                                Process
Framework service call  android.app.IActivityManager.setServiceForeground  xspcmj.qiegf
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description             ioc                                           Process
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  xspcmj.qiegf
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests cell location 1 TTPs 1 IoCs
Uses Android APIs to get current cell information.
description             ioc                                                      Process
Framework service call  com.android.internal.telephony.ITelephony.getAllCellInfo  xspcmj.qiegf
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description             ioc                                            Process
Framework service call  android.app.IActivityManager.registerReceiver  xspcmj.qiegf
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description             ioc                                    Process
Framework service call  android.app.job.IJobScheduler.schedule  xspcmj.qiegf
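The report gives two kinds of indicator a responder can act on: the SHA256 of the Dex files the sample drops into its private directory (the "Loads dropped Dex/Jar" behaviour) and the domains it resolves (anmon.name, andmon.name, prog-money.com). The script below is an added example, not part of the sandbox output, that sweeps both against sha256sum output from the app's data directory and resolver log lines. The hashes, package name and domains are taken from this report; the file names, the unknown.jar entry and the DNS log lines are constructed, because the real dropped file names are not legible in the report.

```python
"""IoC sweep for the indicators in this report.

Added example, not part of the sandbox output. It takes the SHA256 of the
two Dex files the sample dropped under /data/user/0/xspcmj.qiegf/ and the
stalkerware domains from the network flows, and checks them against
sha256sum output and DNS log lines (both constructed here) of the kind an
analyst would pull from a suspect device or a resolver.
"""
import re
from typing import Dict, List, Tuple

# From the report: SHA256 of the Dex/Jar files loaded from the app's private data dir.
DROPPED_DEX_SHA256 = {
    "b1da8dddf686b15b020b54c3509896b4a96b080604cd9d9cbf302e4beee473ce",  # 2.6MB
    "c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c",  # 1.2MB
}
# From the report: domains the sample resolved (flagged via the echap.eu.org list).
STALKERWARE_DOMAINS = {"anmon.name", "andmon.name", "prog-money.com"}
PACKAGE = "xspcmj.qiegf"
# Files with these extensions under the package's private dir are runtime-loaded
# code (the "Loads dropped Dex/Jar" behaviour), whatever their hash.
CODE_EXTENSIONS = (".dex", ".jar", ".apk", ".odex")

# Constructed input: `sha256sum` output for the app's data dir. The real dropped
# file names are not legible in the report, so these names are placeholders.
SHA256SUM_OUTPUT = """\
b1da8dddf686b15b020b54c3509896b4a96b080604cd9d9cbf302e4beee473ce  /data/user/0/xspcmj.qiegf/files/dropped-1.dex
c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c  /data/user/0/xspcmj.qiegf/files/dropped-2.dex
ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb  /data/user/0/xspcmj.qiegf/files/unknown.jar
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  /data/user/0/xspcmj.qiegf/shared_prefs/empty.xml
"""

# Constructed input: resolver log, one query per line: timestamp client qname qtype.
DNS_LOG = """\
2024-08-01T02:38:11Z 10.0.2.16 anmon.name A
2024-08-01T02:38:12Z 10.0.2.16 api.anmon.name A
2024-08-01T02:38:13Z 10.0.2.16 notanmon.name A
2024-08-01T02:38:14Z 10.0.2.16 prog-money.com A
2024-08-01T02:38:15Z 10.0.2.16 example.org A
"""

SHA256SUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def parse_sha256sum(output: str) -> List[Tuple[str, str]]:
    """Return (hash, path) pairs from `sha256sum` output; hashes lower-cased."""
    pairs = []
    for line in output.splitlines():
        m = SHA256SUM_LINE.match(line.strip())
        if m:
            pairs.append((m.group(1).lower(), m.group(2)))
    return pairs


def match_known_dex(output: str) -> List[Tuple[str, str]]:
    """Files whose SHA256 matches a Dex the report saw this sample drop."""
    return [(h, p) for h, p in parse_sha256sum(output) if h in DROPPED_DEX_SHA256]


def runtime_code_files(output: str) -> List[str]:
    """Code artefacts in the package's private dir, known hash or not.

    A re-packed payload gets a new hash, so the hash list alone misses it;
    loadable code sitting in the data dir is the more durable indicator.
    """
    prefix = f"/data/user/0/{PACKAGE}/"
    return [p for _, p in parse_sha256sum(output)
            if p.startswith(prefix) and p.lower().endswith(CODE_EXTENSIONS)]


def domain_matches(qname: str, indicator: str) -> bool:
    """True if qname is the indicator or a subdomain of it.

    Label-boundary check, not substring: 'notanmon.name' must not match
    'anmon.name', while 'api.anmon.name' and 'ANMON.NAME.' must.
    """
    q = qname.lower().rstrip(".")
    return q == indicator or q.endswith("." + indicator)


def match_dns(log: str) -> List[str]:
    """Queried names from the log that hit a stalkerware domain, in log order."""
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        qname = fields[2]
        if any(domain_matches(qname, d) for d in STALKERWARE_DOMAINS):
            hits.append(qname)
    return hits


def sweep(sha256sum_output: str, dns_log: str) -> Dict[str, list]:
    """Run all three checks and return the findings keyed by indicator type."""
    return {
        "known_dropped_dex": match_known_dex(sha256sum_output),
        "runtime_code_files": runtime_code_files(sha256sum_output),
        "stalkerware_dns": match_dns(dns_log),
    }


if __name__ == "__main__":
    for kind, findings in sweep(SHA256SUM_OUTPUT, DNS_LOG).items():
        print(f"{kind}: {len(findings)}")
        for finding in findings:
            print("   ", finding)
```

On the constructed input the hash check finds the two known Dex files, the extension check additionally flags unknown.jar (a re-packed payload would look like this), and the DNS check reports anmon.name, api.anmon.name and prog-money.com while leaving notanmon.name alone. The sha256sum lines are what `adb shell run-as xspcmj.qiegf find . -type f -exec sha256sum {} +` or a forensic image would give you; the log format is an assumed generic resolver format, so adjust the field index for your resolver.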
Processes
-
xspcmj.qiegf
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests cell location
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
PID:4944
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution: Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts: Suppress Application Icon (1)
Downloads
-
Filesize 124KB
MD5 9cf7e03179a00e0097bb8292c310a7f8
SHA1 8046f1a0d32003f672b2da8ba6c7eb8f54ffcd17
SHA256 b428664066ed6496119d7ef35afee74fe8f5eb834939f9cacbf55804aa592438
SHA512 1d046cd7d5a96b0b4f0c5d218f97ebc850ea4a3385658ea4a9d36dc05363659d1dc53660f94d4d7d87794cfd60b94593f304e9011421d35f3f17296d28c28cb6
-
Filesize 96KB
MD5 2ed4c38fb0e20b20dba8213671024cfb
SHA1 4bf83a07b994be92a004fc9fe05f3817c2f65184
SHA256 9ee1273c7c7064ff86cba228a6faf61a201ed13b2a6c71745716ccfbfd78b7c5
SHA512 6b1a9e1a95c3b13c5da4183b46bbe2e1bd18dd67418597eba4e75fc8e9faf6a91040a5d44e0794ca0cc50fc34311434c6d27c5929f25489eb468c3ac574180a2
-
Filesize 96KB
MD5 254639f9bcfbfaf2062503ed7e53fd54
SHA1 03333625dfb103f0eab652bf463783f9a5735280
SHA256 6c618ef45f1fedefe564a99fc26bb96b7b5e92ffb403097980834f95490ddfa3
SHA512 74f9ed166ccc9aa0de21f7bb16903f57f4f16367b5eb2c267a88ed26b8e148e62dab25d0c66814757154dd0d19df92f930d02b0fd837567468fe3e38e46d46ef
-
Filesize 96KB
MD5 272d9a2e6d13866fcc358ef7d595199f
SHA1 6ece6a85e31ad33696ca71db4c89de74925ccb06
SHA256 d794f20f4e8f482a92e454a6292879bd89f3e8e56c3b6925fb4d0328573a16c8
SHA512 92e04e401fb3917cd598c8b3f3db2695db75d1fda3b0afe167cc91c64e42f051bb00bc61525a791fcb0911bc30e06b02054c38efeb1f918b26bb1641ce0031c8
-
Filesize 96KB
MD5 006b896d29597da602652582a6b7b4e2
SHA1 ed671273d87c7380a3f6e65f74dfb33adb96a56c
SHA256 7e9957adfdd5195b346965e20164fdfabff46c415651eb6f6403978ba78b687c
SHA512 642d6779d692f9456fe318c51723ec7ccb38edfa9e0cebd6abfd9abf43d1ffa43f8fec9a97e212edb9c055d892ba704364f7063f031a9f8aa50bdcc9c05ae1cb
-
Filesize 160KB
MD5 e47b443701d9c868f469bd67c73c2a60
SHA1 a66d64f0bebb8b8013d82010c66b13ac37705528
SHA256 5cb5ee52841ea4dec403064b311398d79dd072c1e1b2bebd9baaea011eeb03fe
SHA512 2bd825a94e21e4c41ec4be671695c27e897f0cddc825bf1d66972d7ee81f5e890555571d633c596d84c3eb02fcc804010590346611a4f168d01b2aa038fe7c0e
-
Filesize 512B
MD5 8a1d4ff6f8a8e112a82c094ea8b1b0e3
SHA1 556918378138cd192014d3b8fa13302631145e68
SHA256 b296794da739bb39898dd1e909b76cf68eb5945334ab620e550ac4ae02690add
SHA512 6743012cfcc256c8a2fc1e42d84cd0ea4c94ba8e10f7cfc2543bc0661956bd390919b89cb05af0ce746319db9e839764fac33d811dd4213b6e58dbc5f74383a1
-
Filesize 8KB
MD5 b25b027d7a128612f8eb7edfba24c14d
SHA1 4633c87dbaf4fab1e983ea0247913b4b6953e343
SHA256 968cb77ea198abf6bbb25e78c7bc3071974f6f5fb0c57c7bf98e5aa139d5da91
SHA512 f00b01acd13fb377e1377895c2d7b26887d29c35fa81f3febbc009a0dbb5d1ec5c5a4406040152c5ef2b36ded90cd9a2c3e321ae89f0bf5a026bcd9ef6bf23bf
-
Filesize 4KB
MD5 a37305f2436b493f9b84deae1c0eece1
SHA1 7fcee3b69bb968231c45c912c78aa31c713f6e8a
SHA256 c7d306b17aff7b26d8139ba3cac734469b6207a4d97f2397e358506b7d87706a
SHA512 f7044e3cfffd48cafed8e3b53c53dc31c55af7d8abdd35a3f5a8e12e3d745a0d7d1a69298b58ecd5e7b93fdc3bf841d697550dca7a4b84e0d965d0e69fc2b05b
-
Filesize 8KB
MD5 c3d4d029a00f6a0525c448510a148841
SHA1 f992b5e85fa1c4f50498001225a1ab2a1efd57e8
SHA256 1435f10f67e0f6ab061811623c252fcccc52850f7f704b2be464946bf2796847
SHA512 bdc4cdcc1eb7a1b47e4859dde3979b661583f3f6a9662eb7658a2ba4969219085e9e7a9deed6e119572d0d08bad3003845f303fc2ddb480ff2ea81d1eb6d7f8c
-
Filesize 12KB
MD5 ea3f31bb2f0bbe6fb7102d0ac23e00a4
SHA1 f8b4843c54aac4f5dc191119279be5a76a922b72
SHA256 ee5bffa3dedcc919237b53cc923573ba459c05ddf3c85d1e6c30b1ffdfb974ad
SHA512 21f4ed73f602c497fc387530841b51a63b0ce52b4a84ba4885db4d773e5a67636f8b274c613e6178afd1eeda967955b8c99c3f28da16e12a3a8746bfe6f62de5
-
Filesize 20KB
MD5 f93cb376357ca1e1f56811ca4e9ae536
SHA1 1d77e99d96de67d21023a41e65e7eec4d6e6be64
SHA256 a7add416127b33a77cce331bcf4944a33e5218778ad0c6e499015f7e20b61a73
SHA512 ebe39ccb53216188c39bed4d90ee60de22dd491abdeac8c3b089a66ec3118e2cc828c087a2dc3c41fe8f5f91bf080bdaf0dfd773259db8cc46b2bb02c5102e90
-
/data/user/0/xspcmj.qiegf/[email protected]
Filesize 2.6MB
MD5 3bca1a576ba29bd493e42938a489aa5d
SHA1 0e5d4bc3a7daf6864fb3076e6c1e9685e254efd9
SHA256 b1da8dddf686b15b020b54c3509896b4a96b080604cd9d9cbf302e4beee473ce
SHA512 39a80b04bc764b98d47e035fb46ad89607bf599110bb5f62dc394f50e2c329fe913fe4be70b2a7879be3e2d7650eb9322f026e4996c62a45632e4045cc71bdc0
-
/data/user/0/xspcmj.qiegf/[email protected]
Filesize 1.2MB
MD5 336921950a9f279733cd787f1203d73d
SHA1 cefc36a7c17909054cf2a507b34f545af96c0e36
SHA256 c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c
SHA512 6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87
-
Filesize 2.6MB
MD5 8aa5d8f3622ac78fa2cc58d58c87dfaf
SHA1 33071f0a26c21320a749a25a5e94a694aaf346de
SHA256 db50acab3ed87a8cf5df819c8c88e3364f966dd5279d1f3a3f8e3154ab8cc326
SHA512 0ca20d27a1e8511ef0d588d15fe4c6f443a706af90d414e94d4d7e021080309f574892c327054c9b072a6a8740a9ab88e774116d2d815ed839ea7f813ef35251
-
Filesize 1.2MB
MD5 51112e0a7f7962a8e02bc885025414ef
SHA1 40622959af4fe349d8881c885b9b30441de8804c
SHA256 2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0
SHA512 f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402
-
Filesize 173B
MD5 8ca0dfa10d01a66c4060db732b85fc46
SHA1 8745295499e482415e1f72098518cbf75243cc4e
SHA256 a52b3e558ecd5a2580732f7fe61bb9798b872b0885bbed134944dd444514d866
SHA512 9e9ce651f26475d43326a28bd7f303c10b0753c5445dae8504821925bc07970c956b3a4356fac53de411aa1d0c2c78cf6ab1604b101cb1301eb452f58677c127
-
Filesize 152B
MD5 dc9294b6f5a76270b3d324079a16e944
SHA1 42d329ce4b8b79145d180b67368e6b57752fe699
SHA256 0cff07f0d27a2a4b3ff10479a1cc64e0ee966814fa93b6e527cceae4368c5701
SHA512 65cd78e35a8b3ad03c009aba8ecad1a4be7f0c13293387e3a0be567339ad8919788dfd3d4f98b5bbcc1f497b0b016f590c032c3791bc8f9fdc4fc0133e628705
-
Filesize 4KB
MD5 7fe514398aa20ea73f1d4e8ba835d0e9
SHA1 3cfa2f4069b136436f73b848792997a0b85454bb
SHA256 ba8a2577916154297dcae3061ffa8da6ac2753365e5fec023d3334a7d19c4bc2
SHA512 835a247052053a2fb5e7db31193d30e16d314a290ca22d99d6ab7987842febf07ebfa8784c81662eef3b702a7c070d59f135aa82a68ec36de070f5999ce1a50f
-
Filesize 64B
MD5 e1a5e5084577113916a9d1c8a121206c
SHA1 92c93aed49ab7acb55a1aeef4a96281f7842f169
SHA256 c8c7981ba2a49fd8880b53e2228de3b9defb71bc2a4297aedf71e150df89c6a9
SHA512 016282c4d699dcccb1ab01fe59b1365b6b6749c297e584febddfcad494833530e5262634039fe2d59cca134661e872f0c80a0413b1a7946bf002b2a9d33eea95
-
Filesize 72B
MD5 968003083313e238794808089ba71391
SHA1 ffc1790620e4fd382c2f6fc8383fd0465a592e86
SHA256 092527e1d84742d0376ba15b18e6637b5fd1026dcff8e4c5b72a287a051c5d4a
SHA512 34b8717fffc7061f40258bd1d92137f643bf7384849297c41f0b2aff158d6e2b6c4ba4b09eeb1ad6e6e10ee4ff6af6a0c211d5ed813a553059610963244aedae
-
Filesize 156B
MD5 ebddd3fffbcd8e60c23d61957933e55b
SHA1 550ddf64df14e7a8c4bb1c56463123d369525866
SHA256 10defc9d6d0480b0163c2d3e02d02e7227592c6c8d8c533e035ebd82dad19a55
SHA512 ebd5fb539ed6e5fc7076e018762011578568635bb0ad27b40284606018085fa8b678d0fc2502d476cae42fa21d84542eb769b0cc3aafbf8295018a17ed276a09
-
Filesize 129B
MD5 aa7ef15280f7d3713bd6b1f6b1966084
SHA1 19353a23ef3ca4ba96ce1098b17a976ada464b0f
SHA256 80d86713ef2fe37a198b39002b1dc48e2b9f6f24d44878cb8d1591d36c4e83a7
SHA512 32f25f646778a07afed4d45e146c4a15868fc868434356770f4aaa7dbcbf712717317876e346c3cdfce8405a007dba5090a2f3dd3db780b7af158335273c3be1
-
Filesize 27KB
MD5 f438ff5af29a8b353cbf497eaa6e6220
SHA1 0bf35d084e42c5612f0690701e780de2d8433c6f
SHA256 49abdd2bbcb54f6f199679a89ce7d6877f6ad5d5672e86f5bcc9ae527babb5f3
SHA512 8b279c59ed88fb586cee62d234a2eb2fc86ea9641238b6b9253e993ac7c039caddbc5b3f603613f8f1b54d7d316edf0149ef84162d0a421d9d450d108c9e219f
-
Filesize 6KB
MD5 2a0bf36264673dc90ba51561c80eb6f4
SHA1 88ccab96722bbe26a6d300d2fbdc6ac1d3ee2384
SHA256 b01795d47b09eee67cfb26e41801e71b0eacac3c2749b74b2a1e952e5fec1aa4
SHA512 c61dfd5f5fc9c6f0a7feba10f0e5fd8fcdf8c81915cf34aca2b181630b9f6034af28b7d83787badacc9314b36286b94eafe53af7b4203858d29dcb4751e192e9
-
Filesize 220B
MD5 92cbd834c95bb48b860cfbc12992c930
SHA1 8c492aecd9b90094c4412f6281f650187eefc4a1
SHA256 7b4c78cf08bfbb069e722a66da0abe848b52080dd7e830c8d2bc2a8a7ff6940f
SHA512 ce4bbfbf719f027e3a180c408b59100cd2d9ace56f37b8eba5560b6edb2da50671f6c1ba9275f691d04cfb5ad7ed7d59dd823110a86344601ffb57758da10aea
-
Filesize 62KB
MD5 d98f3f26a11ae6315131da68ba59aa79
SHA1 1fb42fbc17421e687787b7be5e051c4a3bb0afef
SHA256 4de635c69244dbd1f41560eaee6751967f98d0011714cd07f24b8dea57cd30ed
SHA512 aab7c373de637d9ffddb2e2531b7f3d9af0ec7e237ad7759affa506b88583e1f03b23066215c99c909cbaf5024a61fd2149ee6737a5e137b3423378d0d6f5c9f
-
Filesize 72B
MD5 fda9182e3ed7babfe6cdfb2fc79f91a4
SHA1 63c41d4facdb15262581b9096fef50492c48c801
SHA256 d09df77525b05a62e89c70cc207651dd416cf2b9a73d0ac5b37db77e93325803
SHA512 8554dbe745a8b52ee7cce25f4cd6ed4a92601223b616ad8357bcce09a9907b09dab3042220d2c41649b3b70b409124c1c2c8efac855c10d8c347c662bb3f98d7
-
Filesize 64KB
MD5 13684d2547f64dabfe299d1c6553a05f
SHA1 b000477d2cb51e917f2ebce3a8c53745ba7e0fd0
SHA256 3cf935d3101700253aa86e9d233201e587cfdd71b44491414b9d0f8f351febc0
SHA512 e75a7c2d43b9223cbb58cf21640ed86a1df77fbeab56d9f7904748898feac40aa6a372dfdfd44c93ea8480dad2f9889684bf37b85549d4bf8e2a2c7c79172217