Analysis
max time kernel: 323s
max time network: 339s
platform: android_x64
resource: android-33-x64-arm64-20240624-en
resource tags: android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
submitted: 01-08-2024 02:37
Behavioral tasks
behavioral1: sample 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk, resource android-x64-20240624-en
behavioral2: sample 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk, resource android-x64-arm64-20240624-en
behavioral3: sample 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk, resource android-33-x64-arm64-20240624-en
behavioral4: sample 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk, resource android-x86-arm-20240624-en
General
Target: 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
Size: 20.5MB
MD5: 662a29140ea32f87a19fa76996137563
SHA1: cd0a4bd3abbf0fe2773a9c7a7a589a0609582219
SHA256: 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4
SHA512: 511b9d8e95dc7fa26fbf385c4f8bbdd0120830d7a4a031ac6929807bf265e7edafaa4778cdae6e80e632b8f1cfd4e7fb194a776328082402fbd2d22b79174b0c
SSDEEP: 393216:tGtsJA35z7A79L+v291mbgafiubchZHb9T9i/zVN2I+TX3VyKpPbNiRSKcsbJo:tLJA35z7c5vLmbBffc3Hfi/zVN2Ikn08
Malware Config
Signatures

AndrMonitor
AndrMonitor is an Android stalkerware.

Checks if the Android device is rooted. (1 TTPs, 3 IoCs)
ioc | Process
/system/app/Superuser.apk | xspcmj.qiegf
/sbin/su | xspcmj.qiegf
/system/bin/su | xspcmj.qiegf

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/xspcmj.qiegf/[email protected] | 4330 | xspcmj.qiegf
/data/user/0/xspcmj.qiegf/[email protected] | 4330 | xspcmj.qiegf

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect account information stored on the device.
description | ioc | Process
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | xspcmj.qiegf

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
description | ioc | Process
Framework service call | android.os.IPowerManager.acquireWakeLock | xspcmj.qiegf

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (19 IoCs)
flow | ioc
91 | anmon.name
23 | anmon.name
34 | andmon.name
67 | anmon.name
70 | anmon.name
92 | anmon.name
18 | prog-money.com
20 | anmon.name
21 | anmon.name
71 | anmon.name
19 | anmon.name
33 | prog-money.com
69 | anmon.name
55 | anmon.name
68 | anmon.name
73 | anmon.name
17 | prog-money.com
32 | anmon.name
48 | anmon.name

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
description | ioc | Process
Framework service call | android.app.IActivityManager.setServiceForeground | xspcmj.qiegf

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)

Reads information about phone network operator. (1 TTPs)

Requests cell location (1 TTPs, 1 IoCs)
Uses Android APIs to get current cell information.
description | ioc | Process
Framework service call | com.android.internal.telephony.ITelephony.getAllCellInfo | xspcmj.qiegf

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description | ioc | Process
Framework service call | android.app.job.IJobScheduler.schedule | xspcmj.qiegf
Processes
xspcmj.qiegf (PID 4330)
- Checks if the Android device is rooted.
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests cell location
- Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Downloads
/data/user/0/xspcmj.qiegf/[email protected]
Filesize: 2.6MB
MD5: 3bca1a576ba29bd493e42938a489aa5d
SHA1: 0e5d4bc3a7daf6864fb3076e6c1e9685e254efd9
SHA256: b1da8dddf686b15b020b54c3509896b4a96b080604cd9d9cbf302e4beee473ce
SHA512: 39a80b04bc764b98d47e035fb46ad89607bf599110bb5f62dc394f50e2c329fe913fe4be70b2a7879be3e2d7650eb9322f026e4996c62a45632e4045cc71bdc0

/data/user/0/xspcmj.qiegf/[email protected]
Filesize: 1.2MB
MD5: 336921950a9f279733cd787f1203d73d
SHA1: cefc36a7c17909054cf2a507b34f545af96c0e36
SHA256: c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c
SHA512: 6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87