Analysis

  • max time kernel
    323s
  • max time network
    339s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags
    android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
  • submitted
    01-08-2024 02:37

General

  • Target

    960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk

  • Size

    20.5MB

  • MD5

    662a29140ea32f87a19fa76996137563

  • SHA1

    cd0a4bd3abbf0fe2773a9c7a7a589a0609582219

  • SHA256

    960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4

  • SHA512

    511b9d8e95dc7fa26fbf385c4f8bbdd0120830d7a4a031ac6929807bf265e7edafaa4778cdae6e80e632b8f1cfd4e7fb194a776328082402fbd2d22b79174b0c

  • SSDEEP

    393216:tGtsJA35z7A79L+v291mbgafiubchZHb9T9i/zVN2I+TX3VyKpPbNiRSKcsbJo:tLJA35z7c5vLmbBffc3Hfi/zVN2Ikn08

Signatures

  • AndrMonitor

    AndrMonitor is an Android stalkerware.

  • Checks if the Android device is rooted. (1 TTP, 3 IoCs)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries account information for other applications stored on the device (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (19 IoCs)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
  • Reads information about the phone network operator. (1 TTP)
  • Requests cell location (1 TTP, 1 IoC)

    Uses Android APIs to get current cell information.

  • Schedules tasks to execute at a specified time (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • xspcmj.qiegf (PID 4330)
    • Checks if the Android device is rooted.
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Requests cell location
    • Schedules tasks to execute at a specified time


Downloads

  • /data/user/0/xspcmj.qiegf/[email protected]

    Filesize

    2.6MB

  • /data/user/0/xspcmj.qiegf/[email protected]

    Filesize

    1.2MB

  • /data/user/0/xspcmj.qiegf/databases/SettingsDB

    Filesize

    124KB

  • /data/user/0/xspcmj.qiegf/databases/SettingsDB

    Filesize

    96KB

  • /data/user/0/xspcmj.qiegf/databases/SettingsDB

    Filesize

    96KB

  • /data/user/0/xspcmj.qiegf/databases/SettingsDB

    Filesize

    96KB

  • /data/user/0/xspcmj.qiegf/databases/SettingsDB

    Filesize

    96KB

  • /data/user/0/xspcmj.qiegf/databases/SettingsDB

    Filesize

    172KB

  • /data/user/0/xspcmj.qiegf/databases/SettingsDB-journal

    Filesize

    512B

  • /data/user/0/xspcmj.qiegf/databases/SettingsDB-journal

    Filesize

    8KB

  • /data/user/0/xspcmj.qiegf/databases/SettingsDB-journal

    Filesize

    4KB

  • /data/user/0/xspcmj.qiegf/databases/SettingsDB-journal

    Filesize

    8KB

  • /data/user/0/xspcmj.qiegf/databases/SettingsDB-journal

    Filesize

    12KB

  • /data/user/0/xspcmj.qiegf/databases/SettingsDB-journal

    Filesize

    24KB

  • /storage/emulated/0/.am/dm/md/main.md

    Filesize

    2.6MB

  • /storage/emulated/0/.am/dm/md/main_tools.md

    Filesize

    1.2MB

  • /storage/emulated/0/.am/log.txt

    Filesize

    173B

  • /storage/emulated/0/.am/log.txt

    Filesize

    152B

  • /storage/emulated/0/.am/log.txt

    Filesize

    4KB

  • /storage/emulated/0/.am/log.txt

    Filesize

    64B

  • /storage/emulated/0/.am/log.txt

    Filesize

    72B

  • /storage/emulated/0/.am/log.txt

    Filesize

    183B

  • /storage/emulated/0/.am/log.txt

    Filesize

    129B

  • /storage/emulated/0/.am/log_.txt

    Filesize

    27KB

  • /storage/emulated/0/.am/log_.txt.zip

    Filesize

    7KB

  • /storage/emulated/0/.am/log_1722479880778.txt.zip

    Filesize

    220B

  • /storage/emulated/0/.am/mch.apk

    Filesize

    35KB

  • /storage/emulated/0/.am/prog_class.name

    Filesize

    72B

  • /storage/emulated/0/Android/data/xspcmj.qiegf/files/Download/mch.apk (deleted)

    Filesize

    64KB

  • /storage/emulated/0/Android/data/xspcmj.qiegf/files/Download/mch.apk (deleted)

    Filesize

    64KB
