Analysis

  • max time kernel
    318s
  • max time network
    337s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    01-08-2024 02:37

General

  • Target

    960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk

  • Size

    20.5MB

  • MD5

    662a29140ea32f87a19fa76996137563

  • SHA1

    cd0a4bd3abbf0fe2773a9c7a7a589a0609582219

  • SHA256

    960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4

  • SHA512

    511b9d8e95dc7fa26fbf385c4f8bbdd0120830d7a4a031ac6929807bf265e7edafaa4778cdae6e80e632b8f1cfd4e7fb194a776328082402fbd2d22b79174b0c

  • SSDEEP

    393216:tGtsJA35z7A79L+v291mbgafiubchZHb9T9i/zVN2I+TX3VyKpPbNiRSKcsbJo:tLJA35z7c5vLmbBffc3Hfi/zVN2Ikn08

Malware Config

Signatures

  • AndrMonitor

    AndrMonitor is an Android stalkerware.

  • Checks if the Android device is rooted. 1 TTPs 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 3 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests cell location 1 TTPs 1 IoCs

    Uses Android APIs to get current cell information.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • xspcmj.qiegf (PID 4225)
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests cell location
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • su (PID 4298), child process of xspcmj.qiegf

    Network

    MITRE ATT&CK Mobile v15

    Downloads

    Files written to the device during analysis, listed as path and size (the report's per-file MD5/SHA1/SHA256/SHA512 values are omitted here; a path that appears more than once was captured more than once during the run):

    • /data/data/xspcmj.qiegf/databases/SettingsDB (124KB)
    • /data/data/xspcmj.qiegf/databases/SettingsDB (96KB)
    • /data/data/xspcmj.qiegf/databases/SettingsDB (96KB)
    • /data/data/xspcmj.qiegf/databases/SettingsDB (52KB)
    • /data/data/xspcmj.qiegf/databases/SettingsDB (96KB)
    • /data/data/xspcmj.qiegf/databases/SettingsDB (144KB)
    • /data/data/xspcmj.qiegf/databases/SettingsDB-journal (512B)
    • /data/data/xspcmj.qiegf/databases/SettingsDB-shm (32KB)
    • /data/data/xspcmj.qiegf/databases/SettingsDB-wal (414KB)
    • /data/data/xspcmj.qiegf/databases/SettingsDB-wal (8KB)
    • /data/data/xspcmj.qiegf/databases/SettingsDB-wal (8KB)
    • /data/data/xspcmj.qiegf/databases/SettingsDB-wal (4KB)
    • /data/data/xspcmj.qiegf/databases/SettingsDB-wal (8KB)
    • /data/data/xspcmj.qiegf/databases/SettingsDB-wal (418KB)
    • /storage/emulated/0/.am/dm/md/main.md (2.6MB)
    • /storage/emulated/0/.am/dm/md/main_tools.md (1.2MB)
    • /storage/emulated/0/.am/log.txt (173B)
    • /storage/emulated/0/.am/log.txt (152B)
    • /storage/emulated/0/.am/log.txt (3KB)
    • /storage/emulated/0/.am/log.txt (64B)
    • /storage/emulated/0/.am/log.txt (72B)
    • /storage/emulated/0/.am/log.txt (153B)
    • /storage/emulated/0/.am/log.txt (129B)
    • /storage/emulated/0/.am/log_.txt (24KB)
    • /storage/emulated/0/.am/log_.txt.zip (6KB)
    • /storage/emulated/0/.am/log_1722479876562.txt.zip (220B)
    • /storage/emulated/0/.am/mch.apk (54KB)
    • /storage/emulated/0/.am/prog_class.name (72B)
    • /storage/emulated/0/Android/data/xspcmj.qiegf/files/Download/mch.apk (deleted) (64KB)
    • Anonymous-DexFile@0xd33bd000-0xd34e84b8 (1.2MB)
    • Anonymous-DexFile@0xd3615000-0xd38a780c (2.6MB)