Analysis
- max time kernel: 318s
- max time network: 337s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 01-08-2024 02:37
Behavioral tasks
- behavioral1: Sample 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk, Resource android-x64-20240624-en
- behavioral2: Sample 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk, Resource android-x64-arm64-20240624-en
- behavioral3: Sample 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk, Resource android-33-x64-arm64-20240624-en
- behavioral4: Sample 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk, Resource android-x86-arm-20240624-en
General
- Target: 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
- Size: 20.5MB
- MD5: 662a29140ea32f87a19fa76996137563
- SHA1: cd0a4bd3abbf0fe2773a9c7a7a589a0609582219
- SHA256: 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4
- SHA512: 511b9d8e95dc7fa26fbf385c4f8bbdd0120830d7a4a031ac6929807bf265e7edafaa4778cdae6e80e632b8f1cfd4e7fb194a776328082402fbd2d22b79174b0c
- SSDEEP: 393216:tGtsJA35z7A79L+v291mbgafiubchZHb9T9i/zVN2I+TX3VyKpPbNiRSKcsbJo:tLJA35z7c5vLmbBffc3Hfi/zVN2Ikn08
Malware Config
Signatures
- AndrMonitor
  AndrMonitor is an Android stalkerware.
- Checks if the Android device is rooted. 1 TTP, 2 IoCs
  ioc / Process:
    /system/app/Superuser.apk  xspcmj.qiegf
    /sbin/su  xspcmj.qiegf
  pid / Process:
    4225  xspcmj.qiegf
    4225  xspcmj.qiegf
- Loads dropped Dex/Jar 1 TTP, 2 IoCs
  Runs an executable file dropped to the device during analysis.
  ioc / pid / Process:
    Anonymous-DexFile@0xd3615000-0xd38a780c  4225  xspcmj.qiegf
    Anonymous-DexFile@0xd33bd000-0xd34e84b8  4225  xspcmj.qiegf
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) 1 TTP
- Queries account information for other applications stored on the device 1 TTP, 1 IoC
  Application may abuse the framework's APIs to collect account information stored on the device.
  description / ioc / Process:
    Framework service call  android.accounts.IAccountManager.getAccounts  xspcmj.qiegf
- Queries the phone number (MSISDN for GSM devices) 1 TTP
- Acquires the wake lock 1 IoC
  description / ioc / Process:
    Framework service call  android.os.IPowerManager.acquireWakeLock  xspcmj.qiegf
- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 3 IoCs
  flow / ioc:
    4  prog-money.com
    6  anmon.name
    14  andmon.name
- Makes use of the framework's foreground persistence service 1 TTP, 1 IoC
  Application may abuse the framework's foreground service to continue running in the foreground.
  description / ioc / Process:
    Framework service call  android.app.IActivityManager.setServiceForeground  xspcmj.qiegf
- Queries information about the current Wi-Fi connection 1 TTP, 1 IoC
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description / ioc / Process:
    Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  xspcmj.qiegf
- Queries the unique device ID (IMEI, MEID, IMSI) 1 TTP
- Reads information about the phone network operator. 1 TTP
- Requests access to notifications (often used to intercept notifications before users become aware). 1 TTP, 1 IoC
  description / ioc / Process:
    Intent action  android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS  xspcmj.qiegf
- Requests cell location 1 TTP, 1 IoC
  Uses Android APIs to get current cell information.
  description / ioc / Process:
    Framework service call  com.android.internal.telephony.ITelephony.getAllCellInfo  xspcmj.qiegf
- Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTP, 1 IoC
  description / ioc / Process:
    Intent action  android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS  xspcmj.qiegf
- Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTP, 1 IoC
  description / ioc / Process:
    Framework service call  android.app.IActivityManager.registerReceiver  xspcmj.qiegf
- Schedules tasks to execute at a specified time 1 TTP, 1 IoC
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description / ioc / Process:
    Framework service call  android.app.job.IJobScheduler.schedule  xspcmj.qiegf
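The domain and hash indicators in the signatures above are only useful once they are matched against telemetry. The script below is an added example and is not part of the sandbox report: it takes the three stalkerware-associated domains (flows 4, 6 and 14) and the submitted APK's SHA256 from this page and scans DNS query logs and a file-hash inventory for them. The log line layout (timestamp, client IP, query type, name), the sample log lines and the file inventory are constructed for the example. Domain matching requires a label boundary so that a lookalike such as notanmon.name does not match anmon.name, and the trailing dot and letter case that resolvers emit are normalized before comparison.

```python
"""Added example, not part of the sandbox report: match the report's domain
and SHA256 indicators against constructed DNS log lines and a file inventory.
The log format below (timestamp, client IP, query type, name) is an assumption
made for this example."""
import re
from typing import Dict, Iterable, List, Optional

# From "Domain associated with commercial stalkerware software" (flows 4, 6, 14).
DOMAIN_IOCS = frozenset({"prog-money.com", "anmon.name", "andmon.name"})
# SHA256 of the submitted APK (General section).
SHA256_IOCS = frozenset({
    "960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4",
})

# Assumed log layout: "<timestamp> <client-ipv4> <qtype> <qname>"
DNS_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$"
)


def normalize_domain(name: str) -> str:
    """Lower-case and strip the trailing dot that resolvers log for FQDNs."""
    return name.strip().rstrip(".").lower()


def matching_domain_ioc(qname: str, iocs=DOMAIN_IOCS) -> Optional[str]:
    """Return the IoC that qname equals or is a subdomain of, else None.
    The '.' prefix enforces a label boundary: notanmon.name must not match
    anmon.name, while api.anmon.name must."""
    q = normalize_domain(qname)
    for ioc in iocs:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per query line whose name hits a domain IoC."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line.strip())
        if not m:
            continue  # comments, daemon messages, malformed lines
        ioc = matching_domain_ioc(m["qname"])
        if ioc:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "qname": normalize_domain(m["qname"]), "ioc": ioc})
    return hits


def scan_file_hashes(inventory: Dict[str, str]) -> List[str]:
    """Paths whose SHA256 (any letter case) is in the IoC set."""
    return sorted(p for p, h in inventory.items()
                  if h.strip().lower() in SHA256_IOCS)


# Constructed sample telemetry, not real data.
SAMPLE_DNS_LOG = [
    "2024-08-01T02:40:11Z 10.0.0.23 A api.anmon.name.",
    "2024-08-01T02:40:12Z 10.0.0.23 A connectivitycheck.gstatic.com.",
    "2024-08-01T02:40:15Z 10.0.0.23 A PROG-MONEY.COM",
    "2024-08-01T02:41:02Z 10.0.0.41 A notanmon.name.",
    "2024-08-01T02:41:09Z 10.0.0.23 AAAA andmon.name",
    "# resolver restarted",
]
SAMPLE_INVENTORY = {  # constructed: path -> sha256 (upper-case on purpose)
    "/sdcard/Download/update.apk":
        "960B8E06D0DB96F0BFCD044167A1AF9B7397C73A13F222CDCCE13F4824A8FFD4",
    "/sdcard/Download/notes.txt":
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("DNS hit:", hit)
    for path in scan_file_hashes(SAMPLE_INVENTORY):
        print("file hit:", path)
```

Run against the constructed input, the matcher reports three DNS hits (the subdomain of anmon.name, the upper-cased prog-money.com query and the AAAA lookup of andmon.name), ignores notanmon.name, and flags the one inventory entry whose SHA256 equals the submitted APK's.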
Processes
- xspcmj.qiegf (PID 4225)
  - Checks if the Android device is rooted.
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Queries account information for other applications stored on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about the current Wi-Fi connection
  - Requests access to notifications (often used to intercept notifications before users become aware).
  - Requests cell location
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - su (PID 4298), spawned by xspcmj.qiegf
Network
MITRE ATT&CK Mobile v15
- Persistence
  - Event Triggered Execution (1)
    - Broadcast Receivers (1)
  - Foreground Persistence (1)
  - Scheduled Task/Job (1)
- Defense Evasion
  - Download New Code at Runtime (1)
  - Foreground Persistence (1)
  - Hide Artifacts (2)
    - Suppress Application Icon (1)
    - User Evasion (1)
Downloads
- Filesize: 124KB
  MD5: 4c0ccabb25100a908b9db06434a6af8b
  SHA1: 555d9ecfa42e17aec483e1c05be0fc1362db9e66
  SHA256: 79aee6f8af24ae6adc8537de3a061bde3778d3d9634265b85b3e8727d4116304
  SHA512: b9a4a1227fa927f0ef987a720c5bf16af71f3fba8c1a40d5387ad0d4ba193a1b7b23634b0850af7c25b55c8b2e984e7c84ab8fb3e55c83b3bc2ff859f4dcc5bb
- Filesize: 96KB
  MD5: 6509e2aade100e83e6b2008ea402185f
  SHA1: 4369caad54672ed707251b3e415ca52d6aa20b79
  SHA256: 848ed3ea1bbe862da41b6587deb98e628e461d11b522a43a0470854cf780959a
  SHA512: 0cb5929ff4a33742b22f536723c3b7864b763ede0afa9cb4b1c7c7dc230b45c5807a3c9d45cf89db4100bb8c8a0fa82875cffebb15441f76425ba5340bbbb44e
- Filesize: 96KB
  MD5: 24e56d4efb4b50fafd96e40083273573
  SHA1: 756f4abb147bfbde5b6a12bdc12e3ab9672529e5
  SHA256: be924664bc8adda92dc1f3fe127ff87e1c02491b2372b0b1cd8e260d13b53785
  SHA512: 839775ac4c58c66b3f2a408dc2e43c0beaff58cb2981a5276ff3b1eeac61937048763d90a33d2c743afa2245e1d5d82fe906ac43a8204850122206afb2e4f422
- Filesize: 52KB
  MD5: b6815b344f6926d458cea05acd052cdd
  SHA1: 88f524aff1d4c5fee979a203dd952427871a7097
  SHA256: 028666f28ae0086b18fb740f792e8a80ad05547f0c7cb9d2dc8080e5125db366
  SHA512: 0431375f80e9c467d0abb042e43681a973bce455fe8354f5a138f19a3b28d3adc7eac3fe4c20bf44f085810749569b87a393185cd8f8bf2687f0923b8de4dade
- Filesize: 96KB
  MD5: 9bfb3a1797f12e47d4514e89cedfaba6
  SHA1: 113ca0bf1c0d00e1a87b716dd2207f719307114b
  SHA256: aa435e8604ed4edf9ab4c9ee81e0dd0cdc8cba7cd8ab4022134b09ad2a0b887f
  SHA512: 0764e3e9c35cfca01deff8d41a139146ce80719c2e39848c597677cbde5110bdeea5a5dd687852a1e2e8522439cc70374265db7c440e4d52b1f310c59adf0163
- Filesize: 144KB
  MD5: 8efa4750e19c202d88ca7c996f9f259f
  SHA1: f4d455ac7575ace3cedbc927ab8a5e69a5c8c2bd
  SHA256: 48d5b6b32950c99b2d248ac174d4aee9565ff41fb8c8d23829723283294ee232
  SHA512: d07eef4f9a2374d5402d92856eeb7ab93f10fc5087186b20f351e6bff16849cf249c33a158a8a5635f3ef745233098eaec1014e30268c22b55fc1a0b839930e2
- Filesize: 512B
  MD5: 4b50874fb27f31bcbd9707aadc572af8
  SHA1: 0a6f1edd1078c6bfb9487ae19aed2b7c155c6f7d
  SHA256: e41b296022788ffb90636d5e6b23e93fd81c817678140fbef77e24ef784bc33c
  SHA512: 8b7cc68e04fafb960050e742fce28c09a6d98f87bd562a43a4bfdd4ddfa3d12cfa6ff0f4867fd650dcbeb8b36e211d74803c5e6c8a02397f5bb73d6dd394c0d0
- Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
- Filesize: 414KB
  MD5: 0f02be1d2b394a2981aa2056691314aa
  SHA1: b85b6bb41ef136c69623c885e16bcc696559f004
  SHA256: b7be89f70645db4ce4c25995c1e3f662626c7a798e007c2dbf44095d2f9e48eb
  SHA512: 26e7139ccb184abf13e73f710c55571f186e67c7bf93aa0947aeac22e69114c96f007e0c9182f366e98857ff0763d86b42ecc0da0d4ef1e94d8db81bc5dff9ba
- Filesize: 8KB
  MD5: a8653a8ca873e48b4d476254f46fa2fe
  SHA1: 22ec7b7a2bc81996ee2a58f2032c98c617cff969
  SHA256: 3b4fa058ad13f8dbf5abe052c621ebbfb7ae3ecfd73894abd7ea137f98a443af
  SHA512: 3ee5a7c4d2ec8220dc38118bf3bedbd7ffacb4015bc4e0f3f5a84d048973ac502120d54ef2f0d62d1f5543872928b64a76d7be3c8565f82b673ffa34f3a61483
- Filesize: 8KB
  MD5: 1bf6f579040e3d4047b464382d17aebd
  SHA1: ac21c63e297055d929b6e200c4e2a544858b1dfe
  SHA256: 596ad1cacd028e1523996d6890eea2882afdbce4fa799b6b2f2d459d4e461ac3
  SHA512: 299b58c1bd8a2dc55e6702186c139044599817e3bd2a6eafd8e96818c955a177ad145c9649ba9433aaf31c7efabe729f49ce509f75233e599bfeb69d513b015a
- Filesize: 4KB
  MD5: 961bdff4ba741788c3ad9a46ea67d8e2
  SHA1: bf3682784e98c987835cf1f3d100ffcbd0a1db29
  SHA256: 5f5497e8f999c83d29a9171632f841679b34f6a93dad774686fa62efbaa8cd67
  SHA512: 35f36f0b17c9d609bcb800d93f5edde7405213082e604e4f5fac62991c4be51c0124d8ad88fadcb5a7e96204c667c270bd49bec00e4522899980e739fe4fcbae
- Filesize: 8KB
  MD5: 5b249929e420afda9db88d7796e9af08
  SHA1: 203d83f44fb915954bda6332c3301afb769ee6d5
  SHA256: cbaf3294d8f1894db12ad81be9316068351e99bd4e142912f0293dc19c337d60
  SHA512: f65de070b6e4bbbc9a2ac95ab5b5d999648fd5cda789333652eec0d1eae459761c24235e12ba1c118787079dbc1e3aa89df9a03dc17d1995c62736825ed2a1b3
- Filesize: 418KB
  MD5: ee6d6c80601496481f83910fd28d77e1
  SHA1: 85aece61cc269eeb34e88ef05ffd2787dde01a7d
  SHA256: f35876f206838474068d424eb486bdb660e774ad1f311dd385c2fe1fedac7f98
  SHA512: 3c5b2e30b320df5a38d6b4a64150c59d6abb01a4839a9830431bcb57db2b9dd908c075cea34e7ea94ce5610a30efa44ca5ff308122fc87dc99e0599833b3e4e7
- Filesize: 2.6MB
  MD5: 8aa5d8f3622ac78fa2cc58d58c87dfaf
  SHA1: 33071f0a26c21320a749a25a5e94a694aaf346de
  SHA256: db50acab3ed87a8cf5df819c8c88e3364f966dd5279d1f3a3f8e3154ab8cc326
  SHA512: 0ca20d27a1e8511ef0d588d15fe4c6f443a706af90d414e94d4d7e021080309f574892c327054c9b072a6a8740a9ab88e774116d2d815ed839ea7f813ef35251
- Filesize: 1.2MB
  MD5: 51112e0a7f7962a8e02bc885025414ef
  SHA1: 40622959af4fe349d8881c885b9b30441de8804c
  SHA256: 2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0
  SHA512: f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402
- Filesize: 173B
  MD5: b2eec49406cccd1b8c1295026994fe97
  SHA1: 250a8f9fcbceadc175e595dab7219d784af0318f
  SHA256: 87d00274176baa14c818c436f9823f038f42b2ee3150fcf11213dbe7c18d396d
  SHA512: 159fb577896ece40eb6a8069c19216cb23135f45ea3fe9df67545d94f3d6759c866877da9e993b8a9c58d758cf2a4214b12ed22d5032bce0217958ce27f1ea9a
- Filesize: 152B
  MD5: 971f31636ca666f8ede544d9ca13309b
  SHA1: 2ba7537dce6e94176e9a5d5051195e242ec2061c
  SHA256: 929f48658bfe3814045e0efe5d4fa41ef62fa1ebdb55ebc8b46058e76205adaf
  SHA512: 9194cc7ce3c995835e2cea050d21abb928d6796930e79f5726610a88c1ee64f937cbcc893caac6441958b77174b9dd35367ef7ef204c599f2b227f3df7ae5b98
- Filesize: 3KB
  MD5: 3a7dce688f361742f797d5a3c69e374f
  SHA1: 0348d80a1c84e3b2cbe2d876bf3c0e2bbb4f43ed
  SHA256: b8b7c2df7785bbe9cea2736a43bfb3afecd998b3192edfb17d9fc6b9fe129e9c
  SHA512: 4c55d0b4cfefcef6c31cebc91e6aaea01914ed4566d67e6d8f8174762ed181c486c10a82165fb3e6fc060a79782e4983979c00adb2900af55cad61d798a21886
- Filesize: 64B
  MD5: f334aee756448aa54dfcbfc6040a19f0
  SHA1: 58ce461216ff4edcad34dbad5a196511144614d8
  SHA256: 89d9eace3904871e8bdaf1135eb1257268fffc53fdea0bd8291c2c1bfcab69e4
  SHA512: 910df6027c8843ef202067514cb4a82b14e8b546065d39904f5f1870124ef4b3b68b893c0cee3117694d57ce0adad08c9f04ef0fef7b19b54e015f39e9e1e4cf
- Filesize: 72B
  MD5: 93cc177c808d4e2f458265f649b2b1cc
  SHA1: a04b213679f1b87dd76df4fbef63b8c854034beb
  SHA256: cf8f06a22db9f67988e29a51c00ce41912c184e91cba1601ace53f55d9457614
  SHA512: 4d7d5778ccd3d47a38b80ddc63a35e001e86f83a40d7b4ca689aea5fae25d35a6adecea6c921c773c5bfc365806a62209a9efd97e707b359b2348a5306e9e436
- Filesize: 153B
  MD5: 9c908084eec1071188536e151cfd110b
  SHA1: 788d38e79c84a3a2032340dc164072e8a3266f94
  SHA256: ebecf65b309af4d61f8a76896adf6ad33ea1f905cd9515363891756261e00c40
  SHA512: e3ddebdb8e71363fe11318c60880f6cea637466389c1a77b3cf18a68791ad5c3b3269a3f6a7dce3b04879b4b1f00a58e88805be7ff03c06a9e6fb1a91fa094e4
- Filesize: 129B
  MD5: 36cd8d31d928e922a427d2bd3b7d8130
  SHA1: 888fb875a9dbe062bbba37a161d858c0b27471b4
  SHA256: d020f6c223314bd41e776a95e3666a8c2df4f626c39d5682686601601a0f2734
  SHA512: a3eeee0e7d34ccafaca9cbf1b75394fb44bddb52ce2fe716f6a825e7a13420d359407486952adc7b466b53d6c903530a5a3f780a17fbecd565c6ea522a48638f
- Filesize: 24KB
  MD5: 0b8a7f3390e8203138d46f82eecf4585
  SHA1: 632d5871257586689c109b63be0a64db4046e56d
  SHA256: a184c05fae633b93c70164290c8d599a00e8d5381f837e016f3e57058797bf53
  SHA512: e1e675195a3a2dc56879a0c11ff95c51a32836ec634ae12d8ea24a016056ed82c8c0eb75fd04d735af1f5f2f647e73086bbf6c790533fec1d4b5672b8d307756
- Filesize: 6KB
  MD5: f94ade4038c09731a2d6e5f18eac0e00
  SHA1: 78717c773c21f33d596113d15880da7e456245a8
  SHA256: ec2f05c3bdc53b87d11c44de87f18e616eaf0686f068ceacd74a2bc3967d5458
  SHA512: 5629f648a30de3d36bcdc25415da4d06bb5fa8d0da0c4736c0eb535fe4556f0772efd1855602fe88ba96c8bde80c13bbe4a9d8dc1d4ccf3c64bc9b374e7770a4
- Filesize: 220B
  MD5: 48ee2c6a958052e40503cb42b31fea27
  SHA1: 38c8316ad92f76c6548f8347b4672806c0787222
  SHA256: b758d9c286d4c2941d4e4ea2e28821a64c5f2914a8b4e2bf7517a628964b1f40
  SHA512: d6e7465e7ba51dc3eb5d2de243c9a8e59710ede859bf70d6ce856c1c442b2f9f6f05dc0b06d87fe2f3730f2b9f95c9fb50c42ce3adb188fe91bfd61cad526edc
- Filesize: 54KB
  MD5: 0cbdd0c249cb43e0a8edea559fe79414
  SHA1: 9ec30805a5e1bd8675294b3dc6759bc1ffc1dd5f
  SHA256: c3458d9827e89f9bb124379827baf1be8a374e8fb80e3107dedd569d814c6fc3
  SHA512: aaf8c20325d0a2d8f451161215fa01ce40b550cc74bbed12294e90b52f9d71fa1ae10c3455b33a9d4c54a2b8514cc5ddd5ea1b4660be5b88a94bce349228e3b1
- Filesize: 72B
  MD5: fda9182e3ed7babfe6cdfb2fc79f91a4
  SHA1: 63c41d4facdb15262581b9096fef50492c48c801
  SHA256: d09df77525b05a62e89c70cc207651dd416cf2b9a73d0ac5b37db77e93325803
  SHA512: 8554dbe745a8b52ee7cce25f4cd6ed4a92601223b616ad8357bcce09a9907b09dab3042220d2c41649b3b70b409124c1c2c8efac855c10d8c347c662bb3f98d7
- Filesize: 64KB
  MD5: 13684d2547f64dabfe299d1c6553a05f
  SHA1: b000477d2cb51e917f2ebce3a8c53745ba7e0fd0
  SHA256: 3cf935d3101700253aa86e9d233201e587cfdd71b44491414b9d0f8f351febc0
  SHA512: e75a7c2d43b9223cbb58cf21640ed86a1df77fbeab56d9f7904748898feac40aa6a372dfdfd44c93ea8480dad2f9889684bf37b85549d4bf8e2a2c7c79172217
- Filesize: 1.2MB
  MD5: 336921950a9f279733cd787f1203d73d
  SHA1: cefc36a7c17909054cf2a507b34f545af96c0e36
  SHA256: c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c
  SHA512: 6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87
- Filesize: 2.6MB
  MD5: 3bca1a576ba29bd493e42938a489aa5d
  SHA1: 0e5d4bc3a7daf6864fb3076e6c1e9685e254efd9
  SHA256: b1da8dddf686b15b020b54c3509896b4a96b080604cd9d9cbf302e4beee473ce
  SHA512: 39a80b04bc764b98d47e035fb46ad89607bf599110bb5f62dc394f50e2c329fe913fe4be70b2a7879be3e2d7650eb9322f026e4996c62a45632e4045cc71bdc0
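The two Anonymous-DexFile IoCs under "Loads dropped Dex/Jar" carry address ranges, and the Downloads list carries rounded file sizes; relating the two tells an analyst which dropped files to pull for static analysis first. The script below is an added example and is not part of the sandbox report. It assumes, which the report does not state, that in Anonymous-DexFile@0xSTART-0xEND the two values bound the in-memory dex mapping so that END minus START is the size of the loaded dex, and that the displayed sizes are rounded in either 1000-byte or 1024-byte units, so both interpretations are accepted. A size match is a lead, not proof: two distinct dropped files share each candidate size on this page, so hashes still have to be compared.

```python
"""Added example, not part of the sandbox report: relate the Anonymous-DexFile
regions from the "Loads dropped Dex/Jar" signature to the rounded file sizes
in the Downloads section.

Assumptions (not stated by the report):
  * "Anonymous-DexFile@0xSTART-0xEND" bounds the in-memory dex mapping, so
    END - START is the loaded dex size.
  * Displayed sizes such as "2.6MB" are rounded, in either 1000- or 1024-byte
    units; both are accepted.
"""
import re
from typing import Dict, List, Tuple

DEX_IOC_RE = re.compile(r"Anonymous-DexFile@0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)")
SIZE_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)\s*$")

# IoC strings copied from the signature section of the report.
DEX_IOCS = [
    "Anonymous-DexFile@0xd3615000-0xd38a780c",
    "Anonymous-DexFile@0xd33bd000-0xd34e84b8",
]
# Distinct file sizes from the Downloads section of the report.
DOWNLOAD_SIZES = ["124KB", "96KB", "52KB", "144KB", "512B", "32KB", "414KB",
                  "8KB", "4KB", "418KB", "2.6MB", "1.2MB", "173B", "152B",
                  "3KB", "64B", "72B", "153B", "129B", "24KB", "6KB", "220B",
                  "54KB", "64KB"]


def dex_region_size(ioc: str) -> int:
    """Size in bytes of the mapping named by an Anonymous-DexFile IoC."""
    m = DEX_IOC_RE.search(ioc)
    if not m:
        raise ValueError(f"not an Anonymous-DexFile IoC: {ioc!r}")
    start, end = int(m.group(1), 16), int(m.group(2), 16)
    if end <= start:
        raise ValueError(f"bad address range in {ioc!r}")
    return end - start


def size_bounds(text: str, bases: Tuple[int, ...] = (1000, 1024)) -> Tuple[float, float]:
    """Half-open byte range [low, high) that a rounded display size such as
    '2.6MB' can stand for, as the union over the candidate unit bases.
    '2.6' means the true value rounds to 2.6, i.e. lies in [2.55, 2.65) units."""
    m = SIZE_RE.match(text)
    if not m:
        raise ValueError(f"unparseable size: {text!r}")
    num, unit = m.group(1), m.group(2)
    exponent = {"B": 0, "KB": 1, "MB": 2, "GB": 3}[unit]
    decimals = len(num.split(".")[1]) if "." in num else 0
    low, high = float("inf"), float("-inf")
    for base in bases:
        mult = base ** exponent
        value = float(num) * mult
        half_step = 0.5 * 10 ** (-decimals) * mult
        low, high = min(low, value - half_step), max(high, value + half_step)
    return low, high


def match_regions_to_downloads(dex_iocs: List[str],
                               download_sizes: List[str]) -> Dict[str, Tuple[int, List[str]]]:
    """Map each dex IoC to (region size, display sizes it is consistent with)."""
    bounds = {s: size_bounds(s) for s in download_sizes}
    result = {}
    for ioc in dex_iocs:
        size = dex_region_size(ioc)
        candidates = [s for s in download_sizes if bounds[s][0] <= size < bounds[s][1]]
        result[ioc] = (size, candidates)
    return result


if __name__ == "__main__":
    for ioc, (size, cands) in match_regions_to_downloads(DEX_IOCS, DOWNLOAD_SIZES).items():
        print(f"{ioc}: {size} bytes -> consistent dropped-file sizes: {cands or 'none'}")
```

On this report the first region is 2,697,228 bytes and is consistent only with the "2.6MB" entries, the second is 1,225,912 bytes and is consistent only with the "1.2MB" entries; each of those sizes appears twice in Downloads with different hashes, so the next step is to check which of the pair is a dex or jar and whether the two are the same payload delivered twice.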