Analysis
Max time kernel: 167s
Max time network: 178s
Platform: android_x86
Resource: android-x86-arm-20240624-en
Resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
Submitted: 01-08-2024 02:15
Behavioral task: behavioral1
Sample: am.apk
Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
Sample: am.apk
Resource: android-x64-arm64-20240624-en
General
Target: am.apk
Size: 20.5MB
MD5: 662a29140ea32f87a19fa76996137563
SHA1: cd0a4bd3abbf0fe2773a9c7a7a589a0609582219
SHA256: 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4
SHA512: 511b9d8e95dc7fa26fbf385c4f8bbdd0120830d7a4a031ac6929807bf265e7edafaa4778cdae6e80e632b8f1cfd4e7fb194a776328082402fbd2d22b79174b0c
SSDEEP: 393216:tGtsJA35z7A79L+v291mbgafiubchZHb9T9i/zVN2I+TX3VyKpPbNiRSKcsbJo:tLJA35z7c5vLmbBffc3Hfi/zVN2Ikn08
Malware Config
Signatures

AndrMonitor
AndrMonitor is an Android stalkerware.

Checks if the Android device is rooted. (1 TTPs, 2 IoCs)
ioc | Process
/system/app/Superuser.apk | xspcmj.qiegf
/sbin/su | xspcmj.qiegf
pid | Process
4253 | xspcmj.qiegf
4253 | xspcmj.qiegf

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
ioc | pid | Process
Anonymous-DexFile@0xcf31b000-0xcf5ad80c | 4253 | xspcmj.qiegf
Anonymous-DexFile@0xcf6f3000-0xcf81e4b8 | 4253 | xspcmj.qiegf

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect account information stored on the device.
description | ioc | Process
Framework service call | android.accounts.IAccountManager.getAccounts | xspcmj.qiegf

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
description | ioc | Process
Framework service call | android.os.IPowerManager.acquireWakeLock | xspcmj.qiegf

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (3 IoCs)
flow | ioc
4 | prog-money.com
6 | anmon.name
14 | andmon.name

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
description | ioc | Process
Framework service call | android.app.IActivityManager.setServiceForeground | xspcmj.qiegf

Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description | ioc | Process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | xspcmj.qiegf

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)

Reads information about the phone network operator. (1 TTPs)
Requests cell location (1 TTPs, 1 IoCs)
Uses Android APIs to get current cell information.
description | ioc | Process
Framework service call | com.android.internal.telephony.ITelephony.getAllCellInfo | xspcmj.qiegf
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
description | ioc | Process
Framework service call | android.app.IActivityManager.registerReceiver | xspcmj.qiegf

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description | ioc | Process
Framework service call | android.app.job.IJobScheduler.schedule | xspcmj.qiegf
Processes

xspcmj.qiegf (PID: 4253)
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests cell location
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
  su (PID: 4292), child of xspcmj.qiegf
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1): Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1): Suppress Application Icon (1)
Downloads