Analysis
max time kernel: 25s
max time network: 182s
platform: android_x64
resource: android-x64-20240624-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
submitted: 02-08-2024 23:36
Behavioral task behavioral1
Sample: 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
Resource: android-x64-20240624-en
Behavioral task behavioral2
Sample: 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
Resource: android-x64-arm64-20240624-en
Behavioral task behavioral3
Sample: 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
Resource: android-33-x64-arm64-20240624-en
Behavioral task behavioral4
Sample: 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
Resource: android-x86-arm-20240624-en
General
Target: 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
Size: 20.5MB
MD5: 662a29140ea32f87a19fa76996137563
SHA1: cd0a4bd3abbf0fe2773a9c7a7a589a0609582219
SHA256: 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4
SHA512: 511b9d8e95dc7fa26fbf385c4f8bbdd0120830d7a4a031ac6929807bf265e7edafaa4778cdae6e80e632b8f1cfd4e7fb194a776328082402fbd2d22b79174b0c
SSDEEP: 393216:tGtsJA35z7A79L+v291mbgafiubchZHb9T9i/zVN2I+TX3VyKpPbNiRSKcsbJo:tLJA35z7c5vLmbBffc3Hfi/zVN2Ikn08
Malware Config
Signatures
- AndrMonitor
  AndrMonitor is an Android stalkerware.
- Checks if the Android device is rooted. 1 TTPs 2 IoCs
  ioc / Process: /system/app/Superuser.apk (xspcmj.qiegf); /sbin/su (xspcmj.qiegf)
  pid / Process: 5064 (xspcmj.qiegf); 5064 (xspcmj.qiegf)
- Loads dropped Dex/Jar 1 TTPs 2 IoCs
  Runs an executable file dropped to the device during analysis.
  ioc / pid / Process: /data/user/0/xspcmj.qiegf/[email protected] (5064, xspcmj.qiegf); /data/user/0/xspcmj.qiegf/[email protected] (5064, xspcmj.qiegf)
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) 1 TTPs
- Queries account information for other applications stored on the device 1 TTPs 1 IoCs
  Application may abuse the framework's APIs to collect account information stored on the device.
  Framework service call: android.accounts.IAccountManager.getAccounts (xspcmj.qiegf)
- Queries the phone number (MSISDN for GSM devices) 1 TTPs
- Acquires the wake lock 1 IoCs
  Framework service call: android.os.IPowerManager.acquireWakeLock (xspcmj.qiegf)
- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 18 IoCs
  anmon.name: flows 8, 12, 13, 14, 61, 62, 63, 121, 122, 123, 148
  prog-money.com: flows 6, 7, 60, 117, 120
  andmon.name: flows 15, 136
- Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
  Application may abuse the framework's foreground service to continue running in the foreground.
  Framework service call: android.app.IActivityManager.setServiceForeground (xspcmj.qiegf)
- Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Framework service call: android.net.wifi.IWifiManager.getConnectionInfo (xspcmj.qiegf)
- Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
- Reads information about the phone network operator. 1 TTPs
- Requests cell location 1 TTPs 1 IoCs
  Uses Android APIs to get current cell information.
  Framework service call: com.android.internal.telephony.ITelephony.getAllCellInfo (xspcmj.qiegf)
- Requests dangerous framework permissions 3 IoCs
  android.permission.READ_EXTERNAL_STORAGE: allows an application to read from external storage.
  android.permission.WRITE_EXTERNAL_STORAGE: allows an application to write to external storage.
  android.permission.SYSTEM_ALERT_WINDOW: allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
- Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  Framework service call: android.app.IActivityManager.registerReceiver (xspcmj.qiegf)
- Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Framework service call: android.app.job.IJobScheduler.schedule (xspcmj.qiegf)
Processes
- xspcmj.qiegf (PID: 5064)
  - Checks if the Android device is rooted.
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Queries account information for other applications stored on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about the current Wi-Fi connection
  - Requests cell location
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution 1
- Broadcast Receivers 1
- Foreground Persistence 1
- Scheduled Task/Job 1
Defense Evasion
- Download New Code at Runtime 1
- Foreground Persistence 1
- Hide Artifacts 1
- Suppress Application Icon 1
Downloads