Analysis
- max time kernel: 168s
- max time network: 183s
- platform: android_x64
- resource: android-x64-arm64-20240624-en
- resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
- submitted: 02-08-2024 23:36
Behavioral tasks
- behavioral1
  Sample: 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
  Resource: android-x64-20240624-en
- behavioral2
  Sample: 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
  Resource: android-x64-arm64-20240624-en
- behavioral3
  Sample: 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
  Resource: android-33-x64-arm64-20240624-en
- behavioral4
  Sample: 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
  Resource: android-x86-arm-20240624-en
General
- Target: 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
- Size: 20.5MB
- MD5: 662a29140ea32f87a19fa76996137563
- SHA1: cd0a4bd3abbf0fe2773a9c7a7a589a0609582219
- SHA256: 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4
- SHA512: 511b9d8e95dc7fa26fbf385c4f8bbdd0120830d7a4a031ac6929807bf265e7edafaa4778cdae6e80e632b8f1cfd4e7fb194a776328082402fbd2d22b79174b0c
- SSDEEP: 393216:tGtsJA35z7A79L+v291mbgafiubchZHb9T9i/zVN2I+TX3VyKpPbNiRSKcsbJo:tLJA35z7c5vLmbBffc3Hfi/zVN2Ikn08
Malware Config
Signatures
- AndrMonitor
  AndrMonitor is an Android stalkerware.
- Checks if the Android device is rooted. (1 TTPs, 3 IoCs)
  ioc                        Process
  /sbin/su                   xspcmj.qiegf
  /system/bin/su             xspcmj.qiegf
  /system/app/Superuser.apk  xspcmj.qiegf
- Removes its main activity from the application launcher
  pid   Process
  4448  xspcmj.qiegf
  4448  xspcmj.qiegf
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc                                           pid   Process
  /data/user/0/xspcmj.qiegf/[email protected]  4448  xspcmj.qiegf
  /data/user/0/xspcmj.qiegf/[email protected]  4448  xspcmj.qiegf
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect account information stored on the device.
  description             ioc                                               Process
  Framework service call  android.accounts.IAccountManager.getAccountsAsUser  xspcmj.qiegf
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  description             ioc                                      Process
  Framework service call  android.os.IPowerManager.acquireWakeLock  xspcmj.qiegf
- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (14 IoCs)
  flow  ioc
  48    anmon.name
  27    anmon.name
  29    anmon.name
  34    anmon.name
  35    prog-money.com
  36    andmon.name
  25    prog-money.com
  28    anmon.name
  26    prog-money.com
  47    anmon.name
  30    anmon.name
  51    anmon.name
  52    anmon.name
  53    anmon.name
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description             ioc                                              Process
  Framework service call  android.app.IActivityManager.setServiceForeground  xspcmj.qiegf
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description             ioc                                            Process
  Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  xspcmj.qiegf
- Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)
- Reads information about phone network operator. (1 TTPs)
- Requests cell location (1 TTPs, 1 IoCs)
  Uses Android APIs to get current cell information.
  description             ioc                                                      Process
  Framework service call  com.android.internal.telephony.ITelephony.getAllCellInfo  xspcmj.qiegf
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description             ioc                                      Process
  Framework service call  android.app.job.IJobScheduler.schedule  xspcmj.qiegf
Processes
- xspcmj.qiegf (PID: 4448)
  - Checks if the Android device is rooted.
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Queries account information for other applications stored on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about the current Wi-Fi connection
  - Requests cell location
  - Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
- Defense Evasion
  - Download New Code at Runtime (1)
  - Foreground Persistence (1)
  - Hide Artifacts (1)
  - Suppress Application Icon (1)
Downloads
- /data/user/0/xspcmj.qiegf/[email protected]
  Filesize: 2.6MB
  MD5: 3bca1a576ba29bd493e42938a489aa5d
  SHA1: 0e5d4bc3a7daf6864fb3076e6c1e9685e254efd9
  SHA256: b1da8dddf686b15b020b54c3509896b4a96b080604cd9d9cbf302e4beee473ce
  SHA512: 39a80b04bc764b98d47e035fb46ad89607bf599110bb5f62dc394f50e2c329fe913fe4be70b2a7879be3e2d7650eb9322f026e4996c62a45632e4045cc71bdc0
- /data/user/0/xspcmj.qiegf/[email protected]
  Filesize: 1.2MB
  MD5: 336921950a9f279733cd787f1203d73d
  SHA1: cefc36a7c17909054cf2a507b34f545af96c0e36
  SHA256: c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c
  SHA512: 6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87
- Filesize: 124KB
  MD5: f15335a640f24813c9b345c99da7e16d
  SHA1: a0e7fdc85b3c1420bf342676be577f146f5dce49
  SHA256: 6baf6ee8c7c503ed9962ff49957fe3c0b707171d1913450d97c84856a6ae31b9
  SHA512: 5f51ec199de29b23e398d143c4f0faf58ba655a4f455ecafd5b6303c0ef428f3165f5db49daf4697f1dba3033da51113730ee5ad158a9ea9f8f6b9a10b044f19
- Filesize: 96KB
  MD5: b5646f46383810331b218b45b97c2ff8
  SHA1: 84da3456d2b58711580b8bf41d9df4ea24c90e40
  SHA256: c15b1b740e138232b5413ab72ba2f47e49970e30109ff85c95334abf1c50e578
  SHA512: 8d0388057d69fb0a4e9972b13013dec4d2e3350f7253059b6b05ffacec1feb6ab84d59c2b8d6612a390f822e80646fd855e493468b96734dc548a7c85ab04c98
- Filesize: 96KB
  MD5: 4889f8effd46e0a7ce86f563929647c9
  SHA1: 961faec88ddb38e7a52dae686d83c3496a0eb9ef
  SHA256: f29ae378d37c995c5b2225a0b09b56c3f2d9f1b65b63cd454a8966e8f6e126ea
  SHA512: 96a4657fc9e63b57480075e34d1b757689c17d31cd9e4d8c23800aac9c5accf2a860f220136695c7b2c0ffea0c55f21f99f53a1785c5acf14f05c444ce72a350
- Filesize: 96KB
  MD5: 856d55c8d56d91e74570884512d66d84
  SHA1: eed5db0b7b3b5068ab658cfb04213998e280412e
  SHA256: 94049f5480d2e82f67bbb4a114bbdd11c51d7ea9f67b0b211c060e71dadae2c0
  SHA512: de1926b277ea3e1efb02a078d30d8c12cf83c197cc93d6a959dd3d92928be0c1d1061e3f81f6581956945b492ace62051620fabd4cf253b58c40705a8b48a1ea
- Filesize: 96KB
  MD5: cf34fc0815548b357316e209f8885ee4
  SHA1: 8d98cdcf58de895f0264345d3520d2d28392a9bc
  SHA256: 836a6c9801b2b80a6a17ed8bf82f7b924dbf5bd54fdd6fbc86349d06f0681a06
  SHA512: 9a16d8436c6204fcd9c0d8530b04ce9b39c96faec3d4eac2e6a0c80cb1010b1a8ceab66586e32ebe29806a168c108a56af9cc390d1a8219fcdeabcfc42bc46f8
- Filesize: 172KB
  MD5: d070ead530fc93804137f30e5d1eebea
  SHA1: 5a04d53462687a708f41c029bc93d087b8d24ae2
  SHA256: bcd5b22e5efcaff9bcd842434473e9227e71036c5e6889b8c5bee9bb6b8a157a
  SHA512: bab4f2e2682a7e74da19fced012e0354a6c3c4d6525c80e3b5467aa75433fe0029cd3a21751d308ee851e53bd30307cd959b898e5ad8c8de58f91a750cb03db9
- Filesize: 512B
  MD5: 68480db09e03c9cffb922815858f405c
  SHA1: 831ab0dc33ed287ea29850dfb0214abfec6e8e79
  SHA256: 23bda157d5ad8cc183efd613d585d1da4c355bc13cccff3f08afbf608afbc970
  SHA512: 1ec9f21239516dd3525888f0bb14918689b60e66bf12f5728272a54d5c9d0753bfdf2f5df95e02a7cf9e34d5c31b9fc6946c94fc60b58d272c3ebdc43d7c01e8
- Filesize: 8KB
  MD5: 0e321c7abd7782f69c6e1a96b374d160
  SHA1: 0808f0c51b3a80259234f2cf24143355e09c406e
  SHA256: 3c64b1e56a7cf38c9f6a8f689f63a94711a8bb090fa2be109bb47fe50461f4bf
  SHA512: 4bb5e449d8a084cb0f8921f44449cb206983efca66330545257647d97009a119d701714212431db61483090d76a0ab95cbd162ef0b38de91680af418e06770b5
- Filesize: 4KB
  MD5: 13de7e5bd9aa7f4b7b0ab17ecf41781c
  SHA1: 4c07fdd6e5dbd09525b874d86c9e99ed1ef462fa
  SHA256: a8a97129b5549177cd718a1ea000a09f562ea3d83a40bd95ebbae0ef8eceff19
  SHA512: f2b6b0e0c8dce3b79c02e7d6acaf6fc68cc034278042bf0fc380e40b81eddd4a0caf3bf41f450bd3cbdbc21702521f1fa8fea511e0de4cbd2213282b65f21d65
- Filesize: 8KB
  MD5: 46bdd6220f882b18bc2d8a69a120dff2
  SHA1: 8e94bec651f7c81af6737c80718ef01d3f85ac8a
  SHA256: a763699142800abe086ca2061a68617dcd902c9d217634c4dd47eeffb7c333c6
  SHA512: 5bfb0ee8aaebcb8b1e2fb927134d2b1a2d6c046cfda242acaa60a00d2dd87fcd5577677ef616f92bc82fa04e09ab32398c0bf63978de4bae14b7d7f481b7bdae
- Filesize: 12KB
  MD5: 4822ec0a9440e626536fc41011dbd619
  SHA1: fa082e308a1a2006b6967700bd907c8fed06cc5e
  SHA256: b9c083f72d50161278b9744379c3dbf2cdda37f2785f92ac7167613ef7fd0f82
  SHA512: 616b933799fcb4d20be38040ec661c4084aa30bd4a2e6bc6851b73ee36d5d79bad7d5b2872ac328b7e305d21dfb3adcf0a8b96010487e83392b97963de752d78
- Filesize: 24KB
  MD5: 1ca49c96504a5dc0f139925783a54e55
  SHA1: 8e69b2a56a11e0b7eeb14605e6f2276f54d6236c
  SHA256: ed3c58e4405d6b5177e95d7fbae76f1eec8777f3d42df073f3a00dcd5b9bfa4c
  SHA512: 799951b6c4398bee939a2ae635914630623edd87cefbe6887489f956fda61e402c7aa1f50abe67521218cd64cbffa6f83590ffa581e96f999636421808f7934d
- Filesize: 2.6MB
  MD5: 8aa5d8f3622ac78fa2cc58d58c87dfaf
  SHA1: 33071f0a26c21320a749a25a5e94a694aaf346de
  SHA256: db50acab3ed87a8cf5df819c8c88e3364f966dd5279d1f3a3f8e3154ab8cc326
  SHA512: 0ca20d27a1e8511ef0d588d15fe4c6f443a706af90d414e94d4d7e021080309f574892c327054c9b072a6a8740a9ab88e774116d2d815ed839ea7f813ef35251
- Filesize: 1.2MB
  MD5: 51112e0a7f7962a8e02bc885025414ef
  SHA1: 40622959af4fe349d8881c885b9b30441de8804c
  SHA256: 2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0
  SHA512: f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402
- Filesize: 173B
  MD5: 004689680fdb5043b5eb0dd4b6afa064
  SHA1: 8081eea1f499c832425cfc82d0738721c8a5208d
  SHA256: 6974df47a3b0cbf52e0ca241c09c670ab6e419d03d6e38a9a4cff9eeabf8f0fc
  SHA512: 75a90e8682534998c1858dcbe51ee5d1876bf9bc9271ae5576b798130726ebe7ea64b44aed2be1042e81f6189afcc272a874644921e400e6146c58b3f8422de4
- Filesize: 152B
  MD5: cd24f17b8d0c62970d32a0b0c33508c7
  SHA1: ae515363ee604dd814f634ef246a720ef41c8219
  SHA256: 10165889550a16d13953da6e534666ac0e2ef3fabb95d72f691a3a8c5b79538b
  SHA512: 591abe54bd9d8c08f6fdf3967fab52167231a1c3c8e24b7185457149156338d791c34a241e8f2a307cf11e21a0865c17caf22fa59db55c469b58877c30fcc56f
- Filesize: 4KB
  MD5: 165a9f82b176db80f35dad2fb6a38540
  SHA1: ebab5090874a0d45fb928fc4c6a6f3432803a37f
  SHA256: bf5a41115f66b2dd0227e5d6ca1fad6f8828fad77c24858a06570732fa4b0fe4
  SHA512: 41a284f122d027c6f07f0d6c5edf0ca0f95e6f98aea9b0fd15e74bcc0cc79920272c281104cb1c1dee82b204be4d72b8ca32eddc812d5c7aa40e9cae7255f7f5
- Filesize: 64B
  MD5: 771474da195ef01692632d6ce9e8d9b7
  SHA1: b079c310d3572c31febe497868d8e6a52ad002b8
  SHA256: 06b7713c0a27f3794d79f576dc010a2bdeb6ae102afba6e9296c6d65f92a6b9a
  SHA512: b4472e79751e8bbb9303d1ee7dd3d20d5250e6cf7454f2af566a3f745986b1333ba72c1c4e52394ce29e4449a646d80bac5d1e95e91c59303fca82cb499def87
- Filesize: 72B
  MD5: d2b4119bedaa2cd8f83eb3a34ae36e5b
  SHA1: 08da27c2fbc52c627e78dd54c66329676214d3f5
  SHA256: a42cf63f1c47cd35145bb7ef069437baba90040305a1335be10b2369a88f465f
  SHA512: 8b4486e6d57892d2ee532a9c75dc40caa7dab8b690b96f743fe23f7089792a98df62dbc8492fd6ef885df0de01ba8b1c3c7d85029265465ebb8d2771581b4ac3
- Filesize: 183B
  MD5: 11b6f6eb3ec59c750f76e52229facdbd
  SHA1: b216ba7d79e0e984023c272bfaadf5caab3d8783
  SHA256: 674bb63eedf734341e37c9b4db353d16b0d31ad1102de4f585f755f47327efdc
  SHA512: 5892f1d7ee4e59e5694cab6c6ebad5e1c1625f912ab1937ddc7215f6c1196cd28e7a8efb6d33b5f46862e06bd559391e325cc2dc9735538380b0aa9a94d68f89
- Filesize: 129B
  MD5: af7694c4c798ec5ce6d61df05ef28413
  SHA1: bc629bf40a2b821f2e909713e496289a140a9033
  SHA256: 7db3234a3e03e4f078de95fcc849949109c8360cc3dc06e53f154d25b8e25c84
  SHA512: 2c4e61265230069d33a7addacf5b982723b7619aa140aaff71ddf36def7b823bb62a58483b7d2bbe2c9c3c027a869aa9af1ded51b206ca8f8ee87e55b43c0392
- Filesize: 26KB
  MD5: c0a9258b04fcff899522a59f966558d9
  SHA1: efac1f5050593c484e2ff7e078d5dc86578c9de0
  SHA256: 55423b6ff99eacea48d2ea75aeb792fa4cd455fd000d62e13031f9be6abd6463
  SHA512: 5f8c3e4f0fb31a545139b6b7fd00ba3941cf212e20fa9b832af4b67ebb49b88e687a0220c31438dcf7b5c9aa1e67aa0480830d55825c2c595c4d6f3d0eb9fdf0
- Filesize: 6KB
  MD5: 5a76a481843ddad7536431101b81c9ae
  SHA1: 0a237e57b0ab789690e29868a38f095dd58e8ce2
  SHA256: 2234a72ca1300595b30ec3d6ce8f52e13a6be5e05e9fb2ae7adbffce743b3060
  SHA512: a7ca81e7c0afaf4ca932eb8d1d54cce8bd87e34cf8816d3167ee87d88d29ddfd424a96b578a035ff4523e193eb7aff3666ba9d328023277061e3936b31b9e851
- Filesize: 220B
  MD5: 2e6926d815dc45d5c77783ec864293de
  SHA1: 5c46fefbcd8cd63aef88cbbb72985a2e045d66e1
  SHA256: f4328f6ff093d2900e7014ca9205137d8770ab3a617874dd2ca7b2ad70aed43c
  SHA512: c46ac0284e116e7300cb1a149b3cfff5a8f2abc7f4c5fea39ab3be75fb518121ee6eb2e0ac072b87a9c680064a1a0f099ade36d168acc22e7ce7cbaaa19ed299
- Filesize: 46KB
  MD5: fae856fb7c3d5a7b65348e97a4ab1c62
  SHA1: b0fddd0125c1a87465594d2f2f71ffaa53fc970e
  SHA256: 71a43b6a47abaa173ce499cea707bef1228c980076b860ec16112c7d71714587
  SHA512: 43eac2f07eeafd3154be50681ded07979902975be5a56f6595e99c19e3f475e84882bbbdca40d447b645bce948ee2a7e31f720803c12c24f8838034981497dbf
- Filesize: 72B
  MD5: fda9182e3ed7babfe6cdfb2fc79f91a4
  SHA1: 63c41d4facdb15262581b9096fef50492c48c801
  SHA256: d09df77525b05a62e89c70cc207651dd416cf2b9a73d0ac5b37db77e93325803
  SHA512: 8554dbe745a8b52ee7cce25f4cd6ed4a92601223b616ad8357bcce09a9907b09dab3042220d2c41649b3b70b409124c1c2c8efac855c10d8c347c662bb3f98d7
- Filesize: 64KB
  MD5: 13684d2547f64dabfe299d1c6553a05f
  SHA1: b000477d2cb51e917f2ebce3a8c53745ba7e0fd0
  SHA256: 3cf935d3101700253aa86e9d233201e587cfdd71b44491414b9d0f8f351febc0
  SHA512: e75a7c2d43b9223cbb58cf21640ed86a1df77fbeab56d9f7904748898feac40aa6a372dfdfd44c93ea8480dad2f9889684bf37b85549d4bf8e2a2c7c79172217
- Filesize: 64KB
  MD5: bbf9158f13f7c701d80dab17d537c759
  SHA1: 8da97bdcc77cef438a780dc39157232d030aba98
  SHA256: e3942757502bbbb56faac1cac637f72d7c4f54cff3853916ed3c5d123d334d65
  SHA512: d4472f1129c7d30195d657d7145a9fd776df0c6c9d89f81f6e1b6bf5e54a7b4f86df4894e5f766088f4093d30d78b790a6785b50e8691188a3da09cd92ca3959