Analysis
max time kernel: 51s
max time network: 61s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 02-08-2024 23:36
Behavioral tasks
behavioral1: Sample 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk, Resource android-x64-20240624-en
behavioral2: Sample 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk, Resource android-x64-arm64-20240624-en
behavioral3: Sample 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk, Resource android-33-x64-arm64-20240624-en
behavioral4: Sample 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk, Resource android-x86-arm-20240624-en
General
Target: 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
Size: 20.5MB
MD5: 662a29140ea32f87a19fa76996137563
SHA1: cd0a4bd3abbf0fe2773a9c7a7a589a0609582219
SHA256: 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4
SHA512: 511b9d8e95dc7fa26fbf385c4f8bbdd0120830d7a4a031ac6929807bf265e7edafaa4778cdae6e80e632b8f1cfd4e7fb194a776328082402fbd2d22b79174b0c
SSDEEP: 393216:tGtsJA35z7A79L+v291mbgafiubchZHb9T9i/zVN2I+TX3VyKpPbNiRSKcsbJo:tLJA35z7c5vLmbBffc3Hfi/zVN2Ikn08
Malware Config
Signatures
AndrMonitor
AndrMonitor is an Android stalkerware.
Checks if the Android device is rooted. 1 TTPs 2 IoCs
ioc                         Process
/system/app/Superuser.apk   xspcmj.qiegf
/sbin/su                    xspcmj.qiegf
pid    Process
4240   xspcmj.qiegf
4240   xspcmj.qiegf
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc                                       pid    Process
Anonymous-DexFile@0xd17ea000-0xd1a7c80c   4240   xspcmj.qiegf
Anonymous-DexFile@0xd1592000-0xd16bd4b8   4240   xspcmj.qiegf
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
description              ioc                                            Process
Framework service call   android.accounts.IAccountManager.getAccounts   xspcmj.qiegf
Queries the phone number (MSISDN for GSM devices) 1 TTPs
Acquires the wake lock 1 IoCs
description              ioc                                        Process
Framework service call   android.os.IPowerManager.acquireWakeLock   xspcmj.qiegf
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 3 IoCs
flow   ioc
4      prog-money.com
6      anmon.name
13     andmon.name
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description              ioc                                                 Process
Framework service call   android.app.IActivityManager.setServiceForeground   xspcmj.qiegf
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description              ioc                                             Process
Framework service call   android.net.wifi.IWifiManager.getConnectionInfo   xspcmj.qiegf
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
Reads information about phone network operator. 1 TTPs
Requests cell location 1 TTPs 1 IoCs
Uses Android APIs to get current cell information.
description              ioc                                                    Process
Framework service call   com.android.internal.telephony.ITelephony.getAllCellInfo   xspcmj.qiegf
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description              ioc                                              Process
Framework service call   android.app.IActivityManager.registerReceiver   xspcmj.qiegf
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description              ioc                                        Process
Framework service call   android.app.job.IJobScheduler.schedule   xspcmj.qiegf
Processes
xspcmj.qiegf (PID 4240)
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests cell location
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
  su (PID 4281), child process of xspcmj.qiegf
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution 1
Broadcast Receivers 1
Foreground Persistence 1
Scheduled Task/Job 1
Defense Evasion
Download New Code at Runtime 1
Foreground Persistence 1
Hide Artifacts 1
Suppress Application Icon 1
Downloads