Analysis
-
max time kernel
166s
-
max time network
173s
-
platform
android_x86
-
resource
android-x86-arm-20240624-en
-
resource tags
android arch:arm arch:x86 image:android-x86-arm-20240624-en locale:en-us os:android-9-x86 system
-
submitted
02-08-2024 02:07
Behavioral task
behavioral1
Sample
960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
Resource
android-33-x64-arm64-20240624-en
General
-
Target
960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
-
Size
20.5MB
-
MD5
662a29140ea32f87a19fa76996137563
-
SHA1
cd0a4bd3abbf0fe2773a9c7a7a589a0609582219
-
SHA256
960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4
-
SHA512
511b9d8e95dc7fa26fbf385c4f8bbdd0120830d7a4a031ac6929807bf265e7edafaa4778cdae6e80e632b8f1cfd4e7fb194a776328082402fbd2d22b79174b0c
-
SSDEEP
393216:tGtsJA35z7A79L+v291mbgafiubchZHb9T9i/zVN2I+TX3VyKpPbNiRSKcsbJo:tLJA35z7c5vLmbBffc3Hfi/zVN2Ikn08
Malware Config
Signatures
-
AndrMonitor
AndrMonitor is an Android stalkerware.
-
Checks if the Android device is rooted. 1 TTPs 2 IoCs
ioc                          Process
/system/app/Superuser.apk    xspcmj.qiegf
/sbin/su                     xspcmj.qiegf
pid     Process
4253    xspcmj.qiegf
4253    xspcmj.qiegf
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs an executable file dropped to the device during analysis.
ioc                                        pid     Process
Anonymous-DexFile@0xcf318000-0xcf5aa80c    4253    xspcmj.qiegf
Anonymous-DexFile@0xcf60b000-0xcf7364b8    4253    xspcmj.qiegf
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
description               ioc                                             Process
Framework service call    android.accounts.IAccountManager.getAccounts    xspcmj.qiegf
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description               ioc                                         Process
Framework service call    android.os.IPowerManager.acquireWakeLock    xspcmj.qiegf
-
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 3 IoCs
flow    ioc
4       prog-money.com
6       anmon.name
14      andmon.name
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description               ioc                                                  Process
Framework service call    android.app.IActivityManager.setServiceForeground    xspcmj.qiegf
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description               ioc                                                Process
Framework service call    android.net.wifi.IWifiManager.getConnectionInfo    xspcmj.qiegf
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests cell location 1 TTPs 1 IoCs
Uses Android APIs to get current cell information.
description               ioc                                                         Process
Framework service call    com.android.internal.telephony.ITelephony.getAllCellInfo    xspcmj.qiegf
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description               ioc                                              Process
Framework service call    android.app.IActivityManager.registerReceiver    xspcmj.qiegf
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description               ioc                                       Process
Framework service call    android.app.job.IJobScheduler.schedule    xspcmj.qiegf
Processes
-
xspcmj.qiegf (PID 4253)
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests cell location
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
  su (PID 4295), child of xspcmj.qiegf
-
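The root probe, the two in-memory DEX loads, the framework calls, the domains and the process tree above, collected into one triage script. This is an added example written for this page, not code from the report or from the sandbox vendor. The IoC strings, PIDs and the size labels and SHA256 values of five dropped files are copied from this report; the pairing of Anonymous-DexFile regions with dropped files by size is a heuristic cross-check that the report itself does not make.

```python
import json
import re

# Indicators copied from the Signatures and Processes sections of this report.
ROOT_CHECK_PATHS = ["/system/app/Superuser.apk", "/sbin/su"]
ANON_DEX_IOCS = [
    "Anonymous-DexFile@0xcf318000-0xcf5aa80c",
    "Anonymous-DexFile@0xcf60b000-0xcf7364b8",
]
FRAMEWORK_CALLS = {
    "android.accounts.IAccountManager.getAccounts": "account enumeration",
    "android.os.IPowerManager.acquireWakeLock": "wake lock",
    "android.app.IActivityManager.setServiceForeground": "foreground-service persistence",
    "android.net.wifi.IWifiManager.getConnectionInfo": "Wi-Fi connection info",
    "com.android.internal.telephony.ITelephony.getAllCellInfo": "cell location",
    "android.app.IActivityManager.registerReceiver": "runtime broadcast receiver",
    "android.app.job.IJobScheduler.schedule": "JobScheduler persistence",
}
STALKERWARE_DOMAINS = ["prog-money.com", "anmon.name", "andmon.name"]
# Process tree as (pid, name, parent pid); the "su" child is the root probe being executed.
PROCESS_TREE = [(4253, "xspcmj.qiegf", None), (4295, "su", 4253)]

# Constructed subset of the Downloads section: (size label as printed there, SHA256).
DROPPED_FILES = [
    ("414KB", "1eba97c1d194721f33bfaf1e87b25f850daeb53ad40897435f5032033b166d15"),
    ("2.6MB", "db50acab3ed87a8cf5df819c8c88e3364f966dd5279d1f3a3f8e3154ab8cc326"),
    ("1.2MB", "2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0"),
    ("2.6MB", "b1da8dddf686b15b020b54c3509896b4a96b080604cd9d9cbf302e4beee473ce"),
    ("1.2MB", "c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c"),
]

KIB, MIB = 1024, 1024 * 1024
DEX_RE = re.compile(r"^Anonymous-DexFile@0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB)$")


def parse_dex_region(ioc):
    """Parse 'Anonymous-DexFile@0xSTART-0xEND' into (start, end); reject malformed
    or inverted ranges rather than silently producing a negative size."""
    m = DEX_RE.match(ioc)
    if not m:
        raise ValueError(f"not an Anonymous-DexFile IoC: {ioc!r}")
    start, end = int(m.group(1), 16), int(m.group(2), 16)
    if end <= start:
        raise ValueError(f"inverted range in {ioc!r}")
    return start, end


def size_label_bounds(label):
    """Byte interval a rounded report label can stand for, in binary units.
    Tolerance follows the printed precision: '2.6MB' means [2.55, 2.65) MiB,
    '414KB' means [413.5, 414.5) KiB."""
    m = SIZE_RE.match(label)
    if not m:
        raise ValueError(f"unrecognised size label {label!r}")
    num, unit = m.group(1), m.group(2)
    decimals = len(num.split(".")[1]) if "." in num else 0
    half_ulp = 0.5 * 10 ** -decimals
    scale = {"B": 1, "KB": KIB, "MB": MIB}[unit]
    return (float(num) - half_ulp) * scale, (float(num) + half_ulp) * scale


def match_dex_to_drops(dex_iocs, dropped):
    """For each in-memory DEX region, list dropped files whose printed size it fits.
    A size match is a lead, not proof: the region still has to be dumped and hashed."""
    result = {}
    for ioc in dex_iocs:
        start, end = parse_dex_region(ioc)
        size = end - start
        hits = []
        for label, sha256 in dropped:
            lo, hi = size_label_bounds(label)
            if lo <= size < hi:
                hits.append(sha256)
        result[ioc] = {"size": size, "candidates": hits}
    return result


def su_spawned(tree):
    """True when a process named 'su' has the sample as its parent, i.e. the root
    probe went beyond checking ROOT_CHECK_PATHS and actually executed su."""
    root_pids = {pid for pid, _, parent in tree if parent is None}
    return any(name == "su" and parent in root_pids for _, name, parent in tree)


def summarise():
    # Normalised IoC bundle for this sample, ready to hand to detection tooling.
    return {
        "root_check_paths": ROOT_CHECK_PATHS,
        "su_executed": su_spawned(PROCESS_TREE),
        "in_memory_dex": match_dex_to_drops(ANON_DEX_IOCS, DROPPED_FILES),
        "framework_calls": FRAMEWORK_CALLS,
        "domains": STALKERWARE_DOMAINS,
    }


if __name__ == "__main__":
    print(json.dumps(summarise(), indent=2))
```

Running it prints the bundle as JSON. The two Anonymous-DexFile regions measure 2,697,228 and 1,225,912 bytes, which is what the report prints as 2.6MB and 1.2MB, and the Downloads list carries two files of each size; whether the regions hold those same bytes can only be settled by dumping the memory and hashing it, which this report does not include.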
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1): Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1): Suppress Application Icon (1)
Downloads
-
Filesize
124KB
MD5
4c0ccabb25100a908b9db06434a6af8b
SHA1
555d9ecfa42e17aec483e1c05be0fc1362db9e66
SHA256
79aee6f8af24ae6adc8537de3a061bde3778d3d9634265b85b3e8727d4116304
SHA512
b9a4a1227fa927f0ef987a720c5bf16af71f3fba8c1a40d5387ad0d4ba193a1b7b23634b0850af7c25b55c8b2e984e7c84ab8fb3e55c83b3bc2ff859f4dcc5bb
-
Filesize
96KB
MD5
03e0545916304d37650604ad2e6c3ee9
SHA1
c72e8dec118da4930006ff5a73530122df528247
SHA256
4369c676e8c51a8cea10c9956d1b10ca655dd479c26b2b8cab6aa15bf486dec5
SHA512
069e3f2c36215cedae469c07b9db7a6d1dfb93fa4a65d81fc34da04271961a018ebeba247242541791909410ffcc7935e88212fa0ca61b3a09d8a308cd85c96f
-
Filesize
96KB
MD5
4368f35a7f3d2315047b349138770d69
SHA1
01fba9cb01d14d1a603381f24b6b61ead1bef6e1
SHA256
79ab1537247f14efc09f3eefcd0b8e376969c986b1bda40b418e340bd27056a0
SHA512
dc3a99f995cb629e441864263ebb4edfc80991f3200b2e4b068adb7c534116fe9e46affc308ac8825f14cfa6b10f65d24d3d8c614f9260ef03976ea270a94cea
-
Filesize
52KB
MD5
b6815b344f6926d458cea05acd052cdd
SHA1
88f524aff1d4c5fee979a203dd952427871a7097
SHA256
028666f28ae0086b18fb740f792e8a80ad05547f0c7cb9d2dc8080e5125db366
SHA512
0431375f80e9c467d0abb042e43681a973bce455fe8354f5a138f19a3b28d3adc7eac3fe4c20bf44f085810749569b87a393185cd8f8bf2687f0923b8de4dade
-
Filesize
96KB
MD5
27ef279f99a4960d80ab3e48342b1e6e
SHA1
56e153bd600e11ff9fed9dd765c6cc340b03608f
SHA256
cc7a89085ab7cba279ede22352834d6a7d039cba4a692bd65450d29b02e4bc77
SHA512
a116f778a1786764725b863723d161a1c64b8e707b3322cfe982d594675796d3c879361521bfa79012ea7cb078f08c6e4d785f4fdaa8ad9bfacf430ca5bc136b
-
Filesize
144KB
MD5
9f69b9d5a90f43cfeb04e9ed68db2b0c
SHA1
f3c16aae41d2dbd9fa3325fa7ceed6fff79eaf20
SHA256
25f1e4101019ac36d4af1c9ec64c2b53abf1096ae88c180eb735f1cdb2f12810
SHA512
60aa8bd0c7480e983ca009d6c6f96d7d33c920084320f0b411bcb676f68f99e0bd9ab26306355463379df804a806caf633f45de1316c65ff10626ba4ba81a531
-
Filesize
512B
MD5
35a4b26c6ba05200451a1013c6774ff7
SHA1
9c6180aacd2e12818ab767296a0c1d35c1a0ca76
SHA256
f8058ea124b21e2c565068709d0142ec2fccf59486b80bc0b57563d16834ce84
SHA512
b2c19f74f037d341b51f1696ffe13cd7f69ea3d08594572f78f4abf22dbb9cc7628fe5086acca66cb52ceb489fb2ad9e4a46fd94d3408bf6e4a866d78b3fb671
-
Filesize
32KB
MD5
bb7df04e1b0a2570657527a7e108ae23
SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize
414KB
MD5
9610f71bba928bd8416e59087d5a848a
SHA1
60bd37e242b7d7b93a5989c30b0078f593ed7ced
SHA256
1eba97c1d194721f33bfaf1e87b25f850daeb53ad40897435f5032033b166d15
SHA512
0984f45229f457319829c672848b6634269710bad7392f6a1efce4737e2b5857ef8dd05ae4d928b9b7ec034f94133e33e4ca91609e6f79eeb99efdc8038735f5
-
Filesize
8KB
MD5
54a0eb0a8f53cc2d2e3a9afb6d3c285a
SHA1
d053667facde597c639d9d3595ac7aa0dc19e58d
SHA256
cd2b0154f762514c0baa19537e2ddd15549eca9f13808d2908452741d5f91427
SHA512
48ff59c945ef7b901dbaed093f391af6c5ecf3d926bc9f196366d527a1ac90d1fde8c634be22b88b131b3a6d070f53d0060792223ef1aa47aa0877da9b3971b7
-
Filesize
8KB
MD5
0fe3ba6198b3366ba4158633ab6d08be
SHA1
80cba1e0226a241afdb5a6d0a691531e008c6c51
SHA256
ca4030a12b76899fb74cbbcc2710d9ca336c9749f85af2efcdcfca87eeb47016
SHA512
8b03a72a079d2e78fbc32856b8bd3350afd2c211dd3e6e41454e122f6f3d6797f200394e3bc0f179fd721bc91bd440d28e107e228f349088f1b9ca6743ef9327
-
Filesize
4KB
MD5
fe8bb7844ceb0512aa43a579de032b52
SHA1
15ddec53304cd4addd8f7003b990ba5d14790b42
SHA256
bf09912dd7c4ff9a8ed2e1a26796bbef98467a9de37b45d969be593522c16c9d
SHA512
30757753ed6c08a6ab3dcb535d065e036bcfd171d38b11d59374a334d9a8e857940a432e318a4107a542151091215696ed5af5f05bba081f3e22ff315a69f618
-
Filesize
8KB
MD5
a1f7e7620f327ca27626121808788923
SHA1
604ba9b5c2572be019864cc10f1590cd95912733
SHA256
5a0f66d7156943fed5cca062a24578853300cdab598b1ad289c5fa0112798755
SHA512
893610a880469ed321e46637020deb3a470c3abf62fb6c7b622390d577066158115c8fce34cdd8d3ef83fed530cf3880466153e49b0b1b89df57dba5230b4664
-
Filesize
418KB
MD5
2e349b58b94cbf6cc503e6fa9c658e64
SHA1
c68b17143fc20500d369cc0a5a2d173a1d994c59
SHA256
281cc4c56794ac4ceda4f550e22ad7cf4a43c413ac949380dab401f0df3d4519
SHA512
ebebdafb7d8f3f486eafae3d1d95dc4172670418ab63db56a948c1f5a7faddae43bc1307bf5f44e22bf00f38bae2bbe4fb7aeaa0b0b6bf360272fd466ae959f2
-
Filesize
2.6MB
MD5
8aa5d8f3622ac78fa2cc58d58c87dfaf
SHA1
33071f0a26c21320a749a25a5e94a694aaf346de
SHA256
db50acab3ed87a8cf5df819c8c88e3364f966dd5279d1f3a3f8e3154ab8cc326
SHA512
0ca20d27a1e8511ef0d588d15fe4c6f443a706af90d414e94d4d7e021080309f574892c327054c9b072a6a8740a9ab88e774116d2d815ed839ea7f813ef35251
-
Filesize
1.2MB
MD5
51112e0a7f7962a8e02bc885025414ef
SHA1
40622959af4fe349d8881c885b9b30441de8804c
SHA256
2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0
SHA512
f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402
-
Filesize
173B
MD5
7e43c4df153aed9a83f925ba5826bbab
SHA1
fa5806913b4509dc0cdb91682eb8e6685f8927e6
SHA256
68b2afa0c3e38c2aec99c232230b1b5f48d47f54a9bae412d1966da86501d432
SHA512
608614480c6d3bca013a9ac64a415616c68543e892474982586fee82689e304213abad413e010ed462ca43dc06492e8b743e4a9530a4af0a70d974b7509fe5fb
-
Filesize
152B
MD5
635166e98f6a6d337ad70df4771c6ab4
SHA1
c7be3aac5b369b5a18f0753bd5b464d48736f5b7
SHA256
2fa865a9770b5726eef835a686bd97685f37578f400bd35b7b4a057618216fe0
SHA512
3ad3ccb9a7618eb771d0287e8ca39fafa375748dae4397752f2ed9ff839955a873423f15aa0ad485b373b47d1d936819b4f63d25259b2281ac31c7bb011dc516
-
Filesize
3KB
MD5
541d6f5abf0575384a395f8c64e4637c
SHA1
f3ed96d0f1848ca4f247385b25948adf56cb7ba2
SHA256
9ad65c643c189366a1c2975fffa7dfcda4e876773b0aebeb743ec7ba94a115d7
SHA512
14bb89d544c140a802985a180bb00de78a387304cb91ac6fc3ff5d32ec6d1c7e86c0bb738a827ec6294724a63fd425cc4643b342ad5345b6fe2970f423a67d24
-
Filesize
64B
MD5
9bdd9a9e5679e74b567a5003e5ae4f78
SHA1
ddc87a3b92e07244aec316cba6387e9fd308ff6d
SHA256
8390ff2660b16fc9cc4d261ff7ba1d7192d4a7675082827e534f304103b0dd1b
SHA512
884d5a5f884f40238055d01e974878a465eb0756cff566bc7b6ef3b7d9b7187a927e184a0e1cfce3352705de4eb8c724fc3ebcf8b5d31e1e248b92bd04cb913c
-
Filesize
72B
MD5
5ee3cc9917c931300b9bc77039e2a50f
SHA1
7377924661ca7fb7b720370f522169f250fa5769
SHA256
8a6338cc6635f86c69bcc9bb788b557f150b5beb064fbfa8a33361299a727ff4
SHA512
ea4d89203289b4a670b3de27f80794879a261fccd6c3cfa39cb0348c6069372ff17ff7c22d142eb44e929de547d277ca79fd54352c56b652e0b50e6da31a92c3
-
Filesize
153B
MD5
99fcb1e0350b65d91c2f15d1a1a11f26
SHA1
6fd3fb7f7f060905425efe6bb5cb8b1e610e1de7
SHA256
61a1f224af544db506ac2b2e4eb2761fa3da85e7500b5c4422108464d01e8c3c
SHA512
28c403a948ee51fec1f29ec408bf9a12bee317b4319a5c9a89f471c97c0cafd08a2d6581698fddb9e1c56721001ac4d7dae150e0ef79c4542879bfc43505449c
-
Filesize
129B
MD5
03c30944fbbab74fc31998e33156e675
SHA1
e45633258b25e2a4fc94c8c17e5fee28d4576e45
SHA256
6b61aa908923632558dae2010e141105aa999016ad63a9dd8494bf19c8608d21
SHA512
990511b488e95748827a63295abf911a4ff5287a60b14fc070fd6b7053a465e8019c164481b9502305e31a3125f3c9213bc691c9a8aba04037fdb7e8003fa050
-
Filesize
24KB
MD5
29f4e855cced193ca76610e0f6a98808
SHA1
4e94e8043124e3646bfc26e01e527578b27c5473
SHA256
63d6ddde864e5890fc9d44965436edab073433cbbf6b93caf4bd1f440bd7e51e
SHA512
96c6ac79fc23369233c5bd20b4c919e74d71143ba82aba0d567ed65d351e84794a5af1b0f8e890eb1d3076c8ef836d7a5a49d4bdba55bcc5ddaedd91763e2a40
-
Filesize
6KB
MD5
768dda7ac8f66a6f5b3d15138fc87615
SHA1
2c90ca9b4bf53bef67e42d2ba9b5fa4ca4e06645
SHA256
b92d33f534b3aeb52be29ae3d2485d2e70fb2490ef316813dc6d0ff87f092725
SHA512
28ab914a15d80e29ff95220c23b964830ffad70c4c3a99b8c09c2be3fa2cb50ad9123d6bf01babc3d671317dc9ed1e728fe636a54a0cf052d5391a46e1f1192a
-
Filesize
220B
MD5
015cb28b475fba1757c8bd6badc2052c
SHA1
234aa1dbd61b1ff8f53a41e3c000a427d938848d
SHA256
6ed6f0977383975f388e0d2198c11c9d49c432f85eeb415291c4f0943a216c60
SHA512
00eaefa49f9aa46cac3f37f62d6eaca385118e1c18ef5f602478bb5a98186036c09f2c4263932ad89f06b1cae3a17046fa41b034e0e4fc23bed62dcb1da80bd8
-
Filesize
72B
MD5
fda9182e3ed7babfe6cdfb2fc79f91a4
SHA1
63c41d4facdb15262581b9096fef50492c48c801
SHA256
d09df77525b05a62e89c70cc207651dd416cf2b9a73d0ac5b37db77e93325803
SHA512
8554dbe745a8b52ee7cce25f4cd6ed4a92601223b616ad8357bcce09a9907b09dab3042220d2c41649b3b70b409124c1c2c8efac855c10d8c347c662bb3f98d7
-
Filesize
64KB
MD5
13684d2547f64dabfe299d1c6553a05f
SHA1
b000477d2cb51e917f2ebce3a8c53745ba7e0fd0
SHA256
3cf935d3101700253aa86e9d233201e587cfdd71b44491414b9d0f8f351febc0
SHA512
e75a7c2d43b9223cbb58cf21640ed86a1df77fbeab56d9f7904748898feac40aa6a372dfdfd44c93ea8480dad2f9889684bf37b85549d4bf8e2a2c7c79172217
-
Filesize
53KB
MD5
de94217e1d19221c964f0c158c995817
SHA1
5ebf89fe6183e60e105ef3459fb6744241a24f50
SHA256
f266d122fbff1b9e1380403a8e11c51898403a2e7dc0dd024e323997e682a9ac
SHA512
79f14cb896a63bb9a4e8341802877a10200a07297450e09a61e1f93f0e778cbfa31ee32a8c69f59594d3327504985d81ea6b5cb8c54e889187e87fa2d07d83b5
-
Filesize
64KB
MD5
66083c4afb0b0c7b2bc397e5d55f73f8
SHA1
f76af2ea4df0649ff7a2505ee0d33f7e7f0d661e
SHA256
c9b830dad8dfc1bea8ac1bb478af1729aff2356ac782cc29c757bde54e07a2db
SHA512
8ca65286dfb51428e9bff09d334587d8806793b41dc95d43661bc26a8491322c3c95d9d1447fc9d8fe1afd0a8ff067da5903ec33c9911dc3bbb9f245d17dea7b
-
Filesize
2.6MB
MD5
3bca1a576ba29bd493e42938a489aa5d
SHA1
0e5d4bc3a7daf6864fb3076e6c1e9685e254efd9
SHA256
b1da8dddf686b15b020b54c3509896b4a96b080604cd9d9cbf302e4beee473ce
SHA512
39a80b04bc764b98d47e035fb46ad89607bf599110bb5f62dc394f50e2c329fe913fe4be70b2a7879be3e2d7650eb9322f026e4996c62a45632e4045cc71bdc0
-
Filesize
1.2MB
MD5
336921950a9f279733cd787f1203d73d
SHA1
cefc36a7c17909054cf2a507b34f545af96c0e36
SHA256
c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c
SHA512
6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87