Analysis

  • Max time kernel: 111s
  • Max time network: 1816s
  • Platform: android_x64
  • Resource: android-x64-20240624-en
  • Resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
  • Submitted: 02-08-2024 19:37

General

  • Target: 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
  • Size: 20.5MB
  • MD5: 662a29140ea32f87a19fa76996137563
  • SHA1: cd0a4bd3abbf0fe2773a9c7a7a589a0609582219
  • SHA256: 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4
  • SHA512: 511b9d8e95dc7fa26fbf385c4f8bbdd0120830d7a4a031ac6929807bf265e7edafaa4778cdae6e80e632b8f1cfd4e7fb194a776328082402fbd2d22b79174b0c
  • SSDEEP: 393216:tGtsJA35z7A79L+v291mbgafiubchZHb9T9i/zVN2I+TX3VyKpPbNiRSKcsbJo:tLJA35z7c5vLmbBffc3Hfi/zVN2Ikn08

Malware Config

Signatures

  • AndrMonitor
    AndrMonitor is an Android stalkerware family.
  • Checks if the Android device is rooted (1 TTP, 2 IoCs)
  • Removes its main activity from the application launcher (1 TTP, 2 IoCs)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)
    Runs an executable file dropped to the device during analysis.
  • Queries a list of all the installed applications on the device; might be used in an attempt to overlay legitimate apps (1 TTP)
  • Queries account information for other applications stored on the device (1 TTP, 1 IoC)
    Application may abuse the framework's APIs to collect account information stored on the device.
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Domain associated with commercial stalkerware software; includes indicators from echap.eu.org (64 IoCs)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
    Application may abuse the framework's foreground service to continue running in the foreground.
  • Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  • Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
  • Reads information about the phone network operator (1 TTP)
  • Requests cell location (1 TTP, 1 IoC)
    Uses Android APIs to get current cell information.
  • Requests dangerous framework permissions (3 IoCs)
  • Registers a broadcast receiver at runtime, usually for listening for system events (1 TTP, 1 IoC)
  • Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • xspcmj.qiegf (PID 4935)
    • Checks if the Android device is rooted
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Requests cell location
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/xspcmj.qiegf/databases/SettingsDB (124KB): MD5 9cf7e03179a00e0097bb8292c310a7f8, SHA1 8046f1a0d32003f672b2da8ba6c7eb8f54ffcd17, SHA256 b428664066ed6496119d7ef35afee74fe8f5eb834939f9cacbf55804aa592438, SHA512 1d046cd7d5a96b0b4f0c5d218f97ebc850ea4a3385658ea4a9d36dc05363659d1dc53660f94d4d7d87794cfd60b94593f304e9011421d35f3f17296d28c28cb6
  • /data/data/xspcmj.qiegf/databases/SettingsDB (96KB): MD5 6c5a98d2a5073de4658d549615fe9945, SHA1 c61f37a362fc2bdee990fe59abd313a5e64c1ba4, SHA256 98e87c6c9126eeae0d628f9a6886984211879d5346e2b25630e7f6b1d8a56904, SHA512 56c0893daa212bf235c4f01f89b297f4e2d10f17f4d2e7f2e49de8bd660c5f1a484968b58ce300c57922d80d2e443257c1c4a09cc7402a7b1b9b2c5ceaa58aa8
  • /data/data/xspcmj.qiegf/databases/SettingsDB (96KB): MD5 a96c14ec9a256f6ea53077e9f71ff779, SHA1 c2e1dae962637438aa20dba117b73ac2cb8d0563, SHA256 d9543f343d02915f4fdff6412a72e0d0f51a67949f8432b1b8305ca67a97ffdb, SHA512 d054260c3f5128bb362f6f1d0d45b05871c3b5c141b851657bc46c8970778ebbc19122e1d075dbc85abc1e910f85866798798b455e240fe6d0198fddc48c8b58
  • /data/data/xspcmj.qiegf/databases/SettingsDB (96KB): MD5 d28f3e1e69678431596304830b3bb3fd, SHA1 2dd6215a5a2d0dd61e2a841155df44050777587e, SHA256 947832e21a975ed1fa21f1cb1e184b289f4ee1bed9c871ae110d1804df4dcf6d, SHA512 b7d33f427a78672a39296b1f4ac50f4c98a4df32d5d52b54082af26e47f7b538a0790b3da58c49b0e735df3bb50809db340ab835f7346ec80adca73e7f3a6116
  • /data/data/xspcmj.qiegf/databases/SettingsDB (96KB): MD5 61b4064794134228d8fd07e5832e1687, SHA1 ae37cc1d203ce476ebe0d3aaf85cb4e794d1ec1d, SHA256 f8469f741d265f507e666fce112d3a1fdfb774ea69c63f216fd378b5aee2c65b, SHA512 4d80c99fee48e42f46f3c64f82ac7e3d1a60f0bd725f17d71871bc26b4f95fc001195eebad36f892d31c55412933c7204de1a3c09075abbbb13e500e9264d3ac
  • /data/data/xspcmj.qiegf/databases/SettingsDB (160KB): MD5 42e097b531e8f3ee3bbfc10808997516, SHA1 f27c59725ea9c0771e4e9d0e8cbd2e02150cef26, SHA256 a2f6db7549b90a0dbbd6a457265e3d514d8f6d4c6350c165fd80081d5fa4b8f9, SHA512 e32aea48354efcb6a1c835193c381b4dda50a91369d0fd8a16716413c74f6c6d62a32c6115dd8d8017f3a3bd99c9f6f5e8890b300a0bea917340b53048a43a27
  • /data/data/xspcmj.qiegf/databases/SettingsDB-journal (512B): MD5 ae4783f9802ba554f9cd8a87be1ccd7f, SHA1 8020bb2d1830b8639224c2c30f9ff70431688f4e, SHA256 86f736280c1cdff46cfa74cd31bbd37a95627c7beea8f66c14b23fb141f55337, SHA512 d91ea09f57ef7f118bcac3a988c10c190832966ae848f35e0b4d1750b0a457b38347eb133ab7d74fbd7e471cbb63d59110d8f671bf7f42c3938150ca4f7914d9
  • /data/data/xspcmj.qiegf/databases/SettingsDB-journal (8KB): MD5 581a3c359deda5a08c09b0398732bd24, SHA1 02ef4c0393e364e053de3ff02c0eb23247c715f8, SHA256 d1c4a6acd6d4c5392c577af95e4bea62aca6ab7c51ce4beeef2b578bc5e86316, SHA512 3388c907f142b67018cb2714abdd2e06a9b31525efc366e8e6a37d4d0e91286f139fff198dc575d5cc015328cb5ebea79a321abfcb0570ef03d61530f0a458d1
  • /data/data/xspcmj.qiegf/databases/SettingsDB-journal (4KB): MD5 47f8fa47922c54d5cfaba5cecd4437f1, SHA1 c375fcfe5ee33b703e7b4505501c67b353733fd4, SHA256 461344856ceadbd5c11acfabeab5f33d6cf0dc3904705d6ae8c61a154613799c, SHA512 6540ed3b7d79ee5ba0b7d6fb9701a436c1fdc8c52bcf54a52c423b1bc27e6d821a165166760885ef57c49736f0362caa3992e384d157d6da71c6dbc013acfd44
  • /data/data/xspcmj.qiegf/databases/SettingsDB-journal (8KB): MD5 ebd2c6fba6bf04f02c3330ca1893db3f, SHA1 1cb3382f5ac31df33c85ba9a133c7db4c63d7ddf, SHA256 5753707a826a704473abb236b8d5404d38791d1607c0ddd271087f7d7ab0917c, SHA512 3b2dcea9471546a2c6b95e5489afaaa8be0a930bc09d5933d4c67842146a9e7dcece7ca9d12b1d560246d0e78d4927a0ff2d5e6c54dbf2a97ba4471295604e8f
  • /data/data/xspcmj.qiegf/databases/SettingsDB-journal (12KB): MD5 ef7b0483b5216709951102d5cbc84286, SHA1 dcebc5b98eda71c2c73d19ea3ad4a866b61a5aac, SHA256 e3880fecfaa79206964d527de0d83aece357efcea193f80b1d11a551dc246085, SHA512 b831cc8b8a105fb6d896a0d79b4327b4b2608758775a8f29205a8037d0a8d6a3846d710292ed12bd29cca4e78eb3f96d9c4b22bb262e11971f84cea00c7a1f96
  • /data/data/xspcmj.qiegf/databases/SettingsDB-journal (20KB): MD5 716512078767add7c8d371724e492c8e, SHA1 56919beee817a681ee831013e728dde5f06d0697, SHA256 dc607c419bfcd44544c43c3c7adbfb409ef9badb705520d82aa81cbe35f5726a, SHA512 a43e1f9076a01730030b276551a5aa14c70de557071b56e0dcdcf92ce803ee84498077d925bcad35073b1858da2a5abdc492a3a4f396f32fe71359df8afa29f2
  • /data/user/0/xspcmj.qiegf/[email protected] (2.6MB): MD5 3bca1a576ba29bd493e42938a489aa5d, SHA1 0e5d4bc3a7daf6864fb3076e6c1e9685e254efd9, SHA256 b1da8dddf686b15b020b54c3509896b4a96b080604cd9d9cbf302e4beee473ce, SHA512 39a80b04bc764b98d47e035fb46ad89607bf599110bb5f62dc394f50e2c329fe913fe4be70b2a7879be3e2d7650eb9322f026e4996c62a45632e4045cc71bdc0
  • /data/user/0/xspcmj.qiegf/[email protected] (1.2MB): MD5 336921950a9f279733cd787f1203d73d, SHA1 cefc36a7c17909054cf2a507b34f545af96c0e36, SHA256 c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c, SHA512 6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87
  • /storage/emulated/0/.am/dm/md/main.md (2.6MB): MD5 8aa5d8f3622ac78fa2cc58d58c87dfaf, SHA1 33071f0a26c21320a749a25a5e94a694aaf346de, SHA256 db50acab3ed87a8cf5df819c8c88e3364f966dd5279d1f3a3f8e3154ab8cc326, SHA512 0ca20d27a1e8511ef0d588d15fe4c6f443a706af90d414e94d4d7e021080309f574892c327054c9b072a6a8740a9ab88e774116d2d815ed839ea7f813ef35251
  • /storage/emulated/0/.am/dm/md/main_tools.md (1.2MB): MD5 51112e0a7f7962a8e02bc885025414ef, SHA1 40622959af4fe349d8881c885b9b30441de8804c, SHA256 2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0, SHA512 f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402
  • /storage/emulated/0/.am/log.txt (173B): MD5 7ea7f99b9e1e1723d671c8c80081dbe2, SHA1 f208f2adab82887ab102d04108581b88b51624c3, SHA256 e32611d35fd471d3f0e4848efbaa1e709d6233aa78b8894aebdb8e43eb800c38, SHA512 be98dbbfb1bb76c5ab7ff1f376090d9d581f9fe4b42368d0fbf8f6c7b27917a52e4a6d58241f09de6439e3ebf6b9a30a2c10f0324ed961250f7460df36da1cef
  • /storage/emulated/0/.am/log.txt (152B): MD5 ae3b9b2369d66704ceb75a8826cb8620, SHA1 728863009b09fe07815da1747fade5e208c011cb, SHA256 db2193d4932d803d6c7e777e7c20471f7156372d2f932266ccc8198df191ea41, SHA512 690156ce1c9ab264b8e7a2ae7681ce7ddd4597d0809042937f32460b2ea8d958a54a8f36f6b602677d61decd73c3ea1b440815cfa27261a97b40a5235e38a10a
  • /storage/emulated/0/.am/log.txt (4KB): MD5 050bb9d501a3abbabcbb3c8fa38e6a93, SHA1 eb7555dfe7618580f2ba47c6f88a8bd084b9d640, SHA256 4e5c5f3a4075f21532195950788ea730bef044b1f90e78ee1d4e63d412706aeb, SHA512 aff84092d192ee09e1a999654d5d75ce91979d8dfc8046cf9fe84223fd98b3bff2999ac3074740df52ca7a7d87404b93fa3be3f7868f32898c8d4b613701a76b
  • /storage/emulated/0/.am/log.txt (64B): MD5 a9a70e9e188bed1d219912ae8ea37c22, SHA1 6ad77a0efd9da29abd321aa36328156736bb3e02, SHA256 67e5ffbeeb35d6a8ee10b2e157bc16e6e956b8e03104f2ba766a478e26a50fef, SHA512 036d547078d61422223c1ee8430e414a6589f54b5443c6e8d1585f4d15554deed0bf4077fd3735547fa7ab0e2b5ce4b8edf82b94a7221fe70cdcfb91cbe30765
  • /storage/emulated/0/.am/log.txt (72B): MD5 81d955efbf1f919727825ae705dc649c, SHA1 fa49a018819e287be33c2c35109da33e421d691f, SHA256 47fca5b2981452472648018bdde9e74663b23a6d02ca146814b791acdbb94d4a, SHA512 4fb269fc3124d99c424aec5ff219ce27775f9610bb18c73b6d02204c0122630aca74c235d1ce351f932e1efb96e1fbfefe56a5710bb2481f5910521e94b951b8
  • /storage/emulated/0/.am/log.txt (156B): MD5 3b2a7b7e45b7615fd26533a6e09a480c, SHA1 fa12c3f73e28c69f3ab7e7168a085050cdc7b4a8, SHA256 eef836ed02836952c37d9b6bd56711f2f9afe1e010263ce6cd18f793f9595e90, SHA512 2388ba951114e2b1e4ba060e22346847e1a9bdd0d9d84d3eea23738926397b3acb8b88d27c1b8e12906b042a6fff27257895a632407a4d37dfe0a5b42bf52e5a
  • /storage/emulated/0/.am/log.txt (129B): MD5 7ab8e8d4c3565d0ce0982ecd459d7c8a, SHA1 0110a1c2ec400e6b8ad8af60bfc1a1e2468b1cff, SHA256 e8638c33b3d2913dfe61c91f9d26545e8ec4f0367088e086a613685179e6456c, SHA512 c2355be71ae19bd804c2b883df3bd4d6bcf8e376614801fe8885cf67ee2526c81bbd490e3f781ee5a9aed01aaf3b813fb0e8c4053abc4bb36ac2ad0971e04314
  • /storage/emulated/0/.am/log_.txt (27KB): MD5 136d875a5f84af634a83467c21958e77, SHA1 0be880e786e0f916258f2d0fb5589ce049b78549, SHA256 32ae6fc769fd81cec4bba1ed11b84533dfd5dd423a45a05b21739b1a05e37fc8, SHA512 19ad64e834e23105160001436ac10082086b8ca84124908791285e441356a6e65c5748bee091b9cc35e94796ec84eed5cf91dbedb8fa8c37350966b43a76a3f5
  • /storage/emulated/0/.am/log_.txt.zip (6KB): MD5 fe9b2fd109422a4a9d40bab7fb806b2c, SHA1 47dcd55bb5e1b30561cb75b07d0c317930dc2f1b, SHA256 e3825bfe7b352c9989505e6520ef5e57664ddef00de1d117446a100854cd6b4e, SHA512 d70b3d32864d2b70ae2e27b56c8d28a0076dbbbcf56fad2cca0174e78c9aca8fa5d27874517709cba9e337bca3bd8e0e107606146f8e8ab0d664e3d1b7206225
  • /storage/emulated/0/.am/log_1722642700275.txt.zip (220B): MD5 09e451d53de53fe10a88fe1b575314e2, SHA1 00c641c9a8b2a3ba715f37f28c7a24e0d741fa46, SHA256 6820812ec7677c13f532aa57ff69307ecb526130ea792c5e9719610c01826712, SHA512 be6581ddf4788d3894f0876d27ba716a2b3079d1576b280748bffd7f14e3bf6a16311930b25d7044b8f75e74eac89674f4b696aad365ecece11c5fc657e83665
  • /storage/emulated/0/.am/prog_class.name (72B): MD5 fda9182e3ed7babfe6cdfb2fc79f91a4, SHA1 63c41d4facdb15262581b9096fef50492c48c801, SHA256 d09df77525b05a62e89c70cc207651dd416cf2b9a73d0ac5b37db77e93325803, SHA512 8554dbe745a8b52ee7cce25f4cd6ed4a92601223b616ad8357bcce09a9907b09dab3042220d2c41649b3b70b409124c1c2c8efac855c10d8c347c662bb3f98d7
  • /storage/emulated/0/Android/data/xspcmj.qiegf/files/Download/mch.apk (64KB): MD5 13684d2547f64dabfe299d1c6553a05f, SHA1 b000477d2cb51e917f2ebce3a8c53745ba7e0fd0, SHA256 3cf935d3101700253aa86e9d233201e587cfdd71b44491414b9d0f8f351febc0, SHA512 e75a7c2d43b9223cbb58cf21640ed86a1df77fbeab56d9f7904748898feac40aa6a372dfdfd44c93ea8480dad2f9889684bf37b85549d4bf8e2a2c7c79172217