Analysis
max time kernel
111s
max time network
1816s
platform
android_x64
resource
android-x64-20240624-en
resource tags
android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
submitted
02-08-2024 19:37
Behavioral task
behavioral1
Sample
960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral2
Sample
960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
Resource
android-x64-arm64-20240624-en
Behavioral task
behavioral3
Sample
960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
Resource
android-33-x64-arm64-20240624-en
Behavioral task
behavioral4
Sample
960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
Resource
android-x86-arm-20240624-en
General
Target
960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
Size
20.5MB
MD5
662a29140ea32f87a19fa76996137563
SHA1
cd0a4bd3abbf0fe2773a9c7a7a589a0609582219
SHA256
960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4
SHA512
511b9d8e95dc7fa26fbf385c4f8bbdd0120830d7a4a031ac6929807bf265e7edafaa4778cdae6e80e632b8f1cfd4e7fb194a776328082402fbd2d22b79174b0c
SSDEEP
393216:tGtsJA35z7A79L+v291mbgafiubchZHb9T9i/zVN2I+TX3VyKpPbNiRSKcsbJo:tLJA35z7c5vLmbBffc3Hfi/zVN2Ikn08
Malware Config
Signatures
AndrMonitor
AndrMonitor is Android stalkerware.
Checks if the Android device is rooted. (1 TTP, 2 IoCs)
ioc                        Process
/system/app/Superuser.apk  xspcmj.qiegf
/sbin/su                   xspcmj.qiegf
pid   Process
4935  xspcmj.qiegf
4935  xspcmj.qiegf
Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs an executable file dropped to the device during analysis.
ioc                                              pid   Process
/data/user/0/xspcmj.qiegf/[email protected]  4935  xspcmj.qiegf
/data/user/0/xspcmj.qiegf/[email protected]  4935  xspcmj.qiegf
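The "Loads dropped Dex/Jar" signature fires because the app writes files into its own data directory and then loads them as code. When working through the dropped files listed under Downloads, the first thing to settle is which blobs are actually loadable code (a raw DEX, or a ZIP container such as a JAR/APK holding a classes.dex) rather than data. The following is an added example written for this page; it is not part of the report or of the sandbox's tooling. It validates the DEX header fields that a loader would trust (magic, declared file_size, endian tag) instead of relying on the magic string alone, and the sample bytes it classifies are constructed inline. The function names are my own.

```python
import hashlib
import io
import struct
import zipfile

# DEX files start with "dex\n" + three ASCII digits (e.g. 035, 037, 038, 039) + NUL.
DEX_MAGIC_PREFIX = b"dex\n"
DEX_ENDIAN_CONSTANT = 0x12345678   # endian_tag at offset 0x28 in a little-endian DEX
DEX_HEADER_SIZE = 0x70             # header_size is fixed at 112 bytes


def is_dex(data: bytes) -> bool:
    """Check the DEX header: magic + version, declared file_size, endian tag."""
    if len(data) < DEX_HEADER_SIZE or not data.startswith(DEX_MAGIC_PREFIX):
        return False
    version, nul = data[4:7], data[7]
    if not version.isdigit() or nul != 0:
        return False
    # file_size is the little-endian u32 at 0x20; endian_tag the u32 at 0x28.
    file_size = struct.unpack_from("<I", data, 0x20)[0]
    endian_tag = struct.unpack_from("<I", data, 0x28)[0]
    return file_size == len(data) and endian_tag == DEX_ENDIAN_CONSTANT


def is_jar_or_apk(data: bytes) -> bool:
    """A ZIP container that carries a .dex entry is loadable via DexClassLoader."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith(".dex") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_dropped_blob(data: bytes) -> dict:
    """Label a dropped file as 'dex', 'jar/apk' or 'other' and hash it for the IoC list."""
    if is_dex(data):
        kind = "dex"
    elif is_jar_or_apk(data):
        kind = "jar/apk"
    else:
        kind = "other"
    return {"kind": kind, "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def build_fake_dex(version: bytes = b"035", total_size: int = DEX_HEADER_SIZE) -> bytes:
    """Constructed minimal DEX header used as a test fixture (not real bytecode)."""
    hdr = bytearray(total_size)
    hdr[0:8] = DEX_MAGIC_PREFIX + version + b"\x00"
    struct.pack_into("<I", hdr, 0x20, total_size)
    struct.pack_into("<I", hdr, 0x28, DEX_ENDIAN_CONSTANT)
    return bytes(hdr)


def build_fake_jar() -> bytes:
    """Constructed ZIP holding a classes.dex, standing in for a dropped JAR/APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", build_fake_dex())
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("dex", build_fake_dex()), ("jar", build_fake_jar()), ("text", b"not code")]
    for label, blob in samples:
        print(label, classify_dropped_blob(blob))
```

A blob that merely begins with "dex\n035\0" but whose declared file_size does not match its length is reported as "other"; that mismatch is the usual sign of a truncated capture or of a header prepended to something else, and is worth a second look rather than being fed straight to a disassembler.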
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
Queries account information for other applications stored on the device (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect account information stored on the device.
description             ioc                                           Process
Framework service call  android.accounts.IAccountManager.getAccounts  xspcmj.qiegf
Queries the phone number (MSISDN for GSM devices) (1 TTP)
Acquires the wake lock (1 IoC)
description             ioc                                       Process
Framework service call  android.os.IPowerManager.acquireWakeLock  xspcmj.qiegf
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (64 IoCs)
ioc             flows
anmon.name      9, 10, 11, 36, 55, 117, 118, 140, 141, 145, 146, 151, 152, 154, 155, 162, 163, 164, 165, 167, 168, 173, 174, 175, 176, 177, 181, 182, 183, 184, 185, 186, 187, 188, 191, 193, 194, 195, 196, 197, 198, 199, 200, 201, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 218, 219, 220 (57 flows)
andmon.name     52, 132 (2 flows)
prog-money.com  5, 8, 51, 113, 115 (5 flows)
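The domain signature above is the part of this report most directly reusable for hunting: three domains across 64 flows. The following is an added example, not part of the report or of the echap.eu.org indicator project, showing how to turn the flattened flow/ioc run into a deduplicated indicator set and then match DNS query names against it on label boundaries (so api.anmon.name matches anmon.name but notanmon.name does not). The 64 flow/domain pairs are copied from the signature; the DNS log lines and their format are constructed for the demo, and the function names are my own.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Flow-id / domain pairs copied from the report's "Domain associated with
# commercial stalkerware software" signature (64 IoCs, flattened by extraction).
REPORT_FLOW_IOCS = (
    "117 anmon.name 177 anmon.name 213 anmon.name 36 anmon.name 51 prog-money.com "
    "208 anmon.name 211 anmon.name 164 anmon.name 185 anmon.name 199 anmon.name "
    "212 anmon.name 10 anmon.name 11 anmon.name 162 anmon.name 173 anmon.name "
    "200 anmon.name 55 anmon.name 146 anmon.name 163 anmon.name 165 anmon.name "
    "196 anmon.name 197 anmon.name 52 andmon.name 115 prog-money.com 167 anmon.name "
    "181 anmon.name 194 anmon.name 210 anmon.name 8 prog-money.com 174 anmon.name "
    "201 anmon.name 219 anmon.name 155 anmon.name 188 anmon.name 195 anmon.name "
    "215 anmon.name 151 anmon.name 191 anmon.name 140 anmon.name 118 anmon.name "
    "132 andmon.name 186 anmon.name 207 anmon.name 154 anmon.name 182 anmon.name "
    "187 anmon.name 220 anmon.name 175 anmon.name 184 anmon.name 206 anmon.name "
    "209 anmon.name 9 anmon.name 193 anmon.name 168 anmon.name 176 anmon.name "
    "183 anmon.name 198 anmon.name 214 anmon.name 218 anmon.name 5 prog-money.com "
    "145 anmon.name 113 prog-money.com 141 anmon.name 152 anmon.name"
)


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so resolver qnames compare equal to indicators."""
    return name.strip().lower().rstrip(".")


def parse_flow_iocs(text: str) -> List[Tuple[int, str]]:
    """Turn the flattened 'flow ioc flow ioc ...' run into (flow_id, domain) pairs."""
    return [(int(flow), normalize(domain)) for flow, domain in re.findall(r"(\d+)\s+(\S+)", text)]


def indicator_domains(pairs: List[Tuple[int, str]]) -> Set[str]:
    return {domain for _, domain in pairs}


def flow_counts(pairs: List[Tuple[int, str]]) -> Dict[str, int]:
    return dict(Counter(domain for _, domain in pairs))


def match_indicator(qname: str, indicators: Set[str]) -> Optional[str]:
    """Return the indicator that qname or one of its parent domains equals.
    Walks label by label, never matching a bare TLD, so a substring like
    'notanmon.name' cannot produce a false positive."""
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


# Constructed resolver log lines for the demo (not from the report).
SAMPLE_DNS_LOG = """\
2024-08-02T19:40:01Z client=10.0.0.7 q=api.anmon.name. type=A
2024-08-02T19:40:02Z client=10.0.0.7 q=ANMON.NAME type=A
2024-08-02T19:40:03Z client=10.0.0.7 q=notanmon.name. type=A
2024-08-02T19:40:04Z client=10.0.0.8 q=cdn.prog-money.com. type=AAAA
2024-08-02T19:40:05Z client=10.0.0.9 q=example.org. type=A
"""

LOG_RE = re.compile(r"client=(?P<client>\S+)\s+q=(?P<qname>\S+)")


def scan_dns_log(log: str, indicators: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (client, qname, matched_indicator) for each log line that hits the set."""
    hits = []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ioc = match_indicator(m["qname"], indicators)
        if ioc is not None:
            hits.append((m["client"], m["qname"], ioc))
    return hits


if __name__ == "__main__":
    pairs = parse_flow_iocs(REPORT_FLOW_IOCS)
    print(len(pairs), "flows by domain:", flow_counts(pairs))
    for client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG, indicator_domains(pairs)):
        print(f"{client} queried {qname} -> matches {ioc}")
```

The per-domain counts come straight out of the report's 64 flows (anmon.name 57, andmon.name 2, prog-money.com 5). Both anmon.name and andmon.name are kept as distinct indicators exactly as the report lists them; whether the second is a typo or a separate domain is not something the page settles.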
Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
description             ioc                                                Process
Framework service call  android.app.IActivityManager.setServiceForeground  xspcmj.qiegf
Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description             ioc                                              Process
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  xspcmj.qiegf
Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
Reads information about the phone network operator. (1 TTP)
Requests cell location (1 TTP, 1 IoC)
Uses Android APIs to get current cell information.
description             ioc                                                       Process
Framework service call  com.android.internal.telephony.ITelephony.getAllCellInfo  xspcmj.qiegf
Requests dangerous framework permissions (3 IoCs)
ioc                                        description
android.permission.READ_EXTERNAL_STORAGE   Allows an application to read from external storage.
android.permission.WRITE_EXTERNAL_STORAGE  Allows an application to write to external storage.
android.permission.SYSTEM_ALERT_WINDOW     Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
description             ioc                                            Process
Framework service call  android.app.IActivityManager.registerReceiver  xspcmj.qiegf
Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description             ioc                                     Process
Framework service call  android.app.job.IJobScheduler.schedule  xspcmj.qiegf
Processes
xspcmj.qiegf (PID 4935)
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests cell location
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution: Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts: Suppress Application Icon (1)
Downloads

Filesize  124KB
MD5  9cf7e03179a00e0097bb8292c310a7f8
SHA1  8046f1a0d32003f672b2da8ba6c7eb8f54ffcd17
SHA256  b428664066ed6496119d7ef35afee74fe8f5eb834939f9cacbf55804aa592438
SHA512  1d046cd7d5a96b0b4f0c5d218f97ebc850ea4a3385658ea4a9d36dc05363659d1dc53660f94d4d7d87794cfd60b94593f304e9011421d35f3f17296d28c28cb6

Filesize  96KB
MD5  6c5a98d2a5073de4658d549615fe9945
SHA1  c61f37a362fc2bdee990fe59abd313a5e64c1ba4
SHA256  98e87c6c9126eeae0d628f9a6886984211879d5346e2b25630e7f6b1d8a56904
SHA512  56c0893daa212bf235c4f01f89b297f4e2d10f17f4d2e7f2e49de8bd660c5f1a484968b58ce300c57922d80d2e443257c1c4a09cc7402a7b1b9b2c5ceaa58aa8

Filesize  96KB
MD5  a96c14ec9a256f6ea53077e9f71ff779
SHA1  c2e1dae962637438aa20dba117b73ac2cb8d0563
SHA256  d9543f343d02915f4fdff6412a72e0d0f51a67949f8432b1b8305ca67a97ffdb
SHA512  d054260c3f5128bb362f6f1d0d45b05871c3b5c141b851657bc46c8970778ebbc19122e1d075dbc85abc1e910f85866798798b455e240fe6d0198fddc48c8b58

Filesize  96KB
MD5  d28f3e1e69678431596304830b3bb3fd
SHA1  2dd6215a5a2d0dd61e2a841155df44050777587e
SHA256  947832e21a975ed1fa21f1cb1e184b289f4ee1bed9c871ae110d1804df4dcf6d
SHA512  b7d33f427a78672a39296b1f4ac50f4c98a4df32d5d52b54082af26e47f7b538a0790b3da58c49b0e735df3bb50809db340ab835f7346ec80adca73e7f3a6116

Filesize  96KB
MD5  61b4064794134228d8fd07e5832e1687
SHA1  ae37cc1d203ce476ebe0d3aaf85cb4e794d1ec1d
SHA256  f8469f741d265f507e666fce112d3a1fdfb774ea69c63f216fd378b5aee2c65b
SHA512  4d80c99fee48e42f46f3c64f82ac7e3d1a60f0bd725f17d71871bc26b4f95fc001195eebad36f892d31c55412933c7204de1a3c09075abbbb13e500e9264d3ac

Filesize  160KB
MD5  42e097b531e8f3ee3bbfc10808997516
SHA1  f27c59725ea9c0771e4e9d0e8cbd2e02150cef26
SHA256  a2f6db7549b90a0dbbd6a457265e3d514d8f6d4c6350c165fd80081d5fa4b8f9
SHA512  e32aea48354efcb6a1c835193c381b4dda50a91369d0fd8a16716413c74f6c6d62a32c6115dd8d8017f3a3bd99c9f6f5e8890b300a0bea917340b53048a43a27

Filesize  512B
MD5  ae4783f9802ba554f9cd8a87be1ccd7f
SHA1  8020bb2d1830b8639224c2c30f9ff70431688f4e
SHA256  86f736280c1cdff46cfa74cd31bbd37a95627c7beea8f66c14b23fb141f55337
SHA512  d91ea09f57ef7f118bcac3a988c10c190832966ae848f35e0b4d1750b0a457b38347eb133ab7d74fbd7e471cbb63d59110d8f671bf7f42c3938150ca4f7914d9

Filesize  8KB
MD5  581a3c359deda5a08c09b0398732bd24
SHA1  02ef4c0393e364e053de3ff02c0eb23247c715f8
SHA256  d1c4a6acd6d4c5392c577af95e4bea62aca6ab7c51ce4beeef2b578bc5e86316
SHA512  3388c907f142b67018cb2714abdd2e06a9b31525efc366e8e6a37d4d0e91286f139fff198dc575d5cc015328cb5ebea79a321abfcb0570ef03d61530f0a458d1

Filesize  4KB
MD5  47f8fa47922c54d5cfaba5cecd4437f1
SHA1  c375fcfe5ee33b703e7b4505501c67b353733fd4
SHA256  461344856ceadbd5c11acfabeab5f33d6cf0dc3904705d6ae8c61a154613799c
SHA512  6540ed3b7d79ee5ba0b7d6fb9701a436c1fdc8c52bcf54a52c423b1bc27e6d821a165166760885ef57c49736f0362caa3992e384d157d6da71c6dbc013acfd44

Filesize  8KB
MD5  ebd2c6fba6bf04f02c3330ca1893db3f
SHA1  1cb3382f5ac31df33c85ba9a133c7db4c63d7ddf
SHA256  5753707a826a704473abb236b8d5404d38791d1607c0ddd271087f7d7ab0917c
SHA512  3b2dcea9471546a2c6b95e5489afaaa8be0a930bc09d5933d4c67842146a9e7dcece7ca9d12b1d560246d0e78d4927a0ff2d5e6c54dbf2a97ba4471295604e8f

Filesize  12KB
MD5  ef7b0483b5216709951102d5cbc84286
SHA1  dcebc5b98eda71c2c73d19ea3ad4a866b61a5aac
SHA256  e3880fecfaa79206964d527de0d83aece357efcea193f80b1d11a551dc246085
SHA512  b831cc8b8a105fb6d896a0d79b4327b4b2608758775a8f29205a8037d0a8d6a3846d710292ed12bd29cca4e78eb3f96d9c4b22bb262e11971f84cea00c7a1f96

Filesize  20KB
MD5  716512078767add7c8d371724e492c8e
SHA1  56919beee817a681ee831013e728dde5f06d0697
SHA256  dc607c419bfcd44544c43c3c7adbfb409ef9badb705520d82aa81cbe35f5726a
SHA512  a43e1f9076a01730030b276551a5aa14c70de557071b56e0dcdcf92ce803ee84498077d925bcad35073b1858da2a5abdc492a3a4f396f32fe71359df8afa29f2

/data/user/0/xspcmj.qiegf/[email protected]
Filesize  2.6MB
MD5  3bca1a576ba29bd493e42938a489aa5d
SHA1  0e5d4bc3a7daf6864fb3076e6c1e9685e254efd9
SHA256  b1da8dddf686b15b020b54c3509896b4a96b080604cd9d9cbf302e4beee473ce
SHA512  39a80b04bc764b98d47e035fb46ad89607bf599110bb5f62dc394f50e2c329fe913fe4be70b2a7879be3e2d7650eb9322f026e4996c62a45632e4045cc71bdc0

/data/user/0/xspcmj.qiegf/[email protected]
Filesize  1.2MB
MD5  336921950a9f279733cd787f1203d73d
SHA1  cefc36a7c17909054cf2a507b34f545af96c0e36
SHA256  c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c
SHA512  6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87

Filesize  2.6MB
MD5  8aa5d8f3622ac78fa2cc58d58c87dfaf
SHA1  33071f0a26c21320a749a25a5e94a694aaf346de
SHA256  db50acab3ed87a8cf5df819c8c88e3364f966dd5279d1f3a3f8e3154ab8cc326
SHA512  0ca20d27a1e8511ef0d588d15fe4c6f443a706af90d414e94d4d7e021080309f574892c327054c9b072a6a8740a9ab88e774116d2d815ed839ea7f813ef35251

Filesize  1.2MB
MD5  51112e0a7f7962a8e02bc885025414ef
SHA1  40622959af4fe349d8881c885b9b30441de8804c
SHA256  2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0
SHA512  f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402

Filesize  173B
MD5  7ea7f99b9e1e1723d671c8c80081dbe2
SHA1  f208f2adab82887ab102d04108581b88b51624c3
SHA256  e32611d35fd471d3f0e4848efbaa1e709d6233aa78b8894aebdb8e43eb800c38
SHA512  be98dbbfb1bb76c5ab7ff1f376090d9d581f9fe4b42368d0fbf8f6c7b27917a52e4a6d58241f09de6439e3ebf6b9a30a2c10f0324ed961250f7460df36da1cef

Filesize  152B
MD5  ae3b9b2369d66704ceb75a8826cb8620
SHA1  728863009b09fe07815da1747fade5e208c011cb
SHA256  db2193d4932d803d6c7e777e7c20471f7156372d2f932266ccc8198df191ea41
SHA512  690156ce1c9ab264b8e7a2ae7681ce7ddd4597d0809042937f32460b2ea8d958a54a8f36f6b602677d61decd73c3ea1b440815cfa27261a97b40a5235e38a10a

Filesize  4KB
MD5  050bb9d501a3abbabcbb3c8fa38e6a93
SHA1  eb7555dfe7618580f2ba47c6f88a8bd084b9d640
SHA256  4e5c5f3a4075f21532195950788ea730bef044b1f90e78ee1d4e63d412706aeb
SHA512  aff84092d192ee09e1a999654d5d75ce91979d8dfc8046cf9fe84223fd98b3bff2999ac3074740df52ca7a7d87404b93fa3be3f7868f32898c8d4b613701a76b

Filesize  64B
MD5  a9a70e9e188bed1d219912ae8ea37c22
SHA1  6ad77a0efd9da29abd321aa36328156736bb3e02
SHA256  67e5ffbeeb35d6a8ee10b2e157bc16e6e956b8e03104f2ba766a478e26a50fef
SHA512  036d547078d61422223c1ee8430e414a6589f54b5443c6e8d1585f4d15554deed0bf4077fd3735547fa7ab0e2b5ce4b8edf82b94a7221fe70cdcfb91cbe30765

Filesize  72B
MD5  81d955efbf1f919727825ae705dc649c
SHA1  fa49a018819e287be33c2c35109da33e421d691f
SHA256  47fca5b2981452472648018bdde9e74663b23a6d02ca146814b791acdbb94d4a
SHA512  4fb269fc3124d99c424aec5ff219ce27775f9610bb18c73b6d02204c0122630aca74c235d1ce351f932e1efb96e1fbfefe56a5710bb2481f5910521e94b951b8

Filesize  156B
MD5  3b2a7b7e45b7615fd26533a6e09a480c
SHA1  fa12c3f73e28c69f3ab7e7168a085050cdc7b4a8
SHA256  eef836ed02836952c37d9b6bd56711f2f9afe1e010263ce6cd18f793f9595e90
SHA512  2388ba951114e2b1e4ba060e22346847e1a9bdd0d9d84d3eea23738926397b3acb8b88d27c1b8e12906b042a6fff27257895a632407a4d37dfe0a5b42bf52e5a

Filesize  129B
MD5  7ab8e8d4c3565d0ce0982ecd459d7c8a
SHA1  0110a1c2ec400e6b8ad8af60bfc1a1e2468b1cff
SHA256  e8638c33b3d2913dfe61c91f9d26545e8ec4f0367088e086a613685179e6456c
SHA512  c2355be71ae19bd804c2b883df3bd4d6bcf8e376614801fe8885cf67ee2526c81bbd490e3f781ee5a9aed01aaf3b813fb0e8c4053abc4bb36ac2ad0971e04314

Filesize  27KB
MD5  136d875a5f84af634a83467c21958e77
SHA1  0be880e786e0f916258f2d0fb5589ce049b78549
SHA256  32ae6fc769fd81cec4bba1ed11b84533dfd5dd423a45a05b21739b1a05e37fc8
SHA512  19ad64e834e23105160001436ac10082086b8ca84124908791285e441356a6e65c5748bee091b9cc35e94796ec84eed5cf91dbedb8fa8c37350966b43a76a3f5

Filesize  6KB
MD5  fe9b2fd109422a4a9d40bab7fb806b2c
SHA1  47dcd55bb5e1b30561cb75b07d0c317930dc2f1b
SHA256  e3825bfe7b352c9989505e6520ef5e57664ddef00de1d117446a100854cd6b4e
SHA512  d70b3d32864d2b70ae2e27b56c8d28a0076dbbbcf56fad2cca0174e78c9aca8fa5d27874517709cba9e337bca3bd8e0e107606146f8e8ab0d664e3d1b7206225

Filesize  220B
MD5  09e451d53de53fe10a88fe1b575314e2
SHA1  00c641c9a8b2a3ba715f37f28c7a24e0d741fa46
SHA256  6820812ec7677c13f532aa57ff69307ecb526130ea792c5e9719610c01826712
SHA512  be6581ddf4788d3894f0876d27ba716a2b3079d1576b280748bffd7f14e3bf6a16311930b25d7044b8f75e74eac89674f4b696aad365ecece11c5fc657e83665

Filesize  72B
MD5  fda9182e3ed7babfe6cdfb2fc79f91a4
SHA1  63c41d4facdb15262581b9096fef50492c48c801
SHA256  d09df77525b05a62e89c70cc207651dd416cf2b9a73d0ac5b37db77e93325803
SHA512  8554dbe745a8b52ee7cce25f4cd6ed4a92601223b616ad8357bcce09a9907b09dab3042220d2c41649b3b70b409124c1c2c8efac855c10d8c347c662bb3f98d7

Filesize  64KB
MD5  13684d2547f64dabfe299d1c6553a05f
SHA1  b000477d2cb51e917f2ebce3a8c53745ba7e0fd0
SHA256  3cf935d3101700253aa86e9d233201e587cfdd71b44491414b9d0f8f351febc0
SHA512  e75a7c2d43b9223cbb58cf21640ed86a1df77fbeab56d9f7904748898feac40aa6a372dfdfd44c93ea8480dad2f9889684bf37b85549d4bf8e2a2c7c79172217