Analysis
max time kernel: 1817s
max time network: 1825s
platform: android_x64
resource: android-x64-arm64-20240624-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
submitted: 02-08-2024 19:37
Behavioral tasks
behavioral1: sample 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk, resource android-x64-20240624-en
behavioral2: sample 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk, resource android-x64-arm64-20240624-en
behavioral3: sample 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk, resource android-33-x64-arm64-20240624-en
behavioral4: sample 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk, resource android-x86-arm-20240624-en
General
Target: 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk
Size: 20.5MB
MD5: 662a29140ea32f87a19fa76996137563
SHA1: cd0a4bd3abbf0fe2773a9c7a7a589a0609582219
SHA256: 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4
SHA512: 511b9d8e95dc7fa26fbf385c4f8bbdd0120830d7a4a031ac6929807bf265e7edafaa4778cdae6e80e632b8f1cfd4e7fb194a776328082402fbd2d22b79174b0c
SSDEEP: 393216:tGtsJA35z7A79L+v291mbgafiubchZHb9T9i/zVN2I+TX3VyKpPbNiRSKcsbJo:tLJA35z7c5vLmbBffc3Hfi/zVN2Ikn08
Malware Config
Signatures
AndrMonitor
AndrMonitor is an Android stalkerware.

Checks if the Android device is rooted. 1 TTPs 3 IoCs
ioc                         process
/system/app/Superuser.apk   xspcmj.qiegf
/sbin/su                    xspcmj.qiegf
/system/bin/su              xspcmj.qiegf

Removes its main activity from the application launcher
pid    process
4636   xspcmj.qiegf
4636   xspcmj.qiegf
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc                                            pid    process
/data/user/0/xspcmj.qiegf/[email protected]   4636   xspcmj.qiegf
/data/user/0/xspcmj.qiegf/[email protected]   4636   xspcmj.qiegf
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs

Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
description              ioc                                                   process
Framework service call   android.accounts.IAccountManager.getAccountsAsUser    xspcmj.qiegf

Queries the phone number (MSISDN for GSM devices) 1 TTPs

Acquires the wake lock 1 IoCs
description              ioc                                        process
Framework service call   android.os.IPowerManager.acquireWakeLock   xspcmj.qiegf
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 64 IoCs
flow ids                                                                                     ioc
24, 25, 35                                                                                   prog-money.com
36                                                                                           andmon.name
26, 27, 28, 29, 45, 48, 49, 50, 52, 53, 55, 62, 63, 64, 67, 68, 69, 70, 71, 72, 73, 75, 76,   anmon.name
81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 96, 97, 102, 103, 104, 105, 106,
107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 125, 126, 127, 132, 139
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description              ioc                                                 process
Framework service call   android.app.IActivityManager.setServiceForeground   xspcmj.qiegf

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description              ioc                                               process
Framework service call   android.net.wifi.IWifiManager.getConnectionInfo   xspcmj.qiegf

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs

Reads information about phone network operator. 1 TTPs

Requests cell location 1 TTPs 1 IoCs
Uses Android APIs to get current cell information.
description              ioc                                                        process
Framework service call   com.android.internal.telephony.ITelephony.getAllCellInfo   xspcmj.qiegf

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description              ioc                                      process
Framework service call   android.app.job.IJobScheduler.schedule   xspcmj.qiegf
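Three of the signatures above are the ones an analyst most often wants to re-detect outside the sandbox: DNS traffic to the stalkerware domains, the su/Superuser.apk probes, and code loaded from the app's own private data directory. The script below is an added example; it is not part of the Triage report, not code from the AndrMonitor sample, and not the echap.eu.org indicator list. The domains, probe paths, package name and /data/user/0/ root are taken from the report as printed (andmon.name is kept exactly as the report lists it); the log line layout (timestamp, process, operation, argument), the timestamps, the benign processes and the payload.jar filename are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Indicators copied from the report above.
STALKERWARE_DOMAINS = {"anmon.name", "andmon.name", "prog-money.com"}
ROOT_PROBE_PATHS = {"/system/app/Superuser.apk", "/sbin/su", "/system/bin/su"}
PRIVATE_DATA_ROOT = "/data/user/0/"   # the dropped Dex/Jar files were loaded from here


@dataclass(frozen=True)
class Finding:
    kind: str        # "c2_domain" | "root_probe" | "dex_load"
    value: str
    process: str
    line_no: int


def domain_matches(qname: str, blocked: Iterable[str]) -> Optional[str]:
    """Return the blocked domain that `qname` equals or is a subdomain of.
    Matching stops at label boundaries, so 'notanmon.name' does not hit
    'anmon.name' and 'andmon.name' is not confused with 'anmon.name'."""
    q = qname.rstrip(".").lower()
    for d in blocked:
        if q == d or q.endswith("." + d):
            return d
    return None


# Assumed (constructed) line layout: "<timestamp> <process> <op> <argument>"
# with op one of "dns query", "open", "dexload". Not the sandbox's own format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+(?P<op>dns query|open|dexload)\s+(?P<arg>\S+)$"
)


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for n, raw in enumerate(lines, 1):
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # unknown layout: skip rather than guess
        proc, op, arg = m["proc"], m["op"], m["arg"]
        if op == "dns query":
            hit = domain_matches(arg, STALKERWARE_DOMAINS)
            if hit:
                findings.append(Finding("c2_domain", hit, proc, n))
        elif op == "open" and arg in ROOT_PROBE_PATHS:
            findings.append(Finding("root_probe", arg, proc, n))
        elif op == "dexload" and arg.startswith(PRIVATE_DATA_ROOT + proc + "/"):
            # Code loaded from the app's own private directory is the
            # "Loads dropped Dex/Jar" behaviour; system jars are not flagged.
            findings.append(Finding("dex_load", arg, proc, n))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, List[str]]:
    """Per-process list of behaviour kinds, the shape of the report's
    'Processes' section (one process, several signatures)."""
    out: Dict[str, set] = {}
    for f in findings:
        out.setdefault(f.process, set()).add(f.kind)
    return {p: sorted(k) for p, k in sorted(out.items())}


# Constructed sample log (timestamps, benign processes and 'payload.jar' are
# made up; the stalkerware process name, probe paths and domains are the report's).
SAMPLE_LOG = [
    "2024-08-02T19:38:01Z xspcmj.qiegf open /system/app/Superuser.apk",
    "2024-08-02T19:38:01Z xspcmj.qiegf open /sbin/su",
    "2024-08-02T19:38:01Z xspcmj.qiegf open /system/bin/su",
    "2024-08-02T19:38:02Z xspcmj.qiegf dexload /data/user/0/xspcmj.qiegf/payload.jar",
    "2024-08-02T19:38:03Z xspcmj.qiegf dns query api.anmon.name",
    "2024-08-02T19:38:03Z xspcmj.qiegf dns query prog-money.com.",
    "2024-08-02T19:38:04Z com.android.chrome dns query notanmon.name",
    "2024-08-02T19:38:05Z com.android.chrome dexload /system/framework/webview.jar",
    "2024-08-02T19:38:06Z com.android.settings open /system/bin/sh",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no:>2}: {f.process} {f.kind} {f.value}")
    print(summarize(scan_lines(SAMPLE_LOG)))
```

Suffix matching on label boundaries is the part worth keeping when porting this to a real resolver log or DNS firewall list: a plain substring check on "anmon.name" would also fire on unrelated hosts, and a plain equality check would miss the subdomains the flows above actually resolve.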
Processes
xspcmj.qiegf (PID 4636)
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests cell location
- Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
- Suppress Application Icon (1)
Downloads
/data/user/0/xspcmj.qiegf/[email protected]
Filesize: 2.6MB
MD5: 3bca1a576ba29bd493e42938a489aa5d
SHA1: 0e5d4bc3a7daf6864fb3076e6c1e9685e254efd9
SHA256: b1da8dddf686b15b020b54c3509896b4a96b080604cd9d9cbf302e4beee473ce
SHA512: 39a80b04bc764b98d47e035fb46ad89607bf599110bb5f62dc394f50e2c329fe913fe4be70b2a7879be3e2d7650eb9322f026e4996c62a45632e4045cc71bdc0

/data/user/0/xspcmj.qiegf/[email protected]
Filesize: 1.2MB
MD5: 336921950a9f279733cd787f1203d73d
SHA1: cefc36a7c17909054cf2a507b34f545af96c0e36
SHA256: c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c
SHA512: 6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87
(no path recorded)
Filesize: 124KB
MD5: f15335a640f24813c9b345c99da7e16d
SHA1: a0e7fdc85b3c1420bf342676be577f146f5dce49
SHA256: 6baf6ee8c7c503ed9962ff49957fe3c0b707171d1913450d97c84856a6ae31b9
SHA512: 5f51ec199de29b23e398d143c4f0faf58ba655a4f455ecafd5b6303c0ef428f3165f5db49daf4697f1dba3033da51113730ee5ad158a9ea9f8f6b9a10b044f19

(no path recorded)
Filesize: 96KB
MD5: 3c3619d9a67fb37f41efb93b7e0e0404
SHA1: 185115b6f3eb3f0badda385b3da9d5fe19e4848f
SHA256: 12299d57fdf638c610ddf110847d7b63e866eaabf397b5253b3c35292b345f75
SHA512: 3d9704a1f91e8d2f1ddc2f3737dd92310cdc54895ceebb4ae59b8921f1b7b4650733f6c576e81f5f2aa2ec97dfc77f033e043549bfe843ae5f12df887f43803e

(no path recorded)
Filesize: 96KB
MD5: ab97d43f2c4f24a0016aef1600fd92a5
SHA1: ef2af35028e27ebfc3987deeff6710e0f71de4fb
SHA256: 8d61501a21edd7889d050d38ac8036e862cde1264618b37552bd0c290430ae20
SHA512: 4d74aa1987aabaa821b8759395a551ac03fa4c66753718a5953595f9e245500e2ad9d91f73735e01b286811924274ac9277b89b4d5297fcf35754906dc890187

(no path recorded)
Filesize: 96KB
MD5: 72768b4efe61d3ed4b909679d96c4aaf
SHA1: 6f06972be82ca1cd2563d8eedafe4987fa90c178
SHA256: eaead603ede0a08a53d5587b087552b073cad8af5848a7287ee196b96e60b2e7
SHA512: 709622f4af8de22c0795e0e0ce9100b7380558d079d8b2091e42a5ef017935d16e6945481acec3cd8dc0e9c5f2e6ad365692ec471dc2e4e2157cdb0cf63d5504

(no path recorded)
Filesize: 96KB
MD5: f412bb8d33e081740b75f1ace9ff3485
SHA1: dc1c9d5c9d1664a59b14fec20677010b0a31edca
SHA256: 311f78b823cfd9e8ef5a3789c8b892abb441bcae16cb070288caa9a82a011d3f
SHA512: 56c00782010fc99246cecec86a4d15505f6051a03f786535abfb8d3deea599afb6cb4e98ec55257ce7fc0952dd5e934a6b6f645bc8f63a3b43376e4b36c1958e

(no path recorded)
Filesize: 172KB
MD5: b58bb9a8b7fae9063dbc964e898d5367
SHA1: 252e4deb2c457e1383f0223386f89e711e8cc1c9
SHA256: 5bbcbbf51c00db8d0283278725dfde9b0583bb3bb144b7ebf0f8bcba22e2f265
SHA512: 9d2227aad74695061403b9201528f3374e62852b13cb94e3a6bb75941bbac7f3910dc9305c0e36facd0b77da5739be4f6689571302a37310df94c4011a74466e

(no path recorded)
Filesize: 512B
MD5: 80ce83a304121904870aff57eaa5068e
SHA1: b32fd210aae50de5e7226a2bdadb0f17bbe42e07
SHA256: 94f1c65d7fa8b7a30c59778037eb1b3418ad40df8b8ea1788c932f2ff5fa1430
SHA512: c1e6443ce432fa9370cc78096542105c82e08c758e83f782ade3b135f039ac2b43f831fbef515f9065e80cfffa3ee6110056d813e14ee32380f0fc10ac694148

(no path recorded)
Filesize: 8KB
MD5: 2421fa083f226059886fbad0e08d966a
SHA1: 8a101cbaefe39c61a48efbf906dd88502b4d17ee
SHA256: 1bdfbbaec87ed4ca119e9cf1fda5ee40173f50dfbf8970c01956a203f6faadb2
SHA512: b7610599496ada8f43786085a1ef63a308e516d30f3efadac52b6e51c4653f124c9e171412ba561f252aef26cf8bd2affa36e84b0fb60482cc59482c51cac031

(no path recorded)
Filesize: 4KB
MD5: f5570df02e212a14b05db1bd5a838488
SHA1: 2a3f2cead4d37cdaf5a54948e8d06b4793ba8b65
SHA256: 53144784bb11009d207003625433bfc5ef221c537de276243e37d3efc0300e34
SHA512: ebcd07a443389b798608881ddd0bfd0382bc3290b388d2f092cf2cf9c5af648cc79574e41ccba9f92c8c5a2f3477de7d8dc38910520ed3ccc81b479d8a06af3d
(no path recorded)
Filesize: 8KB
MD5: 4e4830192270d5640b88cf9a17106441
SHA1: a5c63eae109746fa1b7da5c374d26861e77d4c5b
SHA256: 8266f5177a30f8571e470116f9cc4f6c5f2a3941fbb9762a0ec96f58a7380d74
SHA512: 223dfb8c51896680adac2d24db36ba4cf78114703c75b0b2f28c140c7e399f3ad937810b909e78e12c690f4b25ffdbf78541f805468296da9aee82f0dad27a62

(no path recorded)
Filesize: 12KB
MD5: 4f6f0ec4ff44117cd1ab712e1595e742
SHA1: e64dcefaa3d2fa7863c27913984588b5923beee7
SHA256: ae23e73911a8a7fa0465c80966d139fd825970d826ccf27cd9fc9b9a5f45daa0
SHA512: 2abf9c40b93bc2eacf6d51ea9cb5d0f552af0ac2a28075624cd4c6e74ede1496cfff6f359c7360903ed946bd55977b2a35721c79a1c798d18a7d08e72632b8e9

(no path recorded)
Filesize: 24KB
MD5: 091da3fffb0f9437176ad96b1856a802
SHA1: 716b7d32dae09b9fa459bb6a0413e130009727ba
SHA256: 3374a0c372e31d2fea4b78d89a72461ae6e781f8cca2100dddb454739b7cc34d
SHA512: 67de6afe69a9ed4c8ad5f798e046da8c69b468bb98e7bb5ad093363aa7a468734f8400677c1c11377718c8029bbb0f3e141ac4b2f5cc22f59fff81bc04fe459d

(no path recorded)
Filesize: 2.6MB
MD5: 8aa5d8f3622ac78fa2cc58d58c87dfaf
SHA1: 33071f0a26c21320a749a25a5e94a694aaf346de
SHA256: db50acab3ed87a8cf5df819c8c88e3364f966dd5279d1f3a3f8e3154ab8cc326
SHA512: 0ca20d27a1e8511ef0d588d15fe4c6f443a706af90d414e94d4d7e021080309f574892c327054c9b072a6a8740a9ab88e774116d2d815ed839ea7f813ef35251

(no path recorded)
Filesize: 1.2MB
MD5: 51112e0a7f7962a8e02bc885025414ef
SHA1: 40622959af4fe349d8881c885b9b30441de8804c
SHA256: 2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0
SHA512: f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402

(no path recorded)
Filesize: 173B
MD5: b60b62e406eb2f7be6ad4ad1da897038
SHA1: 2a69521859f4848728d14e301425419582cb9064
SHA256: 7df194d78e120d2b64ae6197a3bd898a9f78572583f8c43f5f01a4d5e575017d
SHA512: 8f38781035a6f9ed6f3575576e912f6d1700b2c0be23dd32756ea5480ae9170d46d161a8e941ff07767effe4aab7fad2d5c6c2b6b6b1341fc005bdf66e0f4a0b

(no path recorded)
Filesize: 152B
MD5: fbba0b36389720be5455598fb78fa9b7
SHA1: 41ee865dba210ce2e2c40f3b338de1f93f38d430
SHA256: d6220d5889b61d7d8182f5f2d32e439dc6e354248bd4af335d9ab9da204ead02
SHA512: 9c504cb5cdca06f0954f2236483903d2feaa6c5da649659100c184bd934611279aea259b723fc4145ffcb36fa3941e8a7e4f8593bbc87106113bf29e122b175c

(no path recorded)
Filesize: 4KB
MD5: 3db705ed1e50ba25c9c3e792c3fd825a
SHA1: 3f1c50c5cb4ee25682fd1491a4bff6fa1f10c3f2
SHA256: df1e4a1ce3aec2b415311d9184e33bed47f858f6ec49a9a78214192f96fabb3f
SHA512: 3a4c6d5abe24e7e57e5d62b4a17563a1efe38d0252642f0d4230bacbd13ebd1425700039b168581d1b671595e1a99f91b27f0114b3a6383f8632463899ebe62f

(no path recorded)
Filesize: 64B
MD5: 6fe60740265991d42afd079005b94dc0
SHA1: da186e310b5e6176cadba79e39996caa3c60fe9a
SHA256: c7ad823e748c89abc55dd7cdc482d066fecc5e891844e2c436788026ded09126
SHA512: 03982c119f75c66a22e22fc3b9dca9a27b708a33b58f84817636002549a314bb3bced27782a780db854d0b99e1b25dd0d0abcf89ba78bd2da95b24d561fa3b41
(no path recorded)
Filesize: 72B
MD5: 93ed26736bb5303b8b9ffcc9e9ec00cb
SHA1: cb118868f2b4f45cfce54bf1b644210f855e972b
SHA256: 9569151200d7efc2968705a6482701e16ade28ca3b343eff0267cc9f61133b47
SHA512: 1afae8380f56dfdf6748fc726330bc6aff75e83aabbd8e2531c0ab5e3b223883b8067442e220e43c3790c064bd57ae6ce672fd9f62b73b0ab66b45a000b59f07

(no path recorded)
Filesize: 183B
MD5: f6809fec140c901b4deaebcf0e5db710
SHA1: 89dd87ff3e16b431222685bba444ac5b796e0a9f
SHA256: 1058a71512f3d7eed745cb4cb9e39be61857edd04f717387d4abe4295cf2a939
SHA512: 0ee83d1b37894bb9e20ec84d4f988a900634a204502afc9b3d7dfee88568ef2c68582d1c03c1f6b8d6e810475beb7311601cf63b72d31ccc15f746810cf938ec

(no path recorded)
Filesize: 129B
MD5: d606bf680f25571ed90438b25707efd0
SHA1: 2f09643b874e02cfad7fae2ea213f77dddc373af
SHA256: d811ec6303f2ca459070822d02858914c2f82757bc95149b2317d3a39d0cb848
SHA512: ce467128c0df16c52a96ded391504108f64b3b7be7b0214e4b43e88309a6ed423c41c092694714392f4c91040863fbff8443f096234c51fc3e3cef54e98ef6be

(no path recorded)
Filesize: 26KB
MD5: fa2d5ea8f2b317a8fb3726ee7159a993
SHA1: 8c5488e656ef71021dea78c284518e6cd0d81061
SHA256: f28d62433c0ea22a7924670f35a5bd578b591ad8b92ee993cc5c48cd85e6edf1
SHA512: e984606986faa9acfaf14ea3db07745389103d7a2f2fcebd0bfe5d0789180b5ede6bb9e295ddcc3d53cdc578ad18231e2b77e3b7d5b0df95b3f356132c6ce9f9

(no path recorded)
Filesize: 6KB
MD5: 5ae7aea69d47bb9a7078389e4a01f4cb
SHA1: 8fbc85db7721172d99cb6c57d29f6fe0404eee90
SHA256: b60a06b7e528293cce02d173ce9f893b5d77f0afa608f6bb84651a01dcaf20eb
SHA512: 22064292b25a88c56d44ea27ae6439ef545774d82b59439ad99b7d8db531076c784967344a4c484890827386aaff657cffaecb92035082a7ae87e922b80ff46f

(no path recorded)
Filesize: 220B
MD5: a2545cb2ed3bd78060ec8f43e3a4f763
SHA1: 67940177694f99d552152a36b46b8bf17d54f0ec
SHA256: b501e55eac9da9c1cddab05046e6e043d2d6220da907b72dcb3b09a579eef299
SHA512: 2cc0f86234e15996c16a900b31527e071242dfc646851be52662943eaea1021e5c8e761a376d184e64da6c51899b8b28197f9f4d9d89635a0569569d90def4fd

(no path recorded)
Filesize: 46KB
MD5: 96b98ae18607f59122e8d700da2bdbac
SHA1: 5a1b79a23dcff1ad3185cad02cd18032d12dde0f
SHA256: 284f76fa6e5080d66e455b4e5b1d3bbb71e8936daed0e147a3be95e11f8f4bb8
SHA512: afdd256144106eb09e8514d2cd13e8e2cec86f042e397a90090ad293651ff94cd48d2e8912c0f6c9542222cc78fda7fa34ef128ae136ad3cdd1d5fcde34bee78

(no path recorded)
Filesize: 72B
MD5: fda9182e3ed7babfe6cdfb2fc79f91a4
SHA1: 63c41d4facdb15262581b9096fef50492c48c801
SHA256: d09df77525b05a62e89c70cc207651dd416cf2b9a73d0ac5b37db77e93325803
SHA512: 8554dbe745a8b52ee7cce25f4cd6ed4a92601223b616ad8357bcce09a9907b09dab3042220d2c41649b3b70b409124c1c2c8efac855c10d8c347c662bb3f98d7

(no path recorded)
Filesize: 64KB
MD5: 13684d2547f64dabfe299d1c6553a05f
SHA1: b000477d2cb51e917f2ebce3a8c53745ba7e0fd0
SHA256: 3cf935d3101700253aa86e9d233201e587cfdd71b44491414b9d0f8f351febc0
SHA512: e75a7c2d43b9223cbb58cf21640ed86a1df77fbeab56d9f7904748898feac40aa6a372dfdfd44c93ea8480dad2f9889684bf37b85549d4bf8e2a2c7c79172217

(no path recorded)
Filesize: 64KB
MD5: bbf9158f13f7c701d80dab17d537c759
SHA1: 8da97bdcc77cef438a780dc39157232d030aba98
SHA256: e3942757502bbbb56faac1cac637f72d7c4f54cff3853916ed3c5d123d334d65
SHA512: d4472f1129c7d30195d657d7145a9fd776df0c6c9d89f81f6e1b6bf5e54a7b4f86df4894e5f766088f4093d30d78b790a6785b50e8691188a3da09cd92ca3959
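The Downloads list above is what you get after pulling the app's private directory off the emulator (a rooted image, as the sandbox's is; on a production device only root or run-as on a debuggable app can read /data/user/0/<pkg>/) and hashing every file. The script below is an added example, not part of the Triage report and not the sandbox's own tooling: it hashes and classifies a directory of recovered files by magic bytes rather than extension (the two files the "Loads dropped Dex/Jar" signature fired on are what this is meant to surface), and flags any file whose SHA256 the report already lists. The two SHA256 values in KNOWN_DROPPED_SHA256 are copied from the named entries above; the sample files written by make_samples() are constructed for the example and will not match them.

```python
import hashlib
import io
import os
import tempfile
import zipfile
from typing import Dict, List

# SHA256 values copied from the two named entries in the "Downloads" list.
KNOWN_DROPPED_SHA256 = {
    "b1da8dddf686b15b020b54c3509896b4a96b080604cd9d9cbf302e4beee473ce": "2.6MB file loaded from /data/user/0/xspcmj.qiegf/",
    "c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c": "1.2MB file loaded from /data/user/0/xspcmj.qiegf/",
}

CODE_TYPES = {"dex", "elf", "jar-with-dex"}


def classify(data: bytes) -> str:
    """Identify code containers by file magic, not by extension: dropped
    payloads are routinely renamed to look like cache or config data."""
    if data[:4] == b"dex\n":              # Dalvik executable: 'dex\n' + 3-digit version + NUL
        return "dex"
    if data[:4] == b"\x7fELF":            # native library or binary
        return "elf"
    if data[:2] == b"PK":                 # zip container; jar and apk are zips
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        return "jar-with-dex" if any(n.endswith(".dex") for n in names) else "zip"
    return "other"


def digests(data: bytes) -> Dict[str, str]:
    """The three digests the report records per file (it also lists SHA512)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def triage_dir(directory: str) -> List[dict]:
    """Hash and classify every regular file under `directory`, flagging
    loadable code and anything whose SHA256 the report already lists."""
    rows = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                data = fh.read()
            d = digests(data)
            kind = classify(data)
            rows.append({
                "path": os.path.relpath(full, directory),
                "size": len(data),
                "type": kind,
                "is_code": kind in CODE_TYPES,
                "known_dropped": d["sha256"] in KNOWN_DROPPED_SHA256,
                **d,
            })
    return sorted(rows, key=lambda r: r["path"])


def make_samples(directory: str) -> None:
    """Constructed sample files (not data from the report): a DEX renamed to
    look like cache data, a jar carrying classes.dex, and a plain XML file."""
    with open(os.path.join(directory, "cache.tmp"), "wb") as fh:
        fh.write(b"dex\n035\x00" + b"\x00" * 64)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
    with open(os.path.join(directory, "update.bin"), "wb") as fh:
        fh.write(buf.getvalue())
    with open(os.path.join(directory, "prefs.xml"), "wb") as fh:
        fh.write(b"<map/>\n")


def demo() -> List[dict]:
    """Build the constructed samples in a temp dir and triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        make_samples(tmp)
        return triage_dir(tmp)


if __name__ == "__main__":
    for row in demo():
        flag = "CODE " if row["is_code"] else "     "
        print(f"{flag}{row['type']:<13} {row['size']:>6}B {row['sha256']}  {row['path']}")
```

Point the same triage_dir() at a directory pulled with adb from the emulator and the two report hashes above will light up as known_dropped; the is_code column is what separates the loaded Dex/Jar payloads from the small preference and cache files that make up most of the list.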