Analysis

  • max time kernel
    1817s
  • max time network
    1825s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android
    arch:arm
    arch:arm64
    arch:x64
    arch:x86
    image:android-x64-arm64-20240624-en
    locale:en-us
    os:android-11-x64
    system
  • submitted
    02-08-2024 19:37

General

  • Target

    960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4.apk

  • Size

    20.5MB

  • MD5

    662a29140ea32f87a19fa76996137563

  • SHA1

    cd0a4bd3abbf0fe2773a9c7a7a589a0609582219

  • SHA256

    960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4

  • SHA512

    511b9d8e95dc7fa26fbf385c4f8bbdd0120830d7a4a031ac6929807bf265e7edafaa4778cdae6e80e632b8f1cfd4e7fb194a776328082402fbd2d22b79174b0c

  • SSDEEP

    393216:tGtsJA35z7A79L+v291mbgafiubchZHb9T9i/zVN2I+TX3VyKpPbNiRSKcsbJo:tLJA35z7c5vLmbBffc3Hfi/zVN2Ikn08

Malware Config

Signatures

  • AndrMonitor

    AndrMonitor is an Android stalkerware.

  • Checks if the Android device is rooted. 1 TTPs 3 IoCs
  • Removes its main activity from the application launcher 1 TTPs 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 64 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests cell location 1 TTPs 1 IoCs

    Uses Android APIs to get current cell information.

  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • xspcmj.qiegf
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Requests cell location
    • Schedules tasks to execute at a specified time
    PID:4636

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/xspcmj.qiegf/[email protected]

    Filesize

    2.6MB

    MD5

    3bca1a576ba29bd493e42938a489aa5d

    SHA1

    0e5d4bc3a7daf6864fb3076e6c1e9685e254efd9

    SHA256

    b1da8dddf686b15b020b54c3509896b4a96b080604cd9d9cbf302e4beee473ce

    SHA512

    39a80b04bc764b98d47e035fb46ad89607bf599110bb5f62dc394f50e2c329fe913fe4be70b2a7879be3e2d7650eb9322f026e4996c62a45632e4045cc71bdc0

  • /data/user/0/xspcmj.qiegf/[email protected]

    Filesize

    1.2MB

    MD5

    336921950a9f279733cd787f1203d73d

    SHA1

    cefc36a7c17909054cf2a507b34f545af96c0e36

    SHA256

    c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c

    SHA512

    6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87

  • /data/user/0/xspcmj.qiegf/databases/SettingsDB

    Filesize

    124KB

    MD5

    f15335a640f24813c9b345c99da7e16d

    SHA1

    a0e7fdc85b3c1420bf342676be577f146f5dce49

    SHA256

    6baf6ee8c7c503ed9962ff49957fe3c0b707171d1913450d97c84856a6ae31b9

    SHA512

    5f51ec199de29b23e398d143c4f0faf58ba655a4f455ecafd5b6303c0ef428f3165f5db49daf4697f1dba3033da51113730ee5ad158a9ea9f8f6b9a10b044f19

  • /data/user/0/xspcmj.qiegf/databases/SettingsDB

    Filesize

    96KB

    MD5

    3c3619d9a67fb37f41efb93b7e0e0404

    SHA1

    185115b6f3eb3f0badda385b3da9d5fe19e4848f

    SHA256

    12299d57fdf638c610ddf110847d7b63e866eaabf397b5253b3c35292b345f75

    SHA512

    3d9704a1f91e8d2f1ddc2f3737dd92310cdc54895ceebb4ae59b8921f1b7b4650733f6c576e81f5f2aa2ec97dfc77f033e043549bfe843ae5f12df887f43803e

  • /data/user/0/xspcmj.qiegf/databases/SettingsDB

    Filesize

    96KB

    MD5

    ab97d43f2c4f24a0016aef1600fd92a5

    SHA1

    ef2af35028e27ebfc3987deeff6710e0f71de4fb

    SHA256

    8d61501a21edd7889d050d38ac8036e862cde1264618b37552bd0c290430ae20

    SHA512

    4d74aa1987aabaa821b8759395a551ac03fa4c66753718a5953595f9e245500e2ad9d91f73735e01b286811924274ac9277b89b4d5297fcf35754906dc890187

  • /data/user/0/xspcmj.qiegf/databases/SettingsDB

    Filesize

    96KB

    MD5

    72768b4efe61d3ed4b909679d96c4aaf

    SHA1

    6f06972be82ca1cd2563d8eedafe4987fa90c178

    SHA256

    eaead603ede0a08a53d5587b087552b073cad8af5848a7287ee196b96e60b2e7

    SHA512

    709622f4af8de22c0795e0e0ce9100b7380558d079d8b2091e42a5ef017935d16e6945481acec3cd8dc0e9c5f2e6ad365692ec471dc2e4e2157cdb0cf63d5504

  • /data/user/0/xspcmj.qiegf/databases/SettingsDB

    Filesize

    96KB

    MD5

    f412bb8d33e081740b75f1ace9ff3485

    SHA1

    dc1c9d5c9d1664a59b14fec20677010b0a31edca

    SHA256

    311f78b823cfd9e8ef5a3789c8b892abb441bcae16cb070288caa9a82a011d3f

    SHA512

    56c00782010fc99246cecec86a4d15505f6051a03f786535abfb8d3deea599afb6cb4e98ec55257ce7fc0952dd5e934a6b6f645bc8f63a3b43376e4b36c1958e

  • /data/user/0/xspcmj.qiegf/databases/SettingsDB

    Filesize

    172KB

    MD5

    b58bb9a8b7fae9063dbc964e898d5367

    SHA1

    252e4deb2c457e1383f0223386f89e711e8cc1c9

    SHA256

    5bbcbbf51c00db8d0283278725dfde9b0583bb3bb144b7ebf0f8bcba22e2f265

    SHA512

    9d2227aad74695061403b9201528f3374e62852b13cb94e3a6bb75941bbac7f3910dc9305c0e36facd0b77da5739be4f6689571302a37310df94c4011a74466e

  • /data/user/0/xspcmj.qiegf/databases/SettingsDB-journal

    Filesize

    512B

    MD5

    80ce83a304121904870aff57eaa5068e

    SHA1

    b32fd210aae50de5e7226a2bdadb0f17bbe42e07

    SHA256

    94f1c65d7fa8b7a30c59778037eb1b3418ad40df8b8ea1788c932f2ff5fa1430

    SHA512

    c1e6443ce432fa9370cc78096542105c82e08c758e83f782ade3b135f039ac2b43f831fbef515f9065e80cfffa3ee6110056d813e14ee32380f0fc10ac694148

  • /data/user/0/xspcmj.qiegf/databases/SettingsDB-journal

    Filesize

    8KB

    MD5

    2421fa083f226059886fbad0e08d966a

    SHA1

    8a101cbaefe39c61a48efbf906dd88502b4d17ee

    SHA256

    1bdfbbaec87ed4ca119e9cf1fda5ee40173f50dfbf8970c01956a203f6faadb2

    SHA512

    b7610599496ada8f43786085a1ef63a308e516d30f3efadac52b6e51c4653f124c9e171412ba561f252aef26cf8bd2affa36e84b0fb60482cc59482c51cac031

  • /data/user/0/xspcmj.qiegf/databases/SettingsDB-journal

    Filesize

    4KB

    MD5

    f5570df02e212a14b05db1bd5a838488

    SHA1

    2a3f2cead4d37cdaf5a54948e8d06b4793ba8b65

    SHA256

    53144784bb11009d207003625433bfc5ef221c537de276243e37d3efc0300e34

    SHA512

    ebcd07a443389b798608881ddd0bfd0382bc3290b388d2f092cf2cf9c5af648cc79574e41ccba9f92c8c5a2f3477de7d8dc38910520ed3ccc81b479d8a06af3d

  • /data/user/0/xspcmj.qiegf/databases/SettingsDB-journal

    Filesize

    8KB

    MD5

    4e4830192270d5640b88cf9a17106441

    SHA1

    a5c63eae109746fa1b7da5c374d26861e77d4c5b

    SHA256

    8266f5177a30f8571e470116f9cc4f6c5f2a3941fbb9762a0ec96f58a7380d74

    SHA512

    223dfb8c51896680adac2d24db36ba4cf78114703c75b0b2f28c140c7e399f3ad937810b909e78e12c690f4b25ffdbf78541f805468296da9aee82f0dad27a62

  • /data/user/0/xspcmj.qiegf/databases/SettingsDB-journal

    Filesize

    12KB

    MD5

    4f6f0ec4ff44117cd1ab712e1595e742

    SHA1

    e64dcefaa3d2fa7863c27913984588b5923beee7

    SHA256

    ae23e73911a8a7fa0465c80966d139fd825970d826ccf27cd9fc9b9a5f45daa0

    SHA512

    2abf9c40b93bc2eacf6d51ea9cb5d0f552af0ac2a28075624cd4c6e74ede1496cfff6f359c7360903ed946bd55977b2a35721c79a1c798d18a7d08e72632b8e9

  • /data/user/0/xspcmj.qiegf/databases/SettingsDB-journal

    Filesize

    24KB

    MD5

    091da3fffb0f9437176ad96b1856a802

    SHA1

    716b7d32dae09b9fa459bb6a0413e130009727ba

    SHA256

    3374a0c372e31d2fea4b78d89a72461ae6e781f8cca2100dddb454739b7cc34d

    SHA512

    67de6afe69a9ed4c8ad5f798e046da8c69b468bb98e7bb5ad093363aa7a468734f8400677c1c11377718c8029bbb0f3e141ac4b2f5cc22f59fff81bc04fe459d

  • /storage/emulated/0/.am/dm/md/main.md

    Filesize

    2.6MB

    MD5

    8aa5d8f3622ac78fa2cc58d58c87dfaf

    SHA1

    33071f0a26c21320a749a25a5e94a694aaf346de

    SHA256

    db50acab3ed87a8cf5df819c8c88e3364f966dd5279d1f3a3f8e3154ab8cc326

    SHA512

    0ca20d27a1e8511ef0d588d15fe4c6f443a706af90d414e94d4d7e021080309f574892c327054c9b072a6a8740a9ab88e774116d2d815ed839ea7f813ef35251

  • /storage/emulated/0/.am/dm/md/main_tools.md

    Filesize

    1.2MB

    MD5

    51112e0a7f7962a8e02bc885025414ef

    SHA1

    40622959af4fe349d8881c885b9b30441de8804c

    SHA256

    2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0

    SHA512

    f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402

  • /storage/emulated/0/.am/log.txt

    Filesize

    173B

    MD5

    b60b62e406eb2f7be6ad4ad1da897038

    SHA1

    2a69521859f4848728d14e301425419582cb9064

    SHA256

    7df194d78e120d2b64ae6197a3bd898a9f78572583f8c43f5f01a4d5e575017d

    SHA512

    8f38781035a6f9ed6f3575576e912f6d1700b2c0be23dd32756ea5480ae9170d46d161a8e941ff07767effe4aab7fad2d5c6c2b6b6b1341fc005bdf66e0f4a0b

  • /storage/emulated/0/.am/log.txt

    Filesize

    152B

    MD5

    fbba0b36389720be5455598fb78fa9b7

    SHA1

    41ee865dba210ce2e2c40f3b338de1f93f38d430

    SHA256

    d6220d5889b61d7d8182f5f2d32e439dc6e354248bd4af335d9ab9da204ead02

    SHA512

    9c504cb5cdca06f0954f2236483903d2feaa6c5da649659100c184bd934611279aea259b723fc4145ffcb36fa3941e8a7e4f8593bbc87106113bf29e122b175c

  • /storage/emulated/0/.am/log.txt

    Filesize

    4KB

    MD5

    3db705ed1e50ba25c9c3e792c3fd825a

    SHA1

    3f1c50c5cb4ee25682fd1491a4bff6fa1f10c3f2

    SHA256

    df1e4a1ce3aec2b415311d9184e33bed47f858f6ec49a9a78214192f96fabb3f

    SHA512

    3a4c6d5abe24e7e57e5d62b4a17563a1efe38d0252642f0d4230bacbd13ebd1425700039b168581d1b671595e1a99f91b27f0114b3a6383f8632463899ebe62f

  • /storage/emulated/0/.am/log.txt

    Filesize

    64B

    MD5

    6fe60740265991d42afd079005b94dc0

    SHA1

    da186e310b5e6176cadba79e39996caa3c60fe9a

    SHA256

    c7ad823e748c89abc55dd7cdc482d066fecc5e891844e2c436788026ded09126

    SHA512

    03982c119f75c66a22e22fc3b9dca9a27b708a33b58f84817636002549a314bb3bced27782a780db854d0b99e1b25dd0d0abcf89ba78bd2da95b24d561fa3b41

  • /storage/emulated/0/.am/log.txt

    Filesize

    72B

    MD5

    93ed26736bb5303b8b9ffcc9e9ec00cb

    SHA1

    cb118868f2b4f45cfce54bf1b644210f855e972b

    SHA256

    9569151200d7efc2968705a6482701e16ade28ca3b343eff0267cc9f61133b47

    SHA512

    1afae8380f56dfdf6748fc726330bc6aff75e83aabbd8e2531c0ab5e3b223883b8067442e220e43c3790c064bd57ae6ce672fd9f62b73b0ab66b45a000b59f07

  • /storage/emulated/0/.am/log.txt

    Filesize

    183B

    MD5

    f6809fec140c901b4deaebcf0e5db710

    SHA1

    89dd87ff3e16b431222685bba444ac5b796e0a9f

    SHA256

    1058a71512f3d7eed745cb4cb9e39be61857edd04f717387d4abe4295cf2a939

    SHA512

    0ee83d1b37894bb9e20ec84d4f988a900634a204502afc9b3d7dfee88568ef2c68582d1c03c1f6b8d6e810475beb7311601cf63b72d31ccc15f746810cf938ec

  • /storage/emulated/0/.am/log.txt

    Filesize

    129B

    MD5

    d606bf680f25571ed90438b25707efd0

    SHA1

    2f09643b874e02cfad7fae2ea213f77dddc373af

    SHA256

    d811ec6303f2ca459070822d02858914c2f82757bc95149b2317d3a39d0cb848

    SHA512

    ce467128c0df16c52a96ded391504108f64b3b7be7b0214e4b43e88309a6ed423c41c092694714392f4c91040863fbff8443f096234c51fc3e3cef54e98ef6be

  • /storage/emulated/0/.am/log_.txt

    Filesize

    26KB

    MD5

    fa2d5ea8f2b317a8fb3726ee7159a993

    SHA1

    8c5488e656ef71021dea78c284518e6cd0d81061

    SHA256

    f28d62433c0ea22a7924670f35a5bd578b591ad8b92ee993cc5c48cd85e6edf1

    SHA512

    e984606986faa9acfaf14ea3db07745389103d7a2f2fcebd0bfe5d0789180b5ede6bb9e295ddcc3d53cdc578ad18231e2b77e3b7d5b0df95b3f356132c6ce9f9

  • /storage/emulated/0/.am/log_.txt.zip

    Filesize

    6KB

    MD5

    5ae7aea69d47bb9a7078389e4a01f4cb

    SHA1

    8fbc85db7721172d99cb6c57d29f6fe0404eee90

    SHA256

    b60a06b7e528293cce02d173ce9f893b5d77f0afa608f6bb84651a01dcaf20eb

    SHA512

    22064292b25a88c56d44ea27ae6439ef545774d82b59439ad99b7d8db531076c784967344a4c484890827386aaff657cffaecb92035082a7ae87e922b80ff46f

  • /storage/emulated/0/.am/log_1722642714304.txt.zip

    Filesize

    220B

    MD5

    a2545cb2ed3bd78060ec8f43e3a4f763

    SHA1

    67940177694f99d552152a36b46b8bf17d54f0ec

    SHA256

    b501e55eac9da9c1cddab05046e6e043d2d6220da907b72dcb3b09a579eef299

    SHA512

    2cc0f86234e15996c16a900b31527e071242dfc646851be52662943eaea1021e5c8e761a376d184e64da6c51899b8b28197f9f4d9d89635a0569569d90def4fd

  • /storage/emulated/0/.am/mch.apk

    Filesize

    46KB

    MD5

    96b98ae18607f59122e8d700da2bdbac

    SHA1

    5a1b79a23dcff1ad3185cad02cd18032d12dde0f

    SHA256

    284f76fa6e5080d66e455b4e5b1d3bbb71e8936daed0e147a3be95e11f8f4bb8

    SHA512

    afdd256144106eb09e8514d2cd13e8e2cec86f042e397a90090ad293651ff94cd48d2e8912c0f6c9542222cc78fda7fa34ef128ae136ad3cdd1d5fcde34bee78

  • /storage/emulated/0/.am/prog_class.name

    Filesize

    72B

    MD5

    fda9182e3ed7babfe6cdfb2fc79f91a4

    SHA1

    63c41d4facdb15262581b9096fef50492c48c801

    SHA256

    d09df77525b05a62e89c70cc207651dd416cf2b9a73d0ac5b37db77e93325803

    SHA512

    8554dbe745a8b52ee7cce25f4cd6ed4a92601223b616ad8357bcce09a9907b09dab3042220d2c41649b3b70b409124c1c2c8efac855c10d8c347c662bb3f98d7

  • /storage/emulated/0/Android/data/xspcmj.qiegf/files/Download/mch.apk (deleted)

    Filesize

    64KB

    MD5

    13684d2547f64dabfe299d1c6553a05f

    SHA1

    b000477d2cb51e917f2ebce3a8c53745ba7e0fd0

    SHA256

    3cf935d3101700253aa86e9d233201e587cfdd71b44491414b9d0f8f351febc0

    SHA512

    e75a7c2d43b9223cbb58cf21640ed86a1df77fbeab56d9f7904748898feac40aa6a372dfdfd44c93ea8480dad2f9889684bf37b85549d4bf8e2a2c7c79172217

  • /storage/emulated/0/Android/data/xspcmj.qiegf/files/Download/mch.apk (deleted)

    Filesize

    64KB

    MD5

    bbf9158f13f7c701d80dab17d537c759

    SHA1

    8da97bdcc77cef438a780dc39157232d030aba98

    SHA256

    e3942757502bbbb56faac1cac637f72d7c4f54cff3853916ed3c5d123d334d65

    SHA512

    d4472f1129c7d30195d657d7145a9fd776df0c6c9d89f81f6e1b6bf5e54a7b4f86df4894e5f766088f4093d30d78b790a6785b50e8691188a3da09cd92ca3959