Analysis
max time kernel: 36s
max time network: 50s
platform: android_x64
resource: android-x64-arm64-20240624-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
submitted: 22-08-2024 18:21
Behavioral task: behavioral1
Sample: am.apk
Resource: android-x64-arm64-20240624-en
General
Target: am.apk
Size: 20.5MB
MD5: 662a29140ea32f87a19fa76996137563
SHA1: cd0a4bd3abbf0fe2773a9c7a7a589a0609582219
SHA256: 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4
SHA512: 511b9d8e95dc7fa26fbf385c4f8bbdd0120830d7a4a031ac6929807bf265e7edafaa4778cdae6e80e632b8f1cfd4e7fb194a776328082402fbd2d22b79174b0c
SSDEEP: 393216:tGtsJA35z7A79L+v291mbgafiubchZHb9T9i/zVN2I+TX3VyKpPbNiRSKcsbJo:tLJA35z7c5vLmbBffc3Hfi/zVN2Ikn08
Malware Config
Signatures

AndrMonitor
AndrMonitor is Android stalkerware.

Checks if the Android device is rooted. (1 TTP, 3 IoCs)
IoC                        Process
/system/app/Superuser.apk  xspcmj.qiegf
/sbin/su                   xspcmj.qiegf
/system/bin/su             xspcmj.qiegf
PID   Process
4465  xspcmj.qiegf

Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs an executable file dropped to the device during analysis.
IoC                                          PID   Process
/data/user/0/xspcmj.qiegf/[email protected]  4465  xspcmj.qiegf
/data/user/0/xspcmj.qiegf/[email protected]  4465  xspcmj.qiegf

Queries a list of all the installed applications on the device (may be used in an attempt to overlay legitimate apps) (1 TTP)

Queries account information for other applications stored on the device (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect account information stored on the device.
Description             IoC                                                 Process
Framework service call  android.accounts.IAccountManager.getAccountsAsUser  xspcmj.qiegf

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Acquires the wake lock (1 IoC)
Description             IoC                                          Process
Framework service call  android.os.IPowerManager.acquireWakeLock     xspcmj.qiegf

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (6 IoCs)
Flow  IoC
26    prog-money.com
29    anmon.name
30    anmon.name
32    anmon.name
33    andmon.name
25    prog-money.com

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to keep running in the foreground.
Description             IoC                                                Process
Framework service call  android.app.IActivityManager.setServiceForeground  xspcmj.qiegf

Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
Description             IoC                                               Process
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo   xspcmj.qiegf

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)

Reads information about the phone network operator. (1 TTP)

Requests cell location (1 TTP, 1 IoC)
Uses Android APIs to get current cell information.
Description             IoC                                                      Process
Framework service call  com.android.internal.telephony.ITelephony.getAllCellInfo  xspcmj.qiegf

Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
Application may abuse the framework's APIs to schedule initial or recurring execution of malicious code.
Description             IoC                                        Process
Framework service call  android.app.job.IJobScheduler.schedule     xspcmj.qiegf
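As an added example that is not part of the sandbox report or of the sample's own code, the Python below gathers the network and file indicators from this report (the three stalkerware domains in the signatures, the sample's SHA-256 from General, and the two dropped-dex SHA-256 values from the Downloads section) and runs them over DNS-log lines and file digests the way an analyst would during triage. The log-line layout (`<timestamp> <client> <qtype> <qname>`), the client address 10.0.2.16 and the log lines themselves are constructed here and are not taken from the report.

```python
"""Triage helper: match the indicators from the AndrMonitor report against
DNS-log lines and file digests. Added example; the log format, client
address and log lines are constructed for illustration, not captured."""
import hashlib
import re

# Indicators copied from the report.
STALKERWARE_DOMAINS = {"prog-money.com", "anmon.name", "andmon.name"}
SAMPLE_SHA256 = "960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4"
DROPPED_DEX_SHA256 = {
    "b1da8dddf686b15b020b54c3509896b4a96b080604cd9d9cbf302e4beee473ce",  # 2.6MB dropped dex
    "c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c",  # 1.2MB dropped dex
}


def domain_matches(qname, domains=STALKERWARE_DOMAINS):
    """Return the indicator that qname equals or is a subdomain of, else None.

    Testing for the '.' + domain suffix (not a bare endswith) keeps look-alikes
    such as notanmon.name from matching; a trailing dot (FQDN form) is tolerated.
    """
    q = qname.lower().rstrip(".")
    for d in domains:
        if q == d or q.endswith("." + d):
            return d
    return None


# Assumed log-line shape: <timestamp> <client> <qtype> <qname>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def scan_dns_log(lines):
    """Return (timestamp, client, qname, indicator) for each query that hits an indicator.

    Lines that do not parse are skipped so one malformed record cannot abort the scan.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue
        ind = domain_matches(m["qname"])
        if ind is not None:
            hits.append((m["ts"], m["client"], m["qname"], ind))
    return hits


def classify_sha256(digest):
    """Map a SHA-256 hex digest to the artefact it identifies in the report, or None."""
    d = digest.strip().lower()
    if d == SAMPLE_SHA256:
        return "am.apk"
    if d in DROPPED_DEX_SHA256:
        return "dropped-dex"
    return None


def sha256_of(data):
    """SHA-256 hex digest of in-memory bytes (pass open(path, 'rb').read() for a real file)."""
    return hashlib.sha256(data).hexdigest()


# Constructed DNS-log lines (not from the report); 10.0.2.16 is an assumed client address.
SAMPLE_LOG = [
    "2024-08-22T18:21:05Z 10.0.2.16 A prog-money.com",
    "2024-08-22T18:21:07Z 10.0.2.16 A www.example.com",
    "2024-08-22T18:21:09Z 10.0.2.16 A api.anmon.name",
    "2024-08-22T18:21:10Z 10.0.2.16 A notanmon.name",
    "2024-08-22T18:21:12Z 10.0.2.16 AAAA andmon.name.",
    "malformed line",
]

if __name__ == "__main__":
    for ts, client, qname, ind in scan_dns_log(SAMPLE_LOG):
        print(f"{ts} {client} queried {qname} -> stalkerware indicator {ind}")
    print(classify_sha256(SAMPLE_SHA256), classify_sha256(sha256_of(b"benign")))
```

On the constructed log the scan reports three hits (prog-money.com, api.anmon.name as a subdomain of anmon.name, and the FQDN-form andmon.name.) and ignores both the look-alike notanmon.name and the unparsable line. For a real investigation, swap SAMPLE_LOG for the resolver's query log and feed sha256_of() the bytes of any dex file recovered from /data/user/0/xspcmj.qiegf/.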
Processes
xspcmj.qiegf (PID 4465)
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests cell location
- Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime (T1407): 1
Foreground Persistence (T1541): 1
Hide Artifacts (T1628): 1
Suppress Application Icon (T1628.001): 1
Downloads
/data/user/0/xspcmj.qiegf/[email protected]
Filesize: 2.6MB
MD5: 3bca1a576ba29bd493e42938a489aa5d
SHA1: 0e5d4bc3a7daf6864fb3076e6c1e9685e254efd9
SHA256: b1da8dddf686b15b020b54c3509896b4a96b080604cd9d9cbf302e4beee473ce
SHA512: 39a80b04bc764b98d47e035fb46ad89607bf599110bb5f62dc394f50e2c329fe913fe4be70b2a7879be3e2d7650eb9322f026e4996c62a45632e4045cc71bdc0

/data/user/0/xspcmj.qiegf/[email protected]
Filesize: 1.2MB
MD5: 336921950a9f279733cd787f1203d73d
SHA1: cefc36a7c17909054cf2a507b34f545af96c0e36
SHA256: c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c
SHA512: 6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87

Filesize: 124KB
MD5: f15335a640f24813c9b345c99da7e16d
SHA1: a0e7fdc85b3c1420bf342676be577f146f5dce49
SHA256: 6baf6ee8c7c503ed9962ff49957fe3c0b707171d1913450d97c84856a6ae31b9
SHA512: 5f51ec199de29b23e398d143c4f0faf58ba655a4f455ecafd5b6303c0ef428f3165f5db49daf4697f1dba3033da51113730ee5ad158a9ea9f8f6b9a10b044f19

Filesize: 96KB
MD5: 230d4315daec407232a12ea66fdbacff
SHA1: c309267a3d813a4a1817f52c0d36f8b35bd34ad4
SHA256: 8153f4b29495a54aaff819354ee4d982df37620f2e0b03a4a9651da3f73fa3a5
SHA512: 1110a04eb021e6cc965795e65274e830dea6c9721d41c1f15bd4473a5d7c78f2bc635f2d2541a57bdceffd7b2938389d7380096f615a47e75ccd556e0d0945d5

Filesize: 96KB
MD5: 75adb76dc4949a6e407bca70d87d7522
SHA1: 9d45e5347688d4f49b39756a1bf3e5ca2fb7c5d5
SHA256: 1cc33bd4a2dc12e4237330f8ac5fe16c53192f617b0252a9eae8d3ecd9f0b6f9
SHA512: f26969dda3e2c39f2713dc0ff2720d4f5e38be2322f8cc17bb33a645ab43a68ceabd28de8bbd9bb9cdf578ed57669b512948bb9b091aa614080b2c2efecc3991

Filesize: 96KB
MD5: b15d98e5ea286fadd200d0b0ec8eaf0f
SHA1: 356bae25def71f2cdeb83f44c6363a0f1410ab9a
SHA256: e20286ae2d2c64e5123e492baa2ecd56b9b33490f72b46e28162f5e00f62c352
SHA512: 58588514d6bba5403f8b06b5f8e11115f3997d85f251b128aebc90d4e900f96ba7b8d1ecb767337bf5af21658958df1b996dc0e1483cb3f352aa865b1941e72c

Filesize: 96KB
MD5: 496e8e8203e1deb0540a892d8fbcc46b
SHA1: f0ffda7be7066cb62519f1ca37df94a3772be8d2
SHA256: 9f4e3d856734dc303f129680f800efb670b2feeb054c44a4d6386ec2506fa0c4
SHA512: 369f646b6bc13195977b2f4fcc19adb6ac729c6c6573e14b0efdcca999eb00a0bdb03e981013992c9536445e5c4502c746d0be0ca537b32806e6b7ce34d0ca8e

Filesize: 140KB
MD5: 6ef0517f0231c21cc5c149bc14f4c02d
SHA1: 19df616a1f332bd3af7475d04b204097d9eb3909
SHA256: d526031acf1300a166dee79a3a04d4ea311479306833da278b3b0d1f59333408
SHA512: 92a82321c45be6ab1d43e06f44021403ba6491a32dfc9feac77afe7ce0ae41b41195573f254ff2b55468076371b2b7cbd4e3591dfb6bd4377dc32e307870ed74

Filesize: 512B
MD5: fcd13a6dff95c5bd0aa614b2df5fc4ee
SHA1: 87b97b92f522c67c2b50e7d67199c5aafb9ae137
SHA256: 9a0d81fcaecedfae006182368b2f2a62ac2c4a09c192b3a5d8325ba1a5f312a1
SHA512: bf6aa4a9eb250890d20c9b7670b887f1ab117c4a50b2052883fc67a8051535192916f4edf5204c76ae5fa74aebc4931ae4470aeec717893b70bc4f1a14f1ffd1

Filesize: 8KB
MD5: 12ff418079602ce761126ecdab76d31d
SHA1: cf295eb40d48d1f0d4056de106b262558f5cf697
SHA256: c347752d122b64d94167dec30b80fcc376b0b4966428d74788ced19bc535505a
SHA512: f4a642f5cf3a6e467e08aaeb1b98bc7ddf698c753ac8dce9aba178f5a6788fa1d529f3bd2869825f0b8ebf885c1dd2c9459c26922876dc40e83df229199497fc

Filesize: 4KB
MD5: e62157e23ffb5435fad7b99a293a9697
SHA1: 9209bde7c879792761b3c9b6a6b6330635a86eff
SHA256: 66fd655ec754213b390702e413e9895001470d5584840378235e2a4579c01594
SHA512: 7e59ffc2e3313f8d44f2096333c1e9d949342f05a9771c930d14f5feb3e9c24649d6a286d2790b68fd8fb9f4170d742a0ca1dc19b2d93e26646f029c84df8bd0

Filesize: 8KB
MD5: ff23332f030071cfd30c5657e1209f88
SHA1: 38726ea1b55ceed83f3e62ed424ce12b5717887c
SHA256: 6ae23b97c72539a989cc6b22ce345305f4b7454e231bd41bcccc7d22254b906e
SHA512: c08aae555e61306cc2f7e4b7ea8239b3e49f0e90d679dd98466e9804b1188b0259cdd7a08c9b9cf47ca6e44e4122fce0d9997e338a6e36028fb377dff8840d1b

Filesize: 12KB
MD5: 1f67975b16802764f454eeb45510c6ad
SHA1: 58685f186f77f09e6ec586948d22ff206e50316b
SHA256: 9d98c0513f03c4a7c343f1af7a61b6091c793e5b2a999753a7e8635fd1cff392
SHA512: 14b368a1bcf9e98f9d206d3f29e9ba5893a7c0e5e42cabd12761a6626a3b06aa8c9b1710367b13a764ff0a2dd41f2138c0ae178d1b9fb0844d5fc7c516455d9c

Filesize: 20KB
MD5: 9788480840c9566155f008d6f03ef4ce
SHA1: 370d343858dc3102d0ecf16d8d9742d7949348d0
SHA256: 38b62bf53f3b4ed9c36cb9ebf89c40a0a18282f43467b9acb9d880effffb479e
SHA512: 98a3bdb4824723aba05eb1e422e03aaa2e89d6043642f818bcae45a96b911e102c9bb3176108692f512a0facfca2df8eae08b9ccabda42aa60509bfdd41428ec

Filesize: 2.6MB
MD5: 8aa5d8f3622ac78fa2cc58d58c87dfaf
SHA1: 33071f0a26c21320a749a25a5e94a694aaf346de
SHA256: db50acab3ed87a8cf5df819c8c88e3364f966dd5279d1f3a3f8e3154ab8cc326
SHA512: 0ca20d27a1e8511ef0d588d15fe4c6f443a706af90d414e94d4d7e021080309f574892c327054c9b072a6a8740a9ab88e774116d2d815ed839ea7f813ef35251

Filesize: 1.2MB
MD5: 51112e0a7f7962a8e02bc885025414ef
SHA1: 40622959af4fe349d8881c885b9b30441de8804c
SHA256: 2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0
SHA512: f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402

Filesize: 173B
MD5: f73f42f71cebe0d54a55323a574b0ba5
SHA1: 2d27ff6e90ababea983b5ba7ef2358a2c320fb37
SHA256: b12471288b17c20580054c6b3186412d330fe6c096ac1e57e93d88db5ebcfa44
SHA512: b3bf25b554b26ef2d8ab65e27f619100e893320499ada35f3ced4ec5b00868febebd91ebf5f2a5b9e8db945e4c3b6081c74057bd43c9ef6a7202ebdd3ecee30b

Filesize: 152B
MD5: 0866d72feb046360bb153e0e010022b6
SHA1: 82ac22a3c06a94930a0f444b5ea6567156c6d3ec
SHA256: 3baf56a61dfc90a893dbc217b6945e27fc7d13970d1d17f8a6931ec77fb7c95c
SHA512: 91e5aa8c0a79e4c470886ce8d5fde38c6fe1fd8e1ca5241dcd2333ca7cab9517dfb6d1c5da824fa8709f904c1aa8c09b38cd49a43637d8543509507dad7640d4

Filesize: 4KB
MD5: 8214faf3ca56db5d9961546a7df0ec28
SHA1: 9132dea5b04aad972bcb57e76f0a1fc1f6ac7d5b
SHA256: 60c225abaa64bac230c92c90c16a1902f3d7f895819f4dc9450ced31a850c4c5
SHA512: 3d3a877f4af2f22a5683c147f84b8ad0a89faed34b6a41a5ee09dc3862c9c85a4fc2860c4324cda37d7af5184f405ac1278eb45db287f378da2b354e2c9df6f4

Filesize: 64B
MD5: 57c2dcb958b9634c3f23fa3abc15a87e
SHA1: eee7f19c5cf4f4b92dcafd7b9798a5ef87e50b3e
SHA256: 25a09d4ecf8a33c6ce3de54b931b407de570fbd754fbe59c86e149dbefec276d
SHA512: 2f6729efa7f88bbd673e82657a7b12db35d30fab6b9d0965946c900006d91ca84a5a3e02ce6107da1c4aa12b41e96de98cc9b8e316e24c6affb650311e413fa7

Filesize: 72B
MD5: 9399d0e885ae89ab4904c6484467cea6
SHA1: 38ec3b444658449f2f9433ddb7a83c33944cc8be
SHA256: 1eb35f182d896bc073802d1042c514f4d768099a940a933a416c603cd140100b
SHA512: e4d103824cc11a2d4008fdfc96b77d8bd5bd6db5b920ab0d93f842d3751ebd16b659154d6d48a4e52cc7490666b65af2f3f3855a7dc30165968720c68b2aa1d7

Filesize: 183B
MD5: 95b1e174960ab7054421044a8e75e881
SHA1: 81e0a2ab4eec421ca439d15367a648bde340e303
SHA256: 4c426250fad232f6047068988f04116169c6764132e9ff630b49872bdebd9d4b
SHA512: d213594cc693d2c0a4dacc16fed3d456c210795895c0cf01c91ffd9c1f33b5c9a14fe64b0715bcde05d0eeade87854364b18802701a32fc048a06cb213ac2572

Filesize: 129B
MD5: f9b3ccebc4d802113b57b2190800f5bd
SHA1: c9df48946fc0b5b240142f1b7c57e18037dbe880
SHA256: e1123bca86bad2de1887855c2fbb665171adc60c1955e5eb6219b5c361ba1bd9
SHA512: ad74ae978d1b470ad0bb33a99f43a6c6e9a9e7a5313c2af05dbdd2b775ba571bcfdc1d8d8098657be93c859f435410a47057e55ed69091b79fdfee6bcf347a8d

Filesize: 25KB
MD5: ff80fcacfacd90a9be2207be12f9ca45
SHA1: 0b8cfe1694aedc4bfd7ff0f690b7189155bac487
SHA256: aa16d2b871dace52d1954823945f30d25829a4ff8d0922f1e10c6250d3efe72d
SHA512: b0b3d7bd1564c39be017fa046ad3e216b3a397aa71af5cd3002e1a463320ae86c62cc16b7f96d2338476a11ce0826d5cd9cc8456e8d889a5d33ed89a402f5668

Filesize: 6KB
MD5: 9b2eea369651faf6808606589e0fcc65
SHA1: c6d3141da8ef7dca3ddbc037cfff4f732c2603d8
SHA256: 13b03b014b2f962d95d2deea01666300586658f3065bdc2e0749cb813041badf
SHA512: fa737a7226b0228af96e888482951b586a86063ba5d6464287e957c6b92cf3cd2e6b7a151a4626abf5ae3558a90244f251cb220c20efcfabbe95d15c539e79ee

Filesize: 220B
MD5: dbcf787f758b1728edeab01cfe577c87
SHA1: 19daaf2062b6fdb659d2be943946fac3eb25c617
SHA256: 50d84e5145515f39efdb9cf92dc9a4f765e3a869b820868aa2e79bc9e0748e8c
SHA512: ffcc555dd838ace5eb2254abe64b0785e795fa0600dfe745f7532d65b7f4cae5f699a61a44c818cbabaef47508a6397e18b2a4f90b508ed7f561923f332cb484

Filesize: 72B
MD5: fda9182e3ed7babfe6cdfb2fc79f91a4
SHA1: 63c41d4facdb15262581b9096fef50492c48c801
SHA256: d09df77525b05a62e89c70cc207651dd416cf2b9a73d0ac5b37db77e93325803
SHA512: 8554dbe745a8b52ee7cce25f4cd6ed4a92601223b616ad8357bcce09a9907b09dab3042220d2c41649b3b70b409124c1c2c8efac855c10d8c347c662bb3f98d7