andrmonitor | 583b68d3c917ddc713d8621959f97d7f2636654494027e494f2368409730f88b

Analysis

max time kernel
136s
max time network
152s
platform
android_x86
resource
android-x86-arm-20240221-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
submitted
01-05-2024 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

prog.apk
Size

20.5MB
MD5

5682f19f3a2723db1c7141c9157ab93e
SHA1

748ea5d804fafc742824bd4c2f9c0259822de99d
SHA256

583b68d3c917ddc713d8621959f97d7f2636654494027e494f2368409730f88b
SHA512

63884b29b4b4714a2330d43529148ee9e8aba2b3ed62dbf85f9187148f330e846de2cf8516db3d2b8b7cd5b6cfa989b2e9a00e6df89da76e0b317d2ba415d46e
SSDEEP

393216:HHusJA35z7A79L+4wr1mbgafiubc6ZxbdT9i/zVN2I+TX3VsKpPbNiRSKcsLJJ:HRJA35z7c5KBmbBffcQxvi/zVN2IkHGl

Score

10^/10

andrmonitor banker collection discovery evasion infostealer persistence spyware stealth trojan

Malware Config

Signatures

AndrMonitor
AndrMonitor is an Android stalkerware.
trojan infostealer spyware andrmonitor
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Removes its main activity from the application launcher 1 TTPs 2 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4277	zufxtk.qtqhxzzsr
4277	zufxtk.qtqhxzzsr

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
Anonymous-DexFile@0xc8ab9000-0xc8d4a110	4277	zufxtk.qtqhxzzsr
Anonymous-DexFile@0xc8d8e000-0xc8eb8958	4277	zufxtk.qtqhxzzsr

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	zufxtk.qtqhxzzsr

Queries account information for other applications stored on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccounts	zufxtk.qtqhxzzsr

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	zufxtk.qtqhxzzsr

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	zufxtk.qtqhxzzsr

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	zufxtk.qtqhxzzsr

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests cell location 1 TTPs 1 IoCs

Uses Android APIs to to get current cell information.

collection discovery

Location Tracking

T1430

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	zufxtk.qtqhxzzsr

zufxtk.qtqhxzzsr
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries account information for other applications stored on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Requests cell location
PID:4277
- su
  2⤵
  PID:4311

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Credential Access

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB

Filesize
124KB

MD5
4c0ccabb25100a908b9db06434a6af8b

SHA1
555d9ecfa42e17aec483e1c05be0fc1362db9e66

SHA256
79aee6f8af24ae6adc8537de3a061bde3778d3d9634265b85b3e8727d4116304

SHA512
b9a4a1227fa927f0ef987a720c5bf16af71f3fba8c1a40d5387ad0d4ba193a1b7b23634b0850af7c25b55c8b2e984e7c84ab8fb3e55c83b3bc2ff859f4dcc5bb

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB

Filesize
96KB

MD5
e253e4a0a9d437e61586d46ed6296508

SHA1
2abb9b45978ac7ab19d01b1a7d5567f2e42c4ed4

SHA256
0a15808a87f73126a659630d1c8e8fb8221864094796a2beec853e1596a3d5ae

SHA512
922498a4771bfd18bccd410ecf8817ca7a9f87407454172c23ece2d6ffbd3521396323d737d3cd06797a78254f37b1b1b16361a7a0056751d213561eb7e9b67f

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB

Filesize
96KB

MD5
a05db3e5ca50c364b0ed482cfbbac9d8

SHA1
77d9810f61c7c042c1a13421530fc96edcee8314

SHA256
4f6903ff0bdc9b733fda8421c7de18146d166ad17b19fcc4d855a632e7d8ed09

SHA512
be18ba48bf52707dcc521cdc3867ed678890116fbb39ec903c9dc09d7645922481b5d1961809c2bdb431cf6f7dabf0576fb647af7b1c839b25fde1144e7b303b

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB

Filesize
52KB

MD5
b6815b344f6926d458cea05acd052cdd

SHA1
88f524aff1d4c5fee979a203dd952427871a7097

SHA256
028666f28ae0086b18fb740f792e8a80ad05547f0c7cb9d2dc8080e5125db366

SHA512
0431375f80e9c467d0abb042e43681a973bce455fe8354f5a138f19a3b28d3adc7eac3fe4c20bf44f085810749569b87a393185cd8f8bf2687f0923b8de4dade

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB

Filesize
96KB

MD5
bc373bbd70e6536eb1dfe8897ede4f7f

SHA1
d691686f3c0c7b49b7ed27f398139adabc3f7642

SHA256
a56487ea14263614417c37d7ef0d2076809b48e324f3400fb0c942b1d51559a9

SHA512
a26c0f4f59d6df20c68058b8c8c7e272de7e5282eb2cc62bdaf0ab9000953efea83061c2d71c91fef66d42b0a9928513c03506d0f211c325cf52cebabbbd94f2

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB

Filesize
144KB

MD5
77e884457df9d4d5d90c94d96fac1935

SHA1
95ccc8260a49da26c9eecace80ccab662e046b69

SHA256
4602464316022971fae813f83d69d3b18a2c87f47102c8ff3ca11aafb3b583ae

SHA512
5bcbff8d1c82bfc75eaa2975e6be597547c5e2690f9cc37fa9e464c0279560fb21b55f08e5a163737e3017ce124889ecbb6b838882a8f082424c752e04a2163e

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-journal

Filesize
512B

MD5
13df6b1948ff75a99573e352d3ef25d1

SHA1
edb06d354b86ccec2eb5d0a94fafbe81e68d9964

SHA256
4eec4744d428e6b3548e9fab4991e5b1cea40f8cf54f6fe114f84ff35af4739a

SHA512
b47747d19dc4f8a597c46e53a7d4dad3e8b5f7917f60cd9874bc08666748b42ab0decd5cce0533bff9bc3d9ad13fe981eda8c8752eed1d835ac5ef5dd7fd0ffe

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-wal

Filesize
414KB

MD5
2ec6e6fd5b1d736228e28e45eeee1106

SHA1
8eb2fce1f3fe865bd98382eb3aab2edee8f1e8ee

SHA256
33d450d214a4a4c28330db52c742660a07f03f0d9eb45357b0b4eb1ff3e6e683

SHA512
92361ecb2e63685f22b4acb2517ebd869a296298f3207cc30a05e8e669c999bb74f40dd5e403bd1c95363ac1a23764c2d748bbf212ac00269e22b4f1bf03229e

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-wal

Filesize
8KB

MD5
390f577d63cef54f5fc43eb3efd0370d

SHA1
729e8240a1ec92b86c5368a7514b5e9e204576ab

SHA256
2ea822915ae69057c8a4c2a57a2b24905e16d18920546c88f93319014547f608

SHA512
abdb72a2df602fad673f56bafae0d6dedf8bc9c32b5ed8829b4d769f201a991ead483242d5105eacfe180770cd7a0cd24ec886afe32ea4cc9fa4f96092244954

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-wal

Filesize
8KB

MD5
24ed42b01b9433b0a85dc4b53b22c701

SHA1
b1707b105cafa9b0450ca6eca3ca66d4afd6369c

SHA256
05d1e6993e127c8ee533e416599879599b32db2237c32999aef396d004560d69

SHA512
3bef44ef359f2a6b6a05f51843798e3240503a4ad85f3338c0be2a3e50078f78bf983098fa03caf3e2dd36dc36874b5a5fc14cb9b0f86a6cd617824c502dada8

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-wal

Filesize
4KB

MD5
1a19049f617dd1af34c98b8645cfa798

SHA1
667dd4c7dc5815307f0b41ed4175ec2230b1836b

SHA256
1f6889828edb5b1e7cf984df256c34ee3eba1cb601a29c0162a549e9d5594c0d

SHA512
6845ba96fb1f1e7b38f86937364863f104028322b13f87f356b1cbe78553517ddab9a2d5ee85a7e76fe09a243e0646e59c70c93f26af41af8a30363186151db0

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-wal

Filesize
8KB

MD5
a778ef08d00a30c6d059e854dfb479d5

SHA1
5207a429430c3a31c1e1816acd1cf68a85443de0

SHA256
eb56ff3ffad793fb1983ad4ad1e78293109242af486a4d7f6c1d73d03fcfbf73

SHA512
f2be770763fdbeaffc4c217b33b1954b17f81187b0c7942932797bbfc7769e597e3635415aa043cf6e11c76a0a25943f9673e5cdd858e8b50fcfe5819eb9f618

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-wal

Filesize
418KB

MD5
a21170258d9a281bbadb8d9d628b18ae

SHA1
17feb167d2cebd3907c416088478425f93934475

SHA256
39f32455e37b3e3296855fcdcc23e93d0416de3613d6a6fdba6f1a390f08ecf9

SHA512
420c7edc341643ec58390de074437f219f578b87e8c26e3acde11674d5d9e3b4c909c1ccbde1ebdcfd1efd7006bbed39cd4325518e79b6b8d732482e14af3547

Download Submit
/storage/emulated/0/.am/dm/md/main.md

Filesize
2.6MB

MD5
6ce629031a213e71015b36dbcc18fe6b

SHA1
8c2dcaf0bc169b2a2cb21119182b32f65958e369

SHA256
afd06a2b7fea75b3f5a4ce8835846cb95d2e50ec87428798aafe9189868004f0

SHA512
1cba0ca71b9359dde78305ecd91248ebf14ff4402fba538777c105c5f997a1267fa62e264267cbe7cfd1561e045a38f92ba85f9220e2cd439712ab8a74b2739b

Download Submit
/storage/emulated/0/.am/dm/md/main_tools.md

Filesize
1.2MB

MD5
c74275c6f8cebd2e1510f9ed4a68258b

SHA1
5de002cb456a33b2e54f43a009680770d079dea5

SHA256
22dc2fb27037413dc9aab2fef27ed052776bcd68a740d96c997aa31dd8f1632a

SHA512
ded1c0604d1c6439cf569149d0e9f30d05d1ae8d7dbee2b0539c90027fe45046ae2ee6f582131055341a442aa7f8be4da73f948de88c2e5e6d1bb764f00f70e9

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
170B

MD5
1959281dfa180a89e76474fa776dcca3

SHA1
953bd3b8ce6c8445b819ef094a06a6e068812c82

SHA256
91df8f7e51618ac4fbbb1541221b61853fd8bf0b6244833756ce553e483c956c

SHA512
592166a4d19c5029157b6c8aaa73a5d809cd12c9210622b6d2e73c7854513c4a0eb8fad9ab032424ab986a3fbfe6ba2e650ff45a7ebad2b811b809eeaae93baa

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
149B

MD5
6e408cd6751a1d91e5e3bf21dad415bc

SHA1
4340ba3d709411ce0a15c09e2468215380619c36

SHA256
34634b6c8f7af0f2e622b47c1b79904e904662672bda0efaa72521136bc1bbf0

SHA512
513b1bc481f3374a3bb74bc5d4b9077fda8a4f74431ec7677aac6e5696a76c86db06669642b4d7ab70b569b81e79ca653a7b0daf282dc3d88c75d51cfa331871

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
3KB

MD5
3ff39a7bb1e148e86be5312633330ec5

SHA1
3bd05007ecf88576af66d884707b256a8677a66d

SHA256
8daa5765d83224eec5d3f0b13f2c8daecac63b2fbb00620de14b30fc7f6435f0

SHA512
a22789e8248578a21a2d66f0b20cd1b9a7c31ce1b2194728d68744c2439014b7943186d71dcbe2b3051a02d0d23f0ad9aa045fee346a9b5046d117ba2c98810e

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
61B

MD5
be42a44267032a7b7e26fe7d0ad40a27

SHA1
c322d7581e83b5ef10476899eb021cf1c4c08039

SHA256
7254b7862bb6e32a078049174386293eb1ed907527ae2efbf2b368177e6cee6a

SHA512
5246610da1da32a5f9f8ead76ae7984f85885379a987a93906de5fb441e8006dfbcf0315cbe9f1d89cebf451fcad98b128b59d09a5bac2d2a17b9978bbf86892

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
69B

MD5
6c12ddb1e8108c1410b01dbd5376fd4c

SHA1
ec28f5c9b21af6337d6f8f86a7b2af561127d0c2

SHA256
58b024e58a1ad15ba46d72e6e632e88578b92836466e89ddbebd96ba6327b145

SHA512
e8f876a0590beb6b36b6b22dc209865e3081901cbf65bbd5dabd2f4abe7c9d284d0ef31c78303308951055352cca1c8327c4f64547f4e203074170256a170067

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
158B

MD5
5dba9352b58c23706b2bf288c1b59325

SHA1
d99aaea5f68be5c51608a6f0040e6c98c7b729c2

SHA256
853208a592769c6246116eb8f8c726d8d5cf7ba589edce4a0e5d169e69aed956

SHA512
c0ad9610bb4f55b10546b8c35560935cef04b2e2fc450f1e0f7b5ec27b6eab25e5f02aea56ec36dcba75cef778c3be22e4386da5ca6ec7b26e0c1c5b40d00156

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
130B

MD5
aa0c200f35a71b67a7539a0129cf4733

SHA1
51b6ccfc98f196fb01896fd43b90f2e051866ed4

SHA256
2c3ee68966e15260663b4af36a762734be4908dbae1c30ac5ba15263c5fe740e

SHA512
e304424865aafed902fbdbb76bd665e4d5df09c42dd923743e3e3be25cd06851d14545ab6972549345a71487af4a4ac06ae282f324270a2e14d002757707302d

Download Submit
/storage/emulated/0/.am/log_.txt

Filesize
27KB

MD5
627e5ee1ba36ef476c7411c4562300e4

SHA1
0b73db699bb4559a180310a0047a85b032e49183

SHA256
4ae654c840cf6c24163d9775ee5eecdcacf1e0b13b13c8c0b0bfcf5e3b8baac1

SHA512
4a9999115d085908a41127728ba32ab6ab1c7d2ede94f13bf124cec321982bb5c50742a5219d84e2f07d45f9b6166717fe4bd45fe30a588af362b6e83e4ae0a1

Download Submit
/storage/emulated/0/.am/log_.txt.zip

Filesize
6KB

MD5
fa159b1cc3426bc27b126d90e35d4b5e

SHA1
77cf5a3504cdc36262894e1d9d0833625b1d349f

SHA256
459e131784eacbebf443919c87eb7d30395b4016163035710593dab260ee907f

SHA512
8fa3764f921b2d781ffdc31f810fbec0eb395bfba3914b2e7172fc8daa562651233d12e7b773cc0303310b2389e80d7c839cf0a22aa1a6c053406106dee171c5

Download Submit
/storage/emulated/0/.am/log_1714529488512.txt.zip

Filesize
217B

MD5
2afa3e8191edcbccef488a9268acabe6

SHA1
8a63561c02643a8e38e6a51decf385cfbf021633

SHA256
929910c8d62344606fcf1e591562968abcc35a9291a1b445b48a6c00bfd5cc6c

SHA512
523c8cc4f2a3939493ed62381816a2fd332e987296d50282bdaceb8cecf537e442ed8f5a7e0f7747a40ed38074036638eb30e9c6c1d1f91c86a3290552b4f2c0

Download Submit
/storage/emulated/0/.am/prog_class.name

Filesize
83B

MD5
826941bbac53d86e5d00e9e55cea925e

SHA1
804aa6bec689aa3fbb786cded95a5f5bb0a0e54e

SHA256
29e2e0b88aaf6f47825025253b1c3b11192c109f0e8587e0d620cd5e4e5163db

SHA512
cd75a77ea1ed59af80ce1971a43263fd14025c3ebe32e8168e97b8eeda8cd9fe2029d4fe4d7c45e608736a6746aba5e68e75e6b0b1f9abd0a639cfa43a1afafa

Download Submit
/storage/emulated/0/Android/data/zufxtk.qtqhxzzsr/files/Download/mch.apk (deleted)

Filesize
64KB

MD5
13684d2547f64dabfe299d1c6553a05f

SHA1
b000477d2cb51e917f2ebce3a8c53745ba7e0fd0

SHA256
3cf935d3101700253aa86e9d233201e587cfdd71b44491414b9d0f8f351febc0

SHA512
e75a7c2d43b9223cbb58cf21640ed86a1df77fbeab56d9f7904748898feac40aa6a372dfdfd44c93ea8480dad2f9889684bf37b85549d4bf8e2a2c7c79172217

Download Submit
Anonymous-DexFile@0xc8ab9000-0xc8d4a110

Filesize
2.6MB

MD5
0c7c6b52525074c2a1aabaaaa33cd625

SHA1
161ba0350dab8e50d0988249c06b2a1c757189b4

SHA256
8ecf2f3210764f98e3713b9284bf0e3f49db5472fc0940bfd3d2624d4df5bece

SHA512
c7a872f5360b97c18a121d7e8827da32352ea7dbdd4c6ec8a80e7e950bf85c7a468230c81a7675c6815623b7b0ff2ada29584a5b0a87ce48e47ba391681be44f

Download Submit
Anonymous-DexFile@0xc8d8e000-0xc8eb8958

Filesize
1.2MB

MD5
205a360b4d45a6e4688aec7a7265dc0a

SHA1
53f493d19040d517bf0b4a842d5f7e8865a443cd

SHA256
a78f1f6aa2fb421d336ac32befa711c6702050014dad9d07074528e8ee4598ff

SHA512
3c515d0d30b65fe025629a9a2da0b7c83a95d27ce87bb54739e15b719b99dbeb11e9db0f8bce1855fdc60c872eede02327c15a6bd8f57a7de2d22edcb972febd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads