andrmonitor | 583b68d3c917ddc713d8621959f97d7f2636654494027e494f2368409730f88b

Analysis

max time kernel
156s
max time network
165s
platform
android_x64
resource
android-x64-20240221-en
resource tags

androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system
submitted
01-05-2024 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

prog.apk
Size

20.5MB
MD5

5682f19f3a2723db1c7141c9157ab93e
SHA1

748ea5d804fafc742824bd4c2f9c0259822de99d
SHA256

583b68d3c917ddc713d8621959f97d7f2636654494027e494f2368409730f88b
SHA512

63884b29b4b4714a2330d43529148ee9e8aba2b3ed62dbf85f9187148f330e846de2cf8516db3d2b8b7cd5b6cfa989b2e9a00e6df89da76e0b317d2ba415d46e
SSDEEP

393216:HHusJA35z7A79L+4wr1mbgafiubc6ZxbdT9i/zVN2I+TX3VsKpPbNiRSKcsLJJ:HRJA35z7c5KBmbBffcQxvi/zVN2IkHGl

Score

10^/10

andrmonitor banker collection discovery evasion infostealer persistence spyware stealth trojan

Malware Config

Signatures

AndrMonitor
AndrMonitor is an Android stalkerware.
trojan infostealer spyware andrmonitor
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Removes its main activity from the application launcher 1 TTPs 2 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
5089	zufxtk.qtqhxzzsr
5089	zufxtk.qtqhxzzsr

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/zufxtk.qtqhxzzsr/[email protected]	5089	zufxtk.qtqhxzzsr
/data/user/0/zufxtk.qtqhxzzsr/[email protected]	5089	zufxtk.qtqhxzzsr

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	zufxtk.qtqhxzzsr

Queries account information for other applications stored on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccounts	zufxtk.qtqhxzzsr

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	zufxtk.qtqhxzzsr

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	zufxtk.qtqhxzzsr

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	zufxtk.qtqhxzzsr

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests cell location 1 TTPs 1 IoCs

Uses Android APIs to to get current cell information.

collection discovery

Location Tracking

T1430

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	zufxtk.qtqhxzzsr

zufxtk.qtqhxzzsr
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries account information for other applications stored on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Requests cell location
PID:5089

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Credential Access

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB

Filesize
124KB

MD5
9cf7e03179a00e0097bb8292c310a7f8

SHA1
8046f1a0d32003f672b2da8ba6c7eb8f54ffcd17

SHA256
b428664066ed6496119d7ef35afee74fe8f5eb834939f9cacbf55804aa592438

SHA512
1d046cd7d5a96b0b4f0c5d218f97ebc850ea4a3385658ea4a9d36dc05363659d1dc53660f94d4d7d87794cfd60b94593f304e9011421d35f3f17296d28c28cb6

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB

Filesize
96KB

MD5
ffae8d015209d176ed4827c1eacd0ae6

SHA1
4921b32dcef47d8ee4397c2749f040272ceb6003

SHA256
6030f29959596e0bbd16aca78e0faf08122d1407c67e98b5449c343237d8b7b2

SHA512
37cc9568428e41da89c3b3e2f98fd6c3213aec862f7bc1984a9126439943e15c1095df9d82343e16981f82559b768538f04279a9c7ce886fc5d207a76748eb06

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB

Filesize
96KB

MD5
c6a4f757ef7e121e63a672577b557a67

SHA1
bbb29b8d7419b89914ba3f8511da3520fc563f74

SHA256
e80d693222ced1ab3bf22a66c28b3b6a67a2d24ac01a980d2bd910b116bbe0b7

SHA512
7f81273df82b834a491aaff330179702e44d08c68c1cd08910f5a1033ae39710497a2a749c9451aec5c12a2972be110529418ef1db3b53d6fbddca9fd1a0c8c3

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB

Filesize
96KB

MD5
d6b2e047f489cc06bcf99e9cf121685f

SHA1
04cac0a9e3710ac8db3048f597ca8ac40b95e248

SHA256
d922d6b417a68bed6168dd11b124d94bf915871d2d67a0ed83b91e3dd22cf4f7

SHA512
284c8f00040665e33d6e4b0a546b6f5c8ccd9a405fde61d20bbeabb47be2ca6781c2d1b7a94ef323dad16007ee4023c51981fd2c7784d1bbf0b526c9d05d6774

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB

Filesize
96KB

MD5
567fbabc9040694d8ef19a2c93f52fbf

SHA1
27126c7c850555a646ae8a22b01e61f83829d5e2

SHA256
ea5166dd67f0260fe4aebdbbea1d46c301bf1add18754ef84fc9d4f475592b79

SHA512
912b88e42b5a71b5aefd1163a18d8e94b9df49d883dfbb31bc2204476403bc48dcc570ec0f4f432f0f4b2b805b079952309be8a4e294d3aaae27e9debb206b0c

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB

Filesize
160KB

MD5
02b0376bd6b5f2074f3900708b2427af

SHA1
3c2ebab260e9c9a18896492399d435c0a2492a0d

SHA256
fc9b483b4aa36e7f8745154904838a6ad76265a0ee36369304c258dfde41b61e

SHA512
fa2dfa114e44189a29fb8b9da872d1376e5fdc4c30be4382fd43ec421b0ef360a6762281434eaa788bd439bdf529f5e2f43869b7edc7eca4ba30f8acfc0137df

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-journal

Filesize
512B

MD5
bc7eeb2c8cf18f5dca599f24d5e02c0f

SHA1
6db65d1dcb0cf0353f1cd482340a90735efc9da0

SHA256
f25da5fe1f4837c9686e01f34932b05493fb03b34e576fab0e9fc0cef67be89b

SHA512
a083605b74301aac7adc963f06a0f9f2ccf86d9e261797c39c47349b0caadd504625daaf7159e6e05166f484f9249b3e7eaedd04c3a143e516e23abbea18319b

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-journal

Filesize
8KB

MD5
3d68dc9940caaa72c812722353d32ffa

SHA1
cdf68bf46915fdc79bba5b72858a5291cc336553

SHA256
46f08bfa2fdeeb4e04a49012d33ff890715c8c957ca73a85a49ba88a634f3a53

SHA512
5d34991617d5f892c94fb27d5f0ef4e5dd915b7a3342f8f1b544a955c8e986bbd822315ed2b156e4d726a4807167a0f997990f8ecc64724b20706da9f4ba858c

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-journal

Filesize
4KB

MD5
a817d81dce02e968ed4c7943b8a30df0

SHA1
403615dcb9986c1c73da308c271f47732c120985

SHA256
5fc7a1989daf6e5a3b1e6116d1e35fd90c0ba25cdbf091a76fbed823b26fb893

SHA512
cd296272faeefb25b792d780a647064b98d8916314095045cabbbe640fe4ff5396c72912c8901c503335f1171db279c4fa2e8de930814a44015385615dd45d4c

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-journal

Filesize
8KB

MD5
a05a8165bc45417ad887bfad1d094f05

SHA1
1ecf0db2ac3443600ff961baad53750d9c2a86c8

SHA256
1dfc2d8db4bf5c665bf80bc512f31f5a6b8c4ee4e029e8b5378bb006d6b2fbd2

SHA512
26cf82c6a04a04986c0ca69d4d6fd573451c1404176101262d79ba0299a00cfc3bb7ef06145d8cbdcb003cdfc992412bf220764fba69ff3d3e2ed6bbf01563a2

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-journal

Filesize
12KB

MD5
e651f5c25a79da310c8bc6c86074c49f

SHA1
ba2ffacc705062dbafe9c3563408305e7d6f6824

SHA256
40c866e42babb73d6b17c9d3cedc7d8281aa75bc0c385ca3bf4efc9351b59ff3

SHA512
f6046e5b1809886bf37fd49c2c1b96a9467e9d2e2d19ed6b38b4f0354344b220ad9bbb4cf7f1155090cecef0196ba82246d7dcd50cd40236ab0a3df9b39435dd

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-journal

Filesize
20KB

MD5
f71b1f9d2f47113948f61338fb764a5c

SHA1
8403d97e5a4bb7e014a41cd1639ae48b92b4f153

SHA256
e310895fccf94d5c4f5f34664723daa6f7bd1cec3b9d58ef38efa27e1c478b49

SHA512
17a661d4b01e66591dcec979d418c7da0bb7ff6e710dcad9a7126658e1b8836576266b26779615e0da07c985a35068d7e02eb5477908a0b60fe37c022a01c2bf

Download Submit
/data/user/0/zufxtk.qtqhxzzsr/[email protected]

Filesize
1.2MB

MD5
205a360b4d45a6e4688aec7a7265dc0a

SHA1
53f493d19040d517bf0b4a842d5f7e8865a443cd

SHA256
a78f1f6aa2fb421d336ac32befa711c6702050014dad9d07074528e8ee4598ff

SHA512
3c515d0d30b65fe025629a9a2da0b7c83a95d27ce87bb54739e15b719b99dbeb11e9db0f8bce1855fdc60c872eede02327c15a6bd8f57a7de2d22edcb972febd

Download Submit
/data/user/0/zufxtk.qtqhxzzsr/[email protected]

Filesize
2.6MB

MD5
0c7c6b52525074c2a1aabaaaa33cd625

SHA1
161ba0350dab8e50d0988249c06b2a1c757189b4

SHA256
8ecf2f3210764f98e3713b9284bf0e3f49db5472fc0940bfd3d2624d4df5bece

SHA512
c7a872f5360b97c18a121d7e8827da32352ea7dbdd4c6ec8a80e7e950bf85c7a468230c81a7675c6815623b7b0ff2ada29584a5b0a87ce48e47ba391681be44f

Download Submit
/storage/emulated/0/.am/dm/md/main.md

Filesize
2.6MB

MD5
6ce629031a213e71015b36dbcc18fe6b

SHA1
8c2dcaf0bc169b2a2cb21119182b32f65958e369

SHA256
afd06a2b7fea75b3f5a4ce8835846cb95d2e50ec87428798aafe9189868004f0

SHA512
1cba0ca71b9359dde78305ecd91248ebf14ff4402fba538777c105c5f997a1267fa62e264267cbe7cfd1561e045a38f92ba85f9220e2cd439712ab8a74b2739b

Download Submit
/storage/emulated/0/.am/dm/md/main_tools.md

Filesize
1.2MB

MD5
c74275c6f8cebd2e1510f9ed4a68258b

SHA1
5de002cb456a33b2e54f43a009680770d079dea5

SHA256
22dc2fb27037413dc9aab2fef27ed052776bcd68a740d96c997aa31dd8f1632a

SHA512
ded1c0604d1c6439cf569149d0e9f30d05d1ae8d7dbee2b0539c90027fe45046ae2ee6f582131055341a442aa7f8be4da73f948de88c2e5e6d1bb764f00f70e9

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
170B

MD5
b507c476c3485ec2469c6bd86d013f0e

SHA1
2e5dc2940d9b0dbaee977b7a448aee198a4cb524

SHA256
8d05ddfdd92790dd4dfa363930d35426dad44b0c1e800a799293c70858f4dd01

SHA512
1fecd6167eba909e097f9d20a298fe8068b732115467c3b0a9be11bf5ac2bbab8590a1306a036ee6298a3e234d514f6e3519a0e7132a2a7eb156b7dbd37c9e05

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
149B

MD5
cf923a9c04c070ba6b3b4ef2b10498b7

SHA1
e0364c74af4a7875bbecb8ba94f459d42099d233

SHA256
e4601d6146a2d634e57924568c2b776d9e4bb49faf970f5c67f948cf7505617c

SHA512
f2637196db28596ba3e05d10f381f5c624dc17aa0b52fc3e206db2574cf6e99caca35805f4aaa92a6689433370d11e21fa2afa94dbbf1f60b5bc5532d384e47c

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
4KB

MD5
34b2adf6b05588c0f961a8b36adae2f5

SHA1
b9486cda8b5edfb08767f3325eb682b4213de9b9

SHA256
17612fc325478553424e8899021d7ffd4f4d453f95a00ec6fae34e5be493f0a3

SHA512
9b7060ea0f8e21592c87169078a54ccec15872815e9a8937ce8c6d9fcaf7c277bb354e5a5b95f17471c0093a5e62adb87c318215a0a1e036864c28198472ac16

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
61B

MD5
b7b4262e429febc616074d245673d366

SHA1
5d74304b863d1859292aea1cb8d16b21481a1ec7

SHA256
573d5c24cb9215aff7541a2df59f5e3ed6b4db0b04adc2094bce7f722ae64eca

SHA512
8e4d7c3fca8878114bde53192f979d041cc40ec7050146968935fc879bbd02992695d233384dae439caaf4ebedc42fa70fe26f731253cecfb2db66d12378d1e2

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
69B

MD5
970e4d402e29b3f13b4b1a2331f841c6

SHA1
44feb0f2157fced81212a13778dc32d9efd531c3

SHA256
2aa83b396f5caea8cea42de45a120ec69a351494a5f7b2d340a81c76614a9e54

SHA512
68d423cc4d73f8470a3512672f57523603b62dd5e8cc002780663fce85c6e1ad5e273f714b11840dc27417d592628608b341f5e5742bba056c8012f416e11084

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
161B

MD5
617112eba47622e6d30f01584b27a876

SHA1
8add5482b1a09716edb332f366dcad49dd581afe

SHA256
db63746a3fa84e8bbe6916840a2a1a0c95a523e2d20e6e3291da8f2b84f23317

SHA512
a79a10dcb3fb8150102cf4dbd808d6e9cb836d49543a1e756382f72585b1961b722f0829ac9ae6633f66c396aea2c3d9601487600ba5d7e0a17a0f9f0167f8c9

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
130B

MD5
69ffc37951fa16ca53b9d06cd2e72eca

SHA1
27fec2234a07ee2369b44f470d54ff086066bddd

SHA256
e9da93c94c7591744a175e4521c51411efa7f96ae29459a496bdfeb6ef225e9a

SHA512
acddc22204517a148d1a6590db8aaac6d75d05c02c6e5824c9ac9f4207fa6f4e8c1f24e882cdd4078413ee292260dbfa911382f7761f3d8922491b88ffabf016

Download Submit
/storage/emulated/0/.am/log_.txt

Filesize
26KB

MD5
176b8f44009fe4767f540aebe04e30ff

SHA1
98143ac40793223098a13deec6ac087cd50d347a

SHA256
34aa700f2700c2b4aa123e22633199a2f6a3b7831a5c6c39dafbe72f27bedaed

SHA512
fcc5b8f097944e172dc9791672a8e48ef064b4006fcf27404e7486b4336bc63f29316e1adf219ececaf08b6dbd1f3398522e97ffeeb8ee655647ec4a7faf9b5e

Download Submit
/storage/emulated/0/.am/log_.txt.zip

Filesize
6KB

MD5
391d8fecee590702485febf3294b6c7d

SHA1
28f23e58c372fd0aa035c605fba5847ba37fba83

SHA256
b02d968571aa08b3941c98ee3746fec5af1403b13b2347579084cabf2e51cd31

SHA512
22d76c7b78f44d4a1dc69e5342a1ba49da8f9d8e520c8e0c62d166033980eddd144f07e2ddea09a1148c2c14ec08b64c55b6515011c809d3c3b30776d2587499

Download Submit
/storage/emulated/0/.am/log_1714529488575.txt.zip

Filesize
217B

MD5
4b2985bc079d87f7ce51fdc39e592ba6

SHA1
9d5c369f794d183630ad03d8e080b687c97df42b

SHA256
c1ee5c3c4402a5c2519ecb49c0b81094c931a86b96e9585c02bf50aa8762da79

SHA512
bc6e77f77d40b12d72582150969c688b4e81aaf26dff04f2ae3847a727957116bfaeed3632e8dd195cdeffc7a7408b02323356b4c678ac0cd563470a554e681a

Download Submit
/storage/emulated/0/.am/prog_class.name

Filesize
83B

MD5
826941bbac53d86e5d00e9e55cea925e

SHA1
804aa6bec689aa3fbb786cded95a5f5bb0a0e54e

SHA256
29e2e0b88aaf6f47825025253b1c3b11192c109f0e8587e0d620cd5e4e5163db

SHA512
cd75a77ea1ed59af80ce1971a43263fd14025c3ebe32e8168e97b8eeda8cd9fe2029d4fe4d7c45e608736a6746aba5e68e75e6b0b1f9abd0a639cfa43a1afafa

Download Submit
/storage/emulated/0/Android/data/zufxtk.qtqhxzzsr/files/Download/mch.apk (deleted)

Filesize
64KB

MD5
13684d2547f64dabfe299d1c6553a05f

SHA1
b000477d2cb51e917f2ebce3a8c53745ba7e0fd0

SHA256
3cf935d3101700253aa86e9d233201e587cfdd71b44491414b9d0f8f351febc0

SHA512
e75a7c2d43b9223cbb58cf21640ed86a1df77fbeab56d9f7904748898feac40aa6a372dfdfd44c93ea8480dad2f9889684bf37b85549d4bf8e2a2c7c79172217

Download Submit
/storage/emulated/0/Android/data/zufxtk.qtqhxzzsr/files/Download/mch.apk (deleted)

Filesize
27KB

MD5
0ddb4560e7f11afa2333ad5f0eee3771

SHA1
0cb0313a639f17a7a3c07935ca45496a921edcca

SHA256
0119003bd50492aaffa4ebc2231bb953f16118d9f82a2bbe3e8752492c315565

SHA512
f9b7355f0f5ef957edd2a7b058222008827c989d77f78af6f1aee94d9a8fcc13364bbcff165fb03fa48131d2d116a93d73209c60b8dd82660df261ea7cb095ec

Download Submit
/storage/emulated/0/Android/data/zufxtk.qtqhxzzsr/files/Download/mch.apk (deleted)

Filesize
64KB

MD5
76adc5e529086a81e630c594e674e7dc

SHA1
e076a9bc3e043961d20e7427cf33c2408379119c

SHA256
4f8e433b7767a7acef829356a6c72b922b16cf681c051cff57175995394860d8

SHA512
508d04a167db2c4da28e2dd83b97a812ddfde23962707bfbac12c0ee1c6e2faf20bf19ec01919bc1a821c01b713fedaf75d2f4387ef8b04e82c95f4fc5e5cde0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads