andrmonitor | 583b68d3c917ddc713d8621959f97d7f2636654494027e494f2368409730f88b

Analysis

max time kernel
140s
max time network
149s
platform
android_x86
resource
android-x86-arm-20240221-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
submitted
01-05-2024 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

583b68d3c917ddc713d8621959f97d7f2636654494027e494f2368409730f88b.apk
Size

20.5MB
MD5

5682f19f3a2723db1c7141c9157ab93e
SHA1

748ea5d804fafc742824bd4c2f9c0259822de99d
SHA256

583b68d3c917ddc713d8621959f97d7f2636654494027e494f2368409730f88b
SHA512

63884b29b4b4714a2330d43529148ee9e8aba2b3ed62dbf85f9187148f330e846de2cf8516db3d2b8b7cd5b6cfa989b2e9a00e6df89da76e0b317d2ba415d46e
SSDEEP

393216:HHusJA35z7A79L+4wr1mbgafiubc6ZxbdT9i/zVN2I+TX3VsKpPbNiRSKcsLJJ:HRJA35z7c5KBmbBffcQxvi/zVN2IkHGl

Score

10^/10

andrmonitor banker collection discovery evasion infostealer persistence spyware stealth trojan

Malware Config

Signatures

AndrMonitor
AndrMonitor is an Android stalkerware.
trojan infostealer spyware andrmonitor
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Removes its main activity from the application launcher 1 TTPs 2 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4193	zufxtk.qtqhxzzsr
4193	zufxtk.qtqhxzzsr

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
Anonymous-DexFile@0xce3c8000-0xce659110	4193	zufxtk.qtqhxzzsr
Anonymous-DexFile@0xce047000-0xce171958	4193	zufxtk.qtqhxzzsr

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	zufxtk.qtqhxzzsr

Queries account information for other applications stored on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccounts	zufxtk.qtqhxzzsr

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	zufxtk.qtqhxzzsr

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	zufxtk.qtqhxzzsr

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	zufxtk.qtqhxzzsr

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests cell location 1 TTPs 1 IoCs

Uses Android APIs to to get current cell information.

collection discovery

Location Tracking

T1430

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	zufxtk.qtqhxzzsr

Requests dangerous framework permissions 3 IoCs

description	ioc
Allows an application to read from external storage.	android.permission.READ_EXTERNAL_STORAGE
Allows an application to write to external storage.	android.permission.WRITE_EXTERNAL_STORAGE
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.	android.permission.SYSTEM_ALERT_WINDOW

zufxtk.qtqhxzzsr
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries account information for other applications stored on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Requests cell location
PID:4193
- su
  2⤵
  PID:4229

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Credential Access

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB

Filesize
124KB

MD5
4c0ccabb25100a908b9db06434a6af8b

SHA1
555d9ecfa42e17aec483e1c05be0fc1362db9e66

SHA256
79aee6f8af24ae6adc8537de3a061bde3778d3d9634265b85b3e8727d4116304

SHA512
b9a4a1227fa927f0ef987a720c5bf16af71f3fba8c1a40d5387ad0d4ba193a1b7b23634b0850af7c25b55c8b2e984e7c84ab8fb3e55c83b3bc2ff859f4dcc5bb

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB

Filesize
96KB

MD5
5bdcf2f1f0cf9fc4a5027baaf94e9ba5

SHA1
5d26f57aa9cdbc64ae4c6720db2bced04c5db106

SHA256
3351a8583bef7141f59f3f8fea383bc7fcb180657ad10de040723be54c25070b

SHA512
ada9eec421d3cd62a1a2dde4615ab91c80b33c50c532e0bd9ba77c78a1fe91484699b5346893fe3c5619acf848d8c280935909f9adead61837c210252f1538db

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB

Filesize
96KB

MD5
80aa917e90e085e04148614c38238937

SHA1
1ee5920582ec1d8ec23c3b1da55bbc38bb1aa7a8

SHA256
27425077014bd2534634e0f3327dfd4a0d9d0ac04ca2ae1d8fc2f6e4b65b2fdc

SHA512
3b762d9e77f935daffcc9e06480774b2a6da22a51a888c3776382ef3e093fece00a6787ebf3f11c31865f9bb2f3d52b379b7fa59aec91390d7d7577c75a883a8

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB

Filesize
52KB

MD5
b6815b344f6926d458cea05acd052cdd

SHA1
88f524aff1d4c5fee979a203dd952427871a7097

SHA256
028666f28ae0086b18fb740f792e8a80ad05547f0c7cb9d2dc8080e5125db366

SHA512
0431375f80e9c467d0abb042e43681a973bce455fe8354f5a138f19a3b28d3adc7eac3fe4c20bf44f085810749569b87a393185cd8f8bf2687f0923b8de4dade

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB

Filesize
96KB

MD5
7005fbd2de4831d09853b6970312049f

SHA1
7d6cfbc7c411daed30e255a24e811c072c18bdb8

SHA256
f6438968525c125c67805d3602d44998c250b98fd5a01ba8702189253d43c1d5

SHA512
7d4e16077d393f11646cc9a54129e174285525bbafdd39ef0eb7b64d1093084838fbf26c9d7865ea88f6dbcbb22e4400504632b11ba019a64a0f7797f1e9b102

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB

Filesize
144KB

MD5
823501fe56b2c476699fe9e530422ca9

SHA1
ac2fe2199a0964cdd51e4c7ae733aa980c54f8cd

SHA256
8fcbbec2fcbc784cf3aae7426f1e3cbfa51d26e7ef2538024e400bc1c31749b5

SHA512
e05791ea7986a4c51fb1a7698e8d562c75a7cff7b696ec8bf4fc65f4475438a3302527a9c1d32bdd6565cfbc42da311ed8790b27d1bb1e48e194339cee38c8bf

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-journal

Filesize
512B

MD5
eec90eaccd957c016d416d4ce42fd55c

SHA1
bf5b1887a8b55a7063ba2bacf6079696b43e8dd5

SHA256
98e6473a256ccad7a2323d7254ff9bb7b5c545a153b946b83e6b6373a4844601

SHA512
393eb58a33e1d9d4d0a4aa2963532727ec29fef6525986955f66f69d5a61ff209ac050d12940c1794b29168670f737ed751b6397c51af9c4e5176c6b9b74d749

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-wal

Filesize
414KB

MD5
4dfb66a9dc1ce66c9bed3bafc403fe40

SHA1
a513d3ad252367e96b8d04bfb44af13734f1e972

SHA256
9d5d855c418b9cc7c95d9955b37ba2f208b45a929dc9bc045639927f5dbfaa99

SHA512
bc26845d568c14455e8aa65a41af314f9f83ab05cc9ae97e5ccd58a63674972accbab5481962924b89ccd3cf5037f0855a347be0a8b1e751a7e2a36181519957

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-wal

Filesize
8KB

MD5
7f3c82bc87834b5446b0ec0b94d1284d

SHA1
4acc50e67992815998ea5b22f5d57f0660794e5a

SHA256
289b5f2af67364c674b007220ab35b738470e81240ebb91687f1c34f98329d99

SHA512
7b2dbfac29ad240deb8a34221f01e2a608891106cd9a63daf399e608614575f211c89b4797e22748026a8e83d392fc69a23cebf639135eb46c4d953a57cfc1a4

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-wal

Filesize
8KB

MD5
c062be12ebf1c989a23c9d5cd6c46c6f

SHA1
58afbfd0d4bf30572019a812b40accf72e872efe

SHA256
d443a34751cd212096af7f2378f11a590eb88ae8b14d8d578215e5cb0d34c1a0

SHA512
87e0ab810412adf3a266e0c09fa8d6e2eb4575b04364a61afa5199bc6739434e2e9a6dc672cc315c4f8710742acc4a870ae8ebc957e8b65ef59abbcca3f2abbe

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-wal

Filesize
4KB

MD5
7b4f8465187e50d6b617a60bf3d5a919

SHA1
321bac629ca38ef5024872131ccb91d2abe5cac1

SHA256
c6cb1ca11f4428db3bf2af88b0bf5e66d78d1291e73ff9dbb85e3f5b18d59553

SHA512
008c71c4c561a4f66ca4f7a2cb56cb6ea7d9257a98e256220d4be12e12bfe611d71d898cde3f178e15297ff9e6a3dcd0c67032b4ed509413bb9f5809ee9cb2bb

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-wal

Filesize
8KB

MD5
000b8eb187ac8a48362d747e9178a796

SHA1
86b0f6c9bd8b659ed0e5c4a84550861181dddce1

SHA256
e8f1e57a8822a6c0b2537c69c2f241aa461023a3ae21015b09786056be439f2a

SHA512
8d6c5b40b2dcfb018df3640fdead16306697ac2a093b7adf9f4527e561d5b31b9335320076e139b0ed1706fc325fbe399d64866d3e0077fb07f4db33cd113859

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-wal

Filesize
418KB

MD5
ed3679e07aab84a68bbb0445b994f1dd

SHA1
abea848e8a4e66c6463d1e848bbf07a02e08c1cf

SHA256
ba80e334e2640614c02893e732b02b0fdb1d9b21296092288e3b5cf670bde5c4

SHA512
d065dfbd886598f114db38362d9caf233895e72da85f5b5b1c1c4c968895c67c36bffaf2d1e6cb712a959ede8cee51625ddf18657830e6729786f068911c9149

Download Submit
/storage/emulated/0/.am/dm/md/main.md

Filesize
2.6MB

MD5
6ce629031a213e71015b36dbcc18fe6b

SHA1
8c2dcaf0bc169b2a2cb21119182b32f65958e369

SHA256
afd06a2b7fea75b3f5a4ce8835846cb95d2e50ec87428798aafe9189868004f0

SHA512
1cba0ca71b9359dde78305ecd91248ebf14ff4402fba538777c105c5f997a1267fa62e264267cbe7cfd1561e045a38f92ba85f9220e2cd439712ab8a74b2739b

Download Submit
/storage/emulated/0/.am/dm/md/main_tools.md

Filesize
1.2MB

MD5
c74275c6f8cebd2e1510f9ed4a68258b

SHA1
5de002cb456a33b2e54f43a009680770d079dea5

SHA256
22dc2fb27037413dc9aab2fef27ed052776bcd68a740d96c997aa31dd8f1632a

SHA512
ded1c0604d1c6439cf569149d0e9f30d05d1ae8d7dbee2b0539c90027fe45046ae2ee6f582131055341a442aa7f8be4da73f948de88c2e5e6d1bb764f00f70e9

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
169B

MD5
7ecdc814e1ea3d5c1b69a903ebf7ac58

SHA1
006a9a49a69d0f0cb6184f7cf9f9fc4a80f8bd49

SHA256
5397f12434d597319a3fc41564f78a8e589cb13129e39f1a5ce8218c9242f315

SHA512
891f258c849c98150b962fd01c078f602072219e90ee93800aeddaa99be439505e099c49bacb76a0a99d16d38d5b4be8001aa3dd0412cd1550b43dcbd9d5a9d6

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
148B

MD5
041db60c36e315adaaea8a651e4d22b4

SHA1
510e9fb3d1399954bb802d5404daa47dba21fc94

SHA256
4653fa92112680d6895fe9b306384c4b305886e675721246565ff550fe82d63e

SHA512
84a89a8732cf477309571196ff32cd3a330bf379fe53a131e1b407fa06cb5aa5e6fe2061d79c2667c83da456ed485820250dbb748e10ecb572c0b32dea3498fd

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
3KB

MD5
abab1134cf1cfd913f75826a689078e5

SHA1
2538d266b054f75d54e702b5366d0b3b2df42ada

SHA256
7695d6e71e4a413263d5750e8c66b797ade27277fb8c8fa13582b865c8cb2776

SHA512
bdd1fc917f99113ee1c0f9cf9b1cbf818f52f6e0a044177e1903ae6321f809d567c8c38563d77da6b20248b3f95a10cf3ed429fba8c546dc4f3c1773a1fe53d1

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
60B

MD5
93993b1768bbf6f6f853aa6c3b626716

SHA1
5b9b6ac2ef91ed99388070517e9fbfefbc09e808

SHA256
4c002b1769443999846fa6b4204280fb7da68e9f5618546fd5d8429520143544

SHA512
f019a9c7b25617fb2ba58417b31837210ffe3db04618f4ecdebb7253f2e1fcb76c387c885e90eeae984e3ab0c761a991bf16b872fda1c79ea19971b14d76c1c4

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
68B

MD5
1c0e8b2bc076a7e37cdbd5f8ba3ac0c1

SHA1
1479fe6878404f207812a13bfd988d3a58761672

SHA256
3957c8e656c63e09e6a1e782d8017830d7bd5fa02a483e8a7ed3f243ce859874

SHA512
e7684828fcf545d9d24c6dad35d2db8d57409aeb8bbafe4ec1a2d93984aeb74cc3aba627b4739602ddf67c19ceaee1a61efe5206943a81e762dd1bf003c0d733

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
157B

MD5
3e16b1352481639850f8974453d890bd

SHA1
ef74687042669f860c9a456435d03e1b05dba88e

SHA256
3c82c7f914e83971cce0e32c8b472ebd9f89f52f2bcdefc3e360bb7f58082fc9

SHA512
0a213faf7b00c60f5ba05dceef6d2d2e94013d4b40ae57c98aa539a8b1ac46b5386b583976c4b46bff76429c0468334b4a90dc9296c3b3df8704e36885520073

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
129B

MD5
0057911abc66e1a8d07b079e94dbb7b8

SHA1
dc6a1aae946d1a908aece999348f4ea402aca37a

SHA256
e9bd84eab8e3edd7f106e527036084b645241c237ccf3260e564a1e6cf625c82

SHA512
6d5a804d7a75af6434b25c3af551ae0b53767e8a45c97c921e581d4a0c9f482d06aaddf204144317632f94968c52bd8af22c0aea24f9c2599977a1cff3365e9b

Download Submit
/storage/emulated/0/.am/log_.txt

Filesize
26KB

MD5
aa6284d9d46c813973f49eef056e3c48

SHA1
3863a6effbcb7d95506e0168d79ddc061c31e01b

SHA256
611c706c5c227964b22ef0d019badbbfd3a79c073cdae9b5d7848b820cd262dc

SHA512
b7b8648f6d99d5ffb026e24a8a3ac11b37d71c258a233cdc29752541bb628fece3e5f5a86823a14ce7a5f5d23b2382aef6805adf745aeda20041be67c1dc9f1c

Download Submit
/storage/emulated/0/.am/log_.txt.zip

Filesize
6KB

MD5
898f63fe7c13532b6c593f2726fb687d

SHA1
6ab19461f76786b39ee5f4536f362d0e2c88e9b2

SHA256
6cfbfd1c820d7b569b3dab058fc47a3ab966dc3b565928ca065f8e217309a4d2

SHA512
227f0078667f16d16379ec7350583fb9f77db7f4f317ae7e9252c548e67cd1bc970c2dd498a0f9ab9615231d1209d5a5b29e8a6f88a03ce880f1defecd418d84

Download Submit
/storage/emulated/0/.am/log_1714529535101.txt.zip

Filesize
215B

MD5
feb7f7f68e75ccbb46385b9a46195602

SHA1
f9e2eee1c7df746f6f0249e3bb0cd6d67a6a6ef4

SHA256
ed9e86349a40fa4d56535c97404b8cdd842eba7cb37f7e91d6a4f4c443b57b94

SHA512
6fc8d809d65a471ac9fccaa353f5e304bd430ac479256fb5347ba674d1d3b568b86527992e52c93adf8d4025f540e2cf848167b6cbec02f39304af89974c6fae

Download Submit
/storage/emulated/0/.am/prog_class.name

Filesize
83B

MD5
826941bbac53d86e5d00e9e55cea925e

SHA1
804aa6bec689aa3fbb786cded95a5f5bb0a0e54e

SHA256
29e2e0b88aaf6f47825025253b1c3b11192c109f0e8587e0d620cd5e4e5163db

SHA512
cd75a77ea1ed59af80ce1971a43263fd14025c3ebe32e8168e97b8eeda8cd9fe2029d4fe4d7c45e608736a6746aba5e68e75e6b0b1f9abd0a639cfa43a1afafa

Download Submit
/storage/emulated/0/Android/data/zufxtk.qtqhxzzsr/files/Download/mch.apk

Filesize
64KB

MD5
13684d2547f64dabfe299d1c6553a05f

SHA1
b000477d2cb51e917f2ebce3a8c53745ba7e0fd0

SHA256
3cf935d3101700253aa86e9d233201e587cfdd71b44491414b9d0f8f351febc0

SHA512
e75a7c2d43b9223cbb58cf21640ed86a1df77fbeab56d9f7904748898feac40aa6a372dfdfd44c93ea8480dad2f9889684bf37b85549d4bf8e2a2c7c79172217

Download Submit
/storage/emulated/0/Android/data/zufxtk.qtqhxzzsr/files/Download/mch.apk (deleted)

Filesize
54KB

MD5
2ea21074e05dd97a864a457ba5d259b1

SHA1
1102bb02aec66ac7ba9c67dbf959f7e01efba554

SHA256
4c77c1782ea71adc9be260b0cfd849e0c98d393b9af7bb2338fe599e9f41a456

SHA512
34919b30f35822c7405c43921a8c3e28c36eed25e0d5c15fd6f123d4b90bef585ada0d8b94863a1c76bb48c8bb6b7eca1a0e3db65fa8fab6580dcef9d442dc32

Download Submit
/storage/emulated/0/Android/data/zufxtk.qtqhxzzsr/files/Download/mch.apk (deleted)

Filesize
64KB

MD5
900bff5906bce179f7a42f46ae98813f

SHA1
8046b3254f0a6280ed8cb0cc684c730d66a28550

SHA256
9d3d5c2b869b0da192c67a1fa79a06cc1ab137e09d5f2786c2fe06598be04d4a

SHA512
b4d6916c327ef0ba90189191d5f184b87475e2fd93764615543081614bea46b41df5a6d4198e8d226fbb9ff9650a438de55bf01178afa76bafd242d3c7ebb599

Download Submit
Anonymous-DexFile@0xce047000-0xce171958

Filesize
1.2MB

MD5
205a360b4d45a6e4688aec7a7265dc0a

SHA1
53f493d19040d517bf0b4a842d5f7e8865a443cd

SHA256
a78f1f6aa2fb421d336ac32befa711c6702050014dad9d07074528e8ee4598ff

SHA512
3c515d0d30b65fe025629a9a2da0b7c83a95d27ce87bb54739e15b719b99dbeb11e9db0f8bce1855fdc60c872eede02327c15a6bd8f57a7de2d22edcb972febd

Download Submit
Anonymous-DexFile@0xce3c8000-0xce659110

Filesize
2.6MB

MD5
0c7c6b52525074c2a1aabaaaa33cd625

SHA1
161ba0350dab8e50d0988249c06b2a1c757189b4

SHA256
8ecf2f3210764f98e3713b9284bf0e3f49db5472fc0940bfd3d2624d4df5bece

SHA512
c7a872f5360b97c18a121d7e8827da32352ea7dbdd4c6ec8a80e7e950bf85c7a468230c81a7675c6815623b7b0ff2ada29584a5b0a87ce48e47ba391681be44f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads