andrmonitor | 7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2

Analysis

max time kernel
172s
max time network
185s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
01-06-2024 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2.apk
Size

20.5MB
MD5

95b2280beecef198e0000141611c25f5
SHA1

412f94db6e1472f3157a4ff2c3f73a090474a18c
SHA256

7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2
SHA512

91609c6b985210db45b578e261e13c5de8f070405b7d81a611fc3375e7603fa8e728bfd19fb9003369488ed4e906c3f10554a13b5c50530df4de86a7e12fff18
SSDEEP

393216:o5pST5h6sJA35z7A79L+icn1mbgafiubcNZjbZT9i/zVN2I+TXt5kKpPbNiRSKcG:btJA35z7c5k1mbBffcrjTi/zVN2IkdCd

Score

10^/10

andrmonitor banker collection discovery evasion execution infostealer persistence spyware stealth trojan

Malware Config

Signatures

AndrMonitor
AndrMonitor is an Android stalkerware.
trojan infostealer spyware andrmonitor

Checks if the Android device is rooted. 1 TTPs 2 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/system/app/Superuser.apk	ultfp.xluluazofns
/sbin/su	ultfp.xluluazofns

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Removes its main activity from the application launcher 1 TTPs 2 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4298	ultfp.xluluazofns
4298	ultfp.xluluazofns

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
Anonymous-DexFile@0xd3522000-0xd37b425c	4298	ultfp.xluluazofns
Anonymous-DexFile@0xd3354000-0xd347f250	4298	ultfp.xluluazofns

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	ultfp.xluluazofns

Queries account information for other applications stored on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccounts	ultfp.xluluazofns

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	ultfp.xluluazofns

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	ultfp.xluluazofns

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	ultfp.xluluazofns

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 3 IoCs

flow	ioc
19	anmon.name
32	andmon.name
17	prog-money.com

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests cell location 1 TTPs 1 IoCs

Uses Android APIs to to get current cell information.

collection discovery

Location Tracking

T1430

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	ultfp.xluluazofns

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	ultfp.xluluazofns

ultfp.xluluazofns
1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries account information for other applications stored on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Requests cell location
- Schedules tasks to execute at a specified time
PID:4298
- su
  2⤵
  PID:4453

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Credential Access

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/ultfp.xluluazofns/databases/SettingsDB

Filesize
124KB

MD5
4c0ccabb25100a908b9db06434a6af8b

SHA1
555d9ecfa42e17aec483e1c05be0fc1362db9e66

SHA256
79aee6f8af24ae6adc8537de3a061bde3778d3d9634265b85b3e8727d4116304

SHA512
b9a4a1227fa927f0ef987a720c5bf16af71f3fba8c1a40d5387ad0d4ba193a1b7b23634b0850af7c25b55c8b2e984e7c84ab8fb3e55c83b3bc2ff859f4dcc5bb

Download Submit
/data/data/ultfp.xluluazofns/databases/SettingsDB

Filesize
96KB

MD5
e45be2eb3fe3b762d462db7ae5c867e9

SHA1
1141b49457d410e07dd4c41b4be15e20338d8eeb

SHA256
bf2dcbe6edcb03673c3468bb5459084822687154e383bd404e667c9229755a17

SHA512
2a2a1a25405fb8654ee144f88040f8944c0ce68c95555af8194b250a695a3a86710fecd0161c74a977d4544baf840ff8e30c701b874152dca99add16dde426e1

Download Submit
/data/data/ultfp.xluluazofns/databases/SettingsDB

Filesize
96KB

MD5
76ccb3097c110cb3e6fa68317f7a48cd

SHA1
a04e0bb36ad613663336647c682e67cf2e14cc6a

SHA256
b3570b9ec59a8dd954aaf6b82a6d5529b996500d369db979fcc9c28eea5c5894

SHA512
c60bcffd3667129be6054f704ccd30ee6eefa145c2c0446a2c164b5d798f178a8d777d862435412e53da2123eba427e10b0e0e70490f0da862cf5478f285b2cb

Download Submit
/data/data/ultfp.xluluazofns/databases/SettingsDB

Filesize
96KB

MD5
b1d787e6ba83c0a0127875d653b1d376

SHA1
bf337be0d9d2336cc9ce99afb1a102bf7641b2fa

SHA256
66d1d67468da0158c0d0f181d5dd8a66dd2123489b811fabc65dd322e4f8b1cc

SHA512
68192762129f706adf89b9a90ac000b5ed5b6c267bdb659a487b3be9d2519f89512afe58927229b0c068a59b84f3a5c8364d059f9db2ebf7082f9eca5e1b4354

Download Submit
/data/data/ultfp.xluluazofns/databases/SettingsDB

Filesize
52KB

MD5
b6815b344f6926d458cea05acd052cdd

SHA1
88f524aff1d4c5fee979a203dd952427871a7097

SHA256
028666f28ae0086b18fb740f792e8a80ad05547f0c7cb9d2dc8080e5125db366

SHA512
0431375f80e9c467d0abb042e43681a973bce455fe8354f5a138f19a3b28d3adc7eac3fe4c20bf44f085810749569b87a393185cd8f8bf2687f0923b8de4dade

Download Submit
/data/data/ultfp.xluluazofns/databases/SettingsDB

Filesize
144KB

MD5
2b143845ac04baaff16292c30e748ad9

SHA1
b5ecbfb2c85243f149dca48501286eee6170c946

SHA256
979e34631f45c3e021ce647553dd7b9619281f0d7864df8d77959418787fb0d2

SHA512
063508496fe6b66cc7de715c7ccb039a2dbde10c4d09476cf6c6e5e931115984c94c6ab6e41ac098fde213fa261fb2d222b98cb76178b73e48de1866e00a723c

Download Submit
/data/data/ultfp.xluluazofns/databases/SettingsDB-journal

Filesize
512B

MD5
597a9daf62f58456bd00be6474758e38

SHA1
4962f0296f77305cf6702bb5585c760ce0cb53ab

SHA256
aaa37e2a6d912702f8bf3bef0ff9373937c364bf22310f8e104e1d321769fe69

SHA512
30b0d8bac34175b274432cb81733f88d72b5d5eb53d10d87888f71b0ca3ac02adad02a5a8bc9845a6dbe5389c1f9b810bd77e9af65627d0ff122c82e87465057

Download Submit
/data/data/ultfp.xluluazofns/databases/SettingsDB-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/ultfp.xluluazofns/databases/SettingsDB-wal

Filesize
414KB

MD5
0308ca44ebc0c7cfb3a6eae3e1b95fc0

SHA1
ad8365ea40e673081bc07c06155dccec3ed251d7

SHA256
069632d5cea5a21c5c4c529257801607ffce6077277d6e37fa5018837a88c9ab

SHA512
a0c2c24694cefe37901062dfc5a1f4282540230d780d78b0ee018d62273e8d02f7abdc17f42ccba7c0f0799dc48803ba1c9ac091cb671636dc108c4d78aac349

Download Submit
/data/data/ultfp.xluluazofns/databases/SettingsDB-wal

Filesize
8KB

MD5
c62bc12efc37b4bf74863b30b829a481

SHA1
61915b8585327c67337307ae6b46c343c988849e

SHA256
c5b77183e9212c2800bf2a41e2c100c1c24d62db69873dd359e2e21e4d72b1e3

SHA512
f628ea85aded0f3d2c16e4a1e8132e4c5f4def1826d8e6439a9cbddb02dc2df7e2aa27959b7d97205af3ef6ea6db6c62098f16c09c79eecb8f8725be71616aaa

Download Submit
/data/data/ultfp.xluluazofns/databases/SettingsDB-wal

Filesize
8KB

MD5
9de50276ab811973466036c46037d993

SHA1
71a1931dcae81e6934571b7a73af941e64d4fb38

SHA256
dca9f99cf7752b7071b64d53e0dc937f7e6f991f900eee506e40e14d466b2dec

SHA512
c3d9a22f00881725b84594872b56c99fb1f2ff84d08c948e1105fa0d21f3cf2de298ed8fb1470125415fbee8dab4dbea4e8a9d2fc34bf8a19435b7f8886b0cba

Download Submit
/data/data/ultfp.xluluazofns/databases/SettingsDB-wal

Filesize
8KB

MD5
bc24393870b2afd31831a12cbb96740d

SHA1
376f4c45486d87aa2fdd627de44905574e6427ed

SHA256
23b0873ac313e623bb2d9512819327f6236402c37966ccb65488f0d3cde230e2

SHA512
fcb84cb1e495e68ed57aece4b81ea24ed4a2f7e7d3a95c7f878ecad4d6c20249150fc136e1e4c82e10729ecdc4d25db061a456744f5ed2d77e07737f8dbbd2a0

Download Submit
/data/data/ultfp.xluluazofns/databases/SettingsDB-wal

Filesize
4KB

MD5
060ead69f06cf38a3e5b948414aa6f79

SHA1
cd5978d6ed4f0c886ac26f45109ecf6668474d5c

SHA256
8c349dc072a830b5cfcb087e150a0298916e08f61531119cef939d4310c92eb2

SHA512
e5ff8b85ec6c0862098836ed4b96d7fe936f127b105bdc4ff37b047816a199d3a9b7c1d16e7041405336e579ae4cfcbd788417b217c659f1042248f797057440

Download Submit
/data/data/ultfp.xluluazofns/databases/SettingsDB-wal

Filesize
418KB

MD5
e67c813ae94cfaab0a3c80a4aa1c898e

SHA1
3b25328ffe2473f7a4a176d9b4a68d4e00fadab8

SHA256
d9d2340d99b31b11b3e6e04507f2e77f8035062204fc89cb3124fa0b800cf8df

SHA512
65a2ecd642e6e2dd68e11f6ca7a26d3b0b8812905fa3cf75b60384479c33cec70c72a439329caff72ad4264513c8e59ea35dc7b5a79ad30ba25acf9a2f662557

Download Submit
/storage/emulated/0/.am/dm/md/main.md

Filesize
2.6MB

MD5
b6d3a4cf3c50723d4c2b606550f66078

SHA1
fe6541e98b3cc04a31d269c3dd51beda11814796

SHA256
e10b67c58d2778bbcafa71e34353c26a089eaef19021b8a52274708c6c664a8b

SHA512
6b482bec5b3bf9f39f09164b67a416f238973e799a88245422a06caeeda73daf0aa0fa4e319384e6ac6c03c99c5808c9cba990ab5028169e820a2d8694eb7c5e

Download Submit
/storage/emulated/0/.am/dm/md/main_tools.md

Filesize
1.2MB

MD5
1e05a2d987a9b8ace6ec423e1de9ae2b

SHA1
8ba9fad037667f9a091541ac11cf4e27965d5288

SHA256
743e7d3660de8e672bf0d07078d8e540b1cdb17d216e63b8703fa180c97179b6

SHA512
1744113900cd787eb4ee34c9fe5b72dbefd4e6c334373f6f32adde0e3de22044a2cdb1ed9a6137e4dfdb7ec53a7b77fd5d059e07976569a30e192e680233d54c

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
171B

MD5
35d5d63d53982710dc0f45f72f0536c5

SHA1
3c4292e12247d6cd3809c24abe58f488f00e7842

SHA256
97c6203a202d2e94f2e909f5d2e48e7963a9e75baa8cc5e33b798d9a4b22192e

SHA512
a07ed4ac5ee184928b2f838a6053176d64d00bad3cb3a1e83b9fc2f3d2dfca3cd778ebff488ab02d6930987afbad43b1667bc334310c1d1a5e614804618cd7c0

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
150B

MD5
cff6583e9691bf8f35a4793bfb43b123

SHA1
ff6c94f58b07bb22cf794d820efd7f9f753487d5

SHA256
3c831e5d9210b342fddd7f67eabad69b47dede63732cb96210132b6272a66452

SHA512
2263999c67e9b8f0913ad3557bc643a7506ef056c8c99876363994e81bdca9ba8acba5e89796059645dec70cccdbe986ccf2e3c1185ad3f243d4368cd2facc6e

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
3KB

MD5
8861ebcd516b9b2e7a135288e5eb80b0

SHA1
b14b732faa737a1a9c29da2373837dfdd193bff1

SHA256
2d16eb0108e291ef99bcbeee8c11fad70a81f657cd9845708010f9ec5740a05d

SHA512
195ebca83c7a5c8cfa269ca9c327da600855a31ce2e16f81854ad69bcddb2ff4aa38d9798ffec716283db3401518c27deb3b5eff9089c851c0d46bae8efce470

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
62B

MD5
51e35dbb77a237bc07b660a87c1a2e55

SHA1
c622ecf88db2f428c2cd4f34b2fed1b19106eef7

SHA256
3d028c38d877ec1d54bd89bbdf4edf7771340295ba7f33fc40a2bf30ba625617

SHA512
35f82632dbd1b3d0051f6c2416074fa10caf84b9fa25eedffd0ede56febc132b0a8a51f1f2f8fd425cf953981c7dfe3681e027f8563012e2d96c3e19de1aa8a5

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
70B

MD5
97b078f0c252e6f94064e35ea75b7beb

SHA1
415356d9592445933bfc27ef773e206eae701420

SHA256
2d9f4ecc9c7c51612661b9b9ecd5e3b13830184d8781c65bef31cc02533be72e

SHA512
1d2a85668fe3bbb7bec6d3a9266a45b5488a26417bf030824baeddee7471a89cb1efac185762c1af7fa0b079656c39bbb8072f6659dbbf25d3fde419bea37d8b

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
161B

MD5
ad7bd8016cf13c2345cd4fc4cb1fd7e3

SHA1
4d5101e02a4e98cf399ff95825dce8c268ad5047

SHA256
4034477d862ebff94fa10e9011781f148165aaa71eb9b04374470f7204c27ffd

SHA512
783002294b88e71c4e3efaa74459f981347fff6b4a47e058312ed1653e9568b5fc0a071c7e5886311e122af439057f6c4509708a51e2d9362b5fb4a26cfacfa1

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
132B

MD5
4804056f31373295142eca5eea7c7bb1

SHA1
c3c0941a236bec474cc84a3116364491b061a916

SHA256
bea4739cf932447754f2d97a68cf0b20fb4a7a1f6ea9304fc984d4a52a970ea3

SHA512
69695f4938f967cb640d9cc342dd53bbe962cfe629c073d6f6de5ef5419f7d0bc602894c925fdb36091b43cfd1ae528cb61b3786db1b1c5ac358e5a999a77013

Download Submit
/storage/emulated/0/.am/log_.txt

Filesize
26KB

MD5
e026da8375ba18c3b795c6095494b862

SHA1
860d4ee072d3c86e841caf8d21427ed29b8b172d

SHA256
aeebe46c6e97d4deee8724425bc1a17899252e816ff0e93261fc7b300ce68585

SHA512
d547f4da4879b2355ea43e3d71b1ee4af85d8b1612f961244fb203338e14a3992e9e2d81f24590834c6f6cb903e8180647e9b7bca9de6d011bbafbc3c1b4eca0

Download Submit
/storage/emulated/0/.am/log_.txt.zip

Filesize
6KB

MD5
03bd08f899e085c4261d48cf6fd7e68d

SHA1
cd998fda2a1e4400c389876f17cc16e38aeb47c2

SHA256
5687ac207e3c277473d3843dc3ecf7793c6d103f601a9ff238ec4f55c9c078ed

SHA512
2fbec2f3e735c62f8eb59799276cf5c1ee611d5f7d1732c9248e2c078a2432f21f30f4d7455e1a624539edc669905393152fbbef9f17c625383ec77259dc11b7

Download Submit
/storage/emulated/0/.am/log_1717207585423.txt.zip

Filesize
218B

MD5
aca42e3e167e9569bc443349c8f6e0c9

SHA1
a234ea5281d99c5f92baa79ebbdff1a7c3b1c638

SHA256
a8ba11673cb6d2a77f18660017ea936ea871fb3c617a82297da5afefa5b4d924

SHA512
048d745982cbfdc078bb4efac3affa3541ce206029fc05a13a6ea3896016536c75b65d7470a8396b5af0e58b214c2381fa964d8173541ccc299ee337f7314452

Download Submit
/storage/emulated/0/.am/mch.apk

Filesize
41KB

MD5
7e9d5df67efb089b7f400c3c8ad6d6e3

SHA1
b762b5efc24dd6f769831b5c729ed6643cb8e872

SHA256
3322c95e6d9fc662619c5e404dfda40ab5563d2b0b5c051c132e168c26488384

SHA512
5d43c00e9d26a9649a72a1d9cf286ad276e8e35dac0395dec10c8ba9034e5443c81bb25515bedb2a625e98228bddbb694c4d070aba8b83f5e64f879616d8d5a7

Download Submit
/storage/emulated/0/.am/prog_class.name

Filesize
81B

MD5
b8b5f3bfc09d894b59b046a334c95afb

SHA1
63553f7add999d1f9279baae996086f6da7e5c63

SHA256
724cec8037ad196328560e2dee682aff4e295682d738789468d8123e9d447871

SHA512
30d8ca6f0c05b027d1fe1504a5c95efb8b48ab61a8da85fbe49fe5c24cd23266450e95e48cc735244e764019c6065e5b8420d615baaa39d3abc6489479f66b67

Download Submit
/storage/emulated/0/Android/data/ultfp.xluluazofns/files/Download/mch.apk

Filesize
64KB

MD5
00b85e08322864c14674331dec66b3fa

SHA1
ecd64d575233b1651bf6517b473b985087db48df

SHA256
ef0b823cd3e1ada6e962ca70159e43ced5db09d2c72136a6ef4de16b527f2e40

SHA512
9c3ac05342fc7510a168a59f5c91cc47ff8e44f80a5cb7e43080bd9b06ab009f3e47c8f2cef3b140385b54e962c3b0dbf70b5182bee4fb34a21a947e10628588

Download Submit
/storage/emulated/0/Android/data/ultfp.xluluazofns/files/Download/mch.apk (deleted)

Filesize
64KB

MD5
13684d2547f64dabfe299d1c6553a05f

SHA1
b000477d2cb51e917f2ebce3a8c53745ba7e0fd0

SHA256
3cf935d3101700253aa86e9d233201e587cfdd71b44491414b9d0f8f351febc0

SHA512
e75a7c2d43b9223cbb58cf21640ed86a1df77fbeab56d9f7904748898feac40aa6a372dfdfd44c93ea8480dad2f9889684bf37b85549d4bf8e2a2c7c79172217

Download Submit
Anonymous-DexFile@0xd3354000-0xd347f250

Filesize
1.2MB

MD5
cb16f947895faf71d09cb5ad792b0e35

SHA1
c1dc4f7d5942a9dc0e1f27bad9239a4b4e8f49a7

SHA256
e884e38eadd126d05e90daacf4250127ea46787315a235296d3c9341c2df3bef

SHA512
8ed0d22895c375649c7eee45c2911d816d194ee36c648e8cf84805dfff0889602bb3d17b376d2e4c73fdb0df23002349df0a872d8e18fe219862ad06970aa2ba

Download Submit
Anonymous-DexFile@0xd3522000-0xd37b425c

Filesize
2.6MB

MD5
a11095265b09ae16734bc3b64a287e71

SHA1
880f31b9f8816a40960b0276447e2252194d5f0e

SHA256
886111a93011a48dfb6eb6231c42864b42364bd8a71d0efc229188653dbe0a9f

SHA512
81963a169cfbe9dbc6a47a5d5c52d3f25ad3b56e82ad24206b24b257f0118d52393174a4219f6b27b4cb3a2ba8eeb832e61ea5bfb2b2160cee63a895a28cddc0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads