Analysis

  • max time kernel
    170s
  • max time network
    184s
  • platform
    android_x86
  • resource
    android-x86-arm-20240514-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
  • submitted
    01-06-2024 02:06

General

  • Target

    am.apk

  • Size

    20.5MB

  • MD5

    95b2280beecef198e0000141611c25f5

  • SHA1

    412f94db6e1472f3157a4ff2c3f73a090474a18c

  • SHA256

    7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2

  • SHA512

    91609c6b985210db45b578e261e13c5de8f070405b7d81a611fc3375e7603fa8e728bfd19fb9003369488ed4e906c3f10554a13b5c50530df4de86a7e12fff18

  • SSDEEP

    393216:o5pST5h6sJA35z7A79L+icn1mbgafiubcNZjbZT9i/zVN2I+TXt5kKpPbNiRSKcG:btJA35z7c5k1mbBffcrjTi/zVN2IkdCd

Malware Config

Signatures

  • AndrMonitor

    AndrMonitor is an Android stalkerware.

  • Checks if the Android device is rooted. 1 TTPs 2 IoCs
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Removes its main activity from the application launcher 1 TTPs 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 3 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests cell location 1 TTPs 1 IoCs

    Uses Android APIs to get current cell information.

  • Requests dangerous framework permissions 3 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • ultfp.xluluazofns
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries account information for other applications stored on the device
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Acquires the wake lock
    • Requests cell location
    • Schedules tasks to execute at a specified time
    PID:4306
    • su
      2⤵
        PID:4369

    Network

    MITRE ATT&CK Mobile v15

    Downloads

    • /data/data/ultfp.xluluazofns/databases/SettingsDB

      Filesize

      124KB

      MD5

      4c0ccabb25100a908b9db06434a6af8b

      SHA1

      555d9ecfa42e17aec483e1c05be0fc1362db9e66

      SHA256

      79aee6f8af24ae6adc8537de3a061bde3778d3d9634265b85b3e8727d4116304

      SHA512

      b9a4a1227fa927f0ef987a720c5bf16af71f3fba8c1a40d5387ad0d4ba193a1b7b23634b0850af7c25b55c8b2e984e7c84ab8fb3e55c83b3bc2ff859f4dcc5bb

    • /data/data/ultfp.xluluazofns/databases/SettingsDB

      Filesize

      96KB

      MD5

      d1e7fcfcc0c1a9655088b927e3deefd6

      SHA1

      9e9dd5d71c867bcd0b0350f3bf389b718d4a6085

      SHA256

      ba3ec415da502e17f686283a48b5cae89d73b07d8cc7f514649d931f732238a7

      SHA512

      30c2ebadd75489b5d499af7507f5c20bb747a37a200a52ff77433d1872fdb2f0c3014f4fa7ed074fff8ad702f577265f476348becb9ab0e9041a83b284876a99

    • /data/data/ultfp.xluluazofns/databases/SettingsDB

      Filesize

      96KB

      MD5

      e50a52918bf0bfe26bfba940008b69a8

      SHA1

      b3098823e01d5634e22eab8856ec2b8161bd0e57

      SHA256

      92e62265c965a034b1fc49c713a21bfaeba9c4f566631fe377edc592338aa934

      SHA512

      9a473d100afc834f98ea3967d07822fac3ce9788cc1caca8812e8cb009b78b3b68c0e44ae00f24073323d75a0bf4ceebf031726d599fa0f1fd9a7f5e53164dbd

    • /data/data/ultfp.xluluazofns/databases/SettingsDB

      Filesize

      52KB

      MD5

      b6815b344f6926d458cea05acd052cdd

      SHA1

      88f524aff1d4c5fee979a203dd952427871a7097

      SHA256

      028666f28ae0086b18fb740f792e8a80ad05547f0c7cb9d2dc8080e5125db366

      SHA512

      0431375f80e9c467d0abb042e43681a973bce455fe8354f5a138f19a3b28d3adc7eac3fe4c20bf44f085810749569b87a393185cd8f8bf2687f0923b8de4dade

    • /data/data/ultfp.xluluazofns/databases/SettingsDB

      Filesize

      96KB

      MD5

      5252e52b4761653f304ac31958fa81ec

      SHA1

      04780d14c95328314419d39c408a4778ed3843ff

      SHA256

      133016c9e42a9052c3200d494b4a76440aace2cc2ec433ddfecc671210c7e7de

      SHA512

      49a15ef897484f1f649ac247ec221a7d0deb0e4a6c8b60c80d70f238a45c6545101c86f7cf3746347eb6325362c6fa6c451de74103b9674dc06316bb7b6ad034

    • /data/data/ultfp.xluluazofns/databases/SettingsDB

      Filesize

      144KB

      MD5

      a88f528602a5c4bf52f6e4dda1e66e8f

      SHA1

      f6b105c2ce724301a57f4732cceb34e787e42cdc

      SHA256

      6aa3754efe950c0d29e15af091d81bcffb0a21d8927ec1ac4fab86bc16567c10

      SHA512

      483589c431e345b83500c0b547ca94ea6e925dc3b4172032e21f08ab4dd0c8725d050ec0c98c3360e8435e676451f81231b6049d1476dd9d8a44326df7468345

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-journal

      Filesize

      512B

      MD5

      0cccc20155796f97ed55b18e8cff1211

      SHA1

      59fa9c2f8e86251f0310e044c52595d90f32b22a

      SHA256

      cc9ccbf3036d77083cb1a4242c6282b09fa914269063f8e4323cc53117e2641b

      SHA512

      a5b115f012124fa52490b24b169a63b4e029ebb51aace2c490bd79a937263c56eeaeb6a2464cf5d7ccc89aa73ced5d5e448e3d188d6a589eac1bde0ec176624a

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-shm

      Filesize

      32KB

      MD5

      bb7df04e1b0a2570657527a7e108ae23

      SHA1

      5188431849b4613152fd7bdba6a3ff0a4fd6424b

      SHA256

      c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

      SHA512

      768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-wal

      Filesize

      414KB

      MD5

      a65a2c60b895485c9182b079e5d97c7a

      SHA1

      f18ea64522ef88cbc5a8b97b61b913b5b0fe68f7

      SHA256

      aaf531555d51e1a93e35a12aa0700a6c2964c43cd8a4a30a7d88dbb2bbc5cd73

      SHA512

      5930e7605bdcecfbe1b65ae6dab6bb02e4e935303f25044353afc66721c02b76843447b24f8ed08bb484c6ddc91e2583b6850cf937ca59f3e2dcc4aa98b2dbdb

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-wal

      Filesize

      8KB

      MD5

      9cdf94af6498a32d5792495e0f5ba46f

      SHA1

      90efdbba42c05fdd84f5223f77438aa14d9af2f9

      SHA256

      1fcee6710753f16b073e108ec3dd7b4b70bc3ed2fc1b067bbe71ff3c15c64c2c

      SHA512

      2e2feb856c2c996973fe2771a320a89d9927dea670943875c1e777b0c69ee83bd76e75e7eddd63bd53fcd35ba79b6d99f4d9b83c8bddfcd05407912d0142d6ae

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-wal

      Filesize

      8KB

      MD5

      2eb9fa9664ddd2519f55102fded47fb0

      SHA1

      0e790937cc757ebe6bde72c42626cc46285c9d5c

      SHA256

      2ffc5a3dd1f34232f34d0b9fbe7793c2a1c36ba5c28cf5ddfa431a2e28ef143e

      SHA512

      570675c8acb077aa0ce6109995a3166f97b85c2b9503fa979ea4fbf311d8d18ae835ccf2626a221db18aec108b07d07cae40c78b4bb38a41b29494bfb5b7ad2c

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-wal

      Filesize

      4KB

      MD5

      5a8eb0114a3f115095366709527d18ce

      SHA1

      bb094ec9d19d390a9dcb48c86867b3b3e0d9fd3e

      SHA256

      47f41c227ba60e06c873ba1b75d6a70ce4e5c9a2a0c72ae9b3d355cafe8a0a80

      SHA512

      12daceb3130228c5d858bd01ad7b0f7b3a1490aa7217ecade3a5826b4ac4a01a167e4ca54465aa7dd55e164ddf0e81cff70ee0766ce9f492f246e2533ddeed2a

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-wal

      Filesize

      8KB

      MD5

      3396d612e2d4933e589f249a49557856

      SHA1

      45fa5e1b5a5cbe313a5554674b423cbd0063f295

      SHA256

      285a8e3be6536d14021c8247d5aa475dbdecf2a6ceb90c11dcbf76c52ff859ba

      SHA512

      70978bae83bd50125ad762fa75393c72881249e51f5dd0c16883df6f428512889dfdd1320536bec032a4beef52bde93896e78cbb47d0ac3d4feffe7cdd8662f5

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-wal

      Filesize

      418KB

      MD5

      81763752e150bcf094e806b5deb3f5e4

      SHA1

      522389c200f8deff0d61de44efb4bbeea675a3f4

      SHA256

      dc592c6601742443b46f91c6ccd38d932c6670b88e3c33407a3be2e1c985d6b7

      SHA512

      92d5c88c72a36c2a279cd7def34f524722625cff450f1b2749bdf132dc4c537f33bd8b58ce03da8bf9ea7ba373d936e1b1cda16e99acbd359d6e4c4d4c094c63

    • /storage/emulated/0/.am/dm/md/main.md

      Filesize

      2.6MB

      MD5

      b6d3a4cf3c50723d4c2b606550f66078

      SHA1

      fe6541e98b3cc04a31d269c3dd51beda11814796

      SHA256

      e10b67c58d2778bbcafa71e34353c26a089eaef19021b8a52274708c6c664a8b

      SHA512

      6b482bec5b3bf9f39f09164b67a416f238973e799a88245422a06caeeda73daf0aa0fa4e319384e6ac6c03c99c5808c9cba990ab5028169e820a2d8694eb7c5e

    • /storage/emulated/0/.am/dm/md/main_tools.md

      Filesize

      1.2MB

      MD5

      1e05a2d987a9b8ace6ec423e1de9ae2b

      SHA1

      8ba9fad037667f9a091541ac11cf4e27965d5288

      SHA256

      743e7d3660de8e672bf0d07078d8e540b1cdb17d216e63b8703fa180c97179b6

      SHA512

      1744113900cd787eb4ee34c9fe5b72dbefd4e6c334373f6f32adde0e3de22044a2cdb1ed9a6137e4dfdb7ec53a7b77fd5d059e07976569a30e192e680233d54c

    • /storage/emulated/0/.am/log.txt

      Filesize

      171B

      MD5

      de47b416a35abb2a217360e00f73a5f2

      SHA1

      4d5967b0445dc521628a095d267e3673d207f71a

      SHA256

      3598fdc271e2ab47e4a1d0425699f0484e3619b7f4b40dc15ceaa53666c852c7

      SHA512

      68fcb89c808ba736db75bc4a6a98521ef22c9350b229c115030b687f344b8e2bb62ed0a5080a208b6a9970d462e55a5d230c3fb18b4dfc26c09cdb77ce91fa41

    • /storage/emulated/0/.am/log.txt

      Filesize

      150B

      MD5

      09640b2f63d79083258dac8c1895a183

      SHA1

      20104f1258f0d9b006ae37eef4ab3ce2d8f7d426

      SHA256

      8a5bfca3abdf16761b0f01da31e0f58265d958fca4aadf8c2f595fa4b1747fc7

      SHA512

      52c2b3d3315560f25619edf331dddc9b44fd73d4109f4b3edd5cad582f240092c2f3f4e8ea257c8a7b8f799b87ad87bd0fd325fa3e8aac34e25c4d0b2c305e5b

    • /storage/emulated/0/.am/log.txt

      Filesize

      3KB

      MD5

      b545f9d19480314ed1e1a8155a069523

      SHA1

      459802f641f9368da566bd909068276c72d0ae8c

      SHA256

      b81a63c31f5b8f744bb47b798f537f97ea91562ecb8d0a60f6fae847f4699a7c

      SHA512

      7aaf4cbe90a907384ceda07a5130a354d53827e4da8b01584aac0a8142d99ee57b03ac8503fe6d711fee445abd050f2be3f5ff6ad95f849cbefca9cbd357e658

    • /storage/emulated/0/.am/log.txt

      Filesize

      62B

      MD5

      a08f5f68fcf0f5bfc174e16523a753fa

      SHA1

      aca9ce9661774f942736ebaa405f0434ee37adc5

      SHA256

      e9aa6dd8113fa25cb0a65a6819f753983e43dd7bff42713e4b44ab87bbfd88fb

      SHA512

      57a647c853687607bb9228d728d1946c580fa731307889d4ae5ff46e3feb1d7a3433639f7c20ed7632bafe74cd3056236b1d2f073b290caf58e99f1a523bba74

    • /storage/emulated/0/.am/log.txt

      Filesize

      70B

      MD5

      9063e478d9799ae385380168cfac2416

      SHA1

      29c183093c1f658b5fb58df856e3d97df576f023

      SHA256

      533b91bf8bc6e088b9a5fef3d20e62c05311f331b8879b117ec7271b99ba10c3

      SHA512

      9117be92e596ee07b8d91a14a70affec62a212643d48938e750dc81c23c613c5311d75878f5c343ded90680d369ace07791accce81e9d67ea96d3491ea8910fe

    • /storage/emulated/0/.am/log.txt

      Filesize

      161B

      MD5

      bfe97f4d19dbbedf968697fab4035ff6

      SHA1

      3ce6cd91932db01f4ee8c327b02d1a10448318d6

      SHA256

      5797461d2d5e74f0c5c786f65fbabc69370d49894a06f38d1393054d869860c6

      SHA512

      9d64d0f4558a1765a5afc4a179dfa355775a861678d367d84baff4fc8009dd038da6e5e1ce2136c9872b7d228b220195e683dcd58a91df021985f91a27a94461

    • /storage/emulated/0/.am/log.txt

      Filesize

      132B

      MD5

      47cddc8e8cf62c0e6b398ddf855d5e95

      SHA1

      2e14ff1b1b48f9aac933fde2eeb1ceccbe9ad138

      SHA256

      0005ff2c306b02938bdcaaf0b7a44551951667f33aa540b0a61f659642263d49

      SHA512

      931c12876988dddb05b70099a41deaa8d58dff111a3d330996aadcc65da5ff4af2df17c8720d644e0c9594a8c575eb1abeb3798f2fe2c521cb381ccd45ae0ec6

    • /storage/emulated/0/.am/log_.txt

      Filesize

      25KB

      MD5

      cd2aad46f526b499d69eebf291429fa5

      SHA1

      364cd68dafc70bb88d34a67eb1711cb1f3e9ec63

      SHA256

      31470b901038abd0d00cc8feaf214cd320fb6b48781ae6f4d428ddd5646cfbd4

      SHA512

      08dc79e6a8d751b5639dff162b4f5daff7772951b2a94d1f0c41e974e6bcea5a29f138fc1381c05bac9cdcaefda12cb8bec1c51d683c9ea2561bf51b122c2710

    • /storage/emulated/0/.am/log_.txt.zip

      Filesize

      6KB

      MD5

      543f14159b11a9780724a555bda12135

      SHA1

      45d4de9c7a71f33d10db443f8cd62503835d3b42

      SHA256

      ed9da89440f4725fa05a1be232195d19e2e560e34ca39dbc2ca13233a3e5ab94

      SHA512

      31821a680d62108e313ee58a2410452fa1fccac41e641f058826737a1c712d93717621c23a6e7a8f21bb15b945bb6d6e17e52b56d9d9f801f5ed77deecace2e4

    • /storage/emulated/0/.am/log_1717207586330.txt.zip

      Filesize

      217B

      MD5

      8d07776795a482de0abd338f56e5bdef

      SHA1

      c4087acfe650ca60916c003a71aa6e79f62e58e4

      SHA256

      3b9fdaedfaf768efa17d65728e4fba30f02465f2fea98f863b46db321692a6c5

      SHA512

      0bacc1b34b62feaeba857b7cffe3b7062f3d61e56c5a1ffd840099e24f55f564c95dfc82fa740c41e3287a79494e49a14e83bb89d18b6e3a9377729b4cc1fa85

    • /storage/emulated/0/.am/prog_class.name

      Filesize

      81B

      MD5

      b8b5f3bfc09d894b59b046a334c95afb

      SHA1

      63553f7add999d1f9279baae996086f6da7e5c63

      SHA256

      724cec8037ad196328560e2dee682aff4e295682d738789468d8123e9d447871

      SHA512

      30d8ca6f0c05b027d1fe1504a5c95efb8b48ab61a8da85fbe49fe5c24cd23266450e95e48cc735244e764019c6065e5b8420d615baaa39d3abc6489479f66b67

    • /storage/emulated/0/Android/data/ultfp.xluluazofns/files/Download/mch.apk

      Filesize

      64KB

      MD5

      13684d2547f64dabfe299d1c6553a05f

      SHA1

      b000477d2cb51e917f2ebce3a8c53745ba7e0fd0

      SHA256

      3cf935d3101700253aa86e9d233201e587cfdd71b44491414b9d0f8f351febc0

      SHA512

      e75a7c2d43b9223cbb58cf21640ed86a1df77fbeab56d9f7904748898feac40aa6a372dfdfd44c93ea8480dad2f9889684bf37b85549d4bf8e2a2c7c79172217

    • Anonymous-DexFile@0xc5d3f000-0xc5fd125c

      Filesize

      2.6MB

      MD5

      a11095265b09ae16734bc3b64a287e71

      SHA1

      880f31b9f8816a40960b0276447e2252194d5f0e

      SHA256

      886111a93011a48dfb6eb6231c42864b42364bd8a71d0efc229188653dbe0a9f

      SHA512

      81963a169cfbe9dbc6a47a5d5c52d3f25ad3b56e82ad24206b24b257f0118d52393174a4219f6b27b4cb3a2ba8eeb832e61ea5bfb2b2160cee63a895a28cddc0

    • Anonymous-DexFile@0xc6117000-0xc6242250

      Filesize

      1.2MB

      MD5

      cb16f947895faf71d09cb5ad792b0e35

      SHA1

      c1dc4f7d5942a9dc0e1f27bad9239a4b4e8f49a7

      SHA256

      e884e38eadd126d05e90daacf4250127ea46787315a235296d3c9341c2df3bef

      SHA512

      8ed0d22895c375649c7eee45c2911d816d194ee36c648e8cf84805dfff0889602bb3d17b376d2e4c73fdb0df23002349df0a872d8e18fe219862ad06970aa2ba