Analysis

  • max time kernel
    168s
  • max time network
    180s
  • platform
    android_x86
  • resource
    android-x86-arm-20240514-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
  • submitted
    02-06-2024 01:17

General

  • Target

    7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2.apk

  • Size

    20.5MB

  • MD5

    95b2280beecef198e0000141611c25f5

  • SHA1

    412f94db6e1472f3157a4ff2c3f73a090474a18c

  • SHA256

    7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2

  • SHA512

    91609c6b985210db45b578e261e13c5de8f070405b7d81a611fc3375e7603fa8e728bfd19fb9003369488ed4e906c3f10554a13b5c50530df4de86a7e12fff18

  • SSDEEP

    393216:o5pST5h6sJA35z7A79L+icn1mbgafiubcNZjbZT9i/zVN2I+TXt5kKpPbNiRSKcG:btJA35z7c5k1mbBffcrjTi/zVN2IkdCd

Malware Config

Signatures

  • AndrMonitor

    AndrMonitor is an Android stalkerware.

  • Checks if the Android device is rooted. 1 TTPs 2 IoCs
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Removes its main activity from the application launcher 1 TTPs 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 3 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests cell location 1 TTPs 1 IoCs

    Uses Android APIs to get current cell information.

  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • ultfp.xluluazofns
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries account information for other applications stored on the device
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Acquires the wake lock
    • Requests cell location
    • Schedules tasks to execute at a specified time
    PID:4263
    • su
      2⤵
        PID:4350

    Network

    MITRE ATT&CK Mobile v15


    Downloads

    • /data/data/ultfp.xluluazofns/databases/SettingsDB

      Filesize

      124KB

      MD5

      4c0ccabb25100a908b9db06434a6af8b

      SHA1

      555d9ecfa42e17aec483e1c05be0fc1362db9e66

      SHA256

      79aee6f8af24ae6adc8537de3a061bde3778d3d9634265b85b3e8727d4116304

      SHA512

      b9a4a1227fa927f0ef987a720c5bf16af71f3fba8c1a40d5387ad0d4ba193a1b7b23634b0850af7c25b55c8b2e984e7c84ab8fb3e55c83b3bc2ff859f4dcc5bb

    • /data/data/ultfp.xluluazofns/databases/SettingsDB

      Filesize

      96KB

      MD5

      424f6078b1c5a150e5d9bcc5d8b18c86

      SHA1

      064074a019b9644bb3e4a994551eb53dfd0586d2

      SHA256

      50faac0b29df32804ce5d3402efa2719cd6e88daf9e3830e35208ccd256867ee

      SHA512

      d5e10bd5b033cf48cf1445d205d7821d5c6e16e3697e28a772c680c724343d8c0f0be8efb6e231b2d4fcba96a6cc965de864c9a5a2539d38c2d50d26efd42635

    • /data/data/ultfp.xluluazofns/databases/SettingsDB

      Filesize

      96KB

      MD5

      4b418bab8f363a4dc8ae5b0153414466

      SHA1

      8f34f3ad19dfa43f84df35f995451f8ac374d969

      SHA256

      5faa8d50b9f331acb62aa94ab2b8329ec3bb092fd733f83d28aaba01a94db7e0

      SHA512

      9efaf80a4f8c510b4010775cb80a4200ee98c2fb8f78a0f873a4de5ac3e69e59adf923bc0556838192b9db8da2e21663dfa02c8114ec614f1edd95689f9b1353

    • /data/data/ultfp.xluluazofns/databases/SettingsDB

      Filesize

      52KB

      MD5

      b6815b344f6926d458cea05acd052cdd

      SHA1

      88f524aff1d4c5fee979a203dd952427871a7097

      SHA256

      028666f28ae0086b18fb740f792e8a80ad05547f0c7cb9d2dc8080e5125db366

      SHA512

      0431375f80e9c467d0abb042e43681a973bce455fe8354f5a138f19a3b28d3adc7eac3fe4c20bf44f085810749569b87a393185cd8f8bf2687f0923b8de4dade

    • /data/data/ultfp.xluluazofns/databases/SettingsDB

      Filesize

      96KB

      MD5

      33aa39ae80a11ee1d329341f9432cd06

      SHA1

      406f3e6e56d1ae5d71e7fececdd0963f626c37a7

      SHA256

      5125e687bf58afee620d63767fcef7f54e1f600f27586dcc6c9106950fb48229

      SHA512

      997c63f2e18c710a413b21c92a1d5d9e0d1cd7607a45fe106a1289a56edfabbe9566d1df85ecda4386735ce08797afb2e38f8070b7bb79d46f6af751e0b255cf

    • /data/data/ultfp.xluluazofns/databases/SettingsDB

      Filesize

      144KB

      MD5

      829c0eb29b813c5e9b6f100585e6bbf2

      SHA1

      4cd72e3baac00c36bdb01ed5a1d4c65176cde47e

      SHA256

      1324de10b5c4fed847ead7e9d6d6097c146b93228223c901ecdfeba7b2005869

      SHA512

      df1494bb526e14b6450892e85d5184f3a212b3dafd6e055571b08f60b75cede5ac47b21c665036a02ef5187bf00acb265d46b59fd867cb4216679c5c4b8139b7

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-journal

      Filesize

      512B

      MD5

      8c1b9db298630b562b62832f4e14ffb9

      SHA1

      d892b197dcfec3f3c9e39c3954994ef0d9e3f397

      SHA256

      a49e50b9d60691d421e2c164352c6e76a8a8d47a75705529cf7f9fd446114d2a

      SHA512

      b46c3af013bcf3359f41de6125e0bb98093d0cbe734550739d557310d840c5ed87baf769a6a1c63936d79d2c100f109f10429251b1f44a8b2162c1acfc5762b5

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-shm

      Filesize

      32KB

      MD5

      bb7df04e1b0a2570657527a7e108ae23

      SHA1

      5188431849b4613152fd7bdba6a3ff0a4fd6424b

      SHA256

      c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

      SHA512

      768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-wal

      Filesize

      414KB

      MD5

      4594666ff2402706517bbf3c27d914a3

      SHA1

      2bab1567e7721d358aa66d6e234001be046272e0

      SHA256

      5e56601ecc33bd4e01eb24372ba23fa89fcd36ee2a1445b09724c4d7d6f3f6e2

      SHA512

      8ffc3f83e03651951f35dc25fd667c2bbe7771375cd7083cf3b3cae95e6b83df20dbbd5eba860930da48c03941d978c17a61a4b0bc16c557e2042527650a1ff0

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-wal

      Filesize

      8KB

      MD5

      5b985f59a313981d38bd9d6894f9ac5c

      SHA1

      5dd73005cc09a4dfd328bdf342438242f4a0404e

      SHA256

      98ef9985bea9bc81f62b53358e8b98be8048c66571acde699a83bf4e6a283c70

      SHA512

      9385e859c5b4ba1daed37f80e8293937b0243ca8f696229199b3a406027f1de2c6b8bf764d39859aa47ae7dc3be70059d4fd7acb2be9100fb361136b59e3e11a

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-wal

      Filesize

      8KB

      MD5

      8d8affbe1076fca40562f156fffbcede

      SHA1

      66316205981c679eaf8c3cc96a07064505f6c83b

      SHA256

      58e6bd17e5e1ca0e4e77aa2d3a74816c9161b6d3ea095bcd5e0fe1a4cc0ba953

      SHA512

      6a46e233f0522364d86f7f041f06f16e7327594d147ee92b5382979e4a1cd4550d0455916c4006d7754adaab439d8c3a0f993d771cf174afd5465d51ace58c95

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-wal

      Filesize

      4KB

      MD5

      a6fb1153cdd713908a5e432b736c6331

      SHA1

      845311daa694d6fce226e1ca616f114cd2bcda83

      SHA256

      4c7c5027e07b4945320fc9e5e386ecb77ab5991767c9ef37b315eca5c4de11f0

      SHA512

      d9e2155db31a91426078a6586c83752d419a6547a3530e55efeee76230309ae5940c5313e3c1847febb098b94e72301bbdf63ff46d99cfbb8a7e6c10b756c1b5

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-wal

      Filesize

      8KB

      MD5

      91bd18e00f2abde221db0de7dda738b8

      SHA1

      2319a52c7466835dbf274f844f01eaaee806a07a

      SHA256

      077642a2a17fc789f1168bc2f6a92a965fa223a2b8a2b3b4410be16db1748513

      SHA512

      f17f85a1fcbcbc080e11e4fa7b53c866843d4250d26e7e036f179ffe28441e6b650e7d08494ba395e35cf35b933a7826215d75502cfa1998ecc60b72cb63329e

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-wal

      Filesize

      418KB

      MD5

      61239bf36f138f881cc76a1e098469a5

      SHA1

      fd5401f516b178cc9db5c0d3ee9b79fddfe5c378

      SHA256

      b3e9bd3d33b38291ef1e33b6a8d8d5ea55623e6452b3fe046b0375956a13606c

      SHA512

      42d3b8bbccd830bdd8c1f72a4b11a57d34e67c4f497cdebc4a2370bc559d3db53c6621bb7d823a805efb9cbd6e383c16acc90f0cb0740f6bd5f547a946e8b261

    • /storage/emulated/0/.am/dm/md/main.md

      Filesize

      2.6MB

      MD5

      b6d3a4cf3c50723d4c2b606550f66078

      SHA1

      fe6541e98b3cc04a31d269c3dd51beda11814796

      SHA256

      e10b67c58d2778bbcafa71e34353c26a089eaef19021b8a52274708c6c664a8b

      SHA512

      6b482bec5b3bf9f39f09164b67a416f238973e799a88245422a06caeeda73daf0aa0fa4e319384e6ac6c03c99c5808c9cba990ab5028169e820a2d8694eb7c5e

    • /storage/emulated/0/.am/dm/md/main_tools.md

      Filesize

      1.2MB

      MD5

      1e05a2d987a9b8ace6ec423e1de9ae2b

      SHA1

      8ba9fad037667f9a091541ac11cf4e27965d5288

      SHA256

      743e7d3660de8e672bf0d07078d8e540b1cdb17d216e63b8703fa180c97179b6

      SHA512

      1744113900cd787eb4ee34c9fe5b72dbefd4e6c334373f6f32adde0e3de22044a2cdb1ed9a6137e4dfdb7ec53a7b77fd5d059e07976569a30e192e680233d54c

    • /storage/emulated/0/.am/log.txt

      Filesize

      171B

      MD5

      cc23a564a62d345cb1e2ae2ad2e2ce7c

      SHA1

      fa737f1258caa9620252f0a59fe1a4a80de14311

      SHA256

      3ec474dfab107721661c23cab0f66ebe60b260cd1e5bcb7bcce9ea810c8c4e0f

      SHA512

      f73e08a7656585c48832c34ebe58b3a049af0a079df1145ed6f3acc6860d172b43985d1cbd5720d6a0070989466c268cd7aa38927f3da03786ba745adab6a002

    • /storage/emulated/0/.am/log.txt

      Filesize

      150B

      MD5

      9570a70578418a95688108df6c8ba252

      SHA1

      5a5a7c914046c4837b235d834bbef291e76e8dc6

      SHA256

      cf61d2cc55674793b2e1a6065dd45d663538020a3dd98904d41321a9b57e49b6

      SHA512

      e4ca0e4291af244f874c09957fe528c65963db57f8dff18fb00438d761a139d514f00d9835164ad16f9ec62a5cbdb21b33a845b4c425feb17ee14416df69e84d

    • /storage/emulated/0/.am/log.txt

      Filesize

      3KB

      MD5

      3b5c09d0b4bd4eb2fa2409668c9a375e

      SHA1

      ef646483ff3806f89b8f0458cf1d9cb93c750d03

      SHA256

      c2ec28c42fedc660cc5b02a78cd2c7266f5ec46427c5aaf37062b9e414f84137

      SHA512

      b567c1405bdc52ad4f64dd41d21b3b51bc573ae4ea934e7ce53c8df73f4fa4124aad601015c5eb68a916fa9fb457afe3a1f31490b4412ca62873dda97d08f982

    • /storage/emulated/0/.am/log.txt

      Filesize

      62B

      MD5

      cf051a52c085d2e0795d71379ca77327

      SHA1

      8d2090e5e67222decd4e1b9d3229538ab6c4db45

      SHA256

      671640bde87c01f81308995c26ee86693b1e661561c6794fdc3a01fda1328aeb

      SHA512

      ee0e61549a306c187c81ef81897cdfe5483f55fa8605da824861012cfbd83a2d9b80d3613dc22bb6e36ef322c8a1d2bcb8f999eeab8326cbb08c67e24bb20e19

    • /storage/emulated/0/.am/log.txt

      Filesize

      70B

      MD5

      8e2e6384a7e83e56e41a68cd4a27faa2

      SHA1

      bd05c62a4099b33fb2cc49b6e191c6d2d40f82aa

      SHA256

      307bd7c309f3df90126ea65ee2e65cd263e36cd51ea49e22c84ac3b66a10cce5

      SHA512

      14b0da3d1a86b8c7859e403a7b961a0458c87233946ede7027f6d3986e4d5d11f7f5cc02e77e8906effc70deb52b4134834b65ae8e35bf11a5b328298de260c3

    • /storage/emulated/0/.am/log.txt

      Filesize

      161B

      MD5

      15adca37742141fcd8b27db56a2fae6c

      SHA1

      96c14d1fa0ffa870876f1f644f894b1579642ca6

      SHA256

      26abfc870a3cf69becda96f9a37babad814c196ec33219347f1e6063253f553a

      SHA512

      489bf3145908ffa55fe872c193b51070a927611d2f0b86ddc3a0c3783685d987c82d8501b6b60d796734b0fbc3ce84a8c5177778eb3603a7472dbc5a1d21863d

    • /storage/emulated/0/.am/log.txt

      Filesize

      132B

      MD5

      e134d2885f35ca210e698e83e0d0da40

      SHA1

      1e726edc7482544bad49d892fa5df6ef58bb6ce0

      SHA256

      dceb834ba2e0db24023a8d063b15fe2ee38d4bf08c3ec9b86ab8e2447e5d0a86

      SHA512

      92102ba23315c3760705c30a3fd6172ea82d12a77cfb989709989d54ad96c5e16ead68d6d7e0260fe28c97f30ac260bef22d117cbc5708262b1c5f3f890830b7

    • /storage/emulated/0/.am/log_.txt

      Filesize

      27KB

      MD5

      fa396c636eda862697a146aa41d6c7f8

      SHA1

      e2a80bc6fa6758cbadd42a2e750c336dc8f2a1bb

      SHA256

      d03d16f94d2330ebc85526e293654be1c05662181a971a40748d912a7bca43fa

      SHA512

      e22c1778af1ae616fce9aba19bf80c3f8389ad4f96d251b097ea2462ab1fd434aeace35be0176c381ca4fc0914a060c95a036f9b294917ea98a95afe5e501c2d

    • /storage/emulated/0/.am/log_.txt.zip

      Filesize

      6KB

      MD5

      23fccb9a7f497c484ca34dc6deae56a2

      SHA1

      93179d833bca22f8b4243baed473e82f44b42d35

      SHA256

      44819145e58a2677935413c2919981fc609537f0d5d519e26e50d2a7682b72c4

      SHA512

      0bfab7eb930249bed372bb27253a52c292599a89a66fa42a579ccfd66cbc3278f023ae78c8cfd4938b07d8bda063ff7373f356753907e50cd3429a4120467c65

    • /storage/emulated/0/.am/log_1717291057281.txt.zip

      Filesize

      218B

      MD5

      7babac7e189b913d5ea5bd0b17387b4a

      SHA1

      0e6efc984591eec7a0ca572649bbd27e35595c0f

      SHA256

      853cb08308e15385c2df5cf0649abd4d312fc3b537005269f4f50813e1621e4e

      SHA512

      8c8a578415ec21059c3a0b2ee4de42805b4184e965474e825eba883f11a622067f9671dab85f53ca92cc5b0189c2e39d678af438ca5b12de33a13d2c05c9dc2d

    • /storage/emulated/0/.am/mch.apk

      Filesize

      61KB

      MD5

      387ce317030907af74c43fa578b371ac

      SHA1

      ce9e3f105bfeb73588b177c31349bd4acd13ce42

      SHA256

      1556adb56d93e9982c7acfbaa9be30bdce96b7fce4d9dd074e43832cfb6555af

      SHA512

      df489c399371363cf1ecefd282634b458f4e162792381b6e271b5fd1cc046155361d217d95d7c92446f4230a865da035b0f0effe7b17323df86d2190a888b259

    • /storage/emulated/0/.am/prog_class.name

      Filesize

      81B

      MD5

      b8b5f3bfc09d894b59b046a334c95afb

      SHA1

      63553f7add999d1f9279baae996086f6da7e5c63

      SHA256

      724cec8037ad196328560e2dee682aff4e295682d738789468d8123e9d447871

      SHA512

      30d8ca6f0c05b027d1fe1504a5c95efb8b48ab61a8da85fbe49fe5c24cd23266450e95e48cc735244e764019c6065e5b8420d615baaa39d3abc6489479f66b67

    • /storage/emulated/0/Android/data/ultfp.xluluazofns/files/Download/mch.apk (deleted)

      Filesize

      64KB

      MD5

      13684d2547f64dabfe299d1c6553a05f

      SHA1

      b000477d2cb51e917f2ebce3a8c53745ba7e0fd0

      SHA256

      3cf935d3101700253aa86e9d233201e587cfdd71b44491414b9d0f8f351febc0

      SHA512

      e75a7c2d43b9223cbb58cf21640ed86a1df77fbeab56d9f7904748898feac40aa6a372dfdfd44c93ea8480dad2f9889684bf37b85549d4bf8e2a2c7c79172217

    • Anonymous-DexFile@0xd284e000-0xd2ae025c

      Filesize

      2.6MB

      MD5

      a11095265b09ae16734bc3b64a287e71

      SHA1

      880f31b9f8816a40960b0276447e2252194d5f0e

      SHA256

      886111a93011a48dfb6eb6231c42864b42364bd8a71d0efc229188653dbe0a9f

      SHA512

      81963a169cfbe9dbc6a47a5d5c52d3f25ad3b56e82ad24206b24b257f0118d52393174a4219f6b27b4cb3a2ba8eeb832e61ea5bfb2b2160cee63a895a28cddc0

    • Anonymous-DexFile@0xd2c6b000-0xd2d96250

      Filesize

      1.2MB

      MD5

      cb16f947895faf71d09cb5ad792b0e35

      SHA1

      c1dc4f7d5942a9dc0e1f27bad9239a4b4e8f49a7

      SHA256

      e884e38eadd126d05e90daacf4250127ea46787315a235296d3c9341c2df3bef

      SHA512

      8ed0d22895c375649c7eee45c2911d816d194ee36c648e8cf84805dfff0889602bb3d17b376d2e4c73fdb0df23002349df0a872d8e18fe219862ad06970aa2ba