Analysis

  • max time kernel
    169s
  • max time network
    180s
  • platform
    android_x86
  • resource
    android-x86-arm-20240514-en
  • resource tags

    android
    arch:arm
    arch:x86
    image:android-x86-arm-20240514-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    02-06-2024 08:52

General

  • Target

    7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2.apk

  • Size

    20.5MB

  • MD5

    95b2280beecef198e0000141611c25f5

  • SHA1

    412f94db6e1472f3157a4ff2c3f73a090474a18c

  • SHA256

    7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2

  • SHA512

    91609c6b985210db45b578e261e13c5de8f070405b7d81a611fc3375e7603fa8e728bfd19fb9003369488ed4e906c3f10554a13b5c50530df4de86a7e12fff18

  • SSDEEP

    393216:o5pST5h6sJA35z7A79L+icn1mbgafiubcNZjbZT9i/zVN2I+TXt5kKpPbNiRSKcG:btJA35z7c5k1mbBffcrjTi/zVN2IkdCd

Malware Config

Signatures

  • AndrMonitor

    AndrMonitor is an Android stalkerware.

  • Checks if the Android device is rooted. 1 TTPs 2 IoCs
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Removes its main activity from the application launcher 1 TTPs 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 3 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests cell location 1 TTPs 1 IoCs

    Uses Android APIs to get current cell information.

  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • ultfp.xluluazofns
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries account information for other applications stored on the device
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Acquires the wake lock
    • Requests cell location
    • Schedules tasks to execute at a specified time
    PID:4231
    • su
      2⤵
        PID:4326
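    Two of the behaviours above can be checked on a live device from plain `adb shell` output: a third-party package that is installed but has no MAIN/LAUNCHER activity (the "Removes its main activity from the application launcher" signature), and a `su` child of the app's process (the root check; the process tree above shows `su` as PID 4326 under PID 4231). The helper below is an added example for this report, not tooling from the sandbox or from the sample. The three command outputs it parses are constructed samples; the real inputs would be `pm list packages -3`, `cmd package query-activities --brief -a android.intent.action.MAIN -c android.intent.category.LAUNCHER` and `ps -A -o PID,PPID,NAME`. The exact layout of the `query-activities` output is assumed, so the parser only relies on `package/Activity` tokens appearing somewhere on a line.

```python
"""Triage helpers: hidden-launcher packages and `su` children of an app process.

Added example for this report, not part of it. The PM_OUTPUT, LAUNCHER_OUTPUT and
PS_OUTPUT strings are constructed stand-ins for real `adb shell` output.
"""
import re

PACKAGE = "ultfp.xluluazofns"

# Matches a component reference such as com.example.notes/.MainActivity.
COMPONENT = re.compile(r"\b([A-Za-z][\w.]*)/(\.?[\w.$]+)")


def parse_packages(pm_output):
    """Package names from `pm list packages -3` (lines of the form package:<name>)."""
    names = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            names.add(line[len("package:"):])
    return names


def parse_launcher_packages(query_output):
    """Packages that expose at least one launcher activity."""
    names = set()
    for line in query_output.splitlines():
        m = COMPONENT.search(line)
        if m:
            names.add(m.group(1))
    return names


def hidden_launcher_packages(pm_output, query_output):
    """Third-party packages installed on the device but absent from the launcher.

    This is a triage list, not a verdict: keyboards, plugins and service-only
    apps legitimately have no launcher entry.
    """
    return sorted(parse_packages(pm_output) - parse_launcher_packages(query_output))


def su_children(ps_output, package):
    """PIDs of `su` processes whose parent is the package's process.

    Assumes the default case where the app's process name equals its package
    name (an android:process attribute in the manifest would change that).
    """
    rows = []
    for line in ps_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].isdigit() and parts[1].isdigit():
            rows.append((int(parts[0]), int(parts[1]), parts[2]))
    app_pids = {pid for pid, _, name in rows if name == package}
    return [pid for pid, ppid, name in rows if name == "su" and ppid in app_pids]


# Constructed sample outputs (not captured from the sandbox run).
PM_OUTPUT = """package:com.example.notes
package:ultfp.xluluazofns
package:com.example.keyboard
"""

LAUNCHER_OUTPUT = """2 activities found:
  com.example.notes/.MainActivity
  com.android.settings/.Settings
"""

PS_OUTPUT = """PID PPID NAME
 1234    1 zygote
 4231 1234 ultfp.xluluazofns
 4326 4231 su
 4400 1234 com.example.notes
"""

if __name__ == "__main__":
    print("no launcher entry:", hidden_launcher_packages(PM_OUTPUT, LAUNCHER_OUTPUT))
    print("su children of", PACKAGE + ":", su_children(PS_OUTPUT, PACKAGE))
```

On the constructed input the hidden-launcher list contains both the sample's package and the benign keyboard, which is the point of the caveat in the docstring: confirm a hit with `dumpsys package <pkg>` (look for the launcher activity under disabled components) before treating it as stalkerware.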

    Network

    MITRE ATT&CK Mobile v15

    Downloads

    • /data/data/ultfp.xluluazofns/databases/SettingsDB

      Filesize

      124KB

      MD5

      4c0ccabb25100a908b9db06434a6af8b

      SHA1

      555d9ecfa42e17aec483e1c05be0fc1362db9e66

      SHA256

      79aee6f8af24ae6adc8537de3a061bde3778d3d9634265b85b3e8727d4116304

      SHA512

      b9a4a1227fa927f0ef987a720c5bf16af71f3fba8c1a40d5387ad0d4ba193a1b7b23634b0850af7c25b55c8b2e984e7c84ab8fb3e55c83b3bc2ff859f4dcc5bb

    • /data/data/ultfp.xluluazofns/databases/SettingsDB

      Filesize

      96KB

      MD5

      508e308665e3cd511b65d82bb542e684

      SHA1

      9c4ce4d7d2a9a993f4783b956a0f2d4567dfb0cd

      SHA256

      798c7b8017750dc08ef6d50771860a2506fa53cb0e991ff33fdd8fca212bc632

      SHA512

      1c615b8308d58acef0be8c0d41efda451f73ec75432f40e429934e4ce95b2ffd21bb724bb13bb3e8ebde538f62476a9a2d59d27359b234de7a0eb468f500cf45

    • /data/data/ultfp.xluluazofns/databases/SettingsDB

      Filesize

      96KB

      MD5

      e9624614f831c692a9b11e3ed759d0ed

      SHA1

      3b8ef4f30f6c104ea0a508d62ae06cc1bc1e5f06

      SHA256

      feaa31a85e8e5ebd13eeeb2bc4c7eaee7a7d0da4d9591cf60881bee3fd7ba8e6

      SHA512

      b1d1118ee54b50f026340e0e6b0e3d0ba706fdcfbdfdd1ed0800a7ca890b1d734e9525c8d05863cd9dfce116139f12cec444d7ad165aac2fce2903cda5db3739

    • /data/data/ultfp.xluluazofns/databases/SettingsDB

      Filesize

      52KB

      MD5

      b6815b344f6926d458cea05acd052cdd

      SHA1

      88f524aff1d4c5fee979a203dd952427871a7097

      SHA256

      028666f28ae0086b18fb740f792e8a80ad05547f0c7cb9d2dc8080e5125db366

      SHA512

      0431375f80e9c467d0abb042e43681a973bce455fe8354f5a138f19a3b28d3adc7eac3fe4c20bf44f085810749569b87a393185cd8f8bf2687f0923b8de4dade

    • /data/data/ultfp.xluluazofns/databases/SettingsDB

      Filesize

      96KB

      MD5

      101c617139fc2dd8c77cb7fd50ce92e0

      SHA1

      bb851c0425043c9def897bc0026c91c46018c18e

      SHA256

      4e41c0205f5197c6eef61409c0969df1d044a65b8fc00b8308a0677217871dad

      SHA512

      43754847185ebabe9b3aa9f006a0c9f3119ec971583609f3b6bb4e24db74258c86228c48265cfb6b2a8ee49b1ec64b155610c51cae0ff14dd53775c69a7e17d2

    • /data/data/ultfp.xluluazofns/databases/SettingsDB

      Filesize

      144KB

      MD5

      12dec06d7435bc91ec630eb3b7265c76

      SHA1

      60ae7e942d534d55d915f485e3c07687b046d1b0

      SHA256

      f4245724454b9b3315108f5c7b6abb7add06c194b095a7c4a3b6679fbdd14d41

      SHA512

      215f4475ea8459afe633366e976c56df87e705450826585bf9d511406928e1bd6a1a93fbbce0edd55f78b4c2f8de7bf6712a8c51fa2f68b2c8c334fa95924736

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-journal

      Filesize

      512B

      MD5

      2ff40289a4e049421d3ebe9800eeb2f0

      SHA1

      97a5dbb209c1855514b52d9e066b8c74a8f1dfa0

      SHA256

      a57ad096c7ab947ff6bfcc43ad097e586faf65ab881cb109222497add712c94b

      SHA512

      e8191a616d848131786b3c98d189f2779e04f88da6ce233ca8bf43d3bafa445c0f518685d9d36d6b15dd444ef2fa694c7a90d3ca65d0796db458a99111379369

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-shm

      Filesize

      32KB

      MD5

      bb7df04e1b0a2570657527a7e108ae23

      SHA1

      5188431849b4613152fd7bdba6a3ff0a4fd6424b

      SHA256

      c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

      SHA512

      768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-wal

      Filesize

      414KB

      MD5

      19c67783085d8d116bd04798f1e2312f

      SHA1

      ea123755f16c9814b4d702195f7b578684b69874

      SHA256

      d8a3a15fe1964857b1e40901c4f4b646624624ad52ac9b3503536ba9aedbf360

      SHA512

      b8b7c1f86e3d740d9cc320d0f29c6ea4fb2fb27b38c55f9875dc61ed18f5ca049b4d827e103d3d7b57d77c5b5636e84046f9ca6bafbe73d838d3ac88c72dcbe7

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-wal

      Filesize

      8KB

      MD5

      0e5772c299a3c454820bacbe4944807b

      SHA1

      f2eb3044b2b8f854f2d10e3e096b9cc2b9a85950

      SHA256

      f25fce0f252c7b984aeabc29b718c2da2042832e9f8ca7d1c70226164f295d19

      SHA512

      3303fcfe671ecfaa69503571f17c791ea0c6b5e6f977f621ff940cbd1555e1752e9aa7d9954157dd66837c86621776137339dfe48338415a4d764c8164898c9b

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-wal

      Filesize

      8KB

      MD5

      f056c5fde3ad0dddbf42c44873b71470

      SHA1

      cc437d008016c1d12819b366f769a43a796998af

      SHA256

      e6deb9b6f09b2ccb1e2be7effcea0375d2b6e725e5c4fee4c9ece1b1cb9c5a5b

      SHA512

      279209251572a18be6f373c47b0bb86c6fa79fdceae1ccb9173a735ac64e5da8f3f316e3413a9479685ac1d9aa52844ab403c5976dd1598a9cd1342cc47ff9e9

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-wal

      Filesize

      4KB

      MD5

      49e2400f49f1916be5fdde6cf26c5c26

      SHA1

      f676aec5d544c0b11ea5b2ab32b0a2fa7768b180

      SHA256

      e04dbd5ff2bff64ec519d502ac413747ad88a3cf119470323c9da908cd679f15

      SHA512

      9ad46634c3b9e38bbed184af64fc2faa015ac82ee6bbbd4afe3bcd3a2165a58cdcb59060855faa1d2bf4fdcf2852804feba2b7cd8daa1d17277fa47e7a98209c

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-wal

      Filesize

      8KB

      MD5

      9eaf7c713bf67f0b475d3eaf227d5931

      SHA1

      f193d45bd824ee1248c3c7c7e594e2a34f22cee0

      SHA256

      4e8fc94ad793b920846be8d7ccb0c59ee124f063e17432a96759ed47ce391c2e

      SHA512

      49ffec56dcfa2970dd6d6510abbe6ea1b512738e57b181731895cecf12deea9e6e252e19d477399776ac58567c2079c65bc1063e3e1e7d203b286a31c293def7

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-wal

      Filesize

      418KB

      MD5

      07990000d3b98beab8464d2d8bd8dda8

      SHA1

      2aff834e746ea7d7f9b911cbe919ab6501211fda

      SHA256

      5c631ca8646a3e9a1fc425063db0c64fad53677df298688683bebfa2fc17a7e2

      SHA512

      8bbcc467cfd51a13623361a371ef1cfe81e653c66f55208523a7298fdf1065afc41059f97192d58ba6fcabc2d1db1786cd2240e078e79efef57600265837a848

    • /storage/emulated/0/.am/dm/md/main.md

      Filesize

      2.6MB

      MD5

      b6d3a4cf3c50723d4c2b606550f66078

      SHA1

      fe6541e98b3cc04a31d269c3dd51beda11814796

      SHA256

      e10b67c58d2778bbcafa71e34353c26a089eaef19021b8a52274708c6c664a8b

      SHA512

      6b482bec5b3bf9f39f09164b67a416f238973e799a88245422a06caeeda73daf0aa0fa4e319384e6ac6c03c99c5808c9cba990ab5028169e820a2d8694eb7c5e

    • /storage/emulated/0/.am/dm/md/main_tools.md

      Filesize

      1.2MB

      MD5

      1e05a2d987a9b8ace6ec423e1de9ae2b

      SHA1

      8ba9fad037667f9a091541ac11cf4e27965d5288

      SHA256

      743e7d3660de8e672bf0d07078d8e540b1cdb17d216e63b8703fa180c97179b6

      SHA512

      1744113900cd787eb4ee34c9fe5b72dbefd4e6c334373f6f32adde0e3de22044a2cdb1ed9a6137e4dfdb7ec53a7b77fd5d059e07976569a30e192e680233d54c

    • /storage/emulated/0/.am/log.txt

      Filesize

      171B

      MD5

      263a0a4d8f8b9c8a883a3d690e93419d

      SHA1

      4e85ba27f008d876847eb3e51b812612ef19f5d0

      SHA256

      f2dd6e182eed2b7b9e3c291dd258c0edff368eca84f914f597251cdc86afd9f0

      SHA512

      8e25aa82fb12d31f0cdfe7d22be7c7b7178fd64db10e6f88c3916b62bb8f1133ed0b083563976e3a17c1ebb634e1e8252d21216c1cb608b894b094cc8bf770c4

    • /storage/emulated/0/.am/log.txt

      Filesize

      150B

      MD5

      f2e52129a7a2fd3d005f2c3714a45023

      SHA1

      f2ce6fb219efa23813b37c6bdcdfd2d8df749541

      SHA256

      cfd09b8bcc5b80133ce7533add0ce0c86b33272409cb014f2a6e7cdb9ac6b492

      SHA512

      bc863c02e279d7f1350328c2efc6cc9b261e1b579d49ced84f0e9cc9d727c343e29f05d7cd7e7128d15061a5e04a43c8f64075642b60c9d731890bdd851a9677

    • /storage/emulated/0/.am/log.txt

      Filesize

      3KB

      MD5

      b9a444be5b060b5ef237565a6dd258a6

      SHA1

      d538b793f5ac7435c6f42b5982e53b68ca463dca

      SHA256

      636642a859ffa924afbfe3722eabf8e066c25fcaf77b22ff4471cacabdbdeeae

      SHA512

      5380af8e5211da35fe7243adbea633d69e1534bd6b327728e01a54ce252e4c7532bc93b0ef86252d4a9cb7e109c59c615dd27a29d2b080bc6797a68f24a573cf

    • /storage/emulated/0/.am/log.txt

      Filesize

      62B

      MD5

      1797a4898519db65b90a5b266c5492b7

      SHA1

      6b439e02d3ec9c82db39a445725c339dd9ee45b1

      SHA256

      2dd71adb321e6c69945e6e34f20fb3160d04ec3471052edf9b5d2fd5ab744f5d

      SHA512

      9321b01b1d9ff747415bbe2dca4677c244ad6c7fc18661227edf6e2234a7d742e9f6b9d257a290d3d5bcf3204492232638d7d5c258a7a8218615ee754bdbb1b7

    • /storage/emulated/0/.am/log.txt

      Filesize

      70B

      MD5

      0f96310627b8163153379e1bbf0eb387

      SHA1

      6d88563d907187b0fb9c97690f7efae2aa63c97b

      SHA256

      ce36f88df3ef7566e4f9251ece674eeb881804f64e981ba51d1cfcc0a784af7b

      SHA512

      e111e5e8c356c9ccf09f9cfe3c19323c25577fb7e2ebe81413aff2c6057729a59055b55f5ca3c5429fb6ef43014aabbfe52a097de4880714cd5cd80a1176af5b

    • /storage/emulated/0/.am/log.txt

      Filesize

      161B

      MD5

      5350433970d104fce5ad1fd003061de6

      SHA1

      c488646d404517e9e0dfda91b1681416871b0dba

      SHA256

      d378911768edbb6d1c2bd6f212359b14a1cc268410751b8274fa2dce5b65003f

      SHA512

      5d2736a70a3551ee79a619d36f3fe1af1e6a4a122855641e261246cb8682bae131c9412e6977f3e38b3bd7e267270a38979d3d380660ecc67049e5d59cca4d73

    • /storage/emulated/0/.am/log.txt

      Filesize

      132B

      MD5

      24286d4187e9a766be4fba1a82aef60e

      SHA1

      e7cf6fb7208d4352f24af95ebe9692be7b97056a

      SHA256

      5c3a265ade7f9f2e20a862290fad020ff9a92556bbaab4bff6f7a68459cd8fea

      SHA512

      0cee4df506e8380a4c94ca5f579a46cfa984b78b6206b0c2525b8644d04fab5043b710a31ec7edc6f7f2b6360b37734c9d38aca5993addee7c14237911fb1118

    • /storage/emulated/0/.am/log_.txt

      Filesize

      27KB

      MD5

      d43606b275d7a3c89b45ec653454f4d9

      SHA1

      46398cac95958fbb3b42cd98031496be613c238f

      SHA256

      d5b85880d50c03c1c9fcf161686d7aa18d3d64c2ac1701fff80096dd5c7dc487

      SHA512

      548102073390175da117b4fa1d20e6669c531e49071bd75a83f9c9ea94ed73a5ed9cf5ee9ef6061b1c9dff59397fa847f54ebbd15a8ba377b56d01f5fa88ff4a

    • /storage/emulated/0/.am/log_.txt.zip

      Filesize

      6KB

      MD5

      2faf20a78d87cd707dd815dc62387ae2

      SHA1

      dc90cc1e035eea1113267cc4e3a2c89de164b2ee

      SHA256

      932e07c9c29f27fcc366c87429ff75b4d9c46670d3fbcd050abfae319a49988f

      SHA512

      5cd5f45db451aeeb6132aec86a773820549e7a2562fdd5ce01aa259eab82682c374884e34b8ac1fb63d62c31116b1b1f19e079a2e9b8f78019335d929ac4607e

    • /storage/emulated/0/.am/log_1717318363216.txt.zip

      Filesize

      218B

      MD5

      fac5ead0d6ee93af876bcd3caef66740

      SHA1

      c779e9f5b39f0d4d03312694c7269347073dca02

      SHA256

      b49d62e229a3c769d804be3cc8408b9e684c1ce37ee7b83c46ec69adc4717ccd

      SHA512

      d5dbc32154c4b390c311f689a868fd2ad41790c1ee342669c1b660ef8becdee411a7c4ec6600bfc3c5b805efab8518e4097440f59056d5c1fb65f595ca11eca9

    • /storage/emulated/0/.am/mch.apk

      Filesize

      39KB

      MD5

      b8cc1d0cbaea87bde5807dd249ec919d

      SHA1

      9dd70fbb0c83a59d0fccbeb881bc25b34285cd42

      SHA256

      dcb870a7be3d6ce1086b6ba14101f1d3710a2450638ead593de468a77d10fb50

      SHA512

      261aef3232aed406c2d1c96a9a365068594ee7dd4750bca8acc2659a5529d9bd11f981d688472448e642c4586ea5fe048d09c3dae5207c36193bca897ef14d6c

    • /storage/emulated/0/.am/prog_class.name

      Filesize

      81B

      MD5

      b8b5f3bfc09d894b59b046a334c95afb

      SHA1

      63553f7add999d1f9279baae996086f6da7e5c63

      SHA256

      724cec8037ad196328560e2dee682aff4e295682d738789468d8123e9d447871

      SHA512

      30d8ca6f0c05b027d1fe1504a5c95efb8b48ab61a8da85fbe49fe5c24cd23266450e95e48cc735244e764019c6065e5b8420d615baaa39d3abc6489479f66b67

    • /storage/emulated/0/Android/data/ultfp.xluluazofns/files/Download/mch.apk

      Filesize

      64KB

      MD5

      4d48683c7d94ce23efe44a67a1c3ae39

      SHA1

      bb85e13bcc11b6fd12ada7d2d97cde39d55dae44

      SHA256

      725dd06122d50279501c5c2a9c3ea55280ca6d25c4bcd25b9e2ac4aea2ba965a

      SHA512

      fcc32c08b7987c16f79a5cd5030de9f023e75f766c7cd0c54bb6d8f0bb806ecf8f3882135ab1f032b92d3a7f84aab0896069a1e8173af66a06f3f4ee0e269e1f

    • /storage/emulated/0/Android/data/ultfp.xluluazofns/files/Download/mch.apk (deleted)

      Filesize

      64KB

      MD5

      13684d2547f64dabfe299d1c6553a05f

      SHA1

      b000477d2cb51e917f2ebce3a8c53745ba7e0fd0

      SHA256

      3cf935d3101700253aa86e9d233201e587cfdd71b44491414b9d0f8f351febc0

      SHA512

      e75a7c2d43b9223cbb58cf21640ed86a1df77fbeab56d9f7904748898feac40aa6a372dfdfd44c93ea8480dad2f9889684bf37b85549d4bf8e2a2c7c79172217

    • Anonymous-DexFile@0xd283a000-0xd2acc25c

      Filesize

      2.6MB

      MD5

      a11095265b09ae16734bc3b64a287e71

      SHA1

      880f31b9f8816a40960b0276447e2252194d5f0e

      SHA256

      886111a93011a48dfb6eb6231c42864b42364bd8a71d0efc229188653dbe0a9f

      SHA512

      81963a169cfbe9dbc6a47a5d5c52d3f25ad3b56e82ad24206b24b257f0118d52393174a4219f6b27b4cb3a2ba8eeb832e61ea5bfb2b2160cee63a895a28cddc0

    • Anonymous-DexFile@0xd2f48000-0xd3073250

      Filesize

      1.2MB

      MD5

      cb16f947895faf71d09cb5ad792b0e35

      SHA1

      c1dc4f7d5942a9dc0e1f27bad9239a4b4e8f49a7

      SHA256

      e884e38eadd126d05e90daacf4250127ea46787315a235296d3c9341c2df3bef

      SHA512

      8ed0d22895c375649c7eee45c2911d816d194ee36c648e8cf84805dfff0889602bb3d17b376d2e4c73fdb0df23002349df0a872d8e18fe219862ad06970aa2ba
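    The file list above is what a responder can look for on a suspected device: a hidden `.am` directory on shared storage holding logs, two dropped `mch.apk` copies, a `prog_class.name` file and two `.md` payloads, plus the app's `SettingsDB` SQLite database with its `-wal`, `-shm` and `-journal` side files. Two details are worth noting. `main.md` (2.6MB) and `main_tools.md` (1.2MB) have the same sizes as the two in-memory `Anonymous-DexFile` entries but different hashes, which is consistent with (though not proof of) these files being the payloads behind "Loads dropped Dex/Jar", stored transformed on disk. And the 13-digit suffix of `log_1717318363216.txt.zip` is a Unix timestamp in milliseconds that decodes to 2024-06-02 08:52:43 UTC, matching the submission time, so the same naming scheme on a victim's device dates the logging. The scanner below is an added example for this report, not tooling from the sandbox or the sample; its paths and SHA256 values are copied from the list above, and the `find` output it consumes is a constructed stand-in for `adb shell find /storage/emulated/0 /data/data/ultfp.xluluazofns -type f`.

```python
"""Scan a file listing for on-device artifacts of this sample.

Added example for this report, not part of it. KNOWN_PATHS and KNOWN_SHA256 are
taken from the report's Downloads list; SAMPLE_FIND_OUTPUT is constructed.
"""
import hashlib
import re
from datetime import datetime, timezone

PACKAGE = "ultfp.xluluazofns"

# Exact paths from the report.
KNOWN_PATHS = {
    f"/data/data/{PACKAGE}/databases/SettingsDB",
    "/storage/emulated/0/.am/dm/md/main.md",
    "/storage/emulated/0/.am/dm/md/main_tools.md",
    "/storage/emulated/0/.am/log.txt",
    "/storage/emulated/0/.am/log_.txt",
    "/storage/emulated/0/.am/log_.txt.zip",
    "/storage/emulated/0/.am/mch.apk",
    "/storage/emulated/0/.am/prog_class.name",
    f"/storage/emulated/0/Android/data/{PACKAGE}/files/Download/mch.apk",
}

# Generalisations: anything under the hidden .am directory on shared storage,
# and SettingsDB together with its SQLite -wal/-shm/-journal side files.
PATH_PATTERNS = [
    re.compile(r"^/storage/emulated/0/\.am(/|$)"),
    re.compile(rf"^/data/data/{re.escape(PACKAGE)}/databases/SettingsDB(-wal|-shm|-journal)?$"),
]

# SHA256 -> label for the dropped APKs and the two payload files.
KNOWN_SHA256 = {
    "e10b67c58d2778bbcafa71e34353c26a089eaef19021b8a52274708c6c664a8b": ".am/dm/md/main.md",
    "743e7d3660de8e672bf0d07078d8e540b1cdb17d216e63b8703fa180c97179b6": ".am/dm/md/main_tools.md",
    "dcb870a7be3d6ce1086b6ba14101f1d3710a2450638ead593de468a77d10fb50": ".am/mch.apk",
    "725dd06122d50279501c5c2a9c3ea55280ca6d25c4bcd25b9e2ac4aea2ba965a": "files/Download/mch.apk",
    "3cf935d3101700253aa86e9d233201e587cfdd71b44491414b9d0f8f351febc0": "files/Download/mch.apk (deleted)",
}

# Zipped logs are named log_<unix milliseconds>.txt.zip.
LOG_ZIP = re.compile(r"/\.am/log_(\d{13})\.txt\.zip$")


def scan_paths(lines):
    """Return, in input order, the paths that match this sample's artifacts."""
    hits = []
    for line in lines:
        path = line.strip()
        if path and (path in KNOWN_PATHS or any(p.search(path) for p in PATH_PATTERNS)):
            hits.append(path)
    return hits


def label_sha256(data):
    """Label file content by SHA256 if it is one of the report's files, else None."""
    return KNOWN_SHA256.get(hashlib.sha256(data).hexdigest())


def log_timestamp(path):
    """UTC time encoded in a log_<ms>.txt.zip file name, or None for other names."""
    m = LOG_ZIP.search(path)
    if not m:
        return None
    ms = int(m.group(1))
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).replace(microsecond=(ms % 1000) * 1000)


# Constructed sample: two benign files mixed with artifacts named in the report.
SAMPLE_FIND_OUTPUT = """
/storage/emulated/0/DCIM/Camera/IMG_0001.jpg
/storage/emulated/0/.am/log_1717318363216.txt.zip
/storage/emulated/0/.am/dm/md/main.md
/storage/emulated/0/Download/invoice.pdf
/data/data/ultfp.xluluazofns/databases/SettingsDB-wal
""".splitlines()

if __name__ == "__main__":
    for hit in scan_paths(SAMPLE_FIND_OUTPUT):
        stamp = log_timestamp(hit)
        note = f" (written {stamp:%Y-%m-%d %H:%M:%S} UTC)" if stamp else ""
        print("suspicious:", hit + note)
```

Hash matching is only useful for the files that do not change between runs (the payloads and the dropped APKs); the `SettingsDB` and `log.txt` entries appear several times above with different hashes because they are rewritten during execution, so for those the path is the indicator, and the database itself should be pulled and opened in a SQLite viewer rather than compared by hash.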