Analysis

  • max time kernel
    170s
  • max time network
    182s
  • platform
    android_x86
  • resource
    android-x86-arm-20240514-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
  • submitted
    02-06-2024 08:52 (DD-MM-YYYY, i.e. 2 June 2024)

General

  • Target

    7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2.apk

  • Size

    20.5MB

  • MD5

    95b2280beecef198e0000141611c25f5

  • SHA1

    412f94db6e1472f3157a4ff2c3f73a090474a18c

  • SHA256

    7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2

  • SHA512

    91609c6b985210db45b578e261e13c5de8f070405b7d81a611fc3375e7603fa8e728bfd19fb9003369488ed4e906c3f10554a13b5c50530df4de86a7e12fff18

  • SSDEEP

    393216:o5pST5h6sJA35z7A79L+icn1mbgafiubcNZjbZT9i/zVN2I+TXt5kKpPbNiRSKcG:btJA35z7c5k1mbBffcrjTi/zVN2IkdCd

Malware Config

Signatures

  • AndrMonitor

    AndrMonitor is Android stalkerware.

  • Checks if the Android device is rooted. 1 TTPs 2 IoCs
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Removes its main activity from the application launcher 1 TTPs 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Domain associated with commercial stalkerware (indicator list from echap.eu.org) 3 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about the phone network operator 1 TTPs
  • Requests cell location 1 TTPs 1 IoCs

    Uses Android APIs to get current cell information.

  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • ultfp.xluluazofns
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries account information for other applications stored on the device
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Acquires the wake lock
    • Requests cell location
    • Schedules tasks to execute at a specified time
    PID:4320
    • su
      2⤵
        PID:4385
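The process tree above encodes depth with the numbered ⤵ markers. As an added example (not the sandbox's own code), the Python below rebuilds parent links from those markers and extracts the evidence behind "Checks if the Android device is rooted": which package, through which intermediate process, executed su. The first tree is transcribed from this report; the second (com.example.app, sh, logcat) is constructed to show the case where su is reached through a shell rather than directly.

```python
"""Added example (not part of the sandbox report): parse the Processes tree and
pull out the evidence behind "Checks if the Android device is rooted"."""
from dataclasses import dataclass, field


@dataclass
class Proc:
    name: str
    pid: int
    parent: "Proc | None" = None
    children: list = field(default_factory=list)

    def root(self):
        """Top-most ancestor, i.e. the app package the chain started from."""
        p = self
        while p.parent:
            p = p.parent
        return p


def build_tree(entries):
    """entries: (depth, name, pid) in report order, depth being the number
    before the ⤵ marker. An entry's parent is the latest entry one level up."""
    procs, stack = [], []
    for depth, name, pid in entries:
        proc = Proc(name, pid)
        del stack[depth - 1:]          # drop anything at this depth or deeper
        if stack:
            proc.parent = stack[-1]
            stack[-1].children.append(proc)
        stack.append(proc)
        procs.append(proc)
    return procs


def su_executions(procs):
    """(package, immediate parent, su pid) for every su run. A third-party app
    executing su is a root check at best and a root request at worst."""
    return [(p.root().name, p.parent.name, p.pid)
            for p in procs if p.name == "su" and p.parent]


# Transcribed from the Processes section of the report.
REPORT_TREE = [(1, "ultfp.xluluazofns", 4320), (2, "su", 4385)]

# Constructed, not from the report: su reached via a shell, plus a sibling.
DEEPER_TREE = [(1, "com.example.app", 100), (2, "sh", 101),
               (3, "su", 102), (2, "logcat", 103)]

if __name__ == "__main__":
    print(su_executions(build_tree(REPORT_TREE)))
    print(su_executions(build_tree(DEEPER_TREE)))
```

Reporting the root package as well as the immediate parent matters when batch-processing reports: a stalkerware sample that shells out before calling su still needs to be attributed to the package, not to sh.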

Network

MITRE ATT&CK Mobile v15


Downloads

    • /data/data/ultfp.xluluazofns/databases/SettingsDB

      Filesize

      124KB

      MD5

      4c0ccabb25100a908b9db06434a6af8b

      SHA1

      555d9ecfa42e17aec483e1c05be0fc1362db9e66

      SHA256

      79aee6f8af24ae6adc8537de3a061bde3778d3d9634265b85b3e8727d4116304

      SHA512

      b9a4a1227fa927f0ef987a720c5bf16af71f3fba8c1a40d5387ad0d4ba193a1b7b23634b0850af7c25b55c8b2e984e7c84ab8fb3e55c83b3bc2ff859f4dcc5bb

    • /data/data/ultfp.xluluazofns/databases/SettingsDB

      Filesize

      96KB

      MD5

      76de84a55383229901174dd4deb12cbb

      SHA1

      a5f821738c30229f8b8a716c30beecf848b75176

      SHA256

      717e7192d057a197d66de2d1dd5e25ff161a37ac615fac0f5739cf830abab290

      SHA512

      bd953f1d6ec32f4f32eb4622a7ea1991b3340e1fff832738535f7e37f805e3ee38521c64fa258448e0bc02198665b1ff482192c093ac212752de1206d9cabea9

    • /data/data/ultfp.xluluazofns/databases/SettingsDB

      Filesize

      96KB

      MD5

      19fc99bf8e0ed170f07dd5dc5fc6e7e0

      SHA1

      df25efc82016ed5253e486872c2b7a68fff39aa2

      SHA256

      b9cc06ebd87b4df97e214a93453614adee559b7e22fb25ad949cc3bb1678a57a

      SHA512

      7e11b32f63e6c70bd0c522b1ba58e44cfd833ab32bf4be3ff23c39e1a7f6e610525f7b4d7b6048b65ea0c0e236f2737d1119de3110ba477d4641fb3b4f16c789

    • /data/data/ultfp.xluluazofns/databases/SettingsDB

      Filesize

      52KB

      MD5

      b6815b344f6926d458cea05acd052cdd

      SHA1

      88f524aff1d4c5fee979a203dd952427871a7097

      SHA256

      028666f28ae0086b18fb740f792e8a80ad05547f0c7cb9d2dc8080e5125db366

      SHA512

      0431375f80e9c467d0abb042e43681a973bce455fe8354f5a138f19a3b28d3adc7eac3fe4c20bf44f085810749569b87a393185cd8f8bf2687f0923b8de4dade

    • /data/data/ultfp.xluluazofns/databases/SettingsDB

      Filesize

      96KB

      MD5

      c5631cca90626ad88ca11ac05a1061a5

      SHA1

      bf827527252f12b39dc0a173e8ebfe935fb21287

      SHA256

      a8248aa4232d0965e63861ff58ac7c18175e2953f2ab3b589cc4bf2721009d98

      SHA512

      229b0cd592dc2ffeb71806750d1dafd72afc49cd602aebd1cf31ef2281073fa2387141d048db9e38901ca2a3c3cdd9dbbf1deb15ddf6c2f28884a8d24e20d8a0

    • /data/data/ultfp.xluluazofns/databases/SettingsDB

      Filesize

      144KB

      MD5

      9e94c72787af7e914ac7798efb7008be

      SHA1

      d205c33f9418541acf2955e72d05e4f4563a1ccd

      SHA256

      ad413b6cc1977fc176e735c64c0d9626edcd74382bf622ee1c36d2e318550ed3

      SHA512

      07e0c7dd843a67eabbb1fd369642f067278ea98edc35a6027c276d426a52075e05b5c56697b0950d38a87e910fd14f3e64aba3b2561f111381ffe148cd2965eb

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-journal

      Filesize

      512B

      MD5

      560eed448d718798f39d0300484ecfbc

      SHA1

      70a45b48a25a004bfc1302533601f8f40aabb214

      SHA256

      8d517c5c7c37de44b82269ed5b142276442a4c39d474df1afffe60abd081873f

      SHA512

      7f6e559d7acbb89a6af9ebd6044a9deafcf3ae31b8ef102cdecf1c5a3c8c654d18a30ec8027dbcb62ce0eb706d33435f222b24928de22370ca4c202524712eb1

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-shm

      Filesize

      32KB

      MD5

      bb7df04e1b0a2570657527a7e108ae23

      SHA1

      5188431849b4613152fd7bdba6a3ff0a4fd6424b

      SHA256

      c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

      SHA512

      768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-wal

      Filesize

      414KB

      MD5

      0ed18faae6f3e2bcd5a225bb6b498098

      SHA1

      441a7b9ec476ae29d3bdf76f40568ec2da2ec225

      SHA256

      7f49f72ed41748328d1135aac00bec98d7b92be0f9f101e309d15f8027940085

      SHA512

      fe542b82b2c733be3e59531058ea462ebe3e93e9d046d9952f6ebc69a0f38a916acb6c6284a78f842c61d2d7ad0e2caaf54578e7cdf41939f715d984e4731df6

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-wal

      Filesize

      8KB

      MD5

      f34baea0d4f5853f648ed750c2dcf501

      SHA1

      a064e1120f7d410baf3a656cef96699e6b8be0b0

      SHA256

      e347ebe58b9a0f27435ebd7da2bafa494584fb33fc17b06cd86377848478fbb9

      SHA512

      4e6e07635b0642a1c60303ceceae47d2067c0816a793d424defbb62b38c0c7f793953fea72f1a21addab9b7eda36e17d2dccd85fa2cac26a69b434c198dc2477

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-wal

      Filesize

      8KB

      MD5

      5c036181aa3d01e33ee79c3f14ef325c

      SHA1

      60b9c53e01c9b7d8b108f8625cd6df1dfbd2375a

      SHA256

      dcb7cc0d3d5cbb219c66081a89ac574701c9cf40e423c60aec544f11236daa38

      SHA512

      1400979bd02d8fbe449bb7bbef72402b125d71f63306fc9bf2eef02d4a997021f1fc0bb46ae1e3cb42f15e67c71b5a613e4dc48877d9653a011b4a379170a844

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-wal

      Filesize

      4KB

      MD5

      a569e2185542cf83bf816949982917aa

      SHA1

      c2cee029e83a0786f79164570aa617780c7b7d87

      SHA256

      a7f9e93d29741cdfd485117a07277b5b743630b3f4144e49e0b4de4627b0ecba

      SHA512

      d4057a1bca2c0a0ece3653498e4d1a0deeeec9d357bd4a059d4046a0acce7126145c2f0ff4a8e0c701545adae757f1d755df051e689db4c4d4c0fb0f21a39150

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-wal

      Filesize

      8KB

      MD5

      073adaa9c845d15902a4b5d120d32246

      SHA1

      4d1f562becddce85461b40195cf780f7c3a339b7

      SHA256

      59e4b98ab85f9590e4fe70ddcc9b15db073c03a5d8e00bd1cd8bea01ab232adc

      SHA512

      77e236dfd3ead790c1c61a8117163048d20c96553aec350b63d59c966c49bd6ffc9ca5dacf86a4629dd467d119afc2ea05fe2b69838e396fd1ff9cea4b998693

    • /data/data/ultfp.xluluazofns/databases/SettingsDB-wal

      Filesize

      418KB

      MD5

      f1c7ef426ae6d9f3bdd811c27e54c6af

      SHA1

      8195c2638293e6d689cded9970f1dcfdd7b41e07

      SHA256

      b1642b8bb5f0d3f391966baacb317abb5d06249707fe9019cf58a3888b03b2c8

      SHA512

      6c6a3380a504617464bc7e5cb7771d58819266a15afbf2c1ce5c8b46a54c030572ea8ea130b13e7e1c84933c6fbcfd658567dd2b07737c738482b93deb483c7b

    • /storage/emulated/0/.am/dm/md/main.md

      Filesize

      2.6MB

      MD5

      b6d3a4cf3c50723d4c2b606550f66078

      SHA1

      fe6541e98b3cc04a31d269c3dd51beda11814796

      SHA256

      e10b67c58d2778bbcafa71e34353c26a089eaef19021b8a52274708c6c664a8b

      SHA512

      6b482bec5b3bf9f39f09164b67a416f238973e799a88245422a06caeeda73daf0aa0fa4e319384e6ac6c03c99c5808c9cba990ab5028169e820a2d8694eb7c5e

    • /storage/emulated/0/.am/dm/md/main_tools.md

      Filesize

      1.2MB

      MD5

      1e05a2d987a9b8ace6ec423e1de9ae2b

      SHA1

      8ba9fad037667f9a091541ac11cf4e27965d5288

      SHA256

      743e7d3660de8e672bf0d07078d8e540b1cdb17d216e63b8703fa180c97179b6

      SHA512

      1744113900cd787eb4ee34c9fe5b72dbefd4e6c334373f6f32adde0e3de22044a2cdb1ed9a6137e4dfdb7ec53a7b77fd5d059e07976569a30e192e680233d54c

    • /storage/emulated/0/.am/log.txt

      Filesize

      171B

      MD5

      c4f12b4359a50e7c0c9de8fde8606b07

      SHA1

      e626fa8efb128167caccf4a3f18f268bd0f66956

      SHA256

      4334adfa207d1512ad845dffa658aaf95857200f9e97272c800aabe1745a357f

      SHA512

      2bb47a987edb46dbbe53069e1da46dad1ae80edc74e8326c4f81646a6b0a5298e0514123b57d42a0a24342e7c7959bf00742c7f790d49366cee0b617d2edace1

    • /storage/emulated/0/.am/log.txt

      Filesize

      150B

      MD5

      698d208007ef1aaba52f8acbc19e77cc

      SHA1

      ae3d38974bbcb049dc20b0eab85e14605ffd423a

      SHA256

      4cde6155ed6f82c5e878ae6284d555f954994bedb169f544af951257f5a4e4b6

      SHA512

      15282a747d09a184b0e74219ee5e2ebc8a69519fcd9c62bc8133397e2abe47bb366b211ec1d0bdcc5e404b2f4bca669de7e2a264d07cf8f6c7c3dcf999808d5e

    • /storage/emulated/0/.am/log.txt

      Filesize

      3KB

      MD5

      58e8a23dd4d437e25af1e208f13698bd

      SHA1

      56ac0531675cbee7d170efdab7eca69e622b6bfd

      SHA256

      23c71b941d4a23d3cb8ab66c0ba9795920f8bedd6d385b2a329274d3e78b9e82

      SHA512

      f5dac58c939b98adda62a6abcdc52681436cc8610ef494226631f764e07210d1e851de15db3db09c670347a27ddb3ef35e2ac517077af8f4dc6dd05803099b77

    • /storage/emulated/0/.am/log.txt

      Filesize

      62B

      MD5

      fe44349c74323464f3cf73a1d4ab145e

      SHA1

      8a035b8b57d20e92c20382c193b664038d0e3066

      SHA256

      74d99f8e2e6036271a614ecca6e776803b62fe0b65d84db0ba7c99cf9ba3ee5f

      SHA512

      72b70755dfaca24de2058871d79adec015dabfb06517aa48e4886d9d0c194826e58432c0678ed1d9533a715dbe247cf5d5322b94c547d4ed2c2b4323187d58e3

    • /storage/emulated/0/.am/log.txt

      Filesize

      70B

      MD5

      7f00b727fd77965825ca12e61a8d5e92

      SHA1

      33eb5e6aa38679f824674377afe5f60c4d742a84

      SHA256

      e5922982319913b3d05d60d61790ac94d993add3dfec3246f3d3cafb87a1e999

      SHA512

      8cc62aff88aee14581447093fca98e9505f5f03a3752a24336701c2dcfc68f039f588dfe5443804da0b7c1feb8192f2ce525c93cfc19993c8bf04fae7bb1ec07

    • /storage/emulated/0/.am/log.txt

      Filesize

      161B

      MD5

      67580e20f7f62fc9946f86076e98dc76

      SHA1

      e17ba504c1ee47b859cf1e2364b5cac0f5f3dfdc

      SHA256

      6477b32c9d2b489234302a1def57982664f80de56ff804dab1d0f4e3b376d534

      SHA512

      32e9542992e9fd1ebfa984d256aa36e840fb50c59ace67772e3ccdb8d48506f738133e7a18041e362fa22afab2b155eca53bbe0c0d09fce1db63790eb279af7b

    • /storage/emulated/0/.am/log.txt

      Filesize

      132B

      MD5

      720465e7e5f833a6bbe2d8aa85ff8236

      SHA1

      e3ac63a93aac769dbf34a29e003638ac9be9a97f

      SHA256

      c1f7225e0862f5820c452dca5ea14fdeb297c2cb47e3ea03f25d0e3b4f8c6b1c

      SHA512

      dce8b6a59a39fdddec428fff4619224423f3b0315d0c5700fb8fd9ac1f1ae5ad25b7d63468af6267b9d0074d6e829c6f914baaca42d2209e52ed6374f85ad6a0

    • /storage/emulated/0/.am/log_.txt

      Filesize

      26KB

      MD5

      ca19c541dc0220c75f0851b5d5451d4f

      SHA1

      823a524a9e2e5ce6751863b9c05c5916c6eb323d

      SHA256

      5ac2ffce93ea073ac0dfb602b8219423bb041803586a56af7ef7ea1fd3c77153

      SHA512

      a58d4cfeb54406fcb837a67a4c0c14b7e39de8d625c40ed1a683e38bb9cdf70c65bc15c01440b368f62a79d9ba26ec4f1d5f8c92a880e88f5555413e40c04e80

    • /storage/emulated/0/.am/log_.txt.zip

      Filesize

      6KB

      MD5

      b2d97d9ec76873945a62142d521333db

      SHA1

      0b16d1cba3622f7dc8aa0e7041d54360a87bfb2b

      SHA256

      b566f6fefd829cdf67412ab7d50c7499bf2e8b8bb54aa6c57699787e84899da0

      SHA512

      ec72d386f9a89189444ca77756fa12d2a1d72db7848eb9293af7fb8a6045a65dc2c07f5d51dccac9a613ca7d00d7b3c23d76994f72ac066467e811b1cd902b6f

    • /storage/emulated/0/.am/log_1717318371416.txt.zip

      Filesize

      218B

      MD5

      718b5636f292c6f27d4644b5ef3b1ef4

      SHA1

      700d03f83cf4aa16959581e82e644a23da7062d9

      SHA256

      807278a5f7582d62bc391d3760728369dd7aee1ee9aed92b16044ad3c8a55669

      SHA512

      32ff20282f3e985c86c2084fa14c172488fd265bc4d92a017ed49d2ce5d124e6d2c4f53643acfa3d968028b32798aa93e2ae7da37ea5d0d25cf4412d312e959d

    • /storage/emulated/0/.am/mch.apk

      Filesize

      47KB

      MD5

      1d76d1ffe610bb3d811fa9e3f2e7779e

      SHA1

      29b750bbda8088b2c592eaceb4017ed8134564de

      SHA256

      fe880c38f164b74b4d220478566abf88dabce988024f274c0954703e9f5c5ab8

      SHA512

      c2ce72ed3df022b05f4a392d6d8b0523b917713bd81923f925866f0d50a3811a013c25e557e03ffeba6c87920bf42ca2fd507e0d7f38fb13ad290f96ad6f6fd8

    • /storage/emulated/0/.am/prog_class.name

      Filesize

      81B

      MD5

      b8b5f3bfc09d894b59b046a334c95afb

      SHA1

      63553f7add999d1f9279baae996086f6da7e5c63

      SHA256

      724cec8037ad196328560e2dee682aff4e295682d738789468d8123e9d447871

      SHA512

      30d8ca6f0c05b027d1fe1504a5c95efb8b48ab61a8da85fbe49fe5c24cd23266450e95e48cc735244e764019c6065e5b8420d615baaa39d3abc6489479f66b67

    • /storage/emulated/0/Android/data/ultfp.xluluazofns/files/Download/mch.apk

      Filesize

      64KB

      MD5

      0ccc0f17377e4637ea0c10f351ae7138

      SHA1

      7fb7cbebe1fea5c7cf7e580675adf7d7ffee0b14

      SHA256

      680873d8b7b42f0db864f0d500743193cfa61506d48c696cd6161a15d17e6c6a

      SHA512

      54ee1e4ac16d165616ea57c1529adad08f0438431f05862949c706ffd36c472a3cdd6555ca7cc92a63557aa4ec417b9cb06fc361ea244c4945d8266bb6f55f77

    • /storage/emulated/0/Android/data/ultfp.xluluazofns/files/Download/mch.apk (deleted)

      Filesize

      64KB

      MD5

      13684d2547f64dabfe299d1c6553a05f

      SHA1

      b000477d2cb51e917f2ebce3a8c53745ba7e0fd0

      SHA256

      3cf935d3101700253aa86e9d233201e587cfdd71b44491414b9d0f8f351febc0

      SHA512

      e75a7c2d43b9223cbb58cf21640ed86a1df77fbeab56d9f7904748898feac40aa6a372dfdfd44c93ea8480dad2f9889684bf37b85549d4bf8e2a2c7c79172217

    • Anonymous-DexFile@0xc5c1d000-0xc5d48250

      Filesize

      1.2MB

      MD5

      cb16f947895faf71d09cb5ad792b0e35

      SHA1

      c1dc4f7d5942a9dc0e1f27bad9239a4b4e8f49a7

      SHA256

      e884e38eadd126d05e90daacf4250127ea46787315a235296d3c9341c2df3bef

      SHA512

      8ed0d22895c375649c7eee45c2911d816d194ee36c648e8cf84805dfff0889602bb3d17b376d2e4c73fdb0df23002349df0a872d8e18fe219862ad06970aa2ba

    • Anonymous-DexFile@0xc5d49000-0xc5fdb25c

      Filesize

      2.6MB

      MD5

      a11095265b09ae16734bc3b64a287e71

      SHA1

      880f31b9f8816a40960b0276447e2252194d5f0e

      SHA256

      886111a93011a48dfb6eb6231c42864b42364bd8a71d0efc229188653dbe0a9f

      SHA512

      81963a169cfbe9dbc6a47a5d5c52d3f25ad3b56e82ad24206b24b257f0118d52393174a4219f6b27b4cb3a2ba8eeb832e61ea5bfb2b2160cee63a895a28cddc0
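The Downloads list above is a raw inventory. As an added example (not the sandbox's own tooling), the Python below transcribes the paths, displayed sizes and truncated SHA-256 values from the report and runs the checks a triager would: how often each path was rewritten during the run, which in-memory Anonymous-DexFile dumps match an on-disk file by mapped length, what the 13-digit stamp in log_1717318371416.txt.zip decodes to, and which secondary APKs were written. The file contents are not on the page, so nothing here claims what they contain.

```python
"""Added example, not part of the sandbox report: triage helpers for the
Downloads inventory. Paths, displayed sizes and SHA-256 prefixes (first 12
hex chars) are transcribed from the report; the checks are the added part."""
import re
from collections import defaultdict
from datetime import datetime, timezone

DB = "/data/data/ultfp.xluluazofns/databases/"
EXT = "/storage/emulated/0/"
DL = EXT + "Android/data/ultfp.xluluazofns/files/Download/"
# (path, size as the sandbox displays it, sha256 prefix) - from the report.
DROPPED = [
    (DB + "SettingsDB", "124KB", "79aee6f8af24"), (DB + "SettingsDB", "96KB", "717e7192d057"),
    (DB + "SettingsDB", "96KB", "b9cc06ebd87b"), (DB + "SettingsDB", "52KB", "028666f28ae0"),
    (DB + "SettingsDB", "96KB", "a8248aa4232d"), (DB + "SettingsDB", "144KB", "ad413b6cc197"),
    (DB + "SettingsDB-journal", "512B", "8d517c5c7c37"), (DB + "SettingsDB-shm", "32KB", "c35020473aed"),
    (DB + "SettingsDB-wal", "414KB", "7f49f72ed417"), (DB + "SettingsDB-wal", "8KB", "e347ebe58b9a"),
    (DB + "SettingsDB-wal", "8KB", "dcb7cc0d3d5c"), (DB + "SettingsDB-wal", "4KB", "a7f9e93d2974"),
    (DB + "SettingsDB-wal", "8KB", "59e4b98ab85f"), (DB + "SettingsDB-wal", "418KB", "b1642b8bb5f0"),
    (EXT + ".am/dm/md/main.md", "2.6MB", "e10b67c58d27"), (EXT + ".am/dm/md/main_tools.md", "1.2MB", "743e7d3660de"),
    (EXT + ".am/log.txt", "171B", "4334adfa207d"), (EXT + ".am/log.txt", "150B", "4cde6155ed6f"),
    (EXT + ".am/log.txt", "3KB", "23c71b941d4a"), (EXT + ".am/log.txt", "62B", "74d99f8e2e60"),
    (EXT + ".am/log.txt", "70B", "e59229823199"), (EXT + ".am/log.txt", "161B", "6477b32c9d2b"),
    (EXT + ".am/log.txt", "132B", "c1f7225e0862"), (EXT + ".am/log_.txt", "26KB", "5ac2ffce93ea"),
    (EXT + ".am/log_.txt.zip", "6KB", "b566f6fefd82"), (EXT + ".am/log_1717318371416.txt.zip", "218B", "807278a5f758"),
    (EXT + ".am/mch.apk", "47KB", "fe880c38f164"), (EXT + ".am/prog_class.name", "81B", "724cec8037ad"),
    (DL + "mch.apk", "64KB", "680873d8b7b4"), (DL + "mch.apk (deleted)", "64KB", "3cf935d31017"),
    ("Anonymous-DexFile@0xc5c1d000-0xc5d48250", "1.2MB", "e884e38eadd1"),
    ("Anonymous-DexFile@0xc5d49000-0xc5fdb25c", "2.6MB", "886111a93011"),
]
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}


def parse_size(text):
    """'2.6MB' -> bytes, using the binary units the sandbox displays."""
    m = re.fullmatch(r"([\d.]+)(B|KB|MB)", text)
    return round(float(m.group(1)) * UNITS[m.group(2)])


def fmt_size(n):
    """Inverse of parse_size, rounded the way the report rounds."""
    if n >= 1024 ** 2:
        return f"{n / 1024 ** 2:.1f}MB"
    return f"{n // 1024}KB" if n >= 1024 else f"{n}B"


def versions(entries):
    """Distinct hashes seen per path ('(deleted)' copies count as the same
    path). Several versions of one path mean it was rewritten during the run."""
    seen = defaultdict(set)
    for path, _, sha in entries:
        seen[path.replace(" (deleted)", "")].add(sha)
    return {p: len(s) for p, s in seen.items()}


def dex_matches(entries):
    """Pair each Anonymous-DexFile dump with on-disk files of the same displayed
    size. The dump is hashed from memory, so its hash will not match a file on
    disk; the mapped length is the only correlation the report offers."""
    on_disk = [(p, s) for p, s, _ in entries if p.startswith("/")]
    out = {}
    for path, _, _ in entries:
        m = re.search(r"@0x([0-9a-f]+)-0x([0-9a-f]+)$", path)
        if m:
            length = int(m.group(2), 16) - int(m.group(1), 16)
            out[path] = sorted({p for p, s in on_disk if s == fmt_size(length)})
    return out


def epoch_from_name(path):
    """Decode a 13-digit epoch-milliseconds stamp embedded in a file name."""
    m = re.search(r"(?<!\d)\d{13}(?!\d)", path)
    if not m:
        return None
    ts = datetime.fromtimestamp(int(m.group()) / 1000, tz=timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def apks(entries):
    """Secondary APK paths the sample wrote, with the number of distinct hashes."""
    return {p: n for p, n in versions(entries).items() if p.endswith(".apk")}


if __name__ == "__main__":
    for p, n in versions(DROPPED).items():
        if n > 1:
            print(f"{n} versions of {p}")
    print(dex_matches(DROPPED))
    print(apks(DROPPED))
    print(epoch_from_name(EXT + ".am/log_1717318371416.txt.zip"))
```

Two things fall out of this inventory. The two Anonymous-DexFile mappings are 0x12B250 and 0x29225C bytes long, which the report rounds to 1.2MB and 2.6MB, the same displayed sizes as main_tools.md and main.md under /storage/emulated/0/.am/dm/md/; that is consistent with the "Loads dropped Dex/Jar" signature and makes those two .md files the first thing to pull from the sandbox for static analysis. The stamp in log_1717318371416.txt.zip decodes to 2024-06-02 08:52:51 UTC, the report's own submission time, so the archive was created during the run and the submitted date reads as DD-MM-YYYY.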