Analysis
max time kernel: 23s
max time network: 185s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 01-07-2024 02:15
Behavioral task: behavioral1
Sample: ae4e024bce0ae2f7577d6eea4b616c585dfdc48daff98ecf24a1e36c60690772.apk
Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
Sample: ae4e024bce0ae2f7577d6eea4b616c585dfdc48daff98ecf24a1e36c60690772.apk
Resource: android-33-x64-arm64-20240624-en
General
Target: ae4e024bce0ae2f7577d6eea4b616c585dfdc48daff98ecf24a1e36c60690772.apk
Size: 20.5MB
MD5: 69a3362a56aceeae697d711b85ea1bd0
SHA1: 05af8c183ee7934be6bb1077992be1aa79a4d17f
SHA256: ae4e024bce0ae2f7577d6eea4b616c585dfdc48daff98ecf24a1e36c60690772
SHA512: 75f50d474571b4d722d623f7d74857fd831553f941bc5fe7b7b5b310ee2c8367adca0f4e32ee44ba9c5d945e76b8b6269d4197dcbd5efcea245dd6da118ae61b
SSDEEP: 393216:/rTNsZsJA35z7A79L+piJ1mbgafiubcrZzbfT9i/zVN2I+TXu1qKpPbNiRSKcsaT:vzJA35z7c5R/mbBffc1z9i/zVN2Ike84
Malware Config
Signatures
- AndrMonitor
  AndrMonitor is an Android stalkerware.
- Checks if the Android device is rooted. (1 TTP, 2 IoCs)
  ioc: /system/app/Superuser.apk (process: wzfj.mxwub)
  ioc: /sbin/su (process: wzfj.mxwub)
- Loads dropped Dex/Jar (1 TTP, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: Anonymous-DexFile@0xcf1f4000-0xcf4864e8 (pid: 4242, process: wzfj.mxwub)
  ioc: Anonymous-DexFile@0xcef9c000-0xcf0c7250 (pid: 4242, process: wzfj.mxwub)
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Queries account information for other applications stored on the device (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect account information stored on the device.
  description: Framework service call; ioc: android.accounts.IAccountManager.getAccounts (process: wzfj.mxwub)
- Queries the phone number (MSISDN for GSM devices) (1 TTP)
- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (6 IoCs)
  flow 4: prog-money.com; flow 6: anmon.name; flow 13: andmon.name; flow 42: prog-money.com; flow 44: anmon.name; flow 56: andmon.name
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call; ioc: android.app.IActivityManager.setServiceForeground (process: wzfj.mxwub)
- Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description: Framework service call; ioc: android.net.wifi.IWifiManager.getConnectionInfo (process: wzfj.mxwub)
- Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
- Reads information about phone network operator. (1 TTP)
- Requests cell location (1 TTP, 1 IoC)
  Uses Android APIs to get current cell information.
  description: Framework service call; ioc: com.android.internal.telephony.ITelephony.getAllCellInfo (process: wzfj.mxwub)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  description: Framework service call; ioc: android.app.IActivityManager.registerReceiver (process: wzfj.mxwub)
- Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description: Framework service call; ioc: android.app.job.IJobScheduler.schedule (process: wzfj.mxwub)
Processes
- wzfj.mxwub (PID: 4242)
  - Checks if the Android device is rooted.
  - Loads dropped Dex/Jar
  - Queries account information for other applications stored on the device
  - Makes use of the framework's foreground persistence service
  - Queries information about the current Wi-Fi connection
  - Requests cell location
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution: Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)
Downloads