Analysis
- max time kernel: 171s
- max time network: 186s
- platform: android_x64
- resource: android-33-x64-arm64-20240624-en
- resource tags: android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
- submitted: 01-07-2024 02:15
Behavioral task: behavioral1
- Sample: ae4e024bce0ae2f7577d6eea4b616c585dfdc48daff98ecf24a1e36c60690772.apk
- Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
- Sample: ae4e024bce0ae2f7577d6eea4b616c585dfdc48daff98ecf24a1e36c60690772.apk
- Resource: android-33-x64-arm64-20240624-en
General
- Target: ae4e024bce0ae2f7577d6eea4b616c585dfdc48daff98ecf24a1e36c60690772.apk
- Size: 20.5MB
- MD5: 69a3362a56aceeae697d711b85ea1bd0
- SHA1: 05af8c183ee7934be6bb1077992be1aa79a4d17f
- SHA256: ae4e024bce0ae2f7577d6eea4b616c585dfdc48daff98ecf24a1e36c60690772
- SHA512: 75f50d474571b4d722d623f7d74857fd831553f941bc5fe7b7b5b310ee2c8367adca0f4e32ee44ba9c5d945e76b8b6269d4197dcbd5efcea245dd6da118ae61b
- SSDEEP: 393216:/rTNsZsJA35z7A79L+piJ1mbgafiubcrZzbfT9i/zVN2I+TXu1qKpPbNiRSKcsaT:vzJA35z7c5R/mbBffc1z9i/zVN2Ike84
Malware Config
Signatures
- AndrMonitor
  AndrMonitor is an Android stalkerware.
- Checks if the Android device is rooted. (1 TTPs, 3 IoCs)
  ioc                        Process
  /system/app/Superuser.apk  wzfj.mxwub
  /sbin/su                   wzfj.mxwub
  /system/bin/su             wzfj.mxwub
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc                                          pid   Process
  /data/user/0/wzfj.mxwub/[email protected]  4348  wzfj.mxwub
  /data/user/0/wzfj.mxwub/[email protected]  4348  wzfj.mxwub
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect account information stored on the device.
  description             ioc                                                  Process
  Framework service call  android.accounts.IAccountManager.getAccountsAsUser  wzfj.mxwub
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (9 IoCs)
  flow  ioc
  36    anmon.name
  12    prog-money.com
  14    anmon.name
  20    prog-money.com
  21    andmon.name
  32    anmon.name
  35    anmon.name
  11    prog-money.com
  13    anmon.name
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description             ioc                                                Process
  Framework service call  android.app.IActivityManager.setServiceForeground  wzfj.mxwub
- Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)
- Reads information about phone network operator. (1 TTPs)
- Requests cell location (1 TTPs, 1 IoCs)
  Uses Android APIs to get current cell information.
  description             ioc                                                     Process
  Framework service call  com.android.internal.telephony.ITelephony.getAllCellInfo  wzfj.mxwub
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description             ioc                                      Process
  Framework service call  android.app.job.IJobScheduler.schedule  wzfj.mxwub
Processes
Network
MITRE ATT&CK Mobile v15
Downloads
- /data/user/0/wzfj.mxwub/[email protected]
  Filesize: 2.3MB
  MD5: f351ac2b6d45a6c71f98b9af3d566607
  SHA1: 3b24242ff000e7b5c00526ba7a0706369c4dc073
  SHA256: 34b0aec7c02820703cb9f22a786253cd0bbcc78c60a70eb4a8f422d6609d248d
  SHA512: bf4a683f06931002ec191e0e7dc26f8de88644834c1559703a915b16987946c510e09d0c03504519d251962d816f199d05212c1eeba207326b1caa4d3e9d7d07
- /data/user/0/wzfj.mxwub/[email protected]
  Filesize: 1.2MB
  MD5: cb16f947895faf71d09cb5ad792b0e35
  SHA1: c1dc4f7d5942a9dc0e1f27bad9239a4b4e8f49a7
  SHA256: e884e38eadd126d05e90daacf4250127ea46787315a235296d3c9341c2df3bef
  SHA512: 8ed0d22895c375649c7eee45c2911d816d194ee36c648e8cf84805dfff0889602bb3d17b376d2e4c73fdb0df23002349df0a872d8e18fe219862ad06970aa2ba
- (no path recorded)
  Filesize: 2.1MB
  MD5: 4ff2b064cc25929cef9b4d11bb97e3de
  SHA1: 9399ef3be9af39099959ae53a9e9f700f73e383b
  SHA256: b45b3bbf8b4326f432daf833a14774c8bd0521b4c9ed4b4f2d4ddc6c5799a72c
  SHA512: 2e5ab81962cf0df7406e09193a45dbae998195d8a1aaf6cfed0bb440d6c81b0baab91a3526c843293634f8d1030741c6834fc3e3d36fb6df4a1193d5731fce44
- (no path recorded)
  Filesize: 171B
  MD5: 813ef5b4e43732f445294984246addaa
  SHA1: fbd01c1b88eab59ca1bc67108dca1ec01ad009c7
  SHA256: 4d8258955555ec0a4a5c3b85adb9a44018e4c0c9fc9b66b9cd00d5163c5427ad
  SHA512: 585a4804229ff4aff7cdf78fc25a6ba677618783afc1335ef71e4d82b7a8d3dd75f05c05c0db8315ae975265c523be3119560b0258aa9425bba37d2150846f7d
- (no path recorded)
  Filesize: 150B
  MD5: 4ca726acd3afa1595f8eaeea71921252
  SHA1: 99934ee3cc0a5a7a4dfeeb2407806c4cf46ebd39
  SHA256: 0f7fc77c14cd1f7e66733174f46bc19be9b7e8a99849d93fd25cd7abedc9d3da
  SHA512: f195a5c2c3afad15dc8477eb74a5dc57a3bfd1707969e8609309ef8df6a7e85f368436c3bbe106a85f86ceef8ac0bf942bee1ce8f5e53254ed5f7c2696f22130
- (no path recorded)
  Filesize: 131B
  MD5: a9ed7d9c40507ad4c8e2895ef3489ed4
  SHA1: c65441b9206f3bf4a0c3a3d6d171e3f35cbf4b86
  SHA256: 3c6cc16617efa59c6eace4259a0105826f1154f9670dd78b1708935a39d17538
  SHA512: c5e8db12b2be5b896b3dd64a1e7d7fa167e3c7b216b27427a14bd4274b460bb2cb4bd7d7a08bcc8a453637b0cb1c98dce9c0f2bdf0cd076c1506e9ef56a589c9
- (no path recorded)
  Filesize: 62B
  MD5: fe6c26554bb51fa9e9170fefdbe9c90e
  SHA1: 6bcdab43a045625d0e4b8a6fee38daf94706ab25
  SHA256: 2ab0ecd0b4b158a6940ff2f1be68ccc9e3e417b137004fa73bf31e74bfe4f8d7
  SHA512: 01e91d1ee80870a96d774c3ef6985991e066ee98f8f80f76481439315f26bb690f632f1091d95d15f3e3fa0c10e099247eb79faf9abfdc6803b0066f76ced5c9
- (no path recorded)
  Filesize: 70B
  MD5: 3fd9a8b1f0a4817ba38ab2a7f6ccfafa
  SHA1: c6643208bef38d8418ba09ef85f4d1b1c90d4476
  SHA256: 8339556d9bec9c9531eb457e0ce32ff270ad080464dee3b5ac56a770faa41af4
  SHA512: 723039578eda5fc22d770c5e75eed5554f580ac420616007d0422639fcc3fd645b0ed0eafc7d0db66f603c638b5d6801f72ee99f56617e9e416bacf488c1114d
- (no path recorded)
  Filesize: 177B
  MD5: 384ac24fc25d1a3f11be9e56f9f53d44
  SHA1: 34eb3620c045cc0e1626e945f434eec3e0f075d9
  SHA256: 1170296ba87ed4d614736e03e6188f758ef7cef90434caf6b31983b83426484c
  SHA512: 81952c1d509b55043242c15db04bcda24b41f920f0bcc1e26214485a9cfff72d033463e1a5aaca4798a8ff6e565d183d4427a647c1df45ae02ddad18d986036c
- (no path recorded)
  Filesize: 125B
  MD5: 0c82d37a1c2540ff0ba67305f2b31963
  SHA1: c510293c6f1be3ab2e74930deca0d0df3c7014a5
  SHA256: 924127e71bc04465d73708196a2683b27d32b568e53e1f35e5f7a5486095b825
  SHA512: 86123cf42d72e40b9531899897fb75aff59af48f63d6d035ace972fd2f2407e174327b2cb8dfde2ec4ce410809ac0007dd444d46213b391098c3c77c69cda023