Analysis
max time kernel: 167s
max time network: 177s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 02-07-2024 01:53
Behavioral task: behavioral1
Sample: ae4e024bce0ae2f7577d6eea4b616c585dfdc48daff98ecf24a1e36c60690772.apk
Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
Sample: ae4e024bce0ae2f7577d6eea4b616c585dfdc48daff98ecf24a1e36c60690772.apk
Resource: android-x64-arm64-20240624-en
General
Target: ae4e024bce0ae2f7577d6eea4b616c585dfdc48daff98ecf24a1e36c60690772.apk
Size: 20.5MB
MD5: 69a3362a56aceeae697d711b85ea1bd0
SHA1: 05af8c183ee7934be6bb1077992be1aa79a4d17f
SHA256: ae4e024bce0ae2f7577d6eea4b616c585dfdc48daff98ecf24a1e36c60690772
SHA512: 75f50d474571b4d722d623f7d74857fd831553f941bc5fe7b7b5b310ee2c8367adca0f4e32ee44ba9c5d945e76b8b6269d4197dcbd5efcea245dd6da118ae61b
SSDEEP: 393216:/rTNsZsJA35z7A79L+piJ1mbgafiubcrZzbfT9i/zVN2I+TXu1qKpPbNiRSKcsaT:vzJA35z7c5R/mbBffc1z9i/zVN2Ike84
Malware Config
Signatures
-
AndrMonitor
AndrMonitor is an Android stalkerware.
-
Checks if the Android device is rooted. (1 TTPs, 2 IoCs)
ioc                         Process
/system/app/Superuser.apk   wzfj.mxwub
/sbin/su                    wzfj.mxwub
pid    Process
4257   wzfj.mxwub
4257   wzfj.mxwub
-
Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
ioc                                       pid    Process
Anonymous-DexFile@0xd1935000-0xd1bc74e8   4257   wzfj.mxwub
Anonymous-DexFile@0xd1e4d000-0xd1f78250   4257   wzfj.mxwub
-
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
-
Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect account information stored on the device.
description              ioc                                            Process
Framework service call   android.accounts.IAccountManager.getAccounts   wzfj.mxwub
-
Queries the phone number (MSISDN for GSM devices) (1 TTPs)
-
Acquires the wake lock (1 IoCs)
description              ioc                                         Process
Framework service call   android.os.IPowerManager.acquireWakeLock   wzfj.mxwub
-
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (3 IoCs)
flow   ioc
6      anmon.name
16     andmon.name
4      prog-money.com
-
Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
description              ioc                                                   Process
Framework service call   android.app.IActivityManager.setServiceForeground   wzfj.mxwub
-
Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description              ioc                                               Process
Framework service call   android.net.wifi.IWifiManager.getConnectionInfo   wzfj.mxwub
-
Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)
-
Reads information about phone network operator. (1 TTPs)
-
Requests cell location (1 TTPs, 1 IoCs)
Uses Android APIs to get current cell information.
description              ioc                                                        Process
Framework service call   com.android.internal.telephony.ITelephony.getAllCellInfo   wzfj.mxwub
-
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
description              ioc                                             Process
Framework service call   android.app.IActivityManager.registerReceiver   wzfj.mxwub
-
Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description              ioc                                      Process
Framework service call   android.app.job.IJobScheduler.schedule   wzfj.mxwub
Processes
-
wzfj.mxwub (PID: 4257)
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests cell location
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
  su (PID: 4299)
-
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Foreground Persistence (1)
  Scheduled Task/Job (1)
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Hide Artifacts (1)
    Suppress Application Icon (1)
Downloads