Analysis
max time kernel: 166s
max time network: 180s
platform: android_x64
resource: android-x64-arm64-20240624-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
submitted: 02-07-2024 01:53
Behavioral task: behavioral1
Sample: ae4e024bce0ae2f7577d6eea4b616c585dfdc48daff98ecf24a1e36c60690772.apk
Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
Sample: ae4e024bce0ae2f7577d6eea4b616c585dfdc48daff98ecf24a1e36c60690772.apk
Resource: android-x64-arm64-20240624-en
General
Target: ae4e024bce0ae2f7577d6eea4b616c585dfdc48daff98ecf24a1e36c60690772.apk
Size: 20.5MB
MD5: 69a3362a56aceeae697d711b85ea1bd0
SHA1: 05af8c183ee7934be6bb1077992be1aa79a4d17f
SHA256: ae4e024bce0ae2f7577d6eea4b616c585dfdc48daff98ecf24a1e36c60690772
SHA512: 75f50d474571b4d722d623f7d74857fd831553f941bc5fe7b7b5b310ee2c8367adca0f4e32ee44ba9c5d945e76b8b6269d4197dcbd5efcea245dd6da118ae61b
SSDEEP: 393216:/rTNsZsJA35z7A79L+piJ1mbgafiubcrZzbfT9i/zVN2I+TXu1qKpPbNiRSKcsaT:vzJA35z7c5R/mbBffc1z9i/zVN2Ike84
Malware Config
Signatures
- AndrMonitor
  AndrMonitor is an Android stalkerware.
- Checks if the Android device is rooted. (1 TTPs, 3 IoCs)
  ioc / Process:
  /sbin/su - wzfj.mxwub
  /system/bin/su - wzfj.mxwub
  /system/app/Superuser.apk - wzfj.mxwub
- pid / Process:
  4487 - wzfj.mxwub
  4487 - wzfj.mxwub
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc / pid / Process:
  /data/user/0/wzfj.mxwub/[email protected] - 4487 - wzfj.mxwub
  /data/user/0/wzfj.mxwub/[email protected] - 4487 - wzfj.mxwub
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect account information stored on the device.
  description / ioc / Process: Framework service call - android.accounts.IAccountManager.getAccountsAsUser - wzfj.mxwub
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  description / ioc / Process: Framework service call - android.os.IPowerManager.acquireWakeLock - wzfj.mxwub
- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (14 IoCs)
  flow / ioc:
  28 - prog-money.com
  32 - anmon.name
  46 - anmon.name
  51 - anmon.name
  27 - prog-money.com
  36 - andmon.name
  52 - anmon.name
  29 - anmon.name
  33 - anmon.name
  49 - anmon.name
  30 - anmon.name
  31 - anmon.name
  34 - prog-money.com
  50 - anmon.name
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description / ioc / Process: Framework service call - android.app.IActivityManager.setServiceForeground - wzfj.mxwub
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description / ioc / Process: Framework service call - android.net.wifi.IWifiManager.getConnectionInfo - wzfj.mxwub
- Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)
- Reads information about phone network operator. (1 TTPs)
- Requests cell location (1 TTPs, 1 IoCs)
  Uses Android APIs to get current cell information.
  description / ioc / Process: Framework service call - com.android.internal.telephony.ITelephony.getAllCellInfo - wzfj.mxwub
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description / ioc / Process: Framework service call - android.app.job.IJobScheduler.schedule - wzfj.mxwub
Processes
- wzfj.mxwub (PID: 4487)
  - Checks if the Android device is rooted.
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Queries account information for other applications stored on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about the current Wi-Fi connection
  - Requests cell location
  - Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Defense Evasion:
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
- Suppress Application Icon (1)
Downloads
- /data/user/0/wzfj.mxwub/[email protected]
  Filesize: 2.6MB
  MD5: 1b5d7af0d254b409f3abad6d01570547
  SHA1: 7c496db9cb7bfcdb8832246bcec5276f5a280c75
  SHA256: e2f0cbb3e3ae65a8b8289743d576d21db62b62158922993759ada8479225fc34
  SHA512: c1f2f5a61fba8d3333d1b65eb4e1c536cb5660239f1d32183610cf463dc300a896e7b8fb96ed324946ffccb88d29ca03590e07535d4d426ed2a88b83acc788e8
- /data/user/0/wzfj.mxwub/[email protected]
  Filesize: 1.2MB
  MD5: cb16f947895faf71d09cb5ad792b0e35
  SHA1: c1dc4f7d5942a9dc0e1f27bad9239a4b4e8f49a7
  SHA256: e884e38eadd126d05e90daacf4250127ea46787315a235296d3c9341c2df3bef
  SHA512: 8ed0d22895c375649c7eee45c2911d816d194ee36c648e8cf84805dfff0889602bb3d17b376d2e4c73fdb0df23002349df0a872d8e18fe219862ad06970aa2ba