andrmonitor | 960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4

Resubmissions

22/08/2024, 18:21

240822-wzd6estdnj 10

01/08/2024, 02:15

240801-cpkexa1cqg 10

Analysis

max time kernel
167s
max time network
180s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
01/08/2024, 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

am.apk
Size

20.5MB
MD5

662a29140ea32f87a19fa76996137563
SHA1

cd0a4bd3abbf0fe2773a9c7a7a589a0609582219
SHA256

960b8e06d0db96f0bfcd044167a1af9b7397c73a13f222cdcce13f4824a8ffd4
SHA512

511b9d8e95dc7fa26fbf385c4f8bbdd0120830d7a4a031ac6929807bf265e7edafaa4778cdae6e80e632b8f1cfd4e7fb194a776328082402fbd2d22b79174b0c
SSDEEP

393216:tGtsJA35z7A79L+v291mbgafiubchZHb9T9i/zVN2I+TX3VyKpPbNiRSKcsbJo:tLJA35z7c5vLmbBffc3Hfi/zVN2Ikn08

Score

10^/10

andrmonitor banker collection discovery evasion execution infostealer persistence spyware stealth trojan

Malware Config

Signatures

AndrMonitor
AndrMonitor is an Android stalkerware.
trojan infostealer spyware andrmonitor

Checks if the Android device is rooted. 1 TTPs 3 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/system/app/Superuser.apk	xspcmj.qiegf
/sbin/su	xspcmj.qiegf
/system/bin/su	xspcmj.qiegf

Removes its main activity from the application launcher 1 TTPs 2 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4457	xspcmj.qiegf
4457	xspcmj.qiegf

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/xspcmj.qiegf/[email protected]	4457	xspcmj.qiegf
/data/user/0/xspcmj.qiegf/[email protected]	4457	xspcmj.qiegf

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Queries account information for other applications stored on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	xspcmj.qiegf

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	xspcmj.qiegf

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 14 IoCs

flow	ioc
50	anmon.name
27	anmon.name
34	andmon.name
48	anmon.name
26	prog-money.com
28	anmon.name
45	anmon.name
29	anmon.name
32	prog-money.com
44	anmon.name
49	anmon.name
25	prog-money.com
30	anmon.name
31	anmon.name

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	xspcmj.qiegf

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	xspcmj.qiegf

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests cell location 1 TTPs 1 IoCs

Uses Android APIs to to get current cell information.

collection discovery

Location Tracking

T1430

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	xspcmj.qiegf

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	xspcmj.qiegf

xspcmj.qiegf
1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests cell location
- Schedules tasks to execute at a specified time
PID:4457

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Credential Access

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/xspcmj.qiegf/[email protected]

Filesize
2.6MB

MD5
3bca1a576ba29bd493e42938a489aa5d

SHA1
0e5d4bc3a7daf6864fb3076e6c1e9685e254efd9

SHA256
b1da8dddf686b15b020b54c3509896b4a96b080604cd9d9cbf302e4beee473ce

SHA512
39a80b04bc764b98d47e035fb46ad89607bf599110bb5f62dc394f50e2c329fe913fe4be70b2a7879be3e2d7650eb9322f026e4996c62a45632e4045cc71bdc0

Download Submit
/data/user/0/xspcmj.qiegf/[email protected]

Filesize
1.2MB

MD5
336921950a9f279733cd787f1203d73d

SHA1
cefc36a7c17909054cf2a507b34f545af96c0e36

SHA256
c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c

SHA512
6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87

Download Submit
/data/user/0/xspcmj.qiegf/databases/SettingsDB

Filesize
124KB

MD5
f15335a640f24813c9b345c99da7e16d

SHA1
a0e7fdc85b3c1420bf342676be577f146f5dce49

SHA256
6baf6ee8c7c503ed9962ff49957fe3c0b707171d1913450d97c84856a6ae31b9

SHA512
5f51ec199de29b23e398d143c4f0faf58ba655a4f455ecafd5b6303c0ef428f3165f5db49daf4697f1dba3033da51113730ee5ad158a9ea9f8f6b9a10b044f19

Download Submit
/data/user/0/xspcmj.qiegf/databases/SettingsDB

Filesize
96KB

MD5
37175e36486134c2872071e9979b87dd

SHA1
4b56a9aca27f6cc2211d338116fd76c7faf087ea

SHA256
3b8719bcf36b8bf90ea2891f2f7010b70b617d8b616aaac7e0bcdfffefbf4add

SHA512
38a38ead52c25579930df740ab25ca586bb08f495de8e4357d00cbe1bb11b4b13c51a429fd4296da7d27acbf9142d4f331bae6567060397bfdd0a7963017b30e

Download Submit
/data/user/0/xspcmj.qiegf/databases/SettingsDB

Filesize
96KB

MD5
359874b585d21440c85c8db31c7dbc16

SHA1
59ca24082477a3fbfb05ac09fa41b393b9979c42

SHA256
56f5d56518404771abe6903a432475eb889b9b803539aedafa57b35f4ca19e67

SHA512
c92f630d7a39d9816cc5bdb7b95366acceee55b79c92c2e6890501103eef42b814c64e516829be68d18c7c42938f441fcb6b02175d3cf0ca2ff4851becb675ed

Download Submit
/data/user/0/xspcmj.qiegf/databases/SettingsDB

Filesize
96KB

MD5
691240bcdb507c8450637b0d363bb4ec

SHA1
a09419bbe6e0b52a9a5e240f8bb340d530884ec3

SHA256
aac6fec7ef3f68ec76bb77a35c66ac29461ce50461550832cd236d2d3367dff0

SHA512
70787996ec4714813eaa9fa0555fc960c705b5464871c861bd83a81f90e59992b60b5d6d6d44eb25b4b593243bc982fd1b9e72eaa1a2e6dfa1a7706ff50e6411

Download Submit
/data/user/0/xspcmj.qiegf/databases/SettingsDB

Filesize
96KB

MD5
c6c8de334b0939a41c73065344c55e56

SHA1
5a68294b101d55a5f6db2530f5ddb82bb5ac1564

SHA256
6562c2415ea4290742969c7a439584b4b90fe74d543733ebbdc134f8f98e1d58

SHA512
a70f55ba9dd1d0ca548fbfa76e54933d8111c8e73d25d5879f1538b31e73e3394f836a54e1a74cec7022ff501c69eed074ebc2cce39d76da91a610ab3253d13f

Download Submit
/data/user/0/xspcmj.qiegf/databases/SettingsDB

Filesize
172KB

MD5
90e79766b30ff7fe985c555d13e06303

SHA1
f450fe780afc216d01e8a5adcf421ac27d5859b3

SHA256
548134851f57e65fac4de6d619e227612f4fa8ffd6afbc260ffd1fd4999eb28d

SHA512
dc78e777154b90cd75c4de9238ee5e41180933e24828fba6b55d51761a15c483fa4b3297e23946125c34730effb651743a07d028fe1362a4165d765f5cac23e2

Download Submit
/data/user/0/xspcmj.qiegf/databases/SettingsDB-journal

Filesize
512B

MD5
d43fdff80d0db897f733f556fcd18e2f

SHA1
58e14599f21740cb6e1d4009368a6b7470f3c59a

SHA256
d769682a8098aa6167218bf8d1bc43fa3628c42720dc3309dff73d87d262ac61

SHA512
28de6106e9aac426fa99d51cdde51bad3cade579badbdafa92a301688d959069cdf23865aad72417143c48f3c35ae6e1f260724a338caa47701cf79584e28738

Download Submit
/data/user/0/xspcmj.qiegf/databases/SettingsDB-journal

Filesize
8KB

MD5
c4a18d6da520b3b314f5b5dca5d4e065

SHA1
701adf69d5598ea49e752fbd6c0ed3383cfc3902

SHA256
dc71f15875f2211b1b530927d6bbb6cc110956ffa2f2f8426b9ac25d7fb24044

SHA512
8d76aba406c8a656969b0f4f7635f4d37bea31aef9ef3531efc50274668a121e94a4bbace05f49bc5d1e09974064fb31e3054e43485f448d383237fa6f04040a

Download Submit
/data/user/0/xspcmj.qiegf/databases/SettingsDB-journal

Filesize
4KB

MD5
f66c83c4866a6614b6d1e0f361e589f6

SHA1
0e7549fe7e79006367556068b396177bb59b8730

SHA256
4c80a474d1a10fd88de06a7bd7b7d641f22edb62bfe584f8ccbede4119e539e4

SHA512
afe793e615ce93dfb9df0011b077b3618ed7de4275f0a5a5de8f0241ca33d99060ac9e8bfc92b85687124eb3664062f003ec2a009c5a68d89a835cf7711b0f42

Download Submit
/data/user/0/xspcmj.qiegf/databases/SettingsDB-journal

Filesize
8KB

MD5
a24422d3497f5eee93f16a24fa726ae6

SHA1
e2adb53569a07b82ec8e1972bb6ef02eae307d33

SHA256
5fe595aa2455c98bdc00cceadcfc77d27231a3fde962895fd855512070275495

SHA512
93d8a397df63401b57cb777e1470047e9d79919bae051e4eb6171a8f545799ebc1f2a174ff7356e978edf1c5ae642cce9d80b9a55569e30228de1a22a0dd1ac4

Download Submit
/data/user/0/xspcmj.qiegf/databases/SettingsDB-journal

Filesize
12KB

MD5
8d5a6ae6d8362dc84163db867687d15d

SHA1
0a726c7029bbc5bfd2e16878ec271d2f2bde6501

SHA256
f81a89d3e54c51c1d063a26f07d1155b0d5ca8890195a8571953887383e598e7

SHA512
be321b3a2a4e568377bba728a068158d8232163df3a396ef1530dbe17e72a42460521e9daf8f3972cb6ecbde70b2715a101b3d746eb8a1916419208433371b51

Download Submit
/data/user/0/xspcmj.qiegf/databases/SettingsDB-journal

Filesize
24KB

MD5
93335d974c5229a501d5da656762f7cb

SHA1
382328e77685fb299b32b5e086ccd334f25d9ab1

SHA256
c48176f5f961502740d65a154d51acba3fd83cdc498e41382ab1f2b90dff36f4

SHA512
98dda4ebec194193a8fb08a527c28f2be9229f8c2a03b1ee419403995bcc8b6885b7969e0124b8139adf1d3a81851f548bf2af890e907fae975e12bdcc568444

Download Submit
/storage/emulated/0/.am/dm/md/main.md

Filesize
2.6MB

MD5
8aa5d8f3622ac78fa2cc58d58c87dfaf

SHA1
33071f0a26c21320a749a25a5e94a694aaf346de

SHA256
db50acab3ed87a8cf5df819c8c88e3364f966dd5279d1f3a3f8e3154ab8cc326

SHA512
0ca20d27a1e8511ef0d588d15fe4c6f443a706af90d414e94d4d7e021080309f574892c327054c9b072a6a8740a9ab88e774116d2d815ed839ea7f813ef35251

Download Submit
/storage/emulated/0/.am/dm/md/main_tools.md

Filesize
1.2MB

MD5
51112e0a7f7962a8e02bc885025414ef

SHA1
40622959af4fe349d8881c885b9b30441de8804c

SHA256
2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0

SHA512
f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
173B

MD5
254685a47cd754ac544ac0ae59969aed

SHA1
fc20189c73cb0f3a72149203e42bd492312e7582

SHA256
55e85e7c1a46f624ff8365e42b41e6c39100f60175074e89ebd7b95a27c94c26

SHA512
7a428a04a15db6ad0971000217d71ceac43bb106956ea5f90321fcba362fb37e1bd0bd6ba4a11b2b70626e69e1983e4bd68ae2be29234e9991c8ab37e3d7cd72

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
152B

MD5
631b492a3be753611564e3a870c07d39

SHA1
0d4159706f193f806f73482f47b8d9321b791874

SHA256
3cdb0ad43276d9b81300f14aae2499485d23c72ab9519d4827d6a76c08e488b3

SHA512
4a6183bfb5b4c6f45b06f0ef81bbee4bb4a6c90447b0f3e300074a11fd2b4c720451da7797555eba0025b902a8cc1f325411becb632fe2d99795ab6442fac5c7

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
4KB

MD5
31ccee45b968dea306c7d331fae6796c

SHA1
952219da1a6c2a5e5a35642548624e3e74b16562

SHA256
2cc4a40e8a4ed226e25a12d267c77803b12bfec7bd7d67bc24f5d6981f77853c

SHA512
2cb813da3d972f34557561535a5c66f7006f4c71e10d69b4b16605f16b44f6f7d9afb577aa64fee06e0a408df1b765ec61c6c89562d43ec5f7a55e7963d223f9

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
64B

MD5
d153ad9c0eb72e3862093dcb9f4545c4

SHA1
18e9647e5d7a675ab0a40aa2a2bae7d4fa6278dc

SHA256
32a1e2f620da43af12dd0de80433656a9f2e8d1aa7ddcd95e71cce0171327f7a

SHA512
9c8fd8319190c4a5cb2af6a6940e1c4a708cddd4e3e3016b4bc9125271c9f4251568fb3d39b5684325a4beed600b589d82675e8285778a3ca2339777e05b1278

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
72B

MD5
f427b06b7dfc443cc42ea30e6588cd9b

SHA1
d390a2118eba8b3e8ff284f05a25b89fa65e0443

SHA256
185d9e56ffb1497bd7953381e5b7d98bcda2bebc516b9f3520498c4c901ff14e

SHA512
e40080bdebda880ef807310af1fa19d5fd2dbe79cd473cf68c03383cae5712c518de7bfd3f6d021145dc2c1e246723ad23ce0c04847e7300da2a42559f34f3a4

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
183B

MD5
ea21a15f3b49eee3bbd72740c1058b3f

SHA1
9d8d0daf5590726c651252855cafaa5413b9a7dd

SHA256
4c504f5774c593fe5d4b05fba213f96dd319942a91f83c79928a16c54ee61602

SHA512
494536f28e7d34b252265c17ee4a1d66505e8cef3478bcfb66f6ba8ce8b9a9d273a8b35802481b479be37f4519e3c8fc751dd0088fb11a489f90efc8505697ed

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
129B

MD5
883d9ebdfd10d81ef3e4a9a3caaa43c3

SHA1
606578edb34c03831f146a8cc867121e57eaf744

SHA256
62623733c16354f6edc854437e2f8b52335f193f21f31a543a3f86689ba2b2c2

SHA512
f3e3a14ebfd65715ef0aa9fa0aa2342b8caf852db5b4f133ded0f022b2831d825379cc58d0a3aade9d8876699d9de7c666c61e95dc7375203c2e88157314d74d

Download Submit
/storage/emulated/0/.am/log_.txt

Filesize
26KB

MD5
7f9acd83527bc9ae3fb03416041ceba5

SHA1
0cd6d70915224bb6a5dfb99b01439edd79ecff75

SHA256
92b6a63064266ff4ae5b4e8e89eafcbf91d12f3bb53b02a7bc146aed25ef2366

SHA512
b15ed3b041f876914a7ee216ac8b4e51e8d76307dced9e7e80828e08264348042d093c42b1a34d3ef8d5e636ee26c10187e159487910285ce34c516bcdf0a429

Download Submit
/storage/emulated/0/.am/log_.txt.zip

Filesize
6KB

MD5
66de031fd8a11d09d17f1e70bde19fa9

SHA1
01ede816c595a6faa19c10205daa1d1598ccfa8b

SHA256
d0df4df12ab384144dcfb9caa4b699dc56a93b2950c06fe6816892b22a8ca257

SHA512
3044580dfd855370330105bab785f9baac07037efd14a15cad5a9208ab2f50e0963259d0618fb1d8a04048d02796539916b0b4c2ae099fa22e0525eb248506fc

Download Submit
/storage/emulated/0/.am/log_1722478524700.txt.zip

Filesize
220B

MD5
07ddb30bf18993a7788db3f562400672

SHA1
2310de0f21dd7f5e7fd6ac1dd89d10394d519f60

SHA256
c0210064c9f9b33119e2a75eb39955a92d042668cda9900410688dae96540d9e

SHA512
7be163b4162baefc3e1140edc93341d04abbc09c3a7af8c130c52d056519b2355be0b08c0545208e568c53d480ae42cb3e378dc3442d8188fefb2c216185db85

Download Submit
/storage/emulated/0/.am/prog_class.name

Filesize
72B

MD5
fda9182e3ed7babfe6cdfb2fc79f91a4

SHA1
63c41d4facdb15262581b9096fef50492c48c801

SHA256
d09df77525b05a62e89c70cc207651dd416cf2b9a73d0ac5b37db77e93325803

SHA512
8554dbe745a8b52ee7cce25f4cd6ed4a92601223b616ad8357bcce09a9907b09dab3042220d2c41649b3b70b409124c1c2c8efac855c10d8c347c662bb3f98d7

Download Submit
/storage/emulated/0/Android/data/xspcmj.qiegf/files/Download/mch.apk (deleted)

Filesize
64KB

MD5
13684d2547f64dabfe299d1c6553a05f

SHA1
b000477d2cb51e917f2ebce3a8c53745ba7e0fd0

SHA256
3cf935d3101700253aa86e9d233201e587cfdd71b44491414b9d0f8f351febc0

SHA512
e75a7c2d43b9223cbb58cf21640ed86a1df77fbeab56d9f7904748898feac40aa6a372dfdfd44c93ea8480dad2f9889684bf37b85549d4bf8e2a2c7c79172217

Download Submit
/storage/emulated/0/Android/data/xspcmj.qiegf/files/Download/mch.apk (deleted)

Filesize
64KB

MD5
f540eafa12b7f9a3b403441c7c2d84fc

SHA1
6345721340f2a83a66bae0936f71abb63e14e3b5

SHA256
c98ab979afa6372430e3fc44722144207ce9d48ed4ffbe61417caf5683cf2116

SHA512
8d84a4a7b932f36446db461e128e3eb9afdc9d240ae217047dd0d048d6990e5563a17a93928b6e59c6b984466b416f0731ca4c475773d19c8d56ff0a0cdd1169

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads