General

  • Target

    am.apk

  • Size

    20.5MB

  • Sample

    240901-vpyawawgqm

  • MD5

    f95cf2c20d492d6647885e8428d808cc

  • SHA1

    3ac3b2f7b6ef2adf78e3a35463d38c94bc0615fa

  • SHA256

    7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c

  • SHA512

    3d5033bfa909468d92aad54eb5a308ffea9684471cc15810974a43e5c39e81558173774599b79d1d37fd7478516f8ba922d76035694764adb0f0a053636917c5

  • SSDEEP

    393216:Hq0sJA35z7A79L+BCZ1mbgafiubcYZzb/T9i/zVN2I+TX5RUKpPbNiRSKcsIJ6:HqbJA35z7c5JPmbBffcSzti/zVN2IkpQ

Malware Config

Extracted

Family

andrmonitor

C2

https://anmon.name/mch.html

Targets

    • Target

      am.apk

    • Size

      20.5MB

    • MD5

      f95cf2c20d492d6647885e8428d808cc

    • SHA1

      3ac3b2f7b6ef2adf78e3a35463d38c94bc0615fa

    • SHA256

      7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c

    • SHA512

      3d5033bfa909468d92aad54eb5a308ffea9684471cc15810974a43e5c39e81558173774599b79d1d37fd7478516f8ba922d76035694764adb0f0a053636917c5

    • SSDEEP

      393216:Hq0sJA35z7A79L+BCZ1mbgafiubcYZzb/T9i/zVN2I+TX5RUKpPbNiRSKcsIJ6:HqbJA35z7c5JPmbBffcSzti/zVN2IkpQ

    • AndrMonitor

      AndrMonitor is an Android stalkerware.

    • Checks if the Android device is rooted.

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries account information for other applications stored on the device

      Application may abuse the framework's APIs to collect account information stored on the device.

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Queries information about the current Wi-Fi connection

      Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Requests cell location

      Uses Android APIs to to get current cell information.

MITRE ATT&CK Mobile v15

Tasks