General

  • Target

    f95cf2c20d492d6647885e8428d808cc.bin

  • Size

    20.3MB

  • Sample

    240903-cfdk1avgmc

  • MD5

    a65fb13891afc37f4ab92f652afa2879

  • SHA1

    4a70763618bfe165f33bb4a36bb1032ffb97b3e3

  • SHA256

    d354a5eeb5bd1b07595fbf25152b5944c1a0e0b9d512aed1b1f630b5fb2383df

  • SHA512

    1eb3a85089148bf4c1a1e5609b4fa4d15029148ae37c94bbd8efeb6cf353183f4d415129e02f62bca3f73fde8205c81f3d49e4626b2a6b948e2e710240de0a7a

  • SSDEEP

    393216:WCN9ihhlt+2pS9GNlme1pgfT8dv1qAqEc8bdN5XjuprKkpyK2nZpC:Wq9i7UClmeTgfT8dv1qAqErDawHnZpC

Malware Config

Extracted

Family

andrmonitor

C2

https://anmon.name/mch.html

Targets

    • Target

      7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c.apk

    • Size

      20.5MB

    • MD5

      f95cf2c20d492d6647885e8428d808cc

    • SHA1

      3ac3b2f7b6ef2adf78e3a35463d38c94bc0615fa

    • SHA256

      7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c

    • SHA512

      3d5033bfa909468d92aad54eb5a308ffea9684471cc15810974a43e5c39e81558173774599b79d1d37fd7478516f8ba922d76035694764adb0f0a053636917c5

    • SSDEEP

      393216:Hq0sJA35z7A79L+BCZ1mbgafiubcYZzb/T9i/zVN2I+TX5RUKpPbNiRSKcsIJ6:HqbJA35z7c5JPmbBffcSzti/zVN2IkpQ

    • AndrMonitor

      AndrMonitor is an Android stalkerware.

    • Checks if the Android device is rooted.

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs an executable file dropped onto the device during analysis.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Queries account information for other applications stored on the device

      Application may abuse the framework's APIs to collect account information stored on the device.

    • Queries the phone number (MSISDN for GSM devices)

    • Acquires the wake lock

    • Contacts a domain associated with commercial stalkerware (indicator list from echap.eu.org)

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Queries information about the current Wi-Fi connection

      Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    • Queries the unique device ID (IMEI, MEID, IMSI)

    • Reads information about phone network operator.

    • Requests cell location

      Uses Android APIs to get current cell information.
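The hashes and the C2 URL above are the indicators a responder would actually hunt with. The script below is an added example, not part of the sandbox report: it packages the report's hash values and the C2 host into a small matcher, checks a file's digests against them, flags proxy log lines whose host is the C2 domain or a subdomain of it, and also checks the relationship visible on this page that the outer `.bin` object is named after the dropped APK's MD5. The proxy log lines and the sample bytes in the block are constructed here so it runs offline; the log format is an assumption, not a real product's format.

```python
"""IOC matcher for the AndrMonitor sample on this page (added example).

Hashes and the C2 URL are copied from the report. The log lines, the log
format and the file bytes used below are constructed for the demo.
"""
import hashlib
import re
from urllib.parse import urlparse

# Indicators copied from the report: outer .bin container and dropped APK.
SAMPLE_HASHES = {
    "md5": {
        "a65fb13891afc37f4ab92f652afa2879",   # f95cf2c2...bin (container)
        "f95cf2c20d492d6647885e8428d808cc",   # 7b9ce40a...apk (dropped APK)
    },
    "sha1": {
        "4a70763618bfe165f33bb4a36bb1032ffb97b3e3",
        "3ac3b2f7b6ef2adf78e3a35463d38c94bc0615fa",
    },
    "sha256": {
        "d354a5eeb5bd1b07595fbf25152b5944c1a0e0b9d512aed1b1f630b5fb2383df",
        "7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c",
    },
}
C2_URL = "https://anmon.name/mch.html"
C2_HOST = urlparse(C2_URL).hostname  # "anmon.name"

_HASHERS = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}


def file_hashes(data: bytes) -> dict:
    """Compute the three digests the report lists for a blob of file bytes."""
    return {alg: fn(data).hexdigest() for alg, fn in _HASHERS.items()}


def match_file(data: bytes) -> list:
    """Return the algorithms under which `data` equals a known sample."""
    digests = file_hashes(data)
    return [alg for alg, d in digests.items() if d in SAMPLE_HASHES[alg]]


def container_named_after_inner(container_name: str, inner_md5: str) -> bool:
    """True when the outer object's basename is the inner file's MD5,
    as with f95cf2c2...bin wrapping the APK whose MD5 is f95cf2c2...."""
    stem = container_name.rsplit("/", 1)[-1].rsplit(".", 1)[0]
    return stem.lower() == inner_md5.lower()


def host_matches(host: str) -> bool:
    """Exact match on the C2 host or any subdomain; rejects look-alikes
    such as notanmon.name and tolerates a trailing dot / mixed case."""
    host = host.lower().rstrip(".")
    return host == C2_HOST or host.endswith("." + C2_HOST)


# Constructed proxy log format (assumption): "<ts> <client> <method> <url> <status>"
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan_proxy_log(lines) -> list:
    """Return (timestamp, client, url) for every request to the C2 domain."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the sweep
        host = urlparse(m["url"]).hostname
        if host and host_matches(host):
            hits.append((m["ts"], m["src"], m["url"]))
    return hits


# Constructed sample log: two C2 contacts, one benign host, one look-alike.
PROXY_LOG = [
    "2024-09-03T11:02:14Z 10.0.0.21 GET https://anmon.name/mch.html 200",
    "2024-09-03T11:02:15Z 10.0.0.21 GET https://www.google.com/ 200",
    "2024-09-03T11:05:40Z 10.0.0.37 POST https://www.anmon.name/upload 200",
    "2024-09-03T11:06:01Z 10.0.0.37 GET https://notanmon.name/x 404",
]

if __name__ == "__main__":
    for ts, src, url in scan_proxy_log(PROXY_LOG):
        print(f"C2 contact {ts} from {src}: {url}")
    print("hash match on constructed bytes:", match_file(b"not the sample"))
```

To use it on a real case, feed `match_file` the bytes of a suspect file and `scan_proxy_log` your own proxy or DNS export after adjusting `LOG_LINE_RE` to that format; the subdomain check matters because the report only gives one URL, and a sample may contact other hosts under the same domain.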

MITRE ATT&CK Mobile v15

Tasks