Analysis
max time kernel: 135s
max time network: 139s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 01-10-2024 02:32
Behavioral task: behavioral1
Sample: ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df.apk
Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
Sample: ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df.apk
Resource: android-33-x64-arm64-20240624-en
General
Target: ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df.apk
Size: 20.5MB
MD5: adcdbe1e25a3e03ae1e454363012432e
SHA1: 83381d32b8a6ce9854e8e7213a6c90ac3e17f011
SHA256: ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df
SHA512: 597546c877c4ac04c910f123c3bfbe236a342e61ff7a94ddcf1639401da76b04df858da2bbf145c8d10cdfe299f2b946d7ebe75554afd6f749acc8f4d387f9d6
SSDEEP: 393216:3OsJA35z7A79L+r2d1mbgafiubcnZbb3T9i/zVN2I+TXadaKpPbNiRSKcsjJY:3RJA35z7c5zrmbBffcZb1i/zVN2IkKk4
Malware Config

Signatures

AndrMonitor
AndrMonitor is an Android stalkerware.

Checks if the Android device is rooted. 1 TTPs 2 IoCs
ioc | Process
/system/app/Superuser.apk | xuzjgkd.sstlojddh
/sbin/su | xuzjgkd.sstlojddh

pid | Process
4253 | xuzjgkd.sstlojddh
4253 | xuzjgkd.sstlojddh

Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc | pid | Process
Anonymous-DexFile@0xcf255000-0xcf4e6640 | 4253 | xuzjgkd.sstlojddh
Anonymous-DexFile@0xcf66b000-0xcf7964b8 | 4253 | xuzjgkd.sstlojddh

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs

Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
description | ioc | Process
Framework service call | android.accounts.IAccountManager.getAccounts | xuzjgkd.sstlojddh

Queries the phone number (MSISDN for GSM devices) 1 TTPs

Acquires the wake lock 1 IoCs
description | ioc | Process
Framework service call | android.os.IPowerManager.acquireWakeLock | xuzjgkd.sstlojddh

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 3 IoCs
flow | ioc
4 | prog-money.com
6 | anmon.name
14 | andmon.name

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description | ioc | Process
Framework service call | android.app.IActivityManager.setServiceForeground | xuzjgkd.sstlojddh

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description | ioc | Process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | xuzjgkd.sstlojddh

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs

Reads information about phone network operator. 1 TTPs

Requests cell location 1 TTPs 1 IoCs
Uses Android APIs to get current cell information.
description | ioc | Process
Framework service call | com.android.internal.telephony.ITelephony.getAllCellInfo | xuzjgkd.sstlojddh

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description | ioc | Process
Framework service call | android.app.IActivityManager.registerReceiver | xuzjgkd.sstlojddh

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description | ioc | Process
Framework service call | android.app.job.IJobScheduler.schedule | xuzjgkd.sstlojddh
Processes

xuzjgkd.sstlojddh (PID 4253)
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests cell location
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time

    su (PID 4294, child of xuzjgkd.sstlojddh)
Network

MITRE ATT&CK Mobile v15
Persistence: Event Triggered Execution (1), Broadcast Receivers (1), Foreground Persistence (1), Scheduled Task/Job (1)
Defense Evasion: Download New Code at Runtime (1), Foreground Persistence (1), Hide Artifacts (1), Suppress Application Icon (1)
Downloads