Analysis

  • max time kernel
    135s
  • max time network
    139s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    01-10-2024 02:32

General

  • Target

    ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df.apk

  • Size

    20.5MB

  • MD5

    adcdbe1e25a3e03ae1e454363012432e

  • SHA1

    83381d32b8a6ce9854e8e7213a6c90ac3e17f011

  • SHA256

    ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df

  • SHA512

    597546c877c4ac04c910f123c3bfbe236a342e61ff7a94ddcf1639401da76b04df858da2bbf145c8d10cdfe299f2b946d7ebe75554afd6f749acc8f4d387f9d6

  • SSDEEP

    393216:3OsJA35z7A79L+r2d1mbgafiubcnZbb3T9i/zVN2I+TXadaKpPbNiRSKcsjJY:3RJA35z7c5zrmbBffcZb1i/zVN2IkKk4

Signatures

  • AndrMonitor

    AndrMonitor is an Android stalkerware.

  • Checks if the Android device is rooted (1 TTP, 2 IoCs)
  • Removes its main activity from the application launcher (1 TTP, 2 IoCs)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries account information for other applications stored on the device (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Domain associated with commercial stalkerware software; includes indicators from echap.eu.org (3 IoCs)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
  • Reads information about the phone network operator (1 TTP)
  • Requests cell location (1 TTP, 1 IoC)

    Uses Android APIs to get current cell information.

  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Schedules tasks to execute at a specified time (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • xuzjgkd.sstlojddh (PID 4253)
    • Checks if the Android device is rooted
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Requests cell location
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • su (PID 4294, child process)

    Downloads

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB

      Filesize

      124KB

      MD5

      4c0ccabb25100a908b9db06434a6af8b

      SHA1

      555d9ecfa42e17aec483e1c05be0fc1362db9e66

      SHA256

      79aee6f8af24ae6adc8537de3a061bde3778d3d9634265b85b3e8727d4116304

      SHA512

      b9a4a1227fa927f0ef987a720c5bf16af71f3fba8c1a40d5387ad0d4ba193a1b7b23634b0850af7c25b55c8b2e984e7c84ab8fb3e55c83b3bc2ff859f4dcc5bb

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB

      Filesize

      96KB

      MD5

      52c2b8ca72be882b79b1796240baf6b8

      SHA1

      960ceec90ae674dfde2bb42e3168d267c595a28a

      SHA256

      8eed365379485c24efd601683520a14924df51c40cdd635eae99c220c16d2332

      SHA512

      30d6a0490784a6acc8a2398c133c2b3bc595a8f7206b90b08093d616639068ed14d0c8e707f82cd398b41c8ef608417d05b84e5c147810042664932342e7fb28

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB

      Filesize

      96KB

      MD5

      ad1140bc082e1b36a5a0a72c30c1f038

      SHA1

      8e33d0a5dd7f4a9c3ba835a89a8708c26ccba34a

      SHA256

      f61f8e6ff2d114f86706ac0ada64744d4c105f0467ed5ddcb95975d894446cf7

      SHA512

      48c8f2649dbb152289b06c0e709b189ab05188af1a8696d08cae7d823c7cb17f91808fb97a94d27ee205d1fe5e06d5b95563db860e59248c991c03773d218a60

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB

      Filesize

      52KB

      MD5

      b6815b344f6926d458cea05acd052cdd

      SHA1

      88f524aff1d4c5fee979a203dd952427871a7097

      SHA256

      028666f28ae0086b18fb740f792e8a80ad05547f0c7cb9d2dc8080e5125db366

      SHA512

      0431375f80e9c467d0abb042e43681a973bce455fe8354f5a138f19a3b28d3adc7eac3fe4c20bf44f085810749569b87a393185cd8f8bf2687f0923b8de4dade

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB

      Filesize

      96KB

      MD5

      cfb0b0e682a1ffb472e1d18daa055266

      SHA1

      d45b70595f5ad4f89af117583cfbb3c77450cb02

      SHA256

      cb08f3ce33a22bc3a6ce0e13acf5a8b7c297cb1011728b49faa213fea4a09b79

      SHA512

      11733b53d8bec6c1a0101ac368c616c45eb0fab07f4c01eb839fc9c29313177239e999513d4b7c9156de5fa6b9bd173d17edc329925eb655e2b111ab86270dc2

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB

      Filesize

      144KB

      MD5

      bbc81a88fa4e9ad222194d1b5c28b970

      SHA1

      243705a037523e789e61b31cdfb6334209762ffd

      SHA256

      e749c071bb1106a7ed8e0328a1a1412337ebfcb0dfe451c4c046642edadef173

      SHA512

      4d53bf5c4dd455f1a192b13ceeb7564c2c3e8d50820502ede6239f4ea9549bcc8543224c22ae4847c1696e5d7290582137aece44df09a6453276757ca2980e01

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB-journal

      Filesize

      512B

      MD5

      c4fb2cc52f83991689dcddda8d6ca3a4

      SHA1

      356a032d74394dacd69ca5b6c724fd80551fe51a

      SHA256

      6db0c0c9727dca9001c98e35394f6d9d1ea329f51785ad18f6f2c16c0c04213d

      SHA512

      a54c4e98737d77799e29227db1c94de55d7c4b787f5ea68e816b7fbf6d5fbdbb4d35855f3250f274743036ab76e859dd170538a3881f3d6781628c56c7e81a1a

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB-shm

      Filesize

      32KB

      MD5

      bb7df04e1b0a2570657527a7e108ae23

      SHA1

      5188431849b4613152fd7bdba6a3ff0a4fd6424b

      SHA256

      c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

      SHA512

      768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB-wal

      Filesize

      414KB

      MD5

      8b61b572031aab6ffe3217c6157cb5d3

      SHA1

      67fb79155aaf977c35a28793c5c2f4d30aeb39e1

      SHA256

      11d17219234361396ab6ced97b50f355eab29fd3062e2b4ad6ef461085933b9a

      SHA512

      2885532b690235ac51eb0d41f53afb20ad254acd7d2b70687a21b9de1c85741ddee43c6a98d74900b4c259a5fb13dd078f485957aca32cd8838a7611343b2ee0

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB-wal

      Filesize

      8KB

      MD5

      f62c1017e0c4e04c816649cfadff5483

      SHA1

      495eef79409ee838a0987b0ad3a0701fa7d0aee1

      SHA256

      5a5872fa7105bfe8c3af40286e11a0ce36923194f828e6eee700dfd0916733b9

      SHA512

      a006c9ea3c78c66ea1b6c6ad4e7e9f3da08c122df9ce3d87218dacd1128f6bf99f6a4a70949f34ffefc19bc52614dc0b0c0f6159f88bbcdd52b7155409ee1f56

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB-wal

      Filesize

      8KB

      MD5

      efd26fed3396e7a0c4ce390daecf8f9f

      SHA1

      07c977a1cfdd9d3dcdf762ec1d83e98649420c7d

      SHA256

      c70a25ccc641f55a39572c000ee53e6ddadf94089d164cca4852ef1ce748f2d4

      SHA512

      99c32fd971d4da1e80cd66e1a455b1be36fa88d1fe9078b309cf1adb381cbc9e4c29ac467386b4a9187ff5b2db341379257362ea832f45ba0eed45efdc98bf81

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB-wal

      Filesize

      4KB

      MD5

      8cdbc608da0970d58f3b4aeb1abe6ba3

      SHA1

      b3bc2f1a6a22385a144b19c9aa6868f9eb04487d

      SHA256

      1cf327cca4d1186c3f7ff9348050e390857cd85920376cafb2506c65ed69df96

      SHA512

      e0cd4c36e4c04eded3436daa3434d6130c1207a75e80255ee8865846457b92739f23fe7ab01ca589b5d55ff8f53f4080a2d9087e24a08aa7d4fc65976ca1b038

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB-wal

      Filesize

      8KB

      MD5

      aab2f95b8cdba1007b178fa82f27ced8

      SHA1

      eeaa371c1594afbcb7f00bdbab7d5f2f9833319e

      SHA256

      57e406cc719bc1853864bb78e34fb6c94835eb7fb515762f21d8a1cf34af235c

      SHA512

      34c99af2c93c31c17439df3a44552245f39d204dd839907d4b495f608817d789a00302214432195f9d9459f879e4fbb81d48434df97d8281b1b29e1600741652

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB-wal

      Filesize

      418KB

      MD5

      3a7c29f3a050c2351f563ce45630fbcd

      SHA1

      2d1fe45b283a2d8b259982e581be3d8ed085236e

      SHA256

      c6dd508c734901e278e6131174152a695a1f0ed092f4eeb8226fb39c8e815843

      SHA512

      c62176e35281fdccd76d6880281d5482242bdf68ca62eafe75da88ffc0c020ed5eea37bc791c62dbb4cc0124745c9b5f87b904ff2a63ccb179da3a1bd92347c3

    • /storage/emulated/0/.am/dm/md/main.md

      Filesize

      2.6MB

      MD5

      ebec0623df12f3d7e493604884e808dd

      SHA1

      74fa9c2749e8af6bf4f00bc232089e4ba8876ba7

      SHA256

      546b24036b300cfb4b6f17e5df3a0b14015d2eb4d654faee2283526f337e1d2c

      SHA512

      d404aca340c2461c5611b0e4822d552ddae48771ab059e1b13edd3493031e9f0b0d95fa82b6584f6b75bfdc5bb54b76526cc4790cda994b6405a275a48ea8ea2

    • /storage/emulated/0/.am/dm/md/main_tools.md

      Filesize

      1.2MB

      MD5

      51112e0a7f7962a8e02bc885025414ef

      SHA1

      40622959af4fe349d8881c885b9b30441de8804c

      SHA256

      2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0

      SHA512

      f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402

    • /storage/emulated/0/.am/log.txt

      Filesize

      173B

      MD5

      0507428a4c7c480b5bcdc10b5c53f16c

      SHA1

      a5bc681a40e58762acec6973a75dbbdc82899aed

      SHA256

      a27500b6d260f714663fe3696ae928777f542ef358f1f81325c9fe379159b097

      SHA512

      65f02ca4beb1f9df188a390be52ae0f708fa73e0c8c7a2848a1c6d6ad80e7a4be3aec58858b2819f8bd9d01fa161a460e7c79afbfe067e274f4c1334bb07df95

    • /storage/emulated/0/.am/log.txt

      Filesize

      152B

      MD5

      3d6e13e92058f6a7fdda9b353cb29847

      SHA1

      2aa6ba980bdd5d827e537d46757ccbdf4bd2e7b9

      SHA256

      b7d15bdb04be52b9a7f1e72af5ea76341ddb79463ad8f7ca6939a6d11952c58d

      SHA512

      bfcdc7d093acc9f03b3136730cdaf1c61af9dcedad4be593a8f0992f3a355f74f8e392e1d50005d43f81d38b39dea06c5a90120e0b0f27b073874d2e6959fece

    • /storage/emulated/0/.am/log.txt

      Filesize

      3KB

      MD5

      872b08fef74aad6b6b504ef991bd3a32

      SHA1

      7ab9ee76d98a0135732f574145a616c8e18d4374

      SHA256

      11562613a8763b461f544de1f1a70231d822e53763fcb2a12c5ebaece69145be

      SHA512

      d9d7d970c48d52c7434bb39ff42ed48ad18e1ea0a9e568aa2ff8c35965c3faa26f631ea32db3f4f1c9fef4eaf149b11304a4e3dd2ce0be4aac19948d6ed78d07

    • /storage/emulated/0/.am/log.txt

      Filesize

      64B

      MD5

      79c77132d9608e682f3cd681802ff483

      SHA1

      58564328847581ff953032c9bde567e025bc9228

      SHA256

      5a67e6d1b13d1c40622010f049cacb8156457108980d20fe248ea1aaf6cb4635

      SHA512

      f8df4090302ea7761e78c6f80ebdaa8a3d520e49be60b87d90db5d65d64c51979eb4d79645930adc752eb2267952bdc729fc2cf5ccc068a878f9660c8254029b

    • /storage/emulated/0/.am/log.txt

      Filesize

      72B

      MD5

      90c6bc002ed9c64d80ed184e234ae0d2

      SHA1

      6b6c48717b82b0bed61672c12227bcd8cadd18af

      SHA256

      621cd72511fa24d46ac2fbda3c46faa56062b1e131ee8e28847e2a13e98622a2

      SHA512

      a358401a7bce7bce9ba91f6950781f44d57655c5e560fcab8f56c7ee62314e9aced0198f8ba3a1ebcbe27e7507a7c864f911e57b6bb2d88969241f6b9e50a725

    • /storage/emulated/0/.am/log.txt

      Filesize

      163B

      MD5

      6c1a02cc415c7c326c65205d85eef599

      SHA1

      535fd5bc314629c3b0e60a7481b233ab75050b3e

      SHA256

      d9f9aacabeaef9a8e30639ef92082df576e59144c043162253168ba92d3d2ab1

      SHA512

      6669844184188e186ee9d733ea75cad0784d844aa6fbd14215a13f630e621de6888a4a848fbcc055c29d64d9167b700efede36d7d279ba0cb8e6d6ee0be1df87

    • /storage/emulated/0/.am/log.txt

      Filesize

      134B

      MD5

      664ab012feaa1edd3bfe7881a5d82167

      SHA1

      a40786ae97d7107396b32822c1ea218667198855

      SHA256

      09a27fc918856101792093a46a51311dfa3f6dde3c9ddac2157056ab4bd8f29b

      SHA512

      2a0a91de70baef829fdec73f870ab06b531ba7ea7213a5d898d8d2b7055ce70832aa98d1f9ce54bed9455d48669cac0bc101ca54739cf07961bfb303fcb47963

    • /storage/emulated/0/.am/log_.txt

      Filesize

      26KB

      MD5

      3952806292ff83b9c1e0543c45a2a053

      SHA1

      fcd7a9c2f963d4261b65f00fa4bc3fa933cad61e

      SHA256

      0663e5cc180d4be68a9e38d72a81bc7618693f2e4e1fa61e3f81794e42c1b70e

      SHA512

      82b155a0ea3ecaf9569273e99ad7666f78b04bae8329275e3144c418fe902161c7a201529c8d7b362266cd81ea282497dda5a7f3f24ca7345cf13752d96b212b

    • /storage/emulated/0/.am/log_.txt.zip

      Filesize

      6KB

      MD5

      517f58825f67b8e1f6c4eced1ff3c754

      SHA1

      3bdad22276b7cf68275c161334a8470ce6e94ff6

      SHA256

      48878a3d88f451537d4977d171be70b87a621c563ab305356d432ff01faa1357

      SHA512

      df9967e56ccd03b45b0a8010f63ea45311f261902addc96da040aefe85004e9223fbf2f1ef9015c13c8c0c913e8ac90814b241c1aa43ac11b61806dad7f56cf6

    • /storage/emulated/0/.am/log_1727749954849.txt.zip

      Filesize

      219B

      MD5

      265a17cb69131708faac01be985a1a8a

      SHA1

      a0e09e511226177c261787515c4d7a1c67e26e82

      SHA256

      ac0964bc5369c9bcffbe388fdccb402a71b2c57588320e14e832f9471c8d87c1

      SHA512

      bb4b9bef87a705d1d9cfeb1b501a7c6599ae09af74820b1b924281ac1509b95590f4ab7f43e4f877034ea034a2d1b769864ab91cd75830df516e34955ec97947

    • /storage/emulated/0/.am/prog_class.name

      Filesize

      73B

      MD5

      647e6c66ab347eab81c9d3ea0462cbb8

      SHA1

      18fc7323e638dd74eb14290c550b6af4d9957ab9

      SHA256

      4a5fbe96836d0122c584507966ecacafb22e8542a80922cc7198b59fc1287a54

      SHA512

      721e0b6fa92636dc0b310f16b4d9aa2f0c34c0544d5df4cda47a07fc2f2a1a7a5029bc175a2d24d751d0cb1664475f3642631c4a92a462b3cc8b7f4b65aac2dc

    • Anonymous-DexFile@0xcf255000-0xcf4e6640

      Filesize

      2.6MB

      MD5

      c804156b95a21c4bf0b1e2c8a133894a

      SHA1

      dab8c525d3c86618f2f70a8de71979df529e959f

      SHA256

      395c690bb3c3ec85b3c36ae8498ebbb895b71e745acf9e7f120578a9033d9a68

      SHA512

      52110dadace88fb28be4d9289d797346d5b4e4dc753279769101be18e7d2fa90c2b315e9cff2f89e694c2e0a64f943002116e46c4807ead7d852adc2cf54e7e4

    • Anonymous-DexFile@0xcf66b000-0xcf7964b8

      Filesize

      1.2MB

      MD5

      336921950a9f279733cd787f1203d73d

      SHA1

      cefc36a7c17909054cf2a507b34f545af96c0e36

      SHA256

      c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c

      SHA512

      6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87