Analysis
- max time kernel: 139s
- max time network: 142s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 01-10-2024 02:33
Behavioral task: behavioral1
  Sample: am.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: am.apk
  Resource: android-x64-arm64-20240624-en
General
- Target: am.apk
- Size: 20.5MB
- MD5: adcdbe1e25a3e03ae1e454363012432e
- SHA1: 83381d32b8a6ce9854e8e7213a6c90ac3e17f011
- SHA256: ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df
- SHA512: 597546c877c4ac04c910f123c3bfbe236a342e61ff7a94ddcf1639401da76b04df858da2bbf145c8d10cdfe299f2b946d7ebe75554afd6f749acc8f4d387f9d6
- SSDEEP: 393216:3OsJA35z7A79L+r2d1mbgafiubcnZbb3T9i/zVN2I+TXadaKpPbNiRSKcsjJY:3RJA35z7c5zrmbBffcZb1i/zVN2IkKk4
Malware Config
Signatures
- AndrMonitor
  AndrMonitor is an Android stalkerware.
- Checks if the Android device is rooted. (1 TTPs, 2 IoCs)
  ioc | Process
  /sbin/su | xuzjgkd.sstlojddh
  /system/app/Superuser.apk | xuzjgkd.sstlojddh
  pid | Process
  4248 | xuzjgkd.sstlojddh
  4248 | xuzjgkd.sstlojddh
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc | pid | Process
  Anonymous-DexFile@0xd3583000-0xd3814640 | 4248 | xuzjgkd.sstlojddh
  Anonymous-DexFile@0xd384b000-0xd39764b8 | 4248 | xuzjgkd.sstlojddh
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect account information stored on the device.
  description | ioc | Process
  Framework service call | android.accounts.IAccountManager.getAccounts | xuzjgkd.sstlojddh
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  description | ioc | Process
  Framework service call | android.os.IPowerManager.acquireWakeLock | xuzjgkd.sstlojddh
- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (3 IoCs)
  flow | ioc
  11 | andmon.name
  4 | prog-money.com
  6 | anmon.name
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.setServiceForeground | xuzjgkd.sstlojddh
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description | ioc | Process
  Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | xuzjgkd.sstlojddh
- Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)
- Reads information about phone network operator. (1 TTPs)
- Requests cell location (1 TTPs, 1 IoCs)
  Uses Android APIs to get current cell information.
  description | ioc | Process
  Framework service call | com.android.internal.telephony.ITelephony.getAllCellInfo | xuzjgkd.sstlojddh
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework service call | android.app.IActivityManager.registerReceiver | xuzjgkd.sstlojddh
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description | ioc | Process
  Framework service call | android.app.job.IJobScheduler.schedule | xuzjgkd.sstlojddh
Processes
- xuzjgkd.sstlojddh (PID: 4248)
  - Checks if the Android device is rooted.
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Queries account information for other applications stored on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about the current Wi-Fi connection
  - Requests cell location
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - su (PID: 4287), child process
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
- Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
- Suppress Application Icon (1)
Downloads
- Filesize: 124KB
  MD5: 4c0ccabb25100a908b9db06434a6af8b
  SHA1: 555d9ecfa42e17aec483e1c05be0fc1362db9e66
  SHA256: 79aee6f8af24ae6adc8537de3a061bde3778d3d9634265b85b3e8727d4116304
  SHA512: b9a4a1227fa927f0ef987a720c5bf16af71f3fba8c1a40d5387ad0d4ba193a1b7b23634b0850af7c25b55c8b2e984e7c84ab8fb3e55c83b3bc2ff859f4dcc5bb
- Filesize: 96KB
  MD5: 32eb36fd89cb29369ac7940d327c192c
  SHA1: de8274b554b141366260494786d6f84da5d89b95
  SHA256: af502afd18aa481cc6c693c490692a38c5f85fff7bc5e2186e9f0cf9e2e0ab15
  SHA512: c9acd332a38efdd5c915404cd5c9cf510cd407d25f0ac1f2e0a209b6242d91df625add3747fca60ee96b79ae306f7c15be7e31856b48ab8a8b34d832a17db530
- Filesize: 96KB
  MD5: 3fbb5b29e86e120e70525446d8829dfc
  SHA1: b2ecd30db3b9de229e0cf024509b47cdd5820cbd
  SHA256: 24ba8cc18b97745dc5cacd89e2ef6e14a2105969f7867cd3d5525fbeae76dd9f
  SHA512: f93b51c7020f885eeb531f8fc22d4630bf43e3586e3be65fe709149bd11a6871fb3aa52dc8c5cebcc38083eb1cbcb871c54e9f3c3a686c6f3dcf846721c5abb0
- Filesize: 52KB
  MD5: b6815b344f6926d458cea05acd052cdd
  SHA1: 88f524aff1d4c5fee979a203dd952427871a7097
  SHA256: 028666f28ae0086b18fb740f792e8a80ad05547f0c7cb9d2dc8080e5125db366
  SHA512: 0431375f80e9c467d0abb042e43681a973bce455fe8354f5a138f19a3b28d3adc7eac3fe4c20bf44f085810749569b87a393185cd8f8bf2687f0923b8de4dade
- Filesize: 96KB
  MD5: 753763488e19f8bdf6abb3643f08b044
  SHA1: 807920e79ce8b9f5123732b847e3f07fea40b017
  SHA256: 6594cc2bab41b9fa97a87050826c41094d0d82c24e3a6e63419d5ea8ab8b1e2b
  SHA512: 92434b9d29aeb234926c90b36882ff3d5f5218aa0bf6a4bd6b704c47f919732bd327a2c6978fecf0fe170b490cfe6241092bc08afcacc1654a5369632797f233
- Filesize: 144KB
  MD5: 136ee537d5a2b7517079626ff38ac41f
  SHA1: 2aef4f23423d841c70b12aa300dce57b36755dcc
  SHA256: 45860dfae2b4e7bc0ba25598aaa696469e497b134017680292946afb8c61b619
  SHA512: 630841bb7e7816e7b3fca13f3c66adc6d13b66de3a43c47b70eefd913271c23a3bbde5b269e1087772ede72a2defc72f9997c910b8289206f6fd2e1f7ced6942
- Filesize: 512B
  MD5: 941532757333abd610a66b802e3e5d2a
  SHA1: 98bca46e2631bd5fa73b1bb8420a97010ec1e005
  SHA256: fd127254ae22033df3d5c8379f43b69bbe4e0e549c2faf58f589dc9faf44c83a
  SHA512: 4a855cd6892000576442d542b1f754c01772b16d017aed1e2af6c91defd71a647a799c24b90fd60dfd51cc6d200b077d115600db53ea277ac00ad3ef252b1690
- Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
- Filesize: 414KB
  MD5: 0a31bf39bd16a6e6907800327c48a0eb
  SHA1: dd8122b23251ddda995b93c713a1904c81ebec69
  SHA256: 02ee0e1c773384fa776d80b271ce3bad7ea3a7959abb3308ad6ac2ba184b2ae7
  SHA512: b8df13382a41892356bd404a33022fae1a0d058922b86243232316b3d724acc2a5c760eda58258aa3f017a79249bb9390f3459baf4a48e3161e9d88d6187b332
- Filesize: 8KB
  MD5: 672d232abd02d0656ffb07e7a7fbccb3
  SHA1: d95ec0cab44e990e84a3987d2115ba35e1a44c79
  SHA256: 1e6cbc337187f70194467e8296883683a2242547b47813f2bf7a8da20b4d4a55
  SHA512: 042f1064ed3f1178f0e262f287e0f004bf547db9b85fcdf5461843ca721a01dd1500f3192d936c2987ab9ab6504c2b9c862efff3c94140a4423d358d08cba9d6
- Filesize: 8KB
  MD5: fc9bce68537b74d108c386bf510a6575
  SHA1: 36f40bdd2c358dec0c3929c9d6d4e75565bf5c07
  SHA256: 04fcb1331193398c198e20a4f77d435601593bfd9c43c5aa49faa4024c6b4ce3
  SHA512: 346910a7fabce149de48407540d2bde896a1b3e0da3a5b7cfd4563ab64238f2b4a3bc09ef0d39b4569c6103ffb97c2ac162cfedaaaf420c828f370805cade5d9
- Filesize: 4KB
  MD5: e542683feca1340903500aba269d179c
  SHA1: a267af5f66d90ac456cfc748560d4371c74ce53d
  SHA256: eded064fca6cf2ad009cd0e1c080785a322ef46ebac9b16783eab77c83cfe77f
  SHA512: f803a7411a6c648b7be02cacd158429e536d73d6734316c1ca17cb5a0ce8c61fcc097ceec79576a04d2b4fabd8d5af6a74e0130bdd675514e513035032bbd4c0
- Filesize: 8KB
  MD5: 37761324e531606a479d8ee371519c3c
  SHA1: 409aba2b6cc6e24826690f82fde2b023a5433485
  SHA256: 883ebad5027d1c79053e8a095acc97ad922fd35c395f727cd016c68a9e704c78
  SHA512: 476b5af7aea09d554b594f61610c61c63d5e8938adf87ac515e32cde8c83ddb8db7b1a15529116981c262240165b8e52e2b23dfd8ca5cd73ee41a117ceb94655
- Filesize: 418KB
  MD5: 2673727afc5b5d008bfaf286b52ef550
  SHA1: b547745b3c86bcfc6059ef8bcb254192d2721612
  SHA256: 01cc340bb6569f1416d3358f7e99da4cb484a3d4698280abd47ec62f7a0b817c
  SHA512: 68bd3e4e1955a4e63e009c9f43cd9d0c72ea1df0b15bd71fc6a264b97965c1edbb01b041db916d8b2e2e8190535ba429ee9ccadfbd7fa36582aa4715f0cf4073
- Filesize: 2.6MB
  MD5: ebec0623df12f3d7e493604884e808dd
  SHA1: 74fa9c2749e8af6bf4f00bc232089e4ba8876ba7
  SHA256: 546b24036b300cfb4b6f17e5df3a0b14015d2eb4d654faee2283526f337e1d2c
  SHA512: d404aca340c2461c5611b0e4822d552ddae48771ab059e1b13edd3493031e9f0b0d95fa82b6584f6b75bfdc5bb54b76526cc4790cda994b6405a275a48ea8ea2
- Filesize: 1.2MB
  MD5: 51112e0a7f7962a8e02bc885025414ef
  SHA1: 40622959af4fe349d8881c885b9b30441de8804c
  SHA256: 2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0
  SHA512: f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402
- Filesize: 173B
  MD5: 7854172b9dba02ae95818a5c78a0f2ee
  SHA1: 9e133c79ebe20c40454000795311bec9a612e828
  SHA256: 5a49ad87b255ff5a4e7d6991097791e3e6080c243a59fe67cddfd8771cd7dca4
  SHA512: dfb3e1052ceddd07ab58eebb999cbcdcef234e2a06e78a87d18cc7a61c8197e98a032108cee0d29cfae8c314c36c6a53d31cc2474da479e9b9e77750c60bc1eb
- Filesize: 152B
  MD5: 45faceca0ffc5a22e13ee970729611c2
  SHA1: 6927d6b14dad173a41dbad38255b57185efc20d3
  SHA256: 0793e9ae6febaf2ba0b052fb8fc8f32abaa8d42c3e5f63f93c7817f412d205af
  SHA512: 2a73bee9c485a59425917bfe71380d93fe3f40e7fa27096409a5f6604d9ec61e4a0954a25c75c4e60e8e9539546715058f20ed382e523ff6b00cca538bb3f169
- Filesize: 3KB
  MD5: baba8e92c8befd850a12613059b411a5
  SHA1: b79e20b764104595df349676e48cdc4bc7abc37a
  SHA256: 26002974876daef5fc06f07c379e588a5533d73aa96305ee6f54801977cf2ea0
  SHA512: aa7a6a199c9431915ee3a385c544fb1b50e5d1b85d726b0beec38131b9deb7d21514805b233add7f3ea3682767ecbfa06b36434b9362fb0aa993abf255966744
- Filesize: 64B
  MD5: 55e1117ee67175c3342d5b3725005756
  SHA1: b1cd3b46c534ef7f6b5df278fc28cfafc9e1ec60
  SHA256: 0b8897e8b70bf415f6f6a2492ec602bbc64a420a6bb45e4f8222e58072566c9e
  SHA512: 49ee009d02f5e2124dbe91f5d20c6f78a138985fa767155cfc10b3439b18a9c20bb7a0feeb5f97ee75e19411823da3d327be867f502d2b5bad5102b11654b90c
- Filesize: 72B
  MD5: c66ff73d457d80c0515599499edff733
  SHA1: 66026558cc909a1603e6257bac9c589c31ef116c
  SHA256: 7d8177ba3525b1b5b24f827ee2ae17a925a88fc35839d49acec6d5c5626a8818
  SHA512: 9e04e890dec96bab4f8c4044c94fc96d78f1545be1f2ec7cb0716b60886d909db991a34921274cc75c492c2bd5335a67c6409adc75cfc22a6afbc4cda21587ee
- Filesize: 163B
  MD5: ddcba951ada5000b9132485c9cae5148
  SHA1: 241c885e6f67a85d48058596d86b4e2d454974e1
  SHA256: 517d3bc5cf4eb63757b6a95779196fe9dff9065b90735d3b579e7b8fff1fe8e2
  SHA512: c3cbbf13bbde8dc7e1c66ab4359afbe02280b3bceec070ae3f5d0d53d964869626c1a6864d50521f76fec753a3e5a11498fc2cddea5282c733944b700d266cf5
- Filesize: 134B
  MD5: fa63aaf1224f2e9091706367dfda194b
  SHA1: 13f2bf932f33ddefa2b292dfebdc35a17513881c
  SHA256: 31eb8d1f4948c9fa567cdd588347a2b33a7eefa21cad302e4e5b1dde5a572403
  SHA512: a41afd9ed8e12a81face8c8d03aac59ede9d239ba0b88eaea84d31007dc1423d3aac118478d12afca47015eb9c4921436c5433e685a3c190cbc9f1423565976e
- Filesize: 25KB
  MD5: dad04b1255a4a977e6c6c503996ab9e8
  SHA1: ff5c108280e3f705ba307fb6d4ece438faa19beb
  SHA256: f39f6be1c52f512e0ec0e147e9ad77a7694868d7f59709a89e6ccfc8c6b1701d
  SHA512: dc9d7ad8c6e7895d51d41653d3173a8bcb5cbbaa48dc0479f0401c24f7acf6687340347f72fad475583bc953efe3c2d4cad692388f921d219833c3944e7d44ab
- Filesize: 6KB
  MD5: 09a2f677bf7b722897c7acaa4e16f0f0
  SHA1: 33eb511ac020356b1b0fa0c3909e868af27c64a0
  SHA256: 8c39ff8487a468fcf2a77d54bef8a5f40eae5b895ff885c5e1ca620fdc0f31c9
  SHA512: e672fe5a67af9b851aea9d06b240a41556a86d0d9a4dbab88c66464a9255488e844c23404077df12010c32b92e415de8e1b2c5a03e9ee690a6ad827ed405c33f
- Filesize: 219B
  MD5: 4e004176542a31ff793ed0f446fff379
  SHA1: 69f1ace855440b429cd2819c717d84905342d1b9
  SHA256: 954ac2d3e324b9aa3ad5777877fdfdd2919fbfbe259016d2ad380214c0f8d639
  SHA512: dbd9db357db9ddccf5e1f1bc4c122663b5fc6dc4eca1b5ef6c48e9f2005d9595f06c8368161d434ac8754b22019874771210d26f0d93311e3c7b3649fd627d5a
- Filesize: 73B
  MD5: 647e6c66ab347eab81c9d3ea0462cbb8
  SHA1: 18fc7323e638dd74eb14290c550b6af4d9957ab9
  SHA256: 4a5fbe96836d0122c584507966ecacafb22e8542a80922cc7198b59fc1287a54
  SHA512: 721e0b6fa92636dc0b310f16b4d9aa2f0c34c0544d5df4cda47a07fc2f2a1a7a5029bc175a2d24d751d0cb1664475f3642631c4a92a462b3cc8b7f4b65aac2dc
- Filesize: 2.6MB
  MD5: c804156b95a21c4bf0b1e2c8a133894a
  SHA1: dab8c525d3c86618f2f70a8de71979df529e959f
  SHA256: 395c690bb3c3ec85b3c36ae8498ebbb895b71e745acf9e7f120578a9033d9a68
  SHA512: 52110dadace88fb28be4d9289d797346d5b4e4dc753279769101be18e7d2fa90c2b315e9cff2f89e694c2e0a64f943002116e46c4807ead7d852adc2cf54e7e4
- Filesize: 1.2MB
  MD5: 336921950a9f279733cd787f1203d73d
  SHA1: cefc36a7c17909054cf2a507b34f545af96c0e36
  SHA256: c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c
  SHA512: 6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87