Analysis

  • max time kernel
    139s
  • max time network
    142s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    01-10-2024 02:33

General

  • Target

    am.apk

  • Size

    20.5MB

  • MD5

    adcdbe1e25a3e03ae1e454363012432e

  • SHA1

    83381d32b8a6ce9854e8e7213a6c90ac3e17f011

  • SHA256

    ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df

  • SHA512

    597546c877c4ac04c910f123c3bfbe236a342e61ff7a94ddcf1639401da76b04df858da2bbf145c8d10cdfe299f2b946d7ebe75554afd6f749acc8f4d387f9d6

  • SSDEEP

    393216:3OsJA35z7A79L+r2d1mbgafiubcnZbb3T9i/zVN2I+TXadaKpPbNiRSKcsjJY:3RJA35z7c5zrmbBffcZb1i/zVN2IkKk4

Signatures

  • AndrMonitor

    AndrMonitor is an Android stalkerware.

  • Checks if the Android device is rooted. (1 TTP, 2 IoCs)
  • Removes its main activity from the application launcher (1 TTP, 2 IoCs)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries account information for other applications stored on the device (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Domain associated with commercial stalkerware software; includes indicators from echap.eu.org (3 IoCs)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
  • Reads information about the phone network operator. (1 TTP)
  • Requests cell location (1 TTP, 1 IoC)

    Uses Android APIs to get current cell information.

  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Schedules tasks to execute at a specified time (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • xuzjgkd.sstlojddh (PID 4248)
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Requests cell location
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • su (PID 4287, child of PID 4248)

Downloads

  • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB (124KB)
  • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB (96KB)
  • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB (96KB)
  • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB (52KB)
  • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB (96KB)
  • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB (144KB)
  • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB-journal (512B)
  • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB-shm (32KB)
  • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB-wal (414KB)
  • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB-wal (8KB)
  • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB-wal (8KB)
  • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB-wal (4KB)
  • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB-wal (8KB)
  • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB-wal (418KB)
  • /storage/emulated/0/.am/dm/md/main.md (2.6MB)
  • /storage/emulated/0/.am/dm/md/main_tools.md (1.2MB)
  • /storage/emulated/0/.am/log.txt (173B)
  • /storage/emulated/0/.am/log.txt (152B)
  • /storage/emulated/0/.am/log.txt (3KB)
  • /storage/emulated/0/.am/log.txt (64B)
  • /storage/emulated/0/.am/log.txt (72B)
  • /storage/emulated/0/.am/log.txt (163B)
  • /storage/emulated/0/.am/log.txt (134B)
  • /storage/emulated/0/.am/log_.txt (25KB)
  • /storage/emulated/0/.am/log_.txt.zip (6KB)
  • /storage/emulated/0/.am/log_1727750002013.txt.zip (219B)
  • /storage/emulated/0/.am/prog_class.name (73B)
  • Anonymous-DexFile@0xd3583000-0xd3814640 (2.6MB)
  • Anonymous-DexFile@0xd384b000-0xd39764b8 (1.2MB)