Analysis
-
max time kernel
141s -
max time network
148s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system -
submitted
01-10-2024 02:33
Behavioral task
behavioral1
Sample
am.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
am.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
am.apk
-
Size
20.5MB
-
MD5
adcdbe1e25a3e03ae1e454363012432e
-
SHA1
83381d32b8a6ce9854e8e7213a6c90ac3e17f011
-
SHA256
ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df
-
SHA512
597546c877c4ac04c910f123c3bfbe236a342e61ff7a94ddcf1639401da76b04df858da2bbf145c8d10cdfe299f2b946d7ebe75554afd6f749acc8f4d387f9d6
-
SSDEEP
393216:3OsJA35z7A79L+r2d1mbgafiubcnZbb3T9i/zVN2I+TXadaKpPbNiRSKcsjJY:3RJA35z7c5zrmbBffcZb1i/zVN2IkKk4
Malware Config
Signatures
-
AndrMonitor
AndrMonitor is a family of Android stalkerware.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
ioc                        Process
/system/app/Superuser.apk  xuzjgkd.sstlojddh
/sbin/su                   xuzjgkd.sstlojddh
/system/bin/su             xuzjgkd.sstlojddh
-
Removes its main activity from the application launcher
pid   Process
4518  xuzjgkd.sstlojddh
4518  xuzjgkd.sstlojddh
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc                                                  pid   Process
/data/user/0/xuzjgkd.sstlojddh/[email protected]  4518  xuzjgkd.sstlojddh
/data/user/0/xuzjgkd.sstlojddh/[email protected]  4518  xuzjgkd.sstlojddh
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
description             ioc                                                 Process
Framework service call  android.accounts.IAccountManager.getAccountsAsUser  xuzjgkd.sstlojddh
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description             ioc                                       Process
Framework service call  android.os.IPowerManager.acquireWakeLock  xuzjgkd.sstlojddh
-
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 5 IoCs
flow  ioc
27    prog-money.com
28    prog-money.com
29    anmon.name
30    anmon.name
31    andmon.name
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description             ioc                                                Process
Framework service call  android.app.IActivityManager.setServiceForeground  xuzjgkd.sstlojddh
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description             ioc                                               Process
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  xuzjgkd.sstlojddh
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests cell location 1 TTPs 1 IoCs
Uses Android APIs to get current cell information.
description             ioc                                                       Process
Framework service call  com.android.internal.telephony.ITelephony.getAllCellInfo  xuzjgkd.sstlojddh
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description             ioc                                     Process
Framework service call  android.app.job.IJobScheduler.schedule  xuzjgkd.sstlojddh
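The signatures above are a set of behaviours, each tied to a concrete indicator (a Binder framework call, a probed path, a resolved domain, a code-load path). As an added example that is not part of this sandbox report, the following Python turns a sandbox or Frida event trace into the same per-process behaviour list. The event-line format (`<pid> <process> <kind> <value>`) is an assumption; the sample's package name, PID, probed paths, framework calls and domains are taken from the report, while the second process (`com.example.weather`), every file path and every hostname in the trace are constructed for the example.

```python
"""Map sandbox events to the AndrMonitor behaviours listed in the report above.

Added example, not part of the report. The event-line format is an assumption:
"<pid> <process> <kind> <value>" where kind is one of call (Binder framework
call), stat (file existence probe), dns (resolved name) or dexload (code load).
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Indicators copied from the report's Signatures section.
ROOT_PROBES = {"/system/app/Superuser.apk", "/sbin/su", "/system/bin/su"}
STALKERWARE_DOMAINS = {"prog-money.com", "anmon.name", "andmon.name"}
FRAMEWORK_CALLS = {
    "android.accounts.IAccountManager.getAccountsAsUser": "queries account information",
    "android.os.IPowerManager.acquireWakeLock": "acquires the wake lock",
    "android.app.IActivityManager.setServiceForeground": "foreground persistence",
    "android.net.wifi.IWifiManager.getConnectionInfo": "queries Wi-Fi connection info",
    "com.android.internal.telephony.ITelephony.getAllCellInfo": "requests cell location",
    "android.app.job.IJobScheduler.schedule": "schedules tasks",
}

EVENT_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<proc>[\w.]+)\s+(?P<kind>call|stat|dns|dexload)\s+(?P<value>\S+)$"
)


def domain_matches(name: str, indicators: Iterable[str]) -> Optional[str]:
    """Return the indicator that `name` equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")
    for ind in indicators:
        if name == ind or name.endswith("." + ind):
            return ind
    return None


def classify(proc: str, kind: str, value: str) -> Optional[str]:
    """Label one event with the report behaviour it corresponds to, if any."""
    if kind == "call":
        return FRAMEWORK_CALLS.get(value)
    if kind == "stat" and value in ROOT_PROBES:
        return "checks if the device is rooted"
    if kind == "dns" and domain_matches(value, STALKERWARE_DOMAINS):
        return "contacts stalkerware domain"
    # Only code loaded from the app's own private data directory counts as a
    # dropped Dex/Jar; loading its own installed APK under /data/app does not.
    if kind == "dexload" and value.startswith(f"/data/user/0/{proc}/"):
        return "loads dropped Dex/Jar"
    return None


def triage(lines: Iterable[str]) -> Dict[str, Dict[str, List[str]]]:
    """Aggregate behaviours and the IoCs that triggered them, per process."""
    found = defaultdict(lambda: {"behaviours": set(), "iocs": set()})
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not in the assumed format; skip rather than guess
        proc, kind, value = m["proc"], m["kind"], m["value"]
        label = classify(proc, kind, value)
        if label:
            found[proc]["behaviours"].add(label)
            found[proc]["iocs"].add(value)
    return {
        proc: {"behaviours": sorted(f["behaviours"]), "iocs": sorted(f["iocs"])}
        for proc, f in found.items()
    }


# Constructed trace: the sample's PID and package name come from the report;
# the weather app and every path/host below are made up for the example.
SAMPLE_EVENTS = [
    "4518 xuzjgkd.sstlojddh stat /system/app/Superuser.apk",
    "4518 xuzjgkd.sstlojddh stat /sbin/su",
    "4518 xuzjgkd.sstlojddh call android.app.IActivityManager.setServiceForeground",
    "4518 xuzjgkd.sstlojddh call android.app.job.IJobScheduler.schedule",
    "4518 xuzjgkd.sstlojddh dns api.anmon.name",
    "4518 xuzjgkd.sstlojddh dexload /data/user/0/xuzjgkd.sstlojddh/files/payload.jar",
    "2210 com.example.weather call android.net.wifi.IWifiManager.getConnectionInfo",
    "2210 com.example.weather dns weather.example.com",
    "2210 com.example.weather dexload /data/app/com.example.weather/base.apk",
]

if __name__ == "__main__":
    for proc, result in triage(SAMPLE_EVENTS).items():
        print(proc, result["behaviours"], result["iocs"])
```

Two points matter when reusing this against real traces. Domain indicators must match subdomains as well as the bare name (the report lists flows to `anmon.name`; a real client may resolve a host under it), but must not match look-alikes such as `notanmon.name`. And a `dexload` is only evidence of "loads dropped Dex/Jar" when the path is inside the app's own private data directory; every app loads its own APK from `/data/app`, so flagging that would be noise.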
Processes
-
xuzjgkd.sstlojddh
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests cell location
- Schedules tasks to execute at a specified time
PID:4518
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
- Suppress Application Icon (1)
Downloads
-
/data/user/0/xuzjgkd.sstlojddh/[email protected]
Filesize
2.6MB
MD5
c804156b95a21c4bf0b1e2c8a133894a
SHA1
dab8c525d3c86618f2f70a8de71979df529e959f
SHA256
395c690bb3c3ec85b3c36ae8498ebbb895b71e745acf9e7f120578a9033d9a68
SHA512
52110dadace88fb28be4d9289d797346d5b4e4dc753279769101be18e7d2fa90c2b315e9cff2f89e694c2e0a64f943002116e46c4807ead7d852adc2cf54e7e4
-
/data/user/0/xuzjgkd.sstlojddh/[email protected]
Filesize
1.2MB
MD5
336921950a9f279733cd787f1203d73d
SHA1
cefc36a7c17909054cf2a507b34f545af96c0e36
SHA256
c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c
SHA512
6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87
-
Filesize
124KB
MD5
f15335a640f24813c9b345c99da7e16d
SHA1
a0e7fdc85b3c1420bf342676be577f146f5dce49
SHA256
6baf6ee8c7c503ed9962ff49957fe3c0b707171d1913450d97c84856a6ae31b9
SHA512
5f51ec199de29b23e398d143c4f0faf58ba655a4f455ecafd5b6303c0ef428f3165f5db49daf4697f1dba3033da51113730ee5ad158a9ea9f8f6b9a10b044f19
-
Filesize
96KB
MD5
6155bf477e1390f039c48e12dd061303
SHA1
427c95e49d866cb70bba1fae51b36d2a832a4ee8
SHA256
ef36dfb5dfd452a182ea394352dc5640879e66233a888f4b74cfed5c44ff72f5
SHA512
666437dcf8ece4acbb311a9e5c01de874f1914bd0611116f9104bba50c90fb91299f3eb64d681bb7331e7c79a8f40cd837957e3426d52ae0889d1c25f5deece2
-
Filesize
96KB
MD5
e38a74f66cdfc487d5000508ecb0c6e4
SHA1
7f44104163ef6f250eb3fc4b1c235f5a5f100c33
SHA256
ad875f41b6667aabd9d2fa7ebb3ddc59ded78dec2c352e5d216f35554e169cef
SHA512
d1a369aa8e61a66981f04b35ebb787bb144ed78be811cf8bce1df524d1ac08454178a647a87edf29aa623338081469b64980612138c42c042edd9564e2d5ec80
-
Filesize
96KB
MD5
0bb6ecd10aaa20a053749f880340d807
SHA1
1def09e3f1db07d937d60e2cf7154e981c38686c
SHA256
22306a2bef38a14f768927218f4cd162e4a44a7c2dfa9dabac2b33ef380a54a3
SHA512
751e1bb5c1b82a21845c1184f8b5c80a84222db331c87e6dfb5b33dfe01f79d735062b4c7b8bdbfc05dca6fa0093cf41238d9fb83668487e48b86b1a92148e6e
-
Filesize
96KB
MD5
97e2c834844e630233d162e42aec4d9a
SHA1
4057343b04dbd8885a8b06a35cf023a0d84d88c2
SHA256
0c89f4c8777d80a3cd34f2127bc9344297d53cb18c26bee16875113de571005c
SHA512
3266a5e43fadae0881f2dbec5acf21190e34ddfc952781df02a4c5db6456802a29a8893a762d9d44906441b0fde2c3d4e129c806d7b79be31b599f564a1124f4
-
Filesize
172KB
MD5
ec1a3dd7f73dc2cc6ed0b9579b1beac9
SHA1
27010e8e0bf076c95ea78174571844fb3ea5c9e2
SHA256
bcf96e629794fe1bf8cb9ca6be10f922cd85a780b47dffe13e98f3be274eed7e
SHA512
a1ff0a079e96a8404ec04ebd09807102e8a55c98552554018568a2924aafc1f2870725fb2d55a94b0fb0e8297c6747d7f74ed46b709538a9646b46b4eb320064
-
Filesize
512B
MD5
cee7ffbfd67657510a03bf6a37963802
SHA1
3fb745dad66b6a5c1da1101da3056213b2f9bf43
SHA256
c9dba4e5c171ebd6523c3512602037d97fe6b61f5a7cf1616be915034fc229bc
SHA512
d2b3e1403c392a476ab6f77337b5207ab6af918dcbd7ab2c26562bbbc7bf25175e077d230da6175d269ddae7a2f8abd4c5dcb730a2b214ce6419e39065653e39
-
Filesize
8KB
MD5
c40c7b6a853ac31ee3ac26e82bcaa69b
SHA1
53c55c38091912486c43f45b1fa362e84a25d9dd
SHA256
b4a26c7067452eb85905df76d5ed63befaa94c2b3e8799f17be8de9f03654703
SHA512
fd7576fa705bf127cfbdf7630f04f1d0fc65d02a0afe0e36072432560848d7f15c40ff3040d8157240cb33ba1a77523c3915e6db4f08e493bc1b7c90d3bcddb8
-
Filesize
4KB
MD5
83d902081394888936057ebbd4b6a375
SHA1
89f252678d3bd28a58ea7988a11242e036d37358
SHA256
eb1a5fe324bea0d56b743c57fe14ec94feb7a38fd2e22eb64f317875fd9d7fae
SHA512
01d7817b2bc84515825324e3ad4a0ffe27ee770e29544cc414878a009e6b222584e341063da9c762fd71c27e2bf732d7ab387dc9d5be8cfb74c19b8de4fe9621
-
Filesize
8KB
MD5
8b6e636f0a371587c6189f00bd202cfb
SHA1
b2076b8ae3865dd66be726dd80a36ec9df63b334
SHA256
0cfb2ba5bd59ca013ad8f999ac8646a4e626cd2b4fdb108d81e00c28a9e47d31
SHA512
3a1b37b1eacbc8f7e3f196f087ecb98ca90e5d444548b4876108d5c842d674a35177bc4958cce32da2f2cf197d84ccc0b556cd6f149d09b1ba8e9102a058fda6
-
Filesize
12KB
MD5
24b0b282fe845bbb20e564060164e085
SHA1
b1858466c9628a1bd1da5f9f07d5be0a3fdd2b94
SHA256
2900d8d6f42855d3d6f08564ad0d6176166f95f3bd711fd1f525aa917cbea954
SHA512
b115f0ca9bdd45d0f0ca1c2760b2a190fb3e7210c26db1cf5c6d57cc2a7525ac2119edb99094b940984a2102e3244f617c68e4ced19a39781b6caa282118b89b
-
Filesize
24KB
MD5
b125463f31fcce95ff8abf6872382e6a
SHA1
f0f95bba2cb5cec0bc88b7c4ea30375bbfeeaf3a
SHA256
37d930e8f3a0b80ed9d93fbf906ab1ab4aac9a6eb86a10fea78680a16051fd9b
SHA512
4b9ed0e610270a5aac8bfc7418fb94987da1a790ccca296685d2e667e6fb50b277cf7194871d7c379013c013ea5628a0dc182833bb46d4e5235351ae9436c889
-
Filesize
2.6MB
MD5
ebec0623df12f3d7e493604884e808dd
SHA1
74fa9c2749e8af6bf4f00bc232089e4ba8876ba7
SHA256
546b24036b300cfb4b6f17e5df3a0b14015d2eb4d654faee2283526f337e1d2c
SHA512
d404aca340c2461c5611b0e4822d552ddae48771ab059e1b13edd3493031e9f0b0d95fa82b6584f6b75bfdc5bb54b76526cc4790cda994b6405a275a48ea8ea2
-
Filesize
1.2MB
MD5
51112e0a7f7962a8e02bc885025414ef
SHA1
40622959af4fe349d8881c885b9b30441de8804c
SHA256
2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0
SHA512
f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402
-
Filesize
173B
MD5
98780a17aa3679c8c24ed5557cc66a61
SHA1
0dadaa9c9b74079fe38811e6de5b9492b66d56e1
SHA256
b8c1c176317817b2a92e86e07b02ddae4ef43e5577f74c97f54a7c0463ed0558
SHA512
1dfed4d9b814baf291a3be6f13defe674b16fd25c1bd0d9277a40dbbb57b1569f5baa2bd1217f1c9adcf346c380f1407f20a727089dc1adcfe1e37eaaca1dbb7
-
Filesize
152B
MD5
27b6287e3650ef3337abf864dd4b52d5
SHA1
664da7efe19607e854a3f5f9e761468f9e3561db
SHA256
5fb8facb5b14b95ccdcfc837d72e9e6b54179c06096eff242d7d3b21135e6e00
SHA512
5f9016fc5b528b73710935dc76da9fa95088ec1c9653f0d8d7a196dc4b9ea396c13c645e18ff5cb8a954944c04538cadc37cd985305e44df1dbf0beb8deb09ff
-
Filesize
4KB
MD5
53c916dd11167d7f001d9400665136c6
SHA1
be576b68e763c0daea703c1afe13fe6a7d2748ca
SHA256
17699429e0d2c5314b4c86537968e8a8355e4619f2b83aa0fdc508dd352da92f
SHA512
3a82c4e0fd041f0faae352926984f806162483b4c7c0a458f83bd8613fce8678e9f77052c6568199f2ba080878466b1afb80fdb1f845bfda7cbc92f5f7e1edde
-
Filesize
64B
MD5
eec05a1f2e683e8de3eb4af145b102a7
SHA1
1c3fdcf34cf93acc6506e94d3226d307f59ecfdc
SHA256
5fdab0a963aae87e9d147da5a02310554d5378c5a27a9b3f1baa31e2ef6ba82c
SHA512
46d125f14c67d2a0cd06379294b9d9d77a5c4d1ade7f25f22ba3d4a5f999959ae0187ab4e920f63eb91bb47a8538cab1ae0a1f96cc628f36f8d2d3d423f6de69
-
Filesize
72B
MD5
9f9c02776e58ff52284016217bd575ed
SHA1
36b38c42bd54e7478f19ee411ff359f2f2f8f1e3
SHA256
3892d297003dd362200ecb15bd0c20b70f2faf7da2284df3f5adcd052467b446
SHA512
6de438b723f8ed9d37500c4b4cff2ae880a063ce815a287781fcc9e4401e3d80a9e3da26f7fbad29b9e8c5d8502a1344b8174a931059906a53962f2725b06931
-
Filesize
193B
MD5
720a4efdcb5a081039e1ecef022e7c34
SHA1
e9643217e00ffc13656c23dbd43c4527713b61c2
SHA256
7a91d922992aa48ffe9130aaaf9b61711da71a6e410b3b40a4c74f5ee567e3e6
SHA512
88f793eda272fbac1f3e470f37784036b64b97d83a351fa2325de0ad0d575922a66789f5ddc75adeb31c745d90c712df047f4cdddea091b2be261c882b566972
-
Filesize
134B
MD5
ece2ead8d77af893e55549d88c659b34
SHA1
c7bda83afb74f45b0dc9ecf8e56f8c9df6ae2010
SHA256
b96e551be55fba8665ab1414ae670377c9e794c212a700ca1915c97078391e98
SHA512
abaf90e03a353bf1cf8af2aab094c76dd94292cc21f21a1c2b6ebdd78bc735b7668b6ea4bff6e353167668caa0b078388f06409772aaa1b0bbb999e34a0343f9
-
Filesize
26KB
MD5
e1a74deb397dd65e1f56a223d3e12057
SHA1
093cb11b6081ce359c958b8435e5f8606f035876
SHA256
4ea9aef029a2ae3d7beb102d2ebd0a393c7bafd14b38257d8b0d1f7514b4a9e8
SHA512
bee80659bd2682ab2c175e491157b99916beeefae39fc4db9d493aed40a2a625d8131fbec99057dec918aad3792958472559b08cc1ffa560b7687989010e672b
-
Filesize
6KB
MD5
bd9654c2126f4c576f4fc565ec7bd0f7
SHA1
459af69b3251359c87216df85073b00724cec525
SHA256
cb0554fd8f64f4194757fae8a7911a91aa11ea17e9a683518ded410dfa7bc30f
SHA512
827e15f55f4719732477942177613d1cd97875aad9efa618af1de1c6434b889d6cbad614559dc9668d1f8c3535906c6d583d9e78c1bdfc95d988ef40eb467cfb
-
Filesize
219B
MD5
af8b7a55a80e7875e7d3c8f9fd64632e
SHA1
9955121d208490d29b4a9b3544c625a2210d6bcd
SHA256
2d0fb123ddd94ce5825c2df56859e18cb7ef6442c1621657dc4e521e17d5ad4f
SHA512
324e07be3c78b618b6f8d80920451edb107b7da0c73f68cb08973aef11d2b003921b637cf0970b63ab2474178e5cceaeb95f649995bcb1647d558893dcc7668d
-
Filesize
73B
MD5
647e6c66ab347eab81c9d3ea0462cbb8
SHA1
18fc7323e638dd74eb14290c550b6af4d9957ab9
SHA256
4a5fbe96836d0122c584507966ecacafb22e8542a80922cc7198b59fc1287a54
SHA512
721e0b6fa92636dc0b310f16b4d9aa2f0c34c0544d5df4cda47a07fc2f2a1a7a5029bc175a2d24d751d0cb1664475f3642631c4a92a462b3cc8b7f4b65aac2dc
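The Downloads list is what makes this report useful on a real device: the two dropped DEX files the sample loads from its private data directory are identified by digest, so a responder who pulls `/data/user/0/xuzjgkd.sstlojddh/` with adb can confirm they are looking at the same payloads. As an added example that is not part of the report, the following Python hashes pulled files with the four algorithms the report uses, fingerprints them by magic bytes rather than extension, and checks them against the digests of the two named dropped files above. The manifest labels (`dropped-dex-2.6MB`, `dropped-dex-1.2MB`), the sample byte strings and the file paths are constructed; the digests are copied from the Downloads section.

```python
"""Verify files pulled from a device against the dropped-file digests above.

Added example, not part of the report. Uses only the two named dropped DEX
entries from the Downloads section; the "name" labels are chosen here.
"""
import hashlib
from typing import Dict, List, Optional

REPORT_MANIFEST: List[Dict[str, str]] = [
    {"name": "dropped-dex-2.6MB",
     "md5": "c804156b95a21c4bf0b1e2c8a133894a",
     "sha256": "395c690bb3c3ec85b3c36ae8498ebbb895b71e745acf9e7f120578a9033d9a68"},
    {"name": "dropped-dex-1.2MB",
     "md5": "336921950a9f279733cd787f1203d73d",
     "sha256": "c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c"},
]

# DEX format versions that have been defined (036 was skipped).
DEX_VERSIONS = {b"035", b"037", b"038", b"039"}


def digest_bytes(data: bytes) -> Dict[str, str]:
    """The four digests the report lists for every dropped file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def file_kind(data: bytes) -> str:
    """Identify a dropped payload by its magic bytes, not its extension."""
    # DEX header: "dex\n" + three-digit version + NUL.
    if data[:4] == b"dex\n" and data[4:7] in DEX_VERSIONS and data[7:8] == b"\x00":
        return "dex"
    if data[:4] == b"PK\x03\x04":
        return "zip"  # APK/JAR container; may carry classes.dex inside
    return "other"


def match_manifest(data: bytes, manifest: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Return the manifest entry whose SHA-256 matches `data`, else None."""
    d = digest_bytes(data)
    for entry in manifest:
        if entry["sha256"] == d["sha256"]:
            # A SHA-256 hit with a disagreeing MD5 means the manifest was
            # copied wrongly; fail loudly rather than report a false match.
            if "md5" in entry and entry["md5"] != d["md5"]:
                raise ValueError(f"inconsistent digests for {entry['name']}")
            return entry
    return None


def scan_pulled_files(files: Dict[str, bytes],
                      manifest: List[Dict[str, str]] = REPORT_MANIFEST) -> List[Dict[str, object]]:
    """Hash and classify each pulled file and say whether the report knows it."""
    results = []
    for path, data in files.items():
        hit = match_manifest(data, manifest)
        results.append({
            "path": path,
            "kind": file_kind(data),
            "size": len(data),
            "sha256": digest_bytes(data)["sha256"],
            "known": hit["name"] if hit else None,
        })
    return results


# Constructed stand-ins: a minimal DEX header and a ZIP local-file header,
# padded with zeros. Neither is a real payload from the report.
FAKE_DEX = b"dex\n035\x00" + bytes(64)
FAKE_APK = b"PK\x03\x04" + bytes(32)
# Manifest extended with the constructed DEX so a positive match can be shown.
CONSTRUCTED_MANIFEST = REPORT_MANIFEST + [
    {"name": "constructed-dex", "sha256": digest_bytes(FAKE_DEX)["sha256"]}
]

if __name__ == "__main__":
    pulled = {"pulled/a.dex": FAKE_DEX, "pulled/b.apk": FAKE_APK}
    for row in scan_pulled_files(pulled, CONSTRUCTED_MANIFEST):
        print(row)
```

Matching on SHA-256 alone is enough to identify a file; the MD5 cross-check exists only to catch a manifest that was transcribed wrongly, which is a real risk when digests are copied by hand out of a report like this one. The unnamed entries further up the list (the 96KB and 172KB files and the small config-sized blobs) can be added to the manifest in the same shape once their origin on the device is known.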