Analysis

  • max time kernel
    139s
  • max time network
    142s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    01-10-2024 07:52

General

  • Target

    ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df.apk

  • Size

    20.5MB

  • MD5

    adcdbe1e25a3e03ae1e454363012432e

  • SHA1

    83381d32b8a6ce9854e8e7213a6c90ac3e17f011

  • SHA256

    ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df

  • SHA512

    597546c877c4ac04c910f123c3bfbe236a342e61ff7a94ddcf1639401da76b04df858da2bbf145c8d10cdfe299f2b946d7ebe75554afd6f749acc8f4d387f9d6

  • SSDEEP

    393216:3OsJA35z7A79L+r2d1mbgafiubcnZbb3T9i/zVN2I+TXadaKpPbNiRSKcsjJY:3RJA35z7c5zrmbBffcZb1i/zVN2IkKk4

Malware Config

Signatures

  • AndrMonitor

    AndrMonitor is an Android stalkerware.

  • Checks if the Android device is rooted. 1 TTPs 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 3 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests cell location 1 TTPs 1 IoCs

    Uses Android APIs to get current cell information.

  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • xuzjgkd.sstlojddh
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Requests cell location
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    PID:4250
    • su
      2⤵
        PID:4289

    Network

    MITRE ATT&CK Mobile v15

    Downloads

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB

      Filesize

      124KB

      MD5

      4c0ccabb25100a908b9db06434a6af8b

      SHA1

      555d9ecfa42e17aec483e1c05be0fc1362db9e66

      SHA256

      79aee6f8af24ae6adc8537de3a061bde3778d3d9634265b85b3e8727d4116304

      SHA512

      b9a4a1227fa927f0ef987a720c5bf16af71f3fba8c1a40d5387ad0d4ba193a1b7b23634b0850af7c25b55c8b2e984e7c84ab8fb3e55c83b3bc2ff859f4dcc5bb

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB

      Filesize

      96KB

      MD5

      4b5e9112e343bd07996fd4bd091d04b2

      SHA1

      36e8021ed5944e65e6ff424e3d7b43aeb721127f

      SHA256

      f25af557b306bb0d1167697227f717995ab39ed747c388e362b17be63b0bd65a

      SHA512

      b25f7fb090fe7c370e128ca4cb1b01d1cb7e6cc0777d2b38e3f95dce4612430363995424d3443dd6d1df9d80d95dc8008f7aa487f941275c0fc94e0e66bf2114

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB

      Filesize

      96KB

      MD5

      ab2fc7d5397e7dae4aa2c30045e844ce

      SHA1

      ca65a4bd5092cd55a36143fa1533eecdb7e1a537

      SHA256

      f11b21909438dd6bc8f11824367e8d674cda45516cc0df397e24464c059ca0c7

      SHA512

      468cd12b8929932538a025f6029dc155e2a5c661a3cfe4f0e3dd64f6c8de4ec972204e8b23e3ed72e6c4146bcef8a5825ed862fa10ddb1c309862dadd48858d5

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB

      Filesize

      52KB

      MD5

      b6815b344f6926d458cea05acd052cdd

      SHA1

      88f524aff1d4c5fee979a203dd952427871a7097

      SHA256

      028666f28ae0086b18fb740f792e8a80ad05547f0c7cb9d2dc8080e5125db366

      SHA512

      0431375f80e9c467d0abb042e43681a973bce455fe8354f5a138f19a3b28d3adc7eac3fe4c20bf44f085810749569b87a393185cd8f8bf2687f0923b8de4dade

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB

      Filesize

      96KB

      MD5

      4d194e6ff0ef4ecc5fda8681b34cadd6

      SHA1

      6d047f762a5f2e19e217f155166934e1b5ff1ed0

      SHA256

      244a5a590630981a4a5d95904dd597ba746eec730b6546ee42673f04949a9e31

      SHA512

      075eb0a819282d827188593447b22de52ed837888e741e8091f6608d273f176cfecd49effd4b654467e7889ccf4b374f82dfa8f1c8c07388436d5e04e23cc3f2

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB

      Filesize

      144KB

      MD5

      ed9b48fcdd553e4329083058a2e60103

      SHA1

      7ef3a88276ed3c6ce9a5f5b41ab9e0fe68bdff08

      SHA256

      c585b21423cee919c4a39e6f86ec0846d6c21c434d0b82030bf034de53fc030c

      SHA512

      3a51876e2a3fcf25341f69672d8b82a3e475326b542361f9a3b036e225b505ead0a49e92da86d693bf017684088b22a3365147cf0b74988176d55afeed0c74f9

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB-journal

      Filesize

      512B

      MD5

      fbd69b72ab042fe49c63302d4654e18a

      SHA1

      014489492bd38fe66f655c092e403e54a7b9e118

      SHA256

      d4eda6a2beb3846ee906b1c16df6c93e3b529f54a75dc68e28f6ac7bfcbab1c6

      SHA512

      491d1527af0f34d2c3a26e6b58d889bfe6a0d656cc04e880db8d0a8d66a88aee0021e77dc42c1c18232e0e0bc50a7e1e2be48028a8a0975d497869497bab19ab

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB-shm

      Filesize

      32KB

      MD5

      bb7df04e1b0a2570657527a7e108ae23

      SHA1

      5188431849b4613152fd7bdba6a3ff0a4fd6424b

      SHA256

      c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

      SHA512

      768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB-wal

      Filesize

      414KB

      MD5

      8dbb5c7a468600e4475358d8f795052f

      SHA1

      f4a780fb9fae4a030b0d2593e1a4044d2f4ff768

      SHA256

      c74013a0cd3f0176393cd77a5d6183d131fc18ab0e49f7c6ee5409edb11b8af1

      SHA512

      3a767a042ef27d5a2384885fd7e234dd7e39caf00cbbae70e0e77af8f4d861ea959258575674f3a45063e09fe1526d22b37905a66ef5562949fea69ea8aa9ded

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB-wal

      Filesize

      8KB

      MD5

      722b2db20f453c6b8089a42a867ec299

      SHA1

      b3fdca5ca4e834e802941e45123ab4ca82d23da7

      SHA256

      27b9cf17281d25ce6a861825f0e4e6dfc76b76df3ae52c59a855da04854ef13c

      SHA512

      af2ff25ee93a6c76bab906b1e567b70670c5e64ac8dde9ffdf60e57bd984553c222d0b05ed8e8a3fae575cf5be7422cedebe36b44bbd9e8e28d17531f7fb4a10

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB-wal

      Filesize

      8KB

      MD5

      9704fa9e2c9d5bd67a7099ab3d52e8c1

      SHA1

      f2911bb42f4e1cdcd7cafae6d537d06ba19167c3

      SHA256

      de2f8f6a4bd177afff4410134366d47aaccf71e8d6d00122abc6a53a34c9a06d

      SHA512

      5a46b909905da40b1d9d98eed6490524d6b197032d1b3be7f207d574f735867e20ffddb15bef4f65e0f0db7d62d0d3ab6aa58045ca5a10365acc952ef5378122

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB-wal

      Filesize

      4KB

      MD5

      587f9de9ad5584d2918c74cb562247f1

      SHA1

      3b86b6fefa1c7a2fb20f7565b2f479d86852f2e6

      SHA256

      d8afe151d857c63c8aab1447ef60a77156bce3f0942dfa8fdf32bfe0a484bf42

      SHA512

      e593ced1c45a1de78a452a96465e4453e37691d36bd5864effbbc153e1804143e8d31e080e1ae9d00a777f8f115ef6f1dac601063aa936952715eafb1853454e

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB-wal

      Filesize

      8KB

      MD5

      a238ff8830a70d9d42bbc8617d80d14e

      SHA1

      8221838165ae4cafd6abcf1cc0dd9910a2e02f84

      SHA256

      6e71108c2821dd63b804ed2b9312fcf6149f67c6092d5b53e716802e4cf82fe2

      SHA512

      d9a66bfbb880e103655665cf173c5167e9f58ff4b5b48658ba5526e25890d438dd14707327728a7014bd8e6dc545b856d4cf0454ba3cf6b4c6dc2ff78df9b4a0

    • /data/data/xuzjgkd.sstlojddh/databases/SettingsDB-wal

      Filesize

      418KB

      MD5

      f2b4a7a68ce03213914e2f3427b8c4e8

      SHA1

      d54e0090043c2f702e8633c14aacdddca5374b24

      SHA256

      aa30f8c86441454ba392ba9117a19c62145984fd71ea756580eeddf3e4468eb3

      SHA512

      3b7309bee5fdafe49c1e6215e7f790e588accbf41b30d9acc2f150706696532c1af52e93205c64add59f07542c9289dc16d6418747000ff9691532f1b39b0dc1

    • /storage/emulated/0/.am/dm/md/main.md

      Filesize

      2.6MB

      MD5

      ebec0623df12f3d7e493604884e808dd

      SHA1

      74fa9c2749e8af6bf4f00bc232089e4ba8876ba7

      SHA256

      546b24036b300cfb4b6f17e5df3a0b14015d2eb4d654faee2283526f337e1d2c

      SHA512

      d404aca340c2461c5611b0e4822d552ddae48771ab059e1b13edd3493031e9f0b0d95fa82b6584f6b75bfdc5bb54b76526cc4790cda994b6405a275a48ea8ea2

    • /storage/emulated/0/.am/dm/md/main_tools.md

      Filesize

      1.2MB

      MD5

      51112e0a7f7962a8e02bc885025414ef

      SHA1

      40622959af4fe349d8881c885b9b30441de8804c

      SHA256

      2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0

      SHA512

      f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402

    • /storage/emulated/0/.am/log.txt

      Filesize

      173B

      MD5

      512a6f97bd31e7268c18bf7ec3f2a68b

      SHA1

      3f62a86b0da15b981bb698aa098aaa830a8aa1fa

      SHA256

      b48c23601d61fec3b5ea9fe9cc5a761edb4e9b80ac0f8e84c0a564a1c82ceb4a

      SHA512

      203f1e586008fe078ef3e733a73216c732c0f9e3258718768a8d6c198ca1c9d96ce73d6693f0e78a8648a29c03703336cbde3bc3e15ff50ce3615ed0adf40b43

    • /storage/emulated/0/.am/log.txt

      Filesize

      152B

      MD5

      368cc533a74aeb4a365633c3b5b466cb

      SHA1

      9c114ad5adf22df7a4c85022fc44996af16803f7

      SHA256

      935dfc5550ab57377fe261f8bf50874337ac61e0e71db85772b304c840b14b5e

      SHA512

      dc01fc1de26d1d486a981c8d7ce9406dcdbe7da7daba7afb2afb61770d52ca05704fbd3c8ab488540e52736df19d1c3122c665fd35dd5dee910ec1013c8fa0b5

    • /storage/emulated/0/.am/log.txt

      Filesize

      3KB

      MD5

      c1f162f5ed34ce9edf53e9295bbf988c

      SHA1

      7f4ac0e244520aa91ad7b83276f56c20a3e9b5a4

      SHA256

      f0c644a9122727c1726d4488b29dd2dbe41b3fc1a176b2db04c9363758dd2d44

      SHA512

      93b35ae06e4994e2a01f448a186167e9911f714771c6dbc2007c7b7a88676b60330cc59c073be37dc0c32f5206b2c590d349f7f4713bc388eb7de793ab945418

    • /storage/emulated/0/.am/log.txt

      Filesize

      64B

      MD5

      012fcc916c79a5a8410295a73608c99c

      SHA1

      0faaf2b226efb8ec64de5a747e7afa9f3954d856

      SHA256

      10fb25d04eabc3333a9bc9c18cb8ba9d5150e2573327c823154acf4e60851542

      SHA512

      edc816d4a36fdba2eb1853f7a26000c2810de477ebc28eb4a276a647b2a621e46fadde482cfb06cf8756c4f17f9f9d6b756e7c124b55a698633675816c05d5f6

    • /storage/emulated/0/.am/log.txt

      Filesize

      72B

      MD5

      f5becc4c054f120acf9af371c2cffc8d

      SHA1

      65c98b461fc92763c40b3408083e21a26667d7ab

      SHA256

      923eb31c6a56d14cc689dd152bd6c5ad1e393f10bb5df859b9c7f8696fa72229

      SHA512

      7c46694c8bb04f164f17e5e1cad1d7ebbd107499d41cd0016741f55d170369663ca1ec371434997e88c3f7c514444ca8e57b0fc1f36eed373154a410f3d112bf

    • /storage/emulated/0/.am/log.txt

      Filesize

      163B

      MD5

      1a3961f58485bf76edfcc1c13ff25d43

      SHA1

      932a683a99fcc346d62048c6288c3a7f34b954c6

      SHA256

      a92026661a878f98053f4bc4f8f9ee5d68f21b039584312e013e066012ec569a

      SHA512

      e81f3b02344a4178e9cf91fcfdf770593ea1377ef17c77a3745d89e2e81d1ab2da69d8e9611ecb0eb5aefc7990708788e6ff04ca49cb698fdb32fb075d62b333

    • /storage/emulated/0/.am/log.txt

      Filesize

      134B

      MD5

      218674ff3954a106d5b7665aa4372e38

      SHA1

      87496a3917d3a1e4919f24c0bf8a1b772adab1f5

      SHA256

      1ab0f039083fbc526c1f599cc4172eb502cbf00abc878dc9d4dbff1f2ecf4396

      SHA512

      e239878c96093228217efcc2b229337afb7770d78ec07eb8bf1aa191f2b6c384546a46d80555b31f9e63054a0535c429caa8783b2d3e770d9d24f1c90de5dd17

    • /storage/emulated/0/.am/log_.txt

      Filesize

      25KB

      MD5

      16ced1569363e39c6136f5c3008289d5

      SHA1

      e9897fbb4f841ecaa138444941a3fdee615661ec

      SHA256

      af284375ce2b1b83dce5be27985f38006634e29c6111158a64661ffba3fae9c5

      SHA512

      903fe0a19b09892c4e509934a3e069333f491adb89663d3c000ef16a80f1efb6891491586d3cb20c2032f32d515592c430baf44d37df58594e47e4afe1b72c5a

    • /storage/emulated/0/.am/log_.txt.zip

      Filesize

      6KB

      MD5

      5984629a32344367ad1982c528b62d90

      SHA1

      12c976627ff95475f8aafd9ceb880eb76a20091f

      SHA256

      f5a3abfec9d53681770f9d0d17568edfdb898ceb2e4a99d179b522033a986648

      SHA512

      eb539de983813432d0cd507101008bff0a4e0e621ec29a29e5b9c7918cca87ba0fe28cb9eeb4e74aea2efd43ef340b1eed6e89855b612a270784010cbdd5af42

    • /storage/emulated/0/.am/log_1727769159233.txt.zip

      Filesize

      220B

      MD5

      d30606d27496cdd89b86069edc247138

      SHA1

      dd735686409a42c11ce94922f12eaff893d0432c

      SHA256

      a344ca70e7c7eb8eb816df72aaa8ac0ae5502e60f41fb5f0df4c2634600b710f

      SHA512

      3ae8be844aa29aa1ace83269b2eac3e786ff974439919b31c1fb0b25afccb37a045844d000602b8b9de054611f6506ae225467ceb969b6ea339b76d2c6ff6128

    • /storage/emulated/0/.am/prog_class.name

      Filesize

      73B

      MD5

      647e6c66ab347eab81c9d3ea0462cbb8

      SHA1

      18fc7323e638dd74eb14290c550b6af4d9957ab9

      SHA256

      4a5fbe96836d0122c584507966ecacafb22e8542a80922cc7198b59fc1287a54

      SHA512

      721e0b6fa92636dc0b310f16b4d9aa2f0c34c0544d5df4cda47a07fc2f2a1a7a5029bc175a2d24d751d0cb1664475f3642631c4a92a462b3cc8b7f4b65aac2dc

    • Anonymous-DexFile@0xcaac7000-0xcad58640

      Filesize

      2.6MB

      MD5

      c804156b95a21c4bf0b1e2c8a133894a

      SHA1

      dab8c525d3c86618f2f70a8de71979df529e959f

      SHA256

      395c690bb3c3ec85b3c36ae8498ebbb895b71e745acf9e7f120578a9033d9a68

      SHA512

      52110dadace88fb28be4d9289d797346d5b4e4dc753279769101be18e7d2fa90c2b315e9cff2f89e694c2e0a64f943002116e46c4807ead7d852adc2cf54e7e4

    • Anonymous-DexFile@0xcae9c000-0xcafc74b8

      Filesize

      1.2MB

      MD5

      336921950a9f279733cd787f1203d73d

      SHA1

      cefc36a7c17909054cf2a507b34f545af96c0e36

      SHA256

      c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c

      SHA512

      6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87