Analysis

max time kernel: 139s
max time network: 142s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 01-10-2024 07:52
Behavioral task: behavioral1
Sample: ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df.apk
Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
Sample: ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df.apk
Resource: android-x64-arm64-20240910-en
General

Target: ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df.apk
Size: 20.5MB
MD5: adcdbe1e25a3e03ae1e454363012432e
SHA1: 83381d32b8a6ce9854e8e7213a6c90ac3e17f011
SHA256: ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df
SHA512: 597546c877c4ac04c910f123c3bfbe236a342e61ff7a94ddcf1639401da76b04df858da2bbf145c8d10cdfe299f2b946d7ebe75554afd6f749acc8f4d387f9d6
SSDEEP: 393216:3OsJA35z7A79L+r2d1mbgafiubcnZbb3T9i/zVN2I+TXadaKpPbNiRSKcsjJY:3RJA35z7c5zrmbBffcZb1i/zVN2IkKk4
Malware Config
Signatures

AndrMonitor
AndrMonitor is Android stalkerware.

Checks if the Android device is rooted. (1 TTPs, 2 IoCs)
ioc                        Process
/system/app/Superuser.apk  xuzjgkd.sstlojddh
/sbin/su                   xuzjgkd.sstlojddh
pid   Process
4250  xuzjgkd.sstlojddh
4250  xuzjgkd.sstlojddh

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
ioc                                      pid   Process
Anonymous-DexFile@0xcaac7000-0xcad58640  4250  xuzjgkd.sstlojddh
Anonymous-DexFile@0xcae9c000-0xcafc74b8  4250  xuzjgkd.sstlojddh

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect account information stored on the device.
description             ioc                                           Process
Framework service call  android.accounts.IAccountManager.getAccounts  xuzjgkd.sstlojddh

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
description             ioc                                       Process
Framework service call  android.os.IPowerManager.acquireWakeLock  xuzjgkd.sstlojddh

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (3 IoCs)
flow  ioc
6     anmon.name
11    andmon.name
4     prog-money.com
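The three flow IoCs above are the cheapest indicators in this report to hunt for retroactively, since DNS resolver or proxy logs usually outlive the device. The following is an added example, not part of the sandbox report, that matches dnsmasq-style `query[...]` lines (that log format is an assumption) against the report's three domains using label-boundary matching, so that a lookalike such as prog-money.com.example.net does not fire while a real subdomain or a trailing-dot, mixed-case spelling does. The log lines and client addresses are constructed.

```python
"""Hunt for this report's stalkerware domains in DNS query logs.

Added example; not part of the sandbox report. The three domains are the
report's flow IoCs; the dnsmasq-style log format and the client addresses
below are assumptions made for illustration.
"""
import re
from typing import Dict, List, Optional, Set

# Flow IoCs from the "Domain associated with commercial stalkerware" signature.
STALKERWARE_DOMAINS = {"anmon.name", "andmon.name", "prog-money.com"}

# Constructed sample log (dnsmasq "query[TYPE] name from client" lines are assumed).
SAMPLE_LOG = """\
Oct  1 07:52:10 gw dnsmasq[812]: query[A] connectivitycheck.gstatic.com from 10.0.0.23
Oct  1 07:52:14 gw dnsmasq[812]: query[A] api.anmon.name from 10.0.0.23
Oct  1 07:52:14 gw dnsmasq[812]: query[AAAA] api.anmon.name from 10.0.0.23
Oct  1 07:52:31 gw dnsmasq[812]: query[A] andmon.name. from 10.0.0.23
Oct  1 07:53:02 gw dnsmasq[812]: query[A] prog-money.com.example.net from 10.0.0.41
Oct  1 07:53:09 gw dnsmasq[812]: query[A] PROG-MONEY.COM from 10.0.0.23
Oct  1 07:54:40 gw dnsmasq[812]: query[A] cdn.andmon.name from 10.0.0.41
Oct  1 07:55:00 gw dnsmasq[812]: reply api.anmon.name is 203.0.113.7
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot of an FQDN."""
    return name.lower().rstrip(".")


def matches_ioc(name: str, iocs: Set[str] = STALKERWARE_DOMAINS) -> Optional[str]:
    """Return the IoC that `name` equals or is a subdomain of, else None.

    Matching on a label boundary ("." + ioc) avoids false positives such as
    prog-money.com.example.net, which merely starts with an IoC.
    """
    n = normalize(name)
    for ioc in iocs:
        if n == ioc or n.endswith("." + ioc):
            return ioc
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """One record per query line whose name hits an IoC; reply lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        ioc = matches_ioc(m["name"])
        if ioc:
            hits.append({"client": m["client"], "qtype": m["qtype"],
                         "name": normalize(m["name"]), "ioc": ioc})
    return hits


def clients_by_ioc(hits: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Group querying clients per IoC: the devices that need a closer look."""
    out: Dict[str, Set[str]] = {}
    for h in hits:
        out.setdefault(h["ioc"], set()).add(h["client"])
    return out


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['client']} -> {h['name']} ({h['qtype']}) matches {h['ioc']}")
    print(clients_by_ioc(scan_log(SAMPLE_LOG)))
```

Run as a script it lists five matching queries from two clients; the `reply` line and the lookalike domain are skipped. Swap `QUERY_RE` for the pattern of whatever resolver or proxy log you actually have; the matching logic does not depend on it.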
Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
description             ioc                                                Process
Framework service call  android.app.IActivityManager.setServiceForeground  xuzjgkd.sstlojddh

Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description             ioc                                              Process
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  xuzjgkd.sstlojddh

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)

Reads information about phone network operator. (1 TTPs)

Requests cell location (1 TTPs, 1 IoCs)
Uses Android APIs to get current cell information.
description             ioc                                                       Process
Framework service call  com.android.internal.telephony.ITelephony.getAllCellInfo  xuzjgkd.sstlojddh

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
description             ioc                                            Process
Framework service call  android.app.IActivityManager.registerReceiver  xuzjgkd.sstlojddh

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description             ioc                                     Process
Framework service call  android.app.job.IJobScheduler.schedule  xuzjgkd.sstlojddh
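The two Anonymous-DexFile mappings in the "Loads dropped Dex/Jar" signature are about 2.6 MB and 1.2 MB by their address ranges, which lines up with the 2.6MB and 1.2MB dropped files listed under Downloads (two of each, with different hashes; the report does not say which behavioral task produced which). The following added example, not part of the report, computes those sizes, flags the Downloads entries whose printed size is consistent with each mapping, and buckets the other IoC strings from the signature tables by type. The size correlation is only a lead for which dropped file was loaded; confirm it by dumping the mapping from the sandbox and comparing it with the file. The 5% tolerance and the DOWNLOADS subset are assumptions of the example.

```python
"""Triage helpers for the IoCs in this report.

Added example, not part of the sandbox report. Computes the size of each
anonymous DEX mapping from its address range, lists dropped files whose
rounded size is consistent with it, and classifies IoC strings by kind.
"""
import re
from typing import List, Tuple

DEX_RE = re.compile(r"Anonymous-DexFile@0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)")

# IoCs exactly as printed in the report's signature table.
DEX_IOCS = [
    "Anonymous-DexFile@0xcaac7000-0xcad58640",
    "Anonymous-DexFile@0xcae9c000-0xcafc74b8",
]

# (size, sha256) for a subset of the report's Downloads entries (assumed subset).
# Two 2.6MB and two 1.2MB files appear with different hashes; both are kept.
DOWNLOADS = [
    ("2.6MB", "546b24036b300cfb4b6f17e5df3a0b14015d2eb4d654faee2283526f337e1d2c"),
    ("1.2MB", "2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0"),
    ("2.6MB", "395c690bb3c3ec85b3c36ae8498ebbb895b71e745acf9e7f120578a9033d9a68"),
    ("1.2MB", "c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c"),
    ("418KB", "aa30f8c86441454ba392ba9117a19c62145984fd71ea756580eeddf3e4468eb3"),
    ("414KB", "c74013a0cd3f0176393cd77a5d6183d131fc18ab0e49f7c6ee5409edb11b8af1"),
]


def parse_dex_region(ioc: str) -> Tuple[int, int]:
    """Return (start, end) of an Anonymous-DexFile IoC; reject malformed or inverted ranges."""
    m = DEX_RE.fullmatch(ioc)
    if not m:
        raise ValueError(f"not an anonymous DexFile IoC: {ioc}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range: {ioc}")
    return start, end


def region_size(ioc: str) -> int:
    """Size in bytes of the mapped DEX region."""
    start, end = parse_dex_region(ioc)
    return end - start


def parse_size(text: str) -> int:
    """Convert the report's rounded sizes ("2.6MB", "418KB", "512B") to bytes, 1024-based."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(B|KB|MB)", text)
    if not m:
        raise ValueError(f"unrecognised size: {text}")
    return int(float(m[1]) * {"B": 1, "KB": 1024, "MB": 1024 ** 2}[m[2]])


def candidate_downloads(ioc: str, downloads=DOWNLOADS, tolerance: float = 0.05) -> List[str]:
    """SHA256 of dropped files whose printed size is within `tolerance` of the mapping size.

    The report rounds sizes to two significant figures, so exact equality never
    holds; 5% (assumed) absorbs the rounding without reaching the next size class.
    """
    n = region_size(ioc)
    return [sha for size, sha in downloads if abs(parse_size(size) - n) <= tolerance * n]


def classify_ioc(ioc: str) -> str:
    """Bucket an IoC string from the signature tables by what it denotes."""
    if DEX_RE.fullmatch(ioc):
        return "dex-region"
    if ioc.startswith("/"):
        return "path"  # e.g. /sbin/su from the root check
    if re.fullmatch(r"(?:[a-z_]\w*\.)+I[A-Z]\w*\.\w+", ioc):
        return "framework-call"  # Binder interface + method, e.g. android.os.IPowerManager.acquireWakeLock
    if re.fullmatch(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", ioc):
        return "domain"
    return "unknown"


if __name__ == "__main__":
    for ioc in DEX_IOCS:
        print(f"{ioc}: {region_size(ioc):,} bytes; size-consistent downloads: {candidate_downloads(ioc)}")
    for s in ["/system/app/Superuser.apk", "android.accounts.IAccountManager.getAccounts", "anmon.name"]:
        print(f"{s}: {classify_ioc(s)}")
```

The first mapping is 2,692,672 bytes and the second 1,225,912 bytes, so each matches exactly the two Downloads entries of its size class and nothing else.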
Processes

xuzjgkd.sstlojddh (PID 4250)
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests cell location
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
  su (PID 4289, child of xuzjgkd.sstlojddh)
Network
MITRE ATT&CK Mobile v15

Persistence
- Event Triggered Execution (1): Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1): Suppress Application Icon (1)
Downloads

Filesize: 124KB
MD5: 4c0ccabb25100a908b9db06434a6af8b
SHA1: 555d9ecfa42e17aec483e1c05be0fc1362db9e66
SHA256: 79aee6f8af24ae6adc8537de3a061bde3778d3d9634265b85b3e8727d4116304
SHA512: b9a4a1227fa927f0ef987a720c5bf16af71f3fba8c1a40d5387ad0d4ba193a1b7b23634b0850af7c25b55c8b2e984e7c84ab8fb3e55c83b3bc2ff859f4dcc5bb

Filesize: 96KB
MD5: 4b5e9112e343bd07996fd4bd091d04b2
SHA1: 36e8021ed5944e65e6ff424e3d7b43aeb721127f
SHA256: f25af557b306bb0d1167697227f717995ab39ed747c388e362b17be63b0bd65a
SHA512: b25f7fb090fe7c370e128ca4cb1b01d1cb7e6cc0777d2b38e3f95dce4612430363995424d3443dd6d1df9d80d95dc8008f7aa487f941275c0fc94e0e66bf2114

Filesize: 96KB
MD5: ab2fc7d5397e7dae4aa2c30045e844ce
SHA1: ca65a4bd5092cd55a36143fa1533eecdb7e1a537
SHA256: f11b21909438dd6bc8f11824367e8d674cda45516cc0df397e24464c059ca0c7
SHA512: 468cd12b8929932538a025f6029dc155e2a5c661a3cfe4f0e3dd64f6c8de4ec972204e8b23e3ed72e6c4146bcef8a5825ed862fa10ddb1c309862dadd48858d5

Filesize: 52KB
MD5: b6815b344f6926d458cea05acd052cdd
SHA1: 88f524aff1d4c5fee979a203dd952427871a7097
SHA256: 028666f28ae0086b18fb740f792e8a80ad05547f0c7cb9d2dc8080e5125db366
SHA512: 0431375f80e9c467d0abb042e43681a973bce455fe8354f5a138f19a3b28d3adc7eac3fe4c20bf44f085810749569b87a393185cd8f8bf2687f0923b8de4dade

Filesize: 96KB
MD5: 4d194e6ff0ef4ecc5fda8681b34cadd6
SHA1: 6d047f762a5f2e19e217f155166934e1b5ff1ed0
SHA256: 244a5a590630981a4a5d95904dd597ba746eec730b6546ee42673f04949a9e31
SHA512: 075eb0a819282d827188593447b22de52ed837888e741e8091f6608d273f176cfecd49effd4b654467e7889ccf4b374f82dfa8f1c8c07388436d5e04e23cc3f2

Filesize: 144KB
MD5: ed9b48fcdd553e4329083058a2e60103
SHA1: 7ef3a88276ed3c6ce9a5f5b41ab9e0fe68bdff08
SHA256: c585b21423cee919c4a39e6f86ec0846d6c21c434d0b82030bf034de53fc030c
SHA512: 3a51876e2a3fcf25341f69672d8b82a3e475326b542361f9a3b036e225b505ead0a49e92da86d693bf017684088b22a3365147cf0b74988176d55afeed0c74f9

Filesize: 512B
MD5: fbd69b72ab042fe49c63302d4654e18a
SHA1: 014489492bd38fe66f655c092e403e54a7b9e118
SHA256: d4eda6a2beb3846ee906b1c16df6c93e3b529f54a75dc68e28f6ac7bfcbab1c6
SHA512: 491d1527af0f34d2c3a26e6b58d889bfe6a0d656cc04e880db8d0a8d66a88aee0021e77dc42c1c18232e0e0bc50a7e1e2be48028a8a0975d497869497bab19ab

Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Filesize: 414KB
MD5: 8dbb5c7a468600e4475358d8f795052f
SHA1: f4a780fb9fae4a030b0d2593e1a4044d2f4ff768
SHA256: c74013a0cd3f0176393cd77a5d6183d131fc18ab0e49f7c6ee5409edb11b8af1
SHA512: 3a767a042ef27d5a2384885fd7e234dd7e39caf00cbbae70e0e77af8f4d861ea959258575674f3a45063e09fe1526d22b37905a66ef5562949fea69ea8aa9ded

Filesize: 8KB
MD5: 722b2db20f453c6b8089a42a867ec299
SHA1: b3fdca5ca4e834e802941e45123ab4ca82d23da7
SHA256: 27b9cf17281d25ce6a861825f0e4e6dfc76b76df3ae52c59a855da04854ef13c
SHA512: af2ff25ee93a6c76bab906b1e567b70670c5e64ac8dde9ffdf60e57bd984553c222d0b05ed8e8a3fae575cf5be7422cedebe36b44bbd9e8e28d17531f7fb4a10

Filesize: 8KB
MD5: 9704fa9e2c9d5bd67a7099ab3d52e8c1
SHA1: f2911bb42f4e1cdcd7cafae6d537d06ba19167c3
SHA256: de2f8f6a4bd177afff4410134366d47aaccf71e8d6d00122abc6a53a34c9a06d
SHA512: 5a46b909905da40b1d9d98eed6490524d6b197032d1b3be7f207d574f735867e20ffddb15bef4f65e0f0db7d62d0d3ab6aa58045ca5a10365acc952ef5378122

Filesize: 4KB
MD5: 587f9de9ad5584d2918c74cb562247f1
SHA1: 3b86b6fefa1c7a2fb20f7565b2f479d86852f2e6
SHA256: d8afe151d857c63c8aab1447ef60a77156bce3f0942dfa8fdf32bfe0a484bf42
SHA512: e593ced1c45a1de78a452a96465e4453e37691d36bd5864effbbc153e1804143e8d31e080e1ae9d00a777f8f115ef6f1dac601063aa936952715eafb1853454e

Filesize: 8KB
MD5: a238ff8830a70d9d42bbc8617d80d14e
SHA1: 8221838165ae4cafd6abcf1cc0dd9910a2e02f84
SHA256: 6e71108c2821dd63b804ed2b9312fcf6149f67c6092d5b53e716802e4cf82fe2
SHA512: d9a66bfbb880e103655665cf173c5167e9f58ff4b5b48658ba5526e25890d438dd14707327728a7014bd8e6dc545b856d4cf0454ba3cf6b4c6dc2ff78df9b4a0

Filesize: 418KB
MD5: f2b4a7a68ce03213914e2f3427b8c4e8
SHA1: d54e0090043c2f702e8633c14aacdddca5374b24
SHA256: aa30f8c86441454ba392ba9117a19c62145984fd71ea756580eeddf3e4468eb3
SHA512: 3b7309bee5fdafe49c1e6215e7f790e588accbf41b30d9acc2f150706696532c1af52e93205c64add59f07542c9289dc16d6418747000ff9691532f1b39b0dc1

Filesize: 2.6MB
MD5: ebec0623df12f3d7e493604884e808dd
SHA1: 74fa9c2749e8af6bf4f00bc232089e4ba8876ba7
SHA256: 546b24036b300cfb4b6f17e5df3a0b14015d2eb4d654faee2283526f337e1d2c
SHA512: d404aca340c2461c5611b0e4822d552ddae48771ab059e1b13edd3493031e9f0b0d95fa82b6584f6b75bfdc5bb54b76526cc4790cda994b6405a275a48ea8ea2

Filesize: 1.2MB
MD5: 51112e0a7f7962a8e02bc885025414ef
SHA1: 40622959af4fe349d8881c885b9b30441de8804c
SHA256: 2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0
SHA512: f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402

Filesize: 173B
MD5: 512a6f97bd31e7268c18bf7ec3f2a68b
SHA1: 3f62a86b0da15b981bb698aa098aaa830a8aa1fa
SHA256: b48c23601d61fec3b5ea9fe9cc5a761edb4e9b80ac0f8e84c0a564a1c82ceb4a
SHA512: 203f1e586008fe078ef3e733a73216c732c0f9e3258718768a8d6c198ca1c9d96ce73d6693f0e78a8648a29c03703336cbde3bc3e15ff50ce3615ed0adf40b43

Filesize: 152B
MD5: 368cc533a74aeb4a365633c3b5b466cb
SHA1: 9c114ad5adf22df7a4c85022fc44996af16803f7
SHA256: 935dfc5550ab57377fe261f8bf50874337ac61e0e71db85772b304c840b14b5e
SHA512: dc01fc1de26d1d486a981c8d7ce9406dcdbe7da7daba7afb2afb61770d52ca05704fbd3c8ab488540e52736df19d1c3122c665fd35dd5dee910ec1013c8fa0b5

Filesize: 3KB
MD5: c1f162f5ed34ce9edf53e9295bbf988c
SHA1: 7f4ac0e244520aa91ad7b83276f56c20a3e9b5a4
SHA256: f0c644a9122727c1726d4488b29dd2dbe41b3fc1a176b2db04c9363758dd2d44
SHA512: 93b35ae06e4994e2a01f448a186167e9911f714771c6dbc2007c7b7a88676b60330cc59c073be37dc0c32f5206b2c590d349f7f4713bc388eb7de793ab945418

Filesize: 64B
MD5: 012fcc916c79a5a8410295a73608c99c
SHA1: 0faaf2b226efb8ec64de5a747e7afa9f3954d856
SHA256: 10fb25d04eabc3333a9bc9c18cb8ba9d5150e2573327c823154acf4e60851542
SHA512: edc816d4a36fdba2eb1853f7a26000c2810de477ebc28eb4a276a647b2a621e46fadde482cfb06cf8756c4f17f9f9d6b756e7c124b55a698633675816c05d5f6

Filesize: 72B
MD5: f5becc4c054f120acf9af371c2cffc8d
SHA1: 65c98b461fc92763c40b3408083e21a26667d7ab
SHA256: 923eb31c6a56d14cc689dd152bd6c5ad1e393f10bb5df859b9c7f8696fa72229
SHA512: 7c46694c8bb04f164f17e5e1cad1d7ebbd107499d41cd0016741f55d170369663ca1ec371434997e88c3f7c514444ca8e57b0fc1f36eed373154a410f3d112bf

Filesize: 163B
MD5: 1a3961f58485bf76edfcc1c13ff25d43
SHA1: 932a683a99fcc346d62048c6288c3a7f34b954c6
SHA256: a92026661a878f98053f4bc4f8f9ee5d68f21b039584312e013e066012ec569a
SHA512: e81f3b02344a4178e9cf91fcfdf770593ea1377ef17c77a3745d89e2e81d1ab2da69d8e9611ecb0eb5aefc7990708788e6ff04ca49cb698fdb32fb075d62b333

Filesize: 134B
MD5: 218674ff3954a106d5b7665aa4372e38
SHA1: 87496a3917d3a1e4919f24c0bf8a1b772adab1f5
SHA256: 1ab0f039083fbc526c1f599cc4172eb502cbf00abc878dc9d4dbff1f2ecf4396
SHA512: e239878c96093228217efcc2b229337afb7770d78ec07eb8bf1aa191f2b6c384546a46d80555b31f9e63054a0535c429caa8783b2d3e770d9d24f1c90de5dd17

Filesize: 25KB
MD5: 16ced1569363e39c6136f5c3008289d5
SHA1: e9897fbb4f841ecaa138444941a3fdee615661ec
SHA256: af284375ce2b1b83dce5be27985f38006634e29c6111158a64661ffba3fae9c5
SHA512: 903fe0a19b09892c4e509934a3e069333f491adb89663d3c000ef16a80f1efb6891491586d3cb20c2032f32d515592c430baf44d37df58594e47e4afe1b72c5a

Filesize: 6KB
MD5: 5984629a32344367ad1982c528b62d90
SHA1: 12c976627ff95475f8aafd9ceb880eb76a20091f
SHA256: f5a3abfec9d53681770f9d0d17568edfdb898ceb2e4a99d179b522033a986648
SHA512: eb539de983813432d0cd507101008bff0a4e0e621ec29a29e5b9c7918cca87ba0fe28cb9eeb4e74aea2efd43ef340b1eed6e89855b612a270784010cbdd5af42

Filesize: 220B
MD5: d30606d27496cdd89b86069edc247138
SHA1: dd735686409a42c11ce94922f12eaff893d0432c
SHA256: a344ca70e7c7eb8eb816df72aaa8ac0ae5502e60f41fb5f0df4c2634600b710f
SHA512: 3ae8be844aa29aa1ace83269b2eac3e786ff974439919b31c1fb0b25afccb37a045844d000602b8b9de054611f6506ae225467ceb969b6ea339b76d2c6ff6128

Filesize: 73B
MD5: 647e6c66ab347eab81c9d3ea0462cbb8
SHA1: 18fc7323e638dd74eb14290c550b6af4d9957ab9
SHA256: 4a5fbe96836d0122c584507966ecacafb22e8542a80922cc7198b59fc1287a54
SHA512: 721e0b6fa92636dc0b310f16b4d9aa2f0c34c0544d5df4cda47a07fc2f2a1a7a5029bc175a2d24d751d0cb1664475f3642631c4a92a462b3cc8b7f4b65aac2dc

Filesize: 2.6MB
MD5: c804156b95a21c4bf0b1e2c8a133894a
SHA1: dab8c525d3c86618f2f70a8de71979df529e959f
SHA256: 395c690bb3c3ec85b3c36ae8498ebbb895b71e745acf9e7f120578a9033d9a68
SHA512: 52110dadace88fb28be4d9289d797346d5b4e4dc753279769101be18e7d2fa90c2b315e9cff2f89e694c2e0a64f943002116e46c4807ead7d852adc2cf54e7e4

Filesize: 1.2MB
MD5: 336921950a9f279733cd787f1203d73d
SHA1: cefc36a7c17909054cf2a507b34f545af96c0e36
SHA256: c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c
SHA512: 6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87