andrmonitor | ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df

Analysis

max time kernel
130s
max time network
150s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
01-10-2024 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df.apk
Size

20.5MB
MD5

adcdbe1e25a3e03ae1e454363012432e
SHA1

83381d32b8a6ce9854e8e7213a6c90ac3e17f011
SHA256

ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df
SHA512

597546c877c4ac04c910f123c3bfbe236a342e61ff7a94ddcf1639401da76b04df858da2bbf145c8d10cdfe299f2b946d7ebe75554afd6f749acc8f4d387f9d6
SSDEEP

393216:3OsJA35z7A79L+r2d1mbgafiubcnZbb3T9i/zVN2I+TXadaKpPbNiRSKcsjJY:3RJA35z7c5zrmbBffcZb1i/zVN2IkKk4

Score

10^/10

andrmonitor banker collection discovery evasion execution infostealer persistence spyware stealth trojan

Malware Config

Signatures

AndrMonitor
AndrMonitor is an Android stalkerware.
trojan infostealer spyware andrmonitor

Checks if the Android device is rooted. 1 TTPs 3 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/system/app/Superuser.apk	xuzjgkd.sstlojddh
/sbin/su	xuzjgkd.sstlojddh
/system/bin/su	xuzjgkd.sstlojddh

Removes its main activity from the application launcher 1 TTPs 2 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4785	xuzjgkd.sstlojddh
4785	xuzjgkd.sstlojddh

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/xuzjgkd.sstlojddh/[email protected]	4785	xuzjgkd.sstlojddh
/data/user/0/xuzjgkd.sstlojddh/[email protected]	4785	xuzjgkd.sstlojddh

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Queries account information for other applications stored on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	xuzjgkd.sstlojddh

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	xuzjgkd.sstlojddh

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 5 IoCs

flow	ioc
25	prog-money.com
26	prog-money.com
27	anmon.name
28	anmon.name
29	andmon.name

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	xuzjgkd.sstlojddh

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	xuzjgkd.sstlojddh

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests cell location 1 TTPs 1 IoCs

Uses Android APIs to to get current cell information.

collection discovery

Location Tracking

T1430

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	xuzjgkd.sstlojddh

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	xuzjgkd.sstlojddh

xuzjgkd.sstlojddh
1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests cell location
- Schedules tasks to execute at a specified time
PID:4785

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Credential Access

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/xuzjgkd.sstlojddh/[email protected]

Filesize
2.6MB

MD5
c804156b95a21c4bf0b1e2c8a133894a

SHA1
dab8c525d3c86618f2f70a8de71979df529e959f

SHA256
395c690bb3c3ec85b3c36ae8498ebbb895b71e745acf9e7f120578a9033d9a68

SHA512
52110dadace88fb28be4d9289d797346d5b4e4dc753279769101be18e7d2fa90c2b315e9cff2f89e694c2e0a64f943002116e46c4807ead7d852adc2cf54e7e4

Download Submit
/data/user/0/xuzjgkd.sstlojddh/[email protected]

Filesize
1.2MB

MD5
336921950a9f279733cd787f1203d73d

SHA1
cefc36a7c17909054cf2a507b34f545af96c0e36

SHA256
c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c

SHA512
6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87

Download Submit
/data/user/0/xuzjgkd.sstlojddh/databases/SettingsDB

Filesize
124KB

MD5
f15335a640f24813c9b345c99da7e16d

SHA1
a0e7fdc85b3c1420bf342676be577f146f5dce49

SHA256
6baf6ee8c7c503ed9962ff49957fe3c0b707171d1913450d97c84856a6ae31b9

SHA512
5f51ec199de29b23e398d143c4f0faf58ba655a4f455ecafd5b6303c0ef428f3165f5db49daf4697f1dba3033da51113730ee5ad158a9ea9f8f6b9a10b044f19

Download Submit
/data/user/0/xuzjgkd.sstlojddh/databases/SettingsDB

Filesize
96KB

MD5
92396e2c736e058f2e04d28b1185a888

SHA1
6313210b6698c737fa2aef80bb27fa706dc540aa

SHA256
4ec47b6a900cdd24a92f57f8fafe350de913079783e58923caa1785604586297

SHA512
0e7c8830bd39bdbb21bb50757afd381b67671fcec7febafbc595b1e3f337b5ca12c80d72d8b2207d759d81f5e6daa004f52578ea3cf9599e6254dc2b9560d6b0

Download Submit
/data/user/0/xuzjgkd.sstlojddh/databases/SettingsDB

Filesize
96KB

MD5
786a56d330bcdfe5cc8c49ddb723c9b7

SHA1
eedc8212417b399a2be1d05aaa7810920cf5255f

SHA256
bc7a59a04a909845a65ee87d5118a7c6ec9fe1715dc598c26d91c0ada8191589

SHA512
f1dd37e4aebf7f7e64e0860eeeb14ebab5d7737c4ea3ea533dad8cfe8876bfd89d0eb695ae1b2372e1aaeb7d01f9f690ca670b5d01b14759442789dd7c6b9669

Download Submit
/data/user/0/xuzjgkd.sstlojddh/databases/SettingsDB

Filesize
96KB

MD5
bb33c1de3a829b151e91c8b6132081de

SHA1
f8e81c3c96e5c64c6506c18190b343add036c71d

SHA256
e068e76b9032d0fd28830f239beee7a223e2b7bb4cf38b4e4a87332644421c74

SHA512
df1eaa5433b9d9ba080d3a8873ec1a346d13e53fe41ea63d265f15233b17489d839789b44946f40c8d026e90ebe9b38f2c36580cffeeb843a9a9531c4589272e

Download Submit
/data/user/0/xuzjgkd.sstlojddh/databases/SettingsDB

Filesize
96KB

MD5
72caa13223b874a1903aac995e2b7a12

SHA1
c7da8b299aea90a152d5568ff6b668fac3b584ea

SHA256
3010182e68efba75d645950ab1840976e28e17cfe6cfb1958498b1fda7f667c5

SHA512
cf8199b2a7d8c1e1a93c617f90536c4a25b8b2f84cb3d114a68c1813188f5499d4ccb5509f0cdd99e41c40d44c449a34dd97bd236870bc41e9ad50b66d0e5fdc

Download Submit
/data/user/0/xuzjgkd.sstlojddh/databases/SettingsDB

Filesize
172KB

MD5
1ef91a3e2a76d8e4182381046699eaca

SHA1
bf3cdf44f23c37cae7aa661d4ccd22db87fbfe52

SHA256
1036872d0570256138c29a35977c0f5c84e6f07cb208b2f18777edb33f3a4fb5

SHA512
438a24a8b6fc9fc40b46c3d397da8bdc5b99e3652f1a975e16c0e494b9c30d6909195a250a9a48165e4a973edd53fb03b7613aca1227bcb492f3ed30058e0628

Download Submit
/data/user/0/xuzjgkd.sstlojddh/databases/SettingsDB-journal

Filesize
512B

MD5
2097e423fd55f3e6798171b3e05b5264

SHA1
68ab106fb868520705237eae75b96ed13d3a8431

SHA256
e2fe2465b8e71b064b85765dea179ab189c8ee96f732c666f51694ca9d4bd994

SHA512
c5f07b7c07ddec558445577686532552d7f64ac486bcbb608d982051d4a3678437825164f22452517bbdfdb154dc9acdad453a8b80e3d6b65637a0ae72d33757

Download Submit
/data/user/0/xuzjgkd.sstlojddh/databases/SettingsDB-journal

Filesize
8KB

MD5
3b16d77af82f39d2d334c93f9a4cba05

SHA1
672a09aed4c4262506b6a4d569e0bf2abbc75261

SHA256
0036595de8a2d2a10ce75844da0721cd951d849b20a0137c6883e8071504598a

SHA512
d54c5c32c3bca32b0db88b4385122df1f41fea5d919287623ad0edf0ecafbf5397d4ae29aad07d7930634804f907a12c710ddda4780b78c1d7e48e2193471046

Download Submit
/data/user/0/xuzjgkd.sstlojddh/databases/SettingsDB-journal

Filesize
4KB

MD5
b1767dd1f2a1e7b83f99cb293747dc9f

SHA1
de675937211a044e86358961ab00304b0c59fbf0

SHA256
3ae617744478c84ba057ebd9a047cab9b64f5d31f81b8ff2aed5c97f90d7ddc2

SHA512
9adb6d2ab0c360ecc45b87dbbb097a42951c9a27259c3f8378cfedd59ebc0e4bebda678998fc2a7de0efe9aecc43a1dc567209b1cbd9cbd1a10dd9942d94fcbf

Download Submit
/data/user/0/xuzjgkd.sstlojddh/databases/SettingsDB-journal

Filesize
8KB

MD5
063847f4dac9f36ed4d50f01d16926ed

SHA1
3a4f30634e23f85607644c0562c5a90c1ad6eb8b

SHA256
2f5bfdedba7d6d7fd3d9f89d845ba94c18d867fb26750774dfb6cc068e651216

SHA512
a9b0324cf187abf34a0ccb7701c3aea53b8b56d7d1fc45d027286d22469806df966334fb4ab964ae3b3cbd46c69927e634d175dca6737eed1fcd0ee262015509

Download Submit
/data/user/0/xuzjgkd.sstlojddh/databases/SettingsDB-journal

Filesize
12KB

MD5
285d357ccffd74876418c123c07c2f04

SHA1
7f070b750810a7779188c217ee8226707ad8a4ab

SHA256
854ca031a81fd2c36bf312671a15b4f85f7564260b581cb50e3cce310d864bf7

SHA512
8d426cfec7d439572c447b1f78a18717c8b8a690148e6b640faa1df4151eec7eb3f22b7334f84b342a70458eafcf3d7e726020191206e4fc733d36f278ef6841

Download Submit
/data/user/0/xuzjgkd.sstlojddh/databases/SettingsDB-journal

Filesize
24KB

MD5
02755c813e5628217910d04525955af6

SHA1
9248d39ff446502e3eb8966e66a33f956d4caa0d

SHA256
13d6a249f580a4b0d6b9f030a2472bddb2a0935590eb12e45e6f9e7b511bac1e

SHA512
862b178d1a31e311b9087a02bed2ca5c7795543b796da7c521d2861ce2cb73eecde7acf5861ac9f25a7fb979e07b20ad0d256701cdc31094cb143ad89c95f2ad

Download Submit
/storage/emulated/0/.am/dm/md/main.md

Filesize
2.6MB

MD5
ebec0623df12f3d7e493604884e808dd

SHA1
74fa9c2749e8af6bf4f00bc232089e4ba8876ba7

SHA256
546b24036b300cfb4b6f17e5df3a0b14015d2eb4d654faee2283526f337e1d2c

SHA512
d404aca340c2461c5611b0e4822d552ddae48771ab059e1b13edd3493031e9f0b0d95fa82b6584f6b75bfdc5bb54b76526cc4790cda994b6405a275a48ea8ea2

Download Submit
/storage/emulated/0/.am/dm/md/main_tools.md

Filesize
1.2MB

MD5
51112e0a7f7962a8e02bc885025414ef

SHA1
40622959af4fe349d8881c885b9b30441de8804c

SHA256
2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0

SHA512
f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
173B

MD5
7d510658202f707f078c3b87cb78ddaf

SHA1
86a18e271146b23896b9b05f41b18201638e1e57

SHA256
91133c478c1e0964ac84020bf4dc4e934fc7fe54b2f55e3272774ebdaae2b8f9

SHA512
bca0c78edf1b98b2a5d38b49ec5e27d47520bf5211684dca120084e10146e915fd0f8271f55470398c1d0c283c2497cc529a89b6543abc1cba7f38df216d6b60

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
152B

MD5
7c8d9788781f043d38f07cc6de7c46af

SHA1
b4143505999aec600ea075b22e1b20913c830b09

SHA256
fe7036e1fe60c561eaf9c922a04ba52e27446fb8c42b71a4a11de970f2e1a9a3

SHA512
5a7f4059d5981bee0a6be12405614e0d30cc6dfcaae01b2e5b8db09855993f1856324914056f0bc0b5254f845fb7df9a3baa9324c395c13f0bf85ef6683f2249

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
4KB

MD5
696420f8f86333d970c26ed2e7b4ed29

SHA1
9fed85b80c729b163e87b37a4794a20519627685

SHA256
c86bf56ce9c74c51647eb65ae310584825b626d432088e8bc377b7967cf4b7c2

SHA512
d64a98f6c3c60e410b2855eb61dfa53cd3c776e8ee77b4000cb49fdc1b0b9d8017d15cc76abfc3025588085a046f99113139d9dc4e285f27d2448066f02db5ec

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
64B

MD5
973e3fc6c92b0eda1348d4d0270b8a24

SHA1
f8b357be4268944b877b24e8d5fb000c5eabc964

SHA256
3aa132147f3cf649cc1d621bde9cdd749f8efbcbd6fc054fb6cf7f61be0a6d94

SHA512
a1c455b398872cac7a3b64dea996435179cf88129ed1d0820b0c6593bf5a1c3493c0734604322a7c54852cfb9d9367f43d29a02ed5429469c9b18b36634ff013

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
72B

MD5
ed084f9d114efef086edaa32981bc513

SHA1
6d8fa2fd27761cefca7868584ddabc798b80844f

SHA256
6fe5aecc47d3b29eb93c6e37df3958d6d1162ff6a3decba8c6744d1dd2f197bc

SHA512
8515b4b4e17e4ab34cad9d432c14e3b6f2c675f219ba969530369c26d0dff51adaab5bfab198a6d295a8a2cb9f33fb61689bc3433bce4ee72f4a66b2c375fa34

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
193B

MD5
36b8e6e8d8dfa3092a62aeb3212b270d

SHA1
461d25c6a4b3bf73b23cc8ec44ad313ca2f28d18

SHA256
d3d9b6675a4e57faba48fff39fe4a01e2e7017b113b1ec6a4a751463d77ace0d

SHA512
c4fcf550a27d5b059cac9093af8a1a358f1abd5f4666d3a9cfb53afecca9cd7bbb15053991a0030258a01663c6a638e05f9eedd2bb8561289bf1c12301ae0dc1

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
134B

MD5
f1198184b8c171a40b0995df9e55101b

SHA1
9d968bd375410afbf057c5fb5286c74d6d6683b2

SHA256
5e2b674467d53a6427f46a78185ae0073354dbd282eb0663996f0ae9717e6d4b

SHA512
86d5c24fc0d0cb608e765f0d02faa3b191d748d526fd52499cf980b6748f64371176012b215abba44d898db3b9482e28b3977e7d7d66b9db1df15d0c9aa0e32b

Download Submit
/storage/emulated/0/.am/log_.txt

Filesize
26KB

MD5
7583c12c75670b39d03b96ceaa2e2f9b

SHA1
f323c03cce06d2d0e68ba6f2db50c30326ad8415

SHA256
6842d533ee03f8a31db6a09682f85923446f08368227184a6ea21e902dd3c7f5

SHA512
00713f28881a56222cc8d5ae3ddc31929fffad5e9083c5b72290664ecbf29f53c24a5ae81862d5c59e42c5a1911f97bcc935d5123665b5e8b816004df1b2cb87

Download Submit
/storage/emulated/0/.am/log_.txt.zip

Filesize
6KB

MD5
8dff111ec4047bfb45590c4e9749a660

SHA1
2a2e0e591982674d79cb8ad67143296943629314

SHA256
5b3d2c5df9ac61787d8b3953ea9aad1a58bbd082f3c18ae90545a8856552ffbc

SHA512
75a7465aef319d9d44683ab7779370e62324dab0dc1af9d33f6565379f014e9e48ea8173e4f23a1090f202a0d0d2be069392003a7cf61a563a67fc35b056da18

Download Submit
/storage/emulated/0/.am/log_1727769154733.txt.zip

Filesize
220B

MD5
5337d9598036fe3998e3fdef0c84daca

SHA1
3420ad6965e48c863a38a8b5c093cb1ef35aa69f

SHA256
7453fa05de5b080ee6a22f6c63a3507852e48826d6a7f090b2e4bc44c6ecf59c

SHA512
181033244d765cbc5c28de8f307ecb982677146313b2d494bf250ad16c74e6dc83979795cacaca639dc5a3404070c7818ce8df63f766f4c6cc095ef3d9e4ebf0

Download Submit
/storage/emulated/0/.am/prog_class.name

Filesize
73B

MD5
647e6c66ab347eab81c9d3ea0462cbb8

SHA1
18fc7323e638dd74eb14290c550b6af4d9957ab9

SHA256
4a5fbe96836d0122c584507966ecacafb22e8542a80922cc7198b59fc1287a54

SHA512
721e0b6fa92636dc0b310f16b4d9aa2f0c34c0544d5df4cda47a07fc2f2a1a7a5029bc175a2d24d751d0cb1664475f3642631c4a92a462b3cc8b7f4b65aac2dc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads