Analysis

  • max time kernel
    137s
  • max time network
    145s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    02-10-2024 01:41

General

  • Target

    ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df.apk

  • Size

    20.5MB

  • MD5

    adcdbe1e25a3e03ae1e454363012432e

  • SHA1

    83381d32b8a6ce9854e8e7213a6c90ac3e17f011

  • SHA256

    ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df

  • SHA512

    597546c877c4ac04c910f123c3bfbe236a342e61ff7a94ddcf1639401da76b04df858da2bbf145c8d10cdfe299f2b946d7ebe75554afd6f749acc8f4d387f9d6

  • SSDEEP

    393216:3OsJA35z7A79L+r2d1mbgafiubcnZbb3T9i/zVN2I+TXadaKpPbNiRSKcsjJY:3RJA35z7c5zrmbBffcZb1i/zVN2IkKk4

Signatures

  • AndrMonitor

    AndrMonitor is Android stalkerware.

  • Checks if the Android device is rooted. 1 TTPs 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 3 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests cell location 1 TTPs 1 IoCs

    Uses Android APIs to get current cell information.

  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • xuzjgkd.sstlojddh
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Requests cell location
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    PID:4251
    • su
      2⤵
        PID:4291

    Downloads
