Analysis
-
max time kernel
137s -
max time network
145s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system -
submitted
02-10-2024 01:41
Behavioral task
behavioral1
Sample
ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df.apk
-
Size
20.5MB
-
MD5
adcdbe1e25a3e03ae1e454363012432e
-
SHA1
83381d32b8a6ce9854e8e7213a6c90ac3e17f011
-
SHA256
ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df
-
SHA512
597546c877c4ac04c910f123c3bfbe236a342e61ff7a94ddcf1639401da76b04df858da2bbf145c8d10cdfe299f2b946d7ebe75554afd6f749acc8f4d387f9d6
-
SSDEEP
393216:3OsJA35z7A79L+r2d1mbgafiubcnZbb3T9i/zVN2I+TXadaKpPbNiRSKcsjJY:3RJA35z7c5zrmbBffcZb1i/zVN2IkKk4
Malware Config
Signatures
-
AndrMonitor
AndrMonitor is an Android stalkerware.
-
Checks if the Android device is rooted. 1 TTPs 2 IoCs
ioc                        Process
/system/app/Superuser.apk  xuzjgkd.sstlojddh
/sbin/su                   xuzjgkd.sstlojddh
pid   Process
4251  xuzjgkd.sstlojddh
4251  xuzjgkd.sstlojddh
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc                                      pid   Process
Anonymous-DexFile@0xd2642000-0xd28d3640  4251  xuzjgkd.sstlojddh
Anonymous-DexFile@0xd23ea000-0xd25154b8  4251  xuzjgkd.sstlojddh
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
description             ioc                                           Process
Framework service call  android.accounts.IAccountManager.getAccounts  xuzjgkd.sstlojddh
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description             ioc                                       Process
Framework service call  android.os.IPowerManager.acquireWakeLock  xuzjgkd.sstlojddh
-
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 3 IoCs
flow  ioc
4     prog-money.com
6     anmon.name
11    andmon.name
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description             ioc                                                Process
Framework service call  android.app.IActivityManager.setServiceForeground  xuzjgkd.sstlojddh
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description             ioc                                             Process
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  xuzjgkd.sstlojddh
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests cell location 1 TTPs 1 IoCs
Uses Android APIs to get current cell information.
description             ioc                                                      Process
Framework service call  com.android.internal.telephony.ITelephony.getAllCellInfo  xuzjgkd.sstlojddh
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description             ioc                                             Process
Framework service call  android.app.IActivityManager.registerReceiver   xuzjgkd.sstlojddh
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description             ioc                                     Process
Framework service call  android.app.job.IJobScheduler.schedule  xuzjgkd.sstlojddh
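As an added example (not part of this report and not the sandbox's own tooling), the script below shows how the behavioural indicators listed in the signatures above can be turned into a small detection routine run over a sandbox event log. The event lines are constructed for this example; the file paths, framework service calls, anonymous DEX ranges and domains are copied from the report, while the event record format, the shortened signature names and the flagging rule in stalkerware_verdict (root probe plus anonymous DEX loading plus a minimum number of distinct signatures) are assumptions made for illustration.

```python
"""Match sandbox behaviour events against the indicators from this report.

Added example; not part of the original report or the sandbox's own code.
The event log below is constructed to mirror what the report lists; the
event format and the verdict rule are assumptions for illustration.
"""
import re
from collections import defaultdict

# Indicators copied from the report's signature section.
ROOT_PROBE_PATHS = {"/system/app/Superuser.apk", "/sbin/su"}
STALKERWARE_DOMAINS = {"prog-money.com", "anmon.name", "andmon.name"}
SENSITIVE_CALLS = {
    "android.accounts.IAccountManager.getAccounts": "Queries account information",
    "android.net.wifi.IWifiManager.getConnectionInfo": "Queries Wi-Fi connection",
    "com.android.internal.telephony.ITelephony.getAllCellInfo": "Requests cell location",
    "android.app.IActivityManager.setServiceForeground": "Foreground persistence",
    "android.app.job.IJobScheduler.schedule": "Schedules tasks",
    "android.app.IActivityManager.registerReceiver": "Registers broadcast receiver",
    "android.os.IPowerManager.acquireWakeLock": "Acquires wake lock",
}
# In-memory DEX mappings show up as Anonymous-DexFile@<start>-<end> in the report.
ANON_DEX = re.compile(r"Anonymous-DexFile@0x[0-9a-f]+-0x[0-9a-f]+")

# Constructed event log (assumed format): "<kind> <pid> <process> <detail>".
SAMPLE_EVENTS = """\
file_access 4251 xuzjgkd.sstlojddh /system/app/Superuser.apk
file_access 4251 xuzjgkd.sstlojddh /sbin/su
dex_load 4251 xuzjgkd.sstlojddh Anonymous-DexFile@0xd2642000-0xd28d3640
dex_load 4251 xuzjgkd.sstlojddh Anonymous-DexFile@0xd23ea000-0xd25154b8
binder_call 4251 xuzjgkd.sstlojddh android.accounts.IAccountManager.getAccounts
binder_call 4251 xuzjgkd.sstlojddh android.app.IActivityManager.setServiceForeground
binder_call 4251 xuzjgkd.sstlojddh android.app.job.IJobScheduler.schedule
dns 4251 xuzjgkd.sstlojddh anmon.name
dns 4251 xuzjgkd.sstlojddh andmon.name
dns 4251 xuzjgkd.sstlojddh example.org
file_access 4302 com.android.settings /sbin/su
"""


def parse_event(line):
    """Split one record into (kind, pid, process, detail)."""
    kind, pid, proc, detail = line.split(None, 3)
    return kind, int(pid), proc, detail


def match_events(text):
    """Return {"process(pid)": {signature: [ioc, ...]}} for every indicator hit."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, pid, proc, detail = parse_event(line)
        key = f"{proc}({pid})"
        if kind == "file_access" and detail in ROOT_PROBE_PATHS:
            hits[key]["Checks if the device is rooted"].append(detail)
        elif kind == "dex_load" and ANON_DEX.fullmatch(detail):
            hits[key]["Loads dropped Dex/Jar"].append(detail)
        elif kind == "binder_call" and detail in SENSITIVE_CALLS:
            hits[key][SENSITIVE_CALLS[detail]].append(detail)
        elif kind == "dns" and detail in STALKERWARE_DOMAINS:
            hits[key]["Stalkerware domain"].append(detail)
    return {proc: dict(sigs) for proc, sigs in hits.items()}


def stalkerware_verdict(hits, min_signatures=3):
    """Assumed rule: flag a process that both probes for root and loads
    anonymous DEX, and trips at least min_signatures distinct signatures.
    A lone su probe (e.g. from a settings app) is not enough on its own."""
    flagged = []
    for proc, sigs in hits.items():
        if ("Checks if the device is rooted" in sigs
                and "Loads dropped Dex/Jar" in sigs
                and len(sigs) >= min_signatures):
            flagged.append(proc)
    return sorted(flagged)


if __name__ == "__main__":
    results = match_events(SAMPLE_EVENTS)
    for proc, sigs in results.items():
        print(proc)
        for sig, iocs in sigs.items():
            print(f"  {sig}: {', '.join(iocs)}")
    print("flagged:", stalkerware_verdict(results))
```

Only the sample process combining the root probe, the anonymous DEX mappings, the framework calls and the echap.eu.org domains is flagged; the second process that merely stats /sbin/su is reported but not flagged, which is the distinction a triage rule needs to make, since benign apps also probe for root.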
Processes
-
xuzjgkd.sstlojddh (PID: 4251)
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests cell location
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
    child process: su (PID: 4291)
-
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1): Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1): Suppress Application Icon (1)
Downloads
-
Filesize 124KB
MD5 4c0ccabb25100a908b9db06434a6af8b
SHA1 555d9ecfa42e17aec483e1c05be0fc1362db9e66
SHA256 79aee6f8af24ae6adc8537de3a061bde3778d3d9634265b85b3e8727d4116304
SHA512 b9a4a1227fa927f0ef987a720c5bf16af71f3fba8c1a40d5387ad0d4ba193a1b7b23634b0850af7c25b55c8b2e984e7c84ab8fb3e55c83b3bc2ff859f4dcc5bb
-
Filesize 96KB
MD5 c0600806ec860180471e66c22d48576b
SHA1 d8fd424be0d7d6f21a0ea9a0d80179733523e837
SHA256 adbb80d7812d3a540435fb8ad1f532879d8b67b20b5b93099cb4d5295b98af88
SHA512 89901f1b51cb700e566aeacbb7951ce406e3d13508cb53a35607e91988ba2f8c17c7abb555b6cfc6409923fb7b45d116e13ce3894aef806edf2aa301b451adfe
-
Filesize 96KB
MD5 1c6f1542a13630b9fae9be8e30c81048
SHA1 ea9fe00fcad5395850afa6086e745986bfebe628
SHA256 02f7f5729cf5f28a0459c3864bfc0daf34797bb2d88027b1bc6afe021631c3c1
SHA512 7b839e307668223358d08efd18584729373afd83263ff3a837cfcb969bec7ba39edb8feb2e2ab99c995a870bb49810d4ab2fb30140d2991c6c266a50ec55a2ea
-
Filesize 52KB
MD5 b6815b344f6926d458cea05acd052cdd
SHA1 88f524aff1d4c5fee979a203dd952427871a7097
SHA256 028666f28ae0086b18fb740f792e8a80ad05547f0c7cb9d2dc8080e5125db366
SHA512 0431375f80e9c467d0abb042e43681a973bce455fe8354f5a138f19a3b28d3adc7eac3fe4c20bf44f085810749569b87a393185cd8f8bf2687f0923b8de4dade
-
Filesize 96KB
MD5 a7c76127f830b7f2259a453621f6601d
SHA1 d4fc5cae8fd91cccca7c43f85a7928523136cf56
SHA256 20157795e7e17e769e76c8f95a89e0387925c2714dd3431c76a09faf283765c0
SHA512 d358cd3d530b43c5987d2d8c87bce5f02ce58bc5a90101364965cd9df0b853970d72a05421a0627f72f1f20834028493de886ce4c795011ebf535ac133a8ce5a
-
Filesize 144KB
MD5 46a5c6252252921f59d81beb19f35712
SHA1 4f6cff86f15103c4011601e673b13d60217420f9
SHA256 086f3c5c33b1f6cf18e12087a1244b33bc5faba38c324dd4fc5cd466db1121cf
SHA512 ee07c8fb5ce4fce396727855e3a36126f22aecd6657891a2e75d83d4b79f2001de75110bce98195cc6d73035bda3099b5f51348f5d7c58d4a33224d562a9a3bc
-
Filesize 512B
MD5 ebd67c59c81ba234b09643c7bdc352e4
SHA1 4e45a3bef27ba25658e94a56bd64128e8f50bf29
SHA256 b87fe0a54bfaaa7fa38c5a54848293f0dfba15d5669d6cb49e038219c48a8997
SHA512 68c52491c760d03e142cfb05cbabd5559f77f0e512a62accc0996ec4cf508eba184fadb3473879a9e2d7c022b8cc6c004ca9ce244352a3994e6b8243de9fe4c2
-
Filesize 32KB
MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize 414KB
MD5 b0adfb85fb403b805fa2180710dcf156
SHA1 73ae23fbc00e309007e029da8862544b7c18436b
SHA256 46c3bd33873c1b24f1da22708281f7b4982cc57bf55ad9a1a413f12d8da5db69
SHA512 2e28e2ede262cb6961738bfde9bf0bb59a98329a7230562fe7aefd28b9b0e95f0b5af521fb49b821d8bc4800ff1ab13502f3dd5b0f72b8a064152a75dd86f5e0
-
Filesize 8KB
MD5 f510bb0d3297be91c7a352a19aabab42
SHA1 3499fa92bbcc2e8d59f6102f550509db017e442c
SHA256 818f75d8a99a3b291c0b84bedc2a798455339d269722875e3fc19fb90ff85a90
SHA512 70194122f8b3c4aaf71f0f5a00317e0a67abd779281604da108fdd038b86abb453d1bef77caf5d36766e51b68e2ed4a45d8726911352e5136c1d2ee7783201a3
-
Filesize 8KB
MD5 6224f5741f4c163409ec2adf38e7e726
SHA1 71224918d038977c3ba845b907fab81a237f8ff2
SHA256 f146063bc5f232ee4aa07326e2df1f22e030781a9610ae95d7937ad0ca1fb21b
SHA512 d5a7aa0baa3acaa401800a4b6d284a8ab210514c25ca9600c0878e3bb20c5525a68ea93b2984b5baabe0b2ce413db845ce646ba64e418f7a75d0fc805c4377d3
-
Filesize 4KB
MD5 1be5ec03ec13e6ecfb3cb487008f809b
SHA1 514cdd2c4d222ac7b2bdf7df0dde779b5d56b039
SHA256 2d814aeb85e578e37422898dd2b43275853cb9db686fb67c388cefbe1d9924af
SHA512 cf489cb5121a7d3112eae672b93eb19fb231d1e849b2ec4c48474fb41d487a3e65628cd2246417485f294789a543bb8208c46b95c0eeb2b08065ae5858d79bc2
-
Filesize 8KB
MD5 c4c1559a3b9e0b4e6fde026149b0ade8
SHA1 bbfa76e65eeaf8dfd07c9343907ba9da1f25fd37
SHA256 90e5274e26265063150e6d6aaa9ce3783310a8dfd86c1f00c9283f07de5be001
SHA512 3427996289f4fbb923ce23c9e384cf5629e4f43d23397e255b6f0cede944e3d536226a129cbe8143e4df19f12c298075fe9075d2601f88cc98066ea54ba63e3f
-
Filesize 418KB
MD5 7650d77e4db691c5a5e0e1fbc22a9b49
SHA1 70a9c058b733b6671d2fd03c94515efc06e48e3d
SHA256 7edc6111517febab8e1cc7fbb4f6208933c5d2fb41b1733a10dc1acaa556a919
SHA512 214004d5674e269dec4d33fb12fa3a22ea3df6da9cc17ad0beef30735c1663c03644f94f266e792f4c0a0fce4936a03f622970102f879f98379e3165b6b4808e
-
Filesize 2.6MB
MD5 ebec0623df12f3d7e493604884e808dd
SHA1 74fa9c2749e8af6bf4f00bc232089e4ba8876ba7
SHA256 546b24036b300cfb4b6f17e5df3a0b14015d2eb4d654faee2283526f337e1d2c
SHA512 d404aca340c2461c5611b0e4822d552ddae48771ab059e1b13edd3493031e9f0b0d95fa82b6584f6b75bfdc5bb54b76526cc4790cda994b6405a275a48ea8ea2
-
Filesize 1.2MB
MD5 51112e0a7f7962a8e02bc885025414ef
SHA1 40622959af4fe349d8881c885b9b30441de8804c
SHA256 2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0
SHA512 f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402
-
Filesize 173B
MD5 93253b4671fa6fce5f52fbf3681351f6
SHA1 5d435f48c78a2d5d72f28827e6200c724d8941e3
SHA256 d8d37da1450a608bdd6b1bca5113d393969cc6dbf7c10999185d5ef16537c43f
SHA512 dcc0106220d809749f0ab3b13c74b22ae3f7c0aaa58e70e4323ebe0f7517f20c54d61571258631ac389eb1a1d7bc0df6db4aa33938970511f93871e5472462cd
-
Filesize 152B
MD5 60f679724d2ae034c20be92c05f5e76e
SHA1 a63f9eb4b274a6be94e0513f4136bf58efe4ebe8
SHA256 60f3a03531d8aa68d95310d8afac06315eb73604bdc7176b93fa2298b8d15d72
SHA512 eed1ebeff358d4501a6f7e21a025b795b03daba00f97ddd65d7f7711da074cd60d9467550bc1f86592ec1c88046bb72abe6a5bccadd95d014f2ea6453c072655
-
Filesize 3KB
MD5 a4117477fd2890ba71a0dace54266747
SHA1 4f3f2db6af3bb9acfb1f4d4a9082ba703b42ce59
SHA256 f7a26532e04cd19a0e2bed772f7f43d90d417caa91e54022d4749b1a4ad6a140
SHA512 3164871099eabfb9209710ce8ef253f1ae4f1ca193f0563945044242d0a39dc99f4c497ef87a101fea3513177b0442e81de014f9c5d2e426d27f432d48f01ab6
-
Filesize 64B
MD5 d5bba6692df4ad2e0475ef9cc3228645
SHA1 f0bd24798dfe9cce6356d5e63c26070cfd47d2b0
SHA256 96ff3524973cb18204923ccd87d79c3a00a7eef2fea188b98992415047f38fe0
SHA512 fd3b3cc1c2fe91f285d9065cfc32f595b37b7effb9fbac88e555088e8057d64a3b0a98659ba40b473caf8cdd1dbaa86a2d6c9271e5e6df5d2042720f0d54cf95
-
Filesize 72B
MD5 efce1f84ca44581c64581646f8cb1717
SHA1 a4e55428e9f4795eb88f62b53d4d133e91033dc2
SHA256 698c76ae9c2fc1c491e93bc0f9ce0294e47d1f467a6308a2226c8a4badafa2f5
SHA512 bffe23aae163477438de69e8217275be8eb5fb2ee5de5cc49358abec3effc17692f186948c2ae00719072db3306b2180f3fdbc29af6db1c16f794f1b0d1f1ce8
-
Filesize 163B
MD5 b8b25d49b27e8470990af702aa5568d7
SHA1 a0c8004066de40a1a240ae021d42ed555f97253a
SHA256 364bb7c124839245818d38039aed4ab922bc80be104766a567fe5fbf609835ea
SHA512 c8fc298984fd96a589ebc6d133f5bba9e222f53ed57564c75144da71e2074699fffa734f888cb7ee0b0d32bf300078032a192d6634daf9dbb7b3d321a7405c28
-
Filesize 134B
MD5 f3d6946d8cf380ec2763e888392ea321
SHA1 8a55b64dca905ddf0223a8fa8fb52ed0f12e7354
SHA256 712e8259c8a7078c485557261cab99505bc388e63fc37ccf653e7a47d33fa5b3
SHA512 563c40a48ba8c41f71849592a0094c21128f49480fff10e5897a84e637d45e93d3865043c9df5d290dbcf903714e5b9003573d2abe69023303aa4a1cc815db31
-
Filesize 26KB
MD5 3c0075cf25ff85d9378dadd26ede533c
SHA1 e6d551ced7cd2a48614d81ce35fda45134663eb6
SHA256 66980423bfdc7cbadea3a21bca804296e5dbd6f314914f94f2e667a2f640afcd
SHA512 e9016f9c503e49a07db57939f931283f8a024abfa425dea69530ae043d4bf04de17eec73af430ae0d9a0375dbb7cf4e6b18ceb238010d9163b133e1ce152c80d
-
Filesize 6KB
MD5 26f3159aa49e21d7775ba18b7562e07c
SHA1 fb7b0c8aeb64737072f9a232ccdfaf1efc2a1dac
SHA256 88c69901cfe169ee30a396c7d6821dfa9495c4ee04f9672c585d2465393828dd
SHA512 078f9f5712163b441d256ba5d2fe59ba565d9766557419a14b13972bd09d286a82bce3e3993372a7aa3557cb2f6d40be2f1fa3df0387e53ee54e6dae0aa60f5e
-
Filesize 220B
MD5 1fff67c85a6f2ac71558f37a5f59b46a
SHA1 2d11d8fffb1410b607be8e9f7eddc16430b23e91
SHA256 47ce16fca7d195fa5d40b079556ffa7897cd82adf169738d3a27083a59e13704
SHA512 64d4488ca217120b3d16ca930013a510c6dac33d9a770d143e4179ee3ffb866ebd0c781fdc2376d520d9674e142b1ad7d3b8c3fb17452808f9c5caef15bb51ca
-
Filesize 73B
MD5 647e6c66ab347eab81c9d3ea0462cbb8
SHA1 18fc7323e638dd74eb14290c550b6af4d9957ab9
SHA256 4a5fbe96836d0122c584507966ecacafb22e8542a80922cc7198b59fc1287a54
SHA512 721e0b6fa92636dc0b310f16b4d9aa2f0c34c0544d5df4cda47a07fc2f2a1a7a5029bc175a2d24d751d0cb1664475f3642631c4a92a462b3cc8b7f4b65aac2dc
-
Filesize 1.2MB
MD5 336921950a9f279733cd787f1203d73d
SHA1 cefc36a7c17909054cf2a507b34f545af96c0e36
SHA256 c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c
SHA512 6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87
-
Filesize 2.6MB
MD5 c804156b95a21c4bf0b1e2c8a133894a
SHA1 dab8c525d3c86618f2f70a8de71979df529e959f
SHA256 395c690bb3c3ec85b3c36ae8498ebbb895b71e745acf9e7f120578a9033d9a68
SHA512 52110dadace88fb28be4d9289d797346d5b4e4dc753279769101be18e7d2fa90c2b315e9cff2f89e694c2e0a64f943002116e46c4807ead7d852adc2cf54e7e4