Analysis
-
max time kernel
137s
-
max time network
146s
-
platform
android_x64
-
resource
android-x64-arm64-20240624-en
-
resource tags
android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
-
submitted
02-10-2024 01:41
Behavioral task
behavioral1
Sample
ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df.apk
-
Size
20.5MB
-
MD5
adcdbe1e25a3e03ae1e454363012432e
-
SHA1
83381d32b8a6ce9854e8e7213a6c90ac3e17f011
-
SHA256
ec1106a9735034ef21a1126717ac337d825844a1b60ab8bcf32e0c835fde60df
-
SHA512
597546c877c4ac04c910f123c3bfbe236a342e61ff7a94ddcf1639401da76b04df858da2bbf145c8d10cdfe299f2b946d7ebe75554afd6f749acc8f4d387f9d6
-
SSDEEP
393216:3OsJA35z7A79L+r2d1mbgafiubcnZbb3T9i/zVN2I+TXadaKpPbNiRSKcsjJY:3RJA35z7c5zrmbBffcZb1i/zVN2IkKk4
Malware Config
Signatures
-
AndrMonitor
AndrMonitor is an Android stalkerware.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
ioc | Process
/system/app/Superuser.apk | xuzjgkd.sstlojddh
/sbin/su | xuzjgkd.sstlojddh
/system/bin/su | xuzjgkd.sstlojddh
-
Removes its main activity from the application launcher
pid | Process
4448 | xuzjgkd.sstlojddh
4448 | xuzjgkd.sstlojddh
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/xuzjgkd.sstlojddh/[email protected] | 4448 | xuzjgkd.sstlojddh
/data/user/0/xuzjgkd.sstlojddh/[email protected] | 4448 | xuzjgkd.sstlojddh
-
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
description | ioc | Process
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | xuzjgkd.sstlojddh
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description | ioc | Process
Framework service call | android.os.IPowerManager.acquireWakeLock | xuzjgkd.sstlojddh
-
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 5 IoCs
flow | ioc
29 | andmon.name
25 | prog-money.com
26 | prog-money.com
27 | anmon.name
28 | anmon.name
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description | ioc | Process
Framework service call | android.app.IActivityManager.setServiceForeground | xuzjgkd.sstlojddh
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description | ioc | Process
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | xuzjgkd.sstlojddh
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests cell location 1 TTPs 1 IoCs
Uses Android APIs to get current cell information.
description | ioc | Process
Framework service call | com.android.internal.telephony.ITelephony.getAllCellInfo | xuzjgkd.sstlojddh
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description | ioc | Process
Framework service call | android.app.job.IJobScheduler.schedule | xuzjgkd.sstlojddh
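The signatures above were produced dynamically, but an analyst triaging related samples usually wants a quick static pre-screen for the same behaviours. The script below is an added example for this report, not code from the sandbox or from the sample: it opens an APK as a zip, runs a substring search over every classes*.dex for the root-check paths and C2 domains copied from the report, and for the Java-level class and method names that I assume correspond to the binder calls the report lists (e.g. IAccountManager.getAccountsAsUser is assumed to come from android.accounts.AccountManager.getAccounts); that mapping is an analyst heuristic, not something the report states. The "APK" it scans is a constructed in-memory zip, not the sample.

```python
"""Static pre-screen for the behaviours this report observed dynamically.

Added example for this report, not code from the sandbox or from the sample.
The Java-level names marked 'assumed API' are my guesses at the static
counterparts of the binder calls in the report; the root-check paths and the
domains are copied from the report as-is.
"""
import io
import re
import zipfile

# signature name from the report -> byte strings to look for in classes*.dex
SIGNATURES = {
    "Checks if the Android device is rooted": [
        b"/system/app/Superuser.apk", b"/sbin/su", b"/system/bin/su"],
    "Loads dropped Dex/Jar": [                                     # assumed API
        b"Ldalvik/system/DexClassLoader;", b"Ldalvik/system/InMemoryDexClassLoader;"],
    "Removes its main activity from the application launcher": [  # assumed API
        b"setComponentEnabledSetting"],
    "Queries account information": [                              # assumed API
        b"Landroid/accounts/AccountManager;", b"getAccounts"],
    "Acquires the wake lock": [b"Landroid/os/PowerManager$WakeLock;"],   # assumed API
    "Foreground persistence service": [b"startForeground"],              # assumed API
    "Queries Wi-Fi connection": [b"getConnectionInfo"],                  # assumed API
    "Requests cell location": [b"getAllCellInfo"],                       # assumed API
    "Queries unique device ID": [b"getDeviceId", b"getImei", b"getSubscriberId"],  # assumed API
    "Schedules tasks": [b"Landroid/app/job/JobScheduler;"],              # assumed API
    "Stalkerware domain": [b"andmon.name", b"anmon.name", b"prog-money.com"],
}
DEX_NAME = re.compile(r"^classes\d*\.dex$")


def scan_dex(dex_bytes):
    """Return {signature: [matched indicators]} for one DEX blob.

    DEX string-table entries are stored as contiguous MUTF-8 bytes, so a plain
    substring search over the raw file finds identifiers and literals without
    parsing the format. It will NOT see strings the app decrypts at runtime."""
    hits = {}
    for name, needles in SIGNATURES.items():
        found = sorted(n.decode() for n in needles if n in dex_bytes)
        if found:
            hits[name] = found
    return hits


def scan_apk(apk_bytes):
    """Scan every classes*.dex in an APK (a zip) and merge the per-DEX hits."""
    merged = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not DEX_NAME.match(info.filename):
                continue
            for sig, found in scan_dex(zf.read(info)).items():
                merged.setdefault(sig, set()).update(found)
    return {sig: sorted(v) for sig, v in merged.items()}


def build_sample_apk():
    """Constructed stand-in for an APK: a zip whose classes*.dex entries are byte
    blobs carrying a few identifiers. They are not valid DEX files and not the
    sample from this report; they only exercise the scanner offline."""
    fake_dex1 = (b"\x00\x08/sbin/su\x00\x0e/system/bin/su\x00"
                 b"Landroid/accounts/AccountManager;\x00getAccounts\x00")
    fake_dex2 = b"\x00Ldalvik/system/DexClassLoader;\x00andmon.name\x00setComponentEnabledSetting\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", fake_dex1)
        zf.writestr("classes2.dex", fake_dex2)
        # native libs are skipped on purpose: this pre-screen only covers DEX code
        zf.writestr("lib/arm64-v8a/libnative.so", b"/system/app/Superuser.apk")
    return buf.getvalue()


if __name__ == "__main__":
    for sig, found in scan_apk(build_sample_apk()).items():
        print(f"{sig}: {', '.join(found)}")
```

A clean result from the outer APK does not clear a sample like this one: the report shows it loads DEX files dropped at runtime, so the interesting strings live in the dropped payloads, and the same scan should be run over the files listed under Downloads once they have been pulled from the device or the sandbox.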
Processes
-
xuzjgkd.sstlojddh
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests cell location
- Schedules tasks to execute at a specified time
PID:4448
Network
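The report records the network activity under the stalkerware-domain signature above: flows to andmon.name, anmon.name and prog-money.com. Turning those into a detection is mostly a matter of matching DNS names correctly, so the following added example (not part of the report) shows a matcher that folds case, strips the trailing dot and matches only on a label boundary, which keeps look-alikes such as notandmon.name out while still catching subdomains. The per-process DNS log it runs over is constructed for the example.

```python
"""Match DNS/flow records against the stalkerware domains from this report.

Added example; it is not part of the sandbox report. The log lines below are
constructed to look like a per-process DNS log and are not from the analysis."""

IOC_DOMAINS = {"andmon.name", "anmon.name", "prog-money.com"}  # from the report


def normalize(name):
    """Lower-case an FQDN and drop the trailing dot seen on the wire."""
    return name.strip().rstrip(".").lower()


def matches_ioc(qname, iocs=IOC_DOMAINS):
    """Return the IoC domain that qname equals or is a subdomain of, else None.

    Matching on a label boundary ('.' + domain) keeps notandmon.name out and
    also rejects prog-money.com.evil.example, which a substring test would hit."""
    q = normalize(qname)
    for ioc in iocs:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


# Constructed sample log: "<timestamp> <process> <record type> <query name>"
SAMPLE_DNS_LOG = """\
2024-10-02T01:42:10Z xuzjgkd.sstlojddh A api.andmon.name.
2024-10-02T01:42:11Z xuzjgkd.sstlojddh A ANMON.NAME
2024-10-02T01:42:12Z com.android.vending A play.googleapis.com
2024-10-02T01:42:13Z xuzjgkd.sstlojddh A notandmon.name
2024-10-02T01:42:14Z xuzjgkd.sstlojddh A prog-money.com.evil.example
2024-10-02T01:42:15Z xuzjgkd.sstlojddh AAAA prog-money.com
"""


def scan_dns_log(text, iocs=IOC_DOMAINS):
    """Return (process, queried name, matched IoC) for every hit in the log."""
    alerts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed line; a real pipeline would count these
        _ts, proc, _rtype, qname = fields
        ioc = matches_ioc(qname, iocs)
        if ioc:
            alerts.append((proc, normalize(qname), ioc))
    return alerts


if __name__ == "__main__":
    for proc, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{proc} queried {qname} (matches {ioc})")
```

Note that andmon.name and anmon.name are two distinct registrable domains, not a typo in the report; both need to be in the list.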
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime (T1407) 1
Foreground Persistence (T1541) 1
Hide Artifacts (T1628) 1
Suppress Application Icon (T1628.001) 1
Downloads
-
/data/user/0/xuzjgkd.sstlojddh/[email protected]
Filesize
2.6MB
MD5
c804156b95a21c4bf0b1e2c8a133894a
SHA1
dab8c525d3c86618f2f70a8de71979df529e959f
SHA256
395c690bb3c3ec85b3c36ae8498ebbb895b71e745acf9e7f120578a9033d9a68
SHA512
52110dadace88fb28be4d9289d797346d5b4e4dc753279769101be18e7d2fa90c2b315e9cff2f89e694c2e0a64f943002116e46c4807ead7d852adc2cf54e7e4
-
/data/user/0/xuzjgkd.sstlojddh/[email protected]
Filesize
1.2MB
MD5
336921950a9f279733cd787f1203d73d
SHA1
cefc36a7c17909054cf2a507b34f545af96c0e36
SHA256
c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c
SHA512
6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87
-
Filesize
124KB
MD5
f15335a640f24813c9b345c99da7e16d
SHA1
a0e7fdc85b3c1420bf342676be577f146f5dce49
SHA256
6baf6ee8c7c503ed9962ff49957fe3c0b707171d1913450d97c84856a6ae31b9
SHA512
5f51ec199de29b23e398d143c4f0faf58ba655a4f455ecafd5b6303c0ef428f3165f5db49daf4697f1dba3033da51113730ee5ad158a9ea9f8f6b9a10b044f19
-
Filesize
96KB
MD5
dd75a0ee35a19ef4b1ccdba11fd9c69d
SHA1
e5b0ba4dfbd8424d8fd5c0d997a6de7d3ce33f52
SHA256
79e7cae2fb19a8481632c1b6ed7e2d08e9a4e4204296d16de3f731163ef5f9ac
SHA512
773ddf204bd372e5fa69470b3f57cb13e366d1039861e677321df09728674fe881c2c0860b292b82977fe3b87d4e9471f0127493bcca7161e08667c9eb407332
-
Filesize
96KB
MD5
e46e644944aa8a03b25169ddb6c0b37c
SHA1
56ff9bb8217f0bffbce4113145c7b8e65b3c3cd7
SHA256
09080b36a41143b95da7782f2d2dd134557af1df26bbd349035a0c9c9079e27d
SHA512
f33972027bcc8b6c750b63dcd0f6a5166df6707cbca9c0561ee3c7686c57155c8ae579b4eacbc0c3fdc8a0d635a9ca3fded3eab1bcfc8d5dbcd1231050832b09
-
Filesize
96KB
MD5
777e2d534a165e419bd35fea2dbf5f87
SHA1
bf76dca8c51b90a5059bb8826a61fb4911c64178
SHA256
33c372234407f51fbca9c5ad80454a2b8be86c716baa439d963a7815b5eab1a0
SHA512
f5dd15a1c80e6e07ad7abca1da8c989e4fbf191e2809a4200c4dc0d56d5411f070af3f9fce796dd6a6cccff7b9913982a241d38ef4950446b7e59b2612a7450c
-
Filesize
96KB
MD5
12294c940ed8a1d063f570f0d6229a84
SHA1
90ff419188ac423a90e99c32133aacb0e263d40a
SHA256
92ce2adc06fdf79cf90113b4f0b6371380b47604a0b93ce0d3675a1268f3e372
SHA512
f378a64bb97b1c9230da85e03f600192bfc09e22448b9c5e39e35494afb66a8437f04dc4bdf103104bc756077bd058fe27728d3be9f9f74ad27350cf89188b3e
-
Filesize
172KB
MD5
bb7853a25bb59b1165f2e87e7fc133d3
SHA1
d5f87dab3a6b8621d30c75c9c4d7011355f0e134
SHA256
c6ae860036e710a65caea105eb1a8ee0130b84c590ec97368c7de83b686eddee
SHA512
027331cad14b4a3839674d85aea61fc419143750301c7ab1f98be845a5c801ad524b0ec3e897ff5df60f6506e2ee2c4b264e0fe0538f6f8533f244338928a045
-
Filesize
512B
MD5
7555d7fa08eb5fac621c412203a52a20
SHA1
e696ed1275bed4ff29b11dff3124b0c8a931717a
SHA256
fc7ccb0964018aba2782cbbe90b8b7c61206a461f58c49811abfda4646b4f912
SHA512
be4907288ecbc85f3d62fd56006f427e19714ae4aae8a1db28129ddd49b07d7c17422a7b269d074b56d12abca37159d39ac1fd3774c64750204b3ec6f914572c
-
Filesize
8KB
MD5
30c2596fdfe556b25bb063c00867f901
SHA1
9553ea4eb42cc9274aabcf204e38757c6ec1db5c
SHA256
74af3dcd04c3a6c68da5d5d8e53b00d0873e3fa47badf58688b4c4b97e94a1c1
SHA512
f303449da063ac81f3ffc9965091e98960b8e803641db80cdbd7a7b1459ea21c8c3c2a1937aa542b26ad42f30ff2ae7e9a0c2511d7acaed70b2a4332dc2fc645
-
Filesize
4KB
MD5
531696ca08d7370a6e834943553a6113
SHA1
8e8e0920e6f3a6a8b0be2d4b4204df24c33cd1d4
SHA256
ca6e62c531c7b7f80eb8e1fd4651579ca98b7fb402c21570da8492b728f5907c
SHA512
1d28badde605685208fb6a19fe6fc72499efa62ed73b0a2660410d92eff06ca603ff400a50727d21a2ec546f4fc6cf1dec37b0fa227692a4f57d6254c4356166
-
Filesize
8KB
MD5
3577d3f3692bfaf274cb3690779c931f
SHA1
72d96df4d70f6f8b6a60e02fd38728f50c14e35b
SHA256
f258f774ef66f928722b38ebe66ddf3991f11463556500ce9b662590e5617f11
SHA512
2f6169d8a20463ea8be197f1c456e32aa7e469549c27190a79585ba8152f581aa4efa5ce5b75e289084937a9cef903cbce01cb3567bddd3e4cdd86fed98a930c
-
Filesize
12KB
MD5
eadde1bb15107bcc7c93b923a453707e
SHA1
197d5c9a4b11708f0dc4444583371b57eec1305c
SHA256
ce222a56163922c863d615d75d8dd2e825667ed46e7faf514e447ed9ffb90cb2
SHA512
7ef68b02a4e01d32c88d9b5a05c61f03b7b0d908f41d39baa60e0ac51a6425029f868778b8b1437a1db0cda85ec039fc0f999dc2e7d79edb9e5ba837243fb649
-
Filesize
24KB
MD5
f4925ba1651441f5d1cc53e906d26703
SHA1
750f3af6e35c6f700a1f4617745c23406efd0b35
SHA256
60ce9f807109e82e108ccb50a6bf689a9c6de7e89e202b18e999b1c8f2b6c1dc
SHA512
e49e1def43dea58c6776bf31ee4487a0f7277c25801bac0da71051ec60f3df5093d2fd0c916cad9113c3e2701cbda3e7b1d394ed7141a72de7c9a02ffebe87d7
-
Filesize
2.6MB
MD5
ebec0623df12f3d7e493604884e808dd
SHA1
74fa9c2749e8af6bf4f00bc232089e4ba8876ba7
SHA256
546b24036b300cfb4b6f17e5df3a0b14015d2eb4d654faee2283526f337e1d2c
SHA512
d404aca340c2461c5611b0e4822d552ddae48771ab059e1b13edd3493031e9f0b0d95fa82b6584f6b75bfdc5bb54b76526cc4790cda994b6405a275a48ea8ea2
-
Filesize
1.2MB
MD5
51112e0a7f7962a8e02bc885025414ef
SHA1
40622959af4fe349d8881c885b9b30441de8804c
SHA256
2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0
SHA512
f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402
-
Filesize
173B
MD5
e99d3d3d3b5148e9b08204cc02493c87
SHA1
bb5d62bc42e90404ad4db70533087b946986661c
SHA256
6a8a04832c1781b599d83a2e055dca1bb6e7ebb26d8e0e60af592c0b7591517c
SHA512
5432a5db43b48fe9a669ffeb3890fe71719419f43ccf3e11838dd16a45be1e6fcb2689ca647e7563bce54a2b05b7fb5f124071a906487b5b45d160e74f1bd3f4
-
Filesize
152B
MD5
8ac550e1c47d2127230346410ae7a226
SHA1
f509126f7d50df8b7fcf1824b8d8cb9d096a04af
SHA256
24cf5640b9fac535a47e0255cc9c0726806b95b67fb709bd49f970d0c5eb6862
SHA512
7dbf0600b654b6ab5469801a77e9d93b85a3b9d726c77dab7ed5837927d6ea3aae041e7ec40c73000b6c8c59434f620e0de8986d48f6093e312b013daa3791e6
-
Filesize
4KB
MD5
8c8db9cc25e48733adf3b2ef2be54f7b
SHA1
291bec70acc6efa3554df7f9f517b05487733fdb
SHA256
a74e057c17ef3f514d5a5f85610d42fa67a57617f21737936a95790790d75ce2
SHA512
a9d20e2c0bafe342eb24f406257d709bd2c5ad7288a1ed26f8a400b5344fa5d34e8c09f92414d70ab9d6e7dc7ba656b6a9e3612d356acb339f0456b7dda13935
-
Filesize
64B
MD5
50bfdb2698fc797906469a385d3ccd63
SHA1
13090c23551e8519d796fd6c2c140077072fb947
SHA256
5fb940f62d4f7cf89aa474299ec34c27c3be7e15e16f2ecc2c30e7ac81853e81
SHA512
5086509a219552555eff91485b8d7f28fe7c7808c788207ee117891395006d4df1694d8058be24e538faadfb15f7e316ed230a55ed80738832019ca0f49cbe06
-
Filesize
72B
MD5
6a4743bc80cd4e5ce240571393f8526e
SHA1
373f8050c99d9283dcfeb9fd4aa35743202fbcf1
SHA256
454b721cbd2c04b2801e11f820b1c2e10bd8590614abc2fa6a2b6490cf9fb7df
SHA512
985847c8d9f663cdd80e17f7b5477605ef09c3f6ddfc2f5ea0580b9e194e64e83000982b10d5ea78c749d28926300ebabcefa3727ce9c85de7616e412559bac4
-
Filesize
193B
MD5
6709d6fb39f2557ed4bc84ebc134a435
SHA1
4c7fa5c9553009d974241749c3c127fc32610805
SHA256
0357eb2d3b2715d30d034ca7232c9781a5901d10c2bf4764d5b1a5b3144d5168
SHA512
8106510af0121d93426f2fcb250d754f1331c6884b6f05b182729abef677ebe4c1260d25573272a085ca20824e0f86c501767c77d6ce4f61256056903a1fb70c
-
Filesize
134B
MD5
b04ba3bca9cfb1d72e4566a128783041
SHA1
22fdb251df3f45db5c7215005363cd94e7764324
SHA256
ef4713c6a5174de28c760290d7259f0cf25ebd6bde95f7d748337e46ea19378e
SHA512
96dbb552949be68e1540ded0181ead8e2200edc8a9ffef5c0e1dd4c2720979cd9670828a02a19753cc02cee38bdcb177ad71238cb8ce8758712896f13ea4f61c
-
Filesize
25KB
MD5
8217020e5c86746da4c75ba7648608be
SHA1
336d5bb483859e165ff5a9f728483306426b738a
SHA256
8399b08865c9b0aa1ef52b98d67471ffcf680ad7f2cb530776c546e52ff0ad7e
SHA512
51c0dbe4f55db88af71f951e43a4bcdfca3831f7392ba753353fff32bde2971afcb59abdc7d8e059099664f0a13a587ed22855fa37ee74964b6d016fdb215d1e
-
Filesize
6KB
MD5
4325ef384454cff77f90b61ad2fa784c
SHA1
1f7375b4fa74297881888ce9d06ca93167e676e7
SHA256
d0d955f60a25e5b1a7d44b92e290ce63081c8ec3eb7de1cfcdeb2e14fcc2a0c6
SHA512
f2e7fda8c2a60fc7bbed5213e842061cd549cd2afa0378f96084a857cc511c5977626213b3cae6ea28deaf67b14983759132925ea92a0dfd2ea0f94f0138cb93
-
Filesize
220B
MD5
c6cf37254c9b7abd2595b3b170a35702
SHA1
5ee0edda7a7f577c963b49db11afe17ba0ea82f9
SHA256
1cdeb43dfd1f3895ad4423cf333696281f7058e35c6c49d6d7abf78cee70baf8
SHA512
f218c9cc202198e92f74ee0a90f763561c26e2d2ce8a8e636bcb4806ff9e37cf7c6b177e5eb61a9164e3d0d21f6e5063242c928b23345131f1cdfd8c14cd31d9
-
Filesize
73B
MD5
647e6c66ab347eab81c9d3ea0462cbb8
SHA1
18fc7323e638dd74eb14290c550b6af4d9957ab9
SHA256
4a5fbe96836d0122c584507966ecacafb22e8542a80922cc7198b59fc1287a54
SHA512
721e0b6fa92636dc0b310f16b4d9aa2f0c34c0544d5df4cda47a07fc2f2a1a7a5029bc175a2d24d751d0cb1664475f3642631c4a92a462b3cc8b7f4b65aac2dc
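The dropped-file hashes above are the most durable pivot this report offers: the outer APK hash changes per build, but the payloads it writes to /data/user/0/xuzjgkd.sstlojddh are what to hunt for on other devices. Note that the two 2.6MB entries and the two 1.2MB entries carry different hashes, so records must be indexed by every hash rather than by size or name. The parser below is an added example, not part of the report: it reads the Downloads section in the shape it was extracted here (label and value sometimes fused on one line, some entries without a path, the path itself mangled to "[email protected]" by the extraction), validates each hash by length and character set, and builds a hash-to-record index. The excerpt it runs over is copied from the entries above, plus one constructed entry with a truncated MD5 to exercise the validation.

```python
"""Parse the Downloads section of this report into hash-indexed records.

Added example, not part of the report. SAMPLE_EXCERPT copies three entries
from the report as extracted and adds one constructed entry (8KB, truncated
MD5) to show how a malformed hash is flagged and kept out of the index."""
import re

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*:?\s*(.*)$")

SAMPLE_EXCERPT = """\
-
/data/user/0/xuzjgkd.sstlojddh/[email protected]
Filesize2.6MB
MD5c804156b95a21c4bf0b1e2c8a133894a
SHA1dab8c525d3c86618f2f70a8de71979df529e959f
SHA256395c690bb3c3ec85b3c36ae8498ebbb895b71e745acf9e7f120578a9033d9a68
SHA51252110dadace88fb28be4d9289d797346d5b4e4dc753279769101be18e7d2fa90c2b315e9cff2f89e694c2e0a64f943002116e46c4807ead7d852adc2cf54e7e4
-
Filesize
124KB
MD5f15335a640f24813c9b345c99da7e16d
SHA1a0e7fdc85b3c1420bf342676be577f146f5dce49
SHA2566baf6ee8c7c503ed9962ff49957fe3c0b707171d1913450d97c84856a6ae31b9
SHA5125f51ec199de29b23e398d143c4f0faf58ba655a4f455ecafd5b6303c0ef428f3165f5db49daf4697f1dba3033da51113730ee5ad158a9ea9f8f6b9a10b044f19
-
Filesize
512B
MD57555d7fa08eb5fac621c412203a52a20
SHA1e696ed1275bed4ff29b11dff3124b0c8a931717a
SHA256fc7ccb0964018aba2782cbbe90b8b7c61206a461f58c49811abfda4646b4f912
SHA512be4907288ecbc85f3d62fd56006f427e19714ae4aae8a1db28129ddd49b07d7c17422a7b269d074b56d12abca37159d39ac1fd3774c64750204b3ec6f914572c
-
Filesize
8KB
MD530c2596fdfe556b25bb063c00867f9
"""


def _new_record():
    return {"path": None, "Filesize": None, "MD5": None, "SHA1": None,
            "SHA256": None, "SHA512": None, "problems": []}


def parse_downloads(text):
    """Split on '-' separators; accept both 'MD5<hash>' and 'MD5' / '<hash>'."""
    records, cur = [], None
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if line in ("", "-"):
            if cur is not None:
                records.append(cur)
            cur = None
            continue
        if cur is None:
            cur = _new_record()
        m = LABEL_RE.match(line)
        if m is None:
            cur["path"] = line          # the only non-label line is the on-device path
            continue
        label, value = m.group(1), m.group(2)
        if not value and i < len(lines) and lines[i] not in ("", "-"):
            value = lines[i]            # value was on its own line
            i += 1
        if label == "Filesize":
            cur[label] = value
            continue
        value = value.lower()
        cur[label] = value
        if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[label], value):
            cur["problems"].append(f"{label} is not {HEX_LEN[label]} hex chars")
    if cur is not None:
        records.append(cur)
    return records


def index_by_hash(records):
    """Map every well-formed hash (any algorithm) to its record for O(1) lookup."""
    index = {}
    for rec in records:
        bad = {p.split()[0] for p in rec["problems"]}
        for algo in HEX_LEN:
            if rec[algo] and algo not in bad:
                index[rec[algo]] = rec
    return index


if __name__ == "__main__":
    recs = parse_downloads(SAMPLE_EXCERPT)
    for r in recs:
        print(r["Filesize"], r["path"] or "(no path)", r["SHA256"], r["problems"])
    print(len(index_by_hash(recs)), "hashes indexed")
```

Keying the index on all four digests means a hit from a tool that only reports MD5 or SHA1 still resolves to the same record; the `problems` list is what to inspect when a copied hash fails to match anything.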