Analysis
- max time kernel: 135s
- max time network: 141s
- platform: android_x64
- resource: android-x64-arm64-20240624-en
- resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
- submitted: 01-11-2024 02:50
Behavioral task: behavioral1
- Sample: am.apk
- Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
- Sample: am.apk
- Resource: android-x64-arm64-20240624-en
General
- Target: am.apk
- Size: 20.5MB
- MD5: 7fd2ef1fd5f1d60a5f058a60c39ed3a2
- SHA1: 3e70240789a5eb05fd3b0abd11d54a0cd8d7b2a8
- SHA256: cb638b84f41c3bdb88e14a3f11f4dad99896562149c6e4963f40e8f4ab4f088c
- SHA512: 965a4585643af6701fc813d583f59f3bddd5ca7ced42d2429a6751576a6e65cdcec03e701dffbcda1d75d54e7d8ae6e5827b3f6f8d338176cb9b3e1496a7c536
- SSDEEP: 393216:R2h6it5sJA35z7A79L+TmN1mbgafiubcQZTbbT9i/zVN2I+TXRxMKpPbNiRSKcsY:R2Y6SJA35z7c5fbmbBffcqTBi/zVN2Iw
Malware Config
Signatures
- AndrMonitor
  AndrMonitor is an Android stalkerware.
- Andrmonitor family
- Checks if the Android device is rooted. (1 TTPs, 3 IoCs)
  ioc: /system/app/Superuser.apk, Process: mbxaq.yntvh
  ioc: /sbin/su, Process: mbxaq.yntvh
  ioc: /system/bin/su, Process: mbxaq.yntvh
  pid: 4473, Process: mbxaq.yntvh
  pid: 4473, Process: mbxaq.yntvh
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/mbxaq.yntvh/[email protected], pid: 4473, Process: mbxaq.yntvh
  ioc: /data/user/0/mbxaq.yntvh/[email protected], pid: 4473, Process: mbxaq.yntvh
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect account information stored on the device.
  description: Framework service call, ioc: android.accounts.IAccountManager.getAccountsAsUser, Process: mbxaq.yntvh
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  description: Framework service call, ioc: android.os.IPowerManager.acquireWakeLock, Process: mbxaq.yntvh
- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (5 IoCs)
  flow: 30, ioc: andmon.name
  flow: 26, ioc: prog-money.com
  flow: 27, ioc: prog-money.com
  flow: 28, ioc: anmon.name
  flow: 29, ioc: anmon.name
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call, ioc: android.app.IActivityManager.setServiceForeground, Process: mbxaq.yntvh
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description: Framework service call, ioc: android.net.wifi.IWifiManager.getConnectionInfo, Process: mbxaq.yntvh
- Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)
- Reads information about phone network operator. (1 TTPs)
- Requests cell location (1 TTPs, 1 IoCs)
  Uses Android APIs to get current cell information.
  description: Framework service call, ioc: com.android.internal.telephony.ITelephony.getAllCellInfo, Process: mbxaq.yntvh
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description: Framework service call, ioc: android.app.job.IJobScheduler.schedule, Process: mbxaq.yntvh
Processes
- mbxaq.yntvh (PID: 4473)
  - Checks if the Android device is rooted.
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Queries account information for other applications stored on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about the current Wi-Fi connection
  - Requests cell location
  - Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
- Suppress Application Icon (1)
Downloads
- /data/user/0/mbxaq.yntvh/[email protected]
  Filesize: 1.2MB
  MD5: 336921950a9f279733cd787f1203d73d
  SHA1: cefc36a7c17909054cf2a507b34f545af96c0e36
  SHA256: c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c
  SHA512: 6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87
- /data/user/0/mbxaq.yntvh/[email protected]
  Filesize: 2.6MB
  MD5: 14d119c585aa69bc93fd850ea385e139
  SHA1: 3ffe4d25d73df06b1124750ec768c8c5895dfa55
  SHA256: 264d3dbae3c9977067f877e6fbc381970059016818da052dc74567c4f2d03f7c
  SHA512: 82e653db6831a0ec86180fb61368cf8f68f50a326998ac3fc99e22070bf52692428502119fb40fab281b3b32ed35d44e454ebc481529d068032aa3f131d95699