Analysis
max time kernel: 137s
max time network: 145s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 02-11-2024 08:23
Behavioral task behavioral1
  Sample: cb638b84f41c3bdb88e14a3f11f4dad99896562149c6e4963f40e8f4ab4f088c.apk
  Resource: android-x86-arm-20240624-en
Behavioral task behavioral2
  Sample: cb638b84f41c3bdb88e14a3f11f4dad99896562149c6e4963f40e8f4ab4f088c.apk
  Resource: android-x64-20240624-en
General
Target: cb638b84f41c3bdb88e14a3f11f4dad99896562149c6e4963f40e8f4ab4f088c.apk
Size: 20.5MB
MD5: 7fd2ef1fd5f1d60a5f058a60c39ed3a2
SHA1: 3e70240789a5eb05fd3b0abd11d54a0cd8d7b2a8
SHA256: cb638b84f41c3bdb88e14a3f11f4dad99896562149c6e4963f40e8f4ab4f088c
SHA512: 965a4585643af6701fc813d583f59f3bddd5ca7ced42d2429a6751576a6e65cdcec03e701dffbcda1d75d54e7d8ae6e5827b3f6f8d338176cb9b3e1496a7c536
SSDEEP: 393216:R2h6it5sJA35z7A79L+TmN1mbgafiubcQZTbbT9i/zVN2I+TXRxMKpPbNiRSKcsY:R2Y6SJA35z7c5fbmbBffcqTBi/zVN2Iw
Malware Config
Signatures
AndrMonitor
AndrMonitor is Android stalkerware.
Andrmonitor family

Checks if the Android device is rooted. (1 TTPs, 2 IoCs)
  ioc: /system/app/Superuser.apk  process: mbxaq.yntvh
  ioc: /sbin/su  process: mbxaq.yntvh
  pid: 4307  process: mbxaq.yntvh
  pid: 4307  process: mbxaq.yntvh

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs an executable file dropped to the device during analysis.
  ioc: Anonymous-DexFile@0xc8856000-0xc8ae7638  pid: 4307  process: mbxaq.yntvh
  ioc: Anonymous-DexFile@0xc8d6b000-0xc8e964b8  pid: 4307  process: mbxaq.yntvh

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect account information stored on the device.
  description: Framework service call  ioc: android.accounts.IAccountManager.getAccounts  process: mbxaq.yntvh

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
  description: Framework service call  ioc: android.os.IPowerManager.acquireWakeLock  process: mbxaq.yntvh

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (3 IoCs)
  flow 4  ioc: prog-money.com
  flow 6  ioc: anmon.name
  flow 11  ioc: andmon.name

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call  ioc: android.app.IActivityManager.setServiceForeground  process: mbxaq.yntvh

Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description: Framework service call  ioc: android.net.wifi.IWifiManager.getConnectionInfo  process: mbxaq.yntvh

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)

Reads information about the phone network operator. (1 TTPs)

Requests cell location (1 TTPs, 1 IoCs)
Uses Android APIs to get current cell information.
  description: Framework service call  ioc: com.android.internal.telephony.ITelephony.getAllCellInfo  process: mbxaq.yntvh

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description: Framework service call  ioc: android.app.IActivityManager.registerReceiver  process: mbxaq.yntvh

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description: Framework service call  ioc: android.app.job.IJobScheduler.schedule  process: mbxaq.yntvh
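The signatures above are individually weak: a root check, a wake lock, a foreground service or a JobScheduler job is ordinary in benign apps, and what makes this report read as stalkerware is the combination with account, cell and Wi-Fi collection, in-memory DEX loading, launcher-icon removal and network flows to domains on a stalkerware indicator list. The following triage helper is an added example written for this page; it is not part of the sandbox report and not code from the AndrMonitor sample. It replays the report's own IoCs (transcribed into constructed event dicts, plus one benign lookup of example.com that must not match) through a classifier keyed on the framework service calls, file paths, Anonymous-DexFile ranges and domains the report lists, and aggregates hit counts, ATT&CK Mobile techniques, PIDs and the byte size of each anonymous DEX mapping. The technique IDs (T1407, T1541, T1603, T1624.001) are this helper's mapping for the names in the report's MITRE table; the report itself prints names only.

```python
# Added triage helper written for this page; not part of the sandbox report
# and not code from the AndrMonitor sample. It replays the report's own IoCs
# (file paths, framework service calls, Anonymous-DexFile mappings, resolved
# domains) through a small classifier and aggregates the result.
import re
from collections import Counter

# File paths the report lists under "Checks if the Android device is rooted".
ROOT_INDICATOR_PATHS = {"/system/app/Superuser.apk", "/sbin/su"}

# Domains the report's network flows resolved (stalkerware indicator list).
STALKERWARE_DOMAINS = {"prog-money.com", "anmon.name", "andmon.name"}

# Framework service calls from the report -> (report signature name, ATT&CK
# Mobile technique where the report's MITRE table has a row, else None).
# The technique IDs are this helper's own mapping; the report prints names only.
SERVICE_CALL_SIGNATURES = {
    "android.accounts.IAccountManager.getAccounts": ("Queries account information for other applications", None),
    "android.os.IPowerManager.acquireWakeLock": ("Acquires the wake lock", None),
    "android.app.IActivityManager.setServiceForeground": ("Makes use of the framework's foreground persistence service", "T1541 Foreground Persistence"),
    "android.net.wifi.IWifiManager.getConnectionInfo": ("Queries information about the current Wi-Fi connection", None),
    "com.android.internal.telephony.ITelephony.getAllCellInfo": ("Requests cell location", None),
    "android.app.IActivityManager.registerReceiver": ("Registers a broadcast receiver at runtime", "T1624.001 Broadcast Receivers"),
    "android.app.job.IJobScheduler.schedule": ("Schedules tasks to execute at a specified time", "T1603 Scheduled Task/Job"),
}

DEX_REGION_RE = re.compile(r"^Anonymous-DexFile@0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)$")


def dex_region(ioc):
    """Parse an Anonymous-DexFile IoC into (start, end, size_in_bytes).

    An anonymous DEX mapping is code loaded from memory rather than from the
    installed APK, which is why the report files it under "Loads dropped
    Dex/Jar"; the size says how much code to carve out of a memory dump.
    """
    m = DEX_REGION_RE.match(ioc)
    if not m:
        raise ValueError(f"not an Anonymous-DexFile IoC: {ioc!r}")
    start, end = int(m.group(1), 16), int(m.group(2), 16)
    if end <= start:
        raise ValueError(f"empty or inverted region: {ioc!r}")
    return start, end, end - start


def classify_event(event):
    """Return [(signature, technique)] hits for one event, [] when nothing matches.

    Event dicts are constructed here to mirror the report's IoC tables:
    kind "file" (path), "service_call" (call), "dex" (ioc) or "dns" (domain),
    the first three also carrying pid and process.
    """
    kind = event.get("kind")
    if kind == "file" and event["path"] in ROOT_INDICATOR_PATHS:
        return [("Checks if the Android device is rooted", None)]
    if kind == "service_call":
        sig = SERVICE_CALL_SIGNATURES.get(event["call"])
        return [sig] if sig else []
    if kind == "dex":
        dex_region(event["ioc"])  # validates the IoC; size is gathered in triage()
        return [("Loads dropped Dex/Jar", "T1407 Download New Code at Runtime")]
    if kind == "dns" and event["domain"].lower().rstrip(".") in STALKERWARE_DOMAINS:
        return [("Domain associated with commercial stalkerware software", None)]
    return []


def triage(events):
    """Aggregate signature hit counts, techniques, hit PIDs and DEX region sizes."""
    by_signature, techniques, pids, dex_sizes = Counter(), set(), set(), []
    for ev in events:
        hits = classify_event(ev)
        for sig, tech in hits:
            by_signature[sig] += 1
            if tech:
                techniques.add(tech)
        if hits and "pid" in ev:
            pids.add(ev["pid"])
        if ev.get("kind") == "dex":
            dex_sizes.append(dex_region(ev["ioc"])[2])
    return {"signatures": dict(by_signature), "techniques": sorted(techniques),
            "pids": sorted(pids), "dex_sizes": dex_sizes}


# Constructed sample events transcribed from the report's IoC tables, plus one
# benign lookup (example.com) that must not match anything.
PROC = {"pid": 4307, "process": "mbxaq.yntvh"}
SAMPLE_EVENTS = (
    [{"kind": "file", "path": p, **PROC} for p in ("/system/app/Superuser.apk", "/sbin/su")]
    + [{"kind": "dex", "ioc": d, **PROC} for d in ("Anonymous-DexFile@0xc8856000-0xc8ae7638",
                                                   "Anonymous-DexFile@0xc8d6b000-0xc8e964b8")]
    + [{"kind": "service_call", "call": c, **PROC} for c in SERVICE_CALL_SIGNATURES]
    + [{"kind": "dns", "domain": d} for d in ("prog-money.com", "anmon.name", "andmon.name", "example.com")]
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Run as a script it prints the aggregate for the transcribed events: ten distinct signatures, four techniques, PID 4307 only, and two anonymous DEX regions of 0x291638 and 0x12b4b8 bytes. The domain match normalises case and a trailing dot because sandbox DNS logs frequently record fully qualified names; the DEX parser rejects inverted ranges so a garbled IoC fails loudly instead of producing a negative size.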
Processes
mbxaq.yntvh (PID 4307)
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests cell location
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
  su (PID 4346), spawned by mbxaq.yntvh
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution: Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts: Suppress Application Icon (1)
Downloads
- Filesize: 124KB
  MD5: 4c0ccabb25100a908b9db06434a6af8b
  SHA1: 555d9ecfa42e17aec483e1c05be0fc1362db9e66
  SHA256: 79aee6f8af24ae6adc8537de3a061bde3778d3d9634265b85b3e8727d4116304
  SHA512: b9a4a1227fa927f0ef987a720c5bf16af71f3fba8c1a40d5387ad0d4ba193a1b7b23634b0850af7c25b55c8b2e984e7c84ab8fb3e55c83b3bc2ff859f4dcc5bb
- Filesize: 96KB
  MD5: 4df8ef96fc4a5f94ebcb521ec9d55c8a
  SHA1: 8eb3366a1ee09523ea4ef6e5dd226986d8ee4dbb
  SHA256: 2b72e489ab2809720bb11e69b1b1c421e23b54bec05177ca7ab706e91edf39d5
  SHA512: 48067416ba929f0c8d1ab29406f4baad2bf9b01b00714b2306f4493f7effb46ebe9d6db8838684ba121af025107803bdbd6128d1c9bc3229f3685f0ce940004c
- Filesize: 96KB
  MD5: ba75f98dda3ceca0282b4fe4e3501f3e
  SHA1: 28ff2ff551d1cd381bc1cf2e7bcef1c072b2fc4f
  SHA256: d0b15ada53230e69864713564bf82a073656794356b2cf9e328ee208ca8b24ae
  SHA512: 5f875cdacf866789276c7a75e37c0be8a2bf75a5e4fc924f9092988c15f9beb60dbddaf2e3cc18f94f2f904346427376675644e14e88f33fbfee0dcb21189767
- Filesize: 52KB
  MD5: b6815b344f6926d458cea05acd052cdd
  SHA1: 88f524aff1d4c5fee979a203dd952427871a7097
  SHA256: 028666f28ae0086b18fb740f792e8a80ad05547f0c7cb9d2dc8080e5125db366
  SHA512: 0431375f80e9c467d0abb042e43681a973bce455fe8354f5a138f19a3b28d3adc7eac3fe4c20bf44f085810749569b87a393185cd8f8bf2687f0923b8de4dade
- Filesize: 96KB
  MD5: dbedcece4175a77cad43cf97277ba60a
  SHA1: 5adb9759258779ccfb9d326f14b0ca00ad00f06a
  SHA256: f0b90dc3866f7894f7a34068f4200040948f862db3aaeb40ef1d433eba6ced60
  SHA512: 51d9055a9142dbc624bf63c9afcf53854048b6f17d0ba8b1b2624c4810b35418a004c844811077ab500b663cc98f56509771b2cdd60fbfa9acc1f1b6e5aaba37
- Filesize: 144KB
  MD5: 01a4a44994e0205ed89ea0cdfc86ef84
  SHA1: 2e4b55be92c5298cc302beaaf6b2ad4f3649c55b
  SHA256: 02f2ccaf8664686e6ff10ad5d11161fbc84c58ab8eedaa9d4ff6bc992e595ec8
  SHA512: 61c07a850310e51ca84aa16763004a23958b2272fe35b6f8f1bcc0282133c2f0c80041eecd3e6a05c79647fbb3cf422c5bec2ec8a166ea9aaaacaccb71ade312
- Filesize: 512B
  MD5: 6bd9c3d175c83f9ed7a1db6892ef8280
  SHA1: c31e2e90abd4ecf08282fc1b059798e18a031d4b
  SHA256: 18daa55b02c41d8c3c20a8e650995654ffabd4288175d85f478cd5a912f62626
  SHA512: f3ad13eb3f73401e98c377db695c60129b3d4b34f7cd698f40b44661c0b3a85d73483b955a9508e070d8cc0a49299d59af1743c8b3d094ada963fef1f052fb68
- Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
- Filesize: 414KB
  MD5: eb5327ea5b157d0b2cf3b78db96e06ab
  SHA1: b4a562dbd64b54fd46f001ee33d021346df45754
  SHA256: 7e3823842be4e3632d6440f410a204b6ea243864b090b93c68dcf23e4ad9bf97
  SHA512: 7450e970eac0b9ebf67af7c58d5d36e3d5413ab68a98b1b1c6f12d712172ae2261ed58571c1341fd026305c1ac7444054cc2c4c0cab8acc7f7b8c643719d9f5f
- Filesize: 8KB
  MD5: cc43335b05965c66f11c1a12422c99fc
  SHA1: a46edfa0ff992d5c7e135bd5a2faecd36b9354c2
  SHA256: 02b1b44f4f582e1c125852f9aa4dbcbb337b2a06438eaa2470ba7f7221c73444
  SHA512: 92c2714da02ad4a4e252128aae56c8d0d47afcaf2e43e36e9c2a1bbd3a0670dbb561eaa018eca0ecfa3e02117382e6b20849fb700372a754dca158f38b9876aa
- Filesize: 8KB
  MD5: 69abe5bc50561540114b0e894c258186
  SHA1: bfad29a52a34e95d010245c4448053cc9be25931
  SHA256: 8204e2c6ec8831eac54ac3846bfc45fe1c670311a1069830d1ef56c2391bc48e
  SHA512: 609999fbf298a40c22f22c1e6e1be4952def0d737066d75572581720ea467a90b63230fb29c02e19dc3b7de400819eae12b53c9084f81ed6571f5749d314327e
- Filesize: 4KB
  MD5: f68bc1556adfa54a6d4a1f3496151e52
  SHA1: ec434ae27d33452e45caaf59dd2fc510f05f09a9
  SHA256: b8ac47fc237ee9cbfe95391b0559d61acf0ae9cf572c79182575b0d6c455c437
  SHA512: 4e990912148574e9aff112d411d4ec6445cfc47c8e5b28fde0a8be273d0c0f8c1bb3e5b199add28a45deb2ea7cb383b40969fd0a962934cb5d9b7a6fc489daa6
- Filesize: 8KB
  MD5: a7067d6dff4c8cc83d6051925b0a722d
  SHA1: 85420ca1c85b0a7874e42224eec56d1be3f3df12
  SHA256: 5392f58c4cac0d0a46c3839861dd9e3ffe750118e121a4a78ad70ca11bb37be8
  SHA512: 764387b1b512e0cc213c896671fa6c4c617513cd4875122d01a2de4381e892a63c64c0ba537d173c6a070d45d379ef31bccfc22316e122ad7ce37e684f3ec4ec
- Filesize: 418KB
  MD5: d2149c894eff9e8d4bf134758ef43275
  SHA1: 32858244514fb15fd06397cc15dea11ca97dfbb6
  SHA256: 79ee27f752a67f461c65ec7bd39636c17ccc12ce6959ef4fa21fbf06a7b6aa6f
  SHA512: e6f0fb23331a053e93afb38a036efa6096ea9d33e83d2cc7f5d4f71f46ac20d536ac20e86c5bdc76a751b2a273ca912ee210d8638f4c35527e3ee009a990e101
- Filesize: 2.6MB
  MD5: 4e82cf256563b75bdc46b358b34d9c5e
  SHA1: f648e881385bf8eb5898001191c338df3f0c6719
  SHA256: 2b65fbbe30242b1c4f99ebd3206a1f067455c75e065ca2a498779a1b39ddffc6
  SHA512: 3f5171707433cff82e55a867300d4017e0bfce89fa454b3fd4aaa0ab0afb4a9578f235d6538635520017b1fe45aa80f0c5dd55f0aed71fee5371782d2a664bc9
- Filesize: 1.2MB
  MD5: 51112e0a7f7962a8e02bc885025414ef
  SHA1: 40622959af4fe349d8881c885b9b30441de8804c
  SHA256: 2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0
  SHA512: f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402
- Filesize: 173B
  MD5: b8975b0e5ea9e5d69fe0fd70c376739e
  SHA1: 81a3581230a3a2123dbaf3f1ba6833b67a8ec501
  SHA256: 4f7135ca4bed807428ab46ecdd2d3c8f4f34ab86e99685c02aa2c4421c27270f
  SHA512: 1d661fe5d56d1fecf8ab3f9e5d6ebda6b0561e9b62d90ace0013cc11dd3e6f63e5f653039061fbd0b400e2b1a72653130e8dad5e763b85c245af0855e1118ed3
- Filesize: 152B
  MD5: 2fd335e78e818689ca415957ab6c7022
  SHA1: 29602afecc5ec280ce976e65bdb4b8d9a168c2d2
  SHA256: f0f8d83c69641c5ea09f5ad865adf6a40afb79d195e401342700d3f7d814c4a1
  SHA512: 9e8261905da58bf6215a99f83a865faec7af33cab727b07509e37b005a5624a4924f42192fb01286fe954937c948450136a4308c3edb1f90364f254d8847aa9b
- Filesize: 3KB
  MD5: 22129498fbad7f569161c12bce4e720b
  SHA1: c83b493f23355088d4e6977b69b02c9f67c5df82
  SHA256: 1583afdfda2db2c740d4f00d2c021e3e84cdca89fce436ef4f0a65fc03adb0d0
  SHA512: 4d0e89badb022b8a2007dffb54b8c2bd00dbe908aca2d87e3cd121af9942f071f5a73a62bc22bfa0ec79dfde4f3882ef30a6f4b0fa3b3a8d0ac0fa83d01c3403
- Filesize: 64B
  MD5: 3d2a2c5ce1683735005d5fc9eb326a52
  SHA1: aa63d786d559c4ca7a138389eed6a2371dc8e04e
  SHA256: cbcf06d0885eda0f23f3b19e50994d0d73e0d7a985d4ac65d95a556dece2f356
  SHA512: b3f69b1a666d06c0ec4fb10da7266ea4dba01c2b244df26478c9148c28df748100a51c059a0c6f27fa70b12a6b9b42c53e8e6d9a94c276290341104dc8f55053
- Filesize: 72B
  MD5: d84e5fe9110733ecd312226ccc30d7a3
  SHA1: a95a5ba6b0b7b40dba7a9b95e88f7113817b0723
  SHA256: ec927480153eec4d7906b6f94ea4906e1dd3bc529adb643c3f89784c0e9f90cf
  SHA512: a8dddc952084d94130ef779b8bd3979b6fc83d6666c119d3a349edbc96c1c5f9eb7fed36c9a15993ca0c10a083e29957d3395d970c6446587a33c8c84fa7f960
- Filesize: 151B
  MD5: 77cbeb3f9889abcf4912c2325b1fb932
  SHA1: e8eea1d3ee1825d60d4b6836d1ad53cc60cc82a7
  SHA256: acc3c68b32e9389f9ac515c04f3efa052962cf59c7dbcda8d4d0dd345a873970
  SHA512: 013a4ca8569ac22140df5792ea29badd3f9e06e637d748f9adb1f55287967460bf5dbff6ae639d9ad54b2683ede96fa377e231fa2a00c5b1fff5ddc628801c46
- Filesize: 128B
  MD5: 1d2a9e7ce1db4cc19f9f7eefe4cb7272
  SHA1: ce6cd12935c65a88371be7c9cd938e219bf374a4
  SHA256: 342f5fe43461faadc0cedc6b23874d15cccadf00f32c67e9124e4b0e99636742
  SHA512: 471409864253212f4d40ca3d5c8aef8c1dd044f14f3d252e34956f1afea60ef6ba5a4d638970d5bb43de604d6699c296a0d49013ff8e2c338d6fca072af3f8fd
- Filesize: 26KB
  MD5: ee92c485adcffa22a97e11f98225badb
  SHA1: b4b318afaba60c7488b6e11b7d71228b67b98256
  SHA256: c307f2aeb45a124ff3cd28b1061d5e879348ccc5c565e87c1bbc7acb289ff8da
  SHA512: 5d0dd6cf11b8cf4d22bcd1d94e74e4129867d6c572721785e4123c6e64870b8fe2d02e665be30acf0ab332e7b878685f2e44667e785cba7ee0850a62e6eae530
- Filesize: 6KB
  MD5: 63f52f15f4ba3cb571e096f141f43f4e
  SHA1: 92a86c10d4f2ab043493f6f39bfa2a51d8ca04b2
  SHA256: 4835d994723c2916309582e1f0a4dd6c4140dd27a93d7658b808ec79096347d9
  SHA512: 07c7fcc09bac5b225a72dc06c915e030508e89dd3f313643dd08ed2cd30f517de5fdd9a0c6b1bd042f0302a9f9a659d423f5d07fe51be9935637b071fdb9061e
- Filesize: 220B
  MD5: 049adff6c11632803ecb57ed123b34b9
  SHA1: 70530918c075770c11a4d47b68907b8153d46445
  SHA256: bba27efb3e103003099a4c86d6f94697be46862cbc229eca3d2d191ed8260561
  SHA512: 3a13d9dd9de716731c764359fe82fe3cbf331b5281ef379b590309489eccb4bc6f9329918c84bfa1b48918f7e22dcd10123bfe6c4c4b50b9ac5f06b4fd47ec44
- Filesize: 66B
  MD5: e7df819943fe4bc4d546430c0566f5bf
  SHA1: ecb8cf618d4ba22a34cfaf542785f10bb6f260cb
  SHA256: 81c7b46a0cdc3ef14658e0dd57b54446119ebde9462bae1375deb6091ff8dc63
  SHA512: 5247c592ec6c4da81747db406dfaced508d020f0d744f3b22ee1741fb314296be71a27e8688dc195000f88d822c5a0371ef352669f626ae4b4559fd29229991c
- Filesize: 2.6MB
  MD5: 14d119c585aa69bc93fd850ea385e139
  SHA1: 3ffe4d25d73df06b1124750ec768c8c5895dfa55
  SHA256: 264d3dbae3c9977067f877e6fbc381970059016818da052dc74567c4f2d03f7c
  SHA512: 82e653db6831a0ec86180fb61368cf8f68f50a326998ac3fc99e22070bf52692428502119fb40fab281b3b32ed35d44e454ebc481529d068032aa3f131d95699
- Filesize: 1.2MB
  MD5: 336921950a9f279733cd787f1203d73d
  SHA1: cefc36a7c17909054cf2a507b34f545af96c0e36
  SHA256: c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c
  SHA512: 6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87