Analysis
- max time kernel: 135s
- max time network: 140s
- platform: android_x64
- resource: android-x64-arm64-20240624-en
- resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
- submitted: 02-11-2024 12:30
Behavioral task: behavioral1
- Sample: cb638b84f41c3bdb88e14a3f11f4dad99896562149c6e4963f40e8f4ab4f088c.apk
- Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
- Sample: cb638b84f41c3bdb88e14a3f11f4dad99896562149c6e4963f40e8f4ab4f088c.apk
- Resource: android-x64-arm64-20240624-en
General
- Target: cb638b84f41c3bdb88e14a3f11f4dad99896562149c6e4963f40e8f4ab4f088c.apk
- Size: 20.5MB
- MD5: 7fd2ef1fd5f1d60a5f058a60c39ed3a2
- SHA1: 3e70240789a5eb05fd3b0abd11d54a0cd8d7b2a8
- SHA256: cb638b84f41c3bdb88e14a3f11f4dad99896562149c6e4963f40e8f4ab4f088c
- SHA512: 965a4585643af6701fc813d583f59f3bddd5ca7ced42d2429a6751576a6e65cdcec03e701dffbcda1d75d54e7d8ae6e5827b3f6f8d338176cb9b3e1496a7c536
- SSDEEP: 393216:R2h6it5sJA35z7A79L+TmN1mbgafiubcQZTbbT9i/zVN2I+TXRxMKpPbNiRSKcsY:R2Y6SJA35z7c5fbmbBffcqTBi/zVN2Iw
Malware Config
Signatures
- AndrMonitor
  AndrMonitor is an Android stalkerware.
- Andrmonitor family
- Checks if the Android device is rooted. (1 TTP, 3 IoCs)
  ioc                        Process
  /system/app/Superuser.apk  mbxaq.yntvh
  /sbin/su                   mbxaq.yntvh
  /system/bin/su             mbxaq.yntvh
  pid   Process
  4617  mbxaq.yntvh
  4617  mbxaq.yntvh
- Loads dropped Dex/Jar (1 TTP, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc                                                  pid   Process
  /data/user/0/mbxaq.yntvh/[email protected]  4617  mbxaq.yntvh
  /data/user/0/mbxaq.yntvh/[email protected]  4617  mbxaq.yntvh
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Queries account information for other applications stored on the device (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect account information stored on the device.
  description             ioc                                                 Process
  Framework service call  android.accounts.IAccountManager.getAccountsAsUser  mbxaq.yntvh
- Queries the phone number (MSISDN for GSM devices) (1 TTP)
- Acquires the wake lock (1 IoC)
  description             ioc                                       Process
  Framework service call  android.os.IPowerManager.acquireWakeLock  mbxaq.yntvh
- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (5 IoCs)
  flow  ioc
  27    anmon.name
  28    anmon.name
  29    andmon.name
  25    prog-money.com
  26    prog-money.com
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description             ioc                                                Process
  Framework service call  android.app.IActivityManager.setServiceForeground  mbxaq.yntvh
- Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description             ioc                                              Process
  Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  mbxaq.yntvh
- Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
- Reads information about the phone network operator. (1 TTP)
- Requests cell location (1 TTP, 1 IoC)
  Uses Android APIs to get current cell information.
  description             ioc                                                       Process
  Framework service call  com.android.internal.telephony.ITelephony.getAllCellInfo  mbxaq.yntvh
- Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description             ioc                                     Process
  Framework service call  android.app.job.IJobScheduler.schedule  mbxaq.yntvh
Processes
- mbxaq.yntvh (PID: 4617)
  - Checks if the Android device is rooted.
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Queries account information for other applications stored on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about the current Wi-Fi connection
  - Requests cell location
  - Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
- Suppress Application Icon (1)
Downloads
- /data/user/0/mbxaq.yntvh/[email protected]
  Filesize: 1.2MB
  MD5: 336921950a9f279733cd787f1203d73d
  SHA1: cefc36a7c17909054cf2a507b34f545af96c0e36
  SHA256: c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c
  SHA512: 6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87
- /data/user/0/mbxaq.yntvh/[email protected]
  Filesize: 2.6MB
  MD5: 14d119c585aa69bc93fd850ea385e139
  SHA1: 3ffe4d25d73df06b1124750ec768c8c5895dfa55
  SHA256: 264d3dbae3c9977067f877e6fbc381970059016818da052dc74567c4f2d03f7c
  SHA512: 82e653db6831a0ec86180fb61368cf8f68f50a326998ac3fc99e22070bf52692428502119fb40fab281b3b32ed35d44e454ebc481529d068032aa3f131d95699