Analysis
max time kernel: 138s
max time network: 155s
platform: android_x64
resource: android-x64-20240624-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
submitted: 01-12-2024 03:08
Behavioral task: behavioral1
Sample: 57cad33dfca431d80730501efae0eb000c634653a1941c46505ee5738435bccc.apk
Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
Sample: 57cad33dfca431d80730501efae0eb000c634653a1941c46505ee5738435bccc.apk
Resource: android-x64-20240624-en
General
Target: 57cad33dfca431d80730501efae0eb000c634653a1941c46505ee5738435bccc.apk
Size: 20.9MB
MD5: 9513bc68630569c8f6781dbe23dca990
SHA1: bef54d5e9b77e43dc3bb554647fcd5ebf01fcde2
SHA256: 57cad33dfca431d80730501efae0eb000c634653a1941c46505ee5738435bccc
SHA512: c14f4f83f92345ad63a094c7929faa388368b68514dd813bb1317d5ec259bf138f744f6e2949bbaebff10bf64b923465006d9aba1cd50093f978e5880bd75202
SSDEEP: 393216:FnMsJA35z7A79L+GY91mbgafiubcBZ/bFT9i/zVN2I+TXZlkKpPbNiRSKcsXJ8:FTJA35z7c5sLmbBffcX/Xi/zVN2Ikpe8
Malware Config
Signatures
-
AndrMonitor
AndrMonitor is an Android stalkerware.
-
Andrmonitor family
-
Checks if the Android device is rooted. (1 TTPs, 2 IoCs)
ioc                        Process
/system/app/Superuser.apk  gvevykrfc.cemktbvyqfmg
/sbin/su                   gvevykrfc.cemktbvyqfmg
-
Loads dropped Dex/Jar (1 TTPs, 3 IoCs)
Runs executable file dropped to the device during analysis.
ioc                                                     pid   Process
/data/user/0/gvevykrfc.cemktbvyqfmg/[email protected]  4960  gvevykrfc.cemktbvyqfmg
/data/user/0/gvevykrfc.cemktbvyqfmg/[email protected]  4960  gvevykrfc.cemktbvyqfmg
/data/user/0/gvevykrfc.cemktbvyqfmg/[email protected]  4960  gvevykrfc.cemktbvyqfmg
-
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
-
Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect account information stored on the device.
description             ioc                                             Process
Framework service call  android.accounts.IAccountManager.getAccounts    gvevykrfc.cemktbvyqfmg
-
Queries the phone number (MSISDN for GSM devices) (1 TTPs)
-
Acquires the wake lock (1 IoCs)
description             ioc                                             Process
Framework service call  android.os.IPowerManager.acquireWakeLock        gvevykrfc.cemktbvyqfmg
-
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (5 IoCs)
flow  ioc
6     prog-money.com
7     prog-money.com
8     anmon.name
9     anmon.name
13    andmon.name
-
Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
description             ioc                                             Process
Framework service call  android.app.IActivityManager.setServiceForeground  gvevykrfc.cemktbvyqfmg
-
Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description             ioc                                             Process
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  gvevykrfc.cemktbvyqfmg
-
Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)
-
Reads information about phone network operator. (1 TTPs)
-
Requests cell location (1 TTPs, 1 IoCs)
Uses Android APIs to get current cell information.
description             ioc                                             Process
Framework service call  com.android.internal.telephony.ITelephony.getAllCellInfo  gvevykrfc.cemktbvyqfmg
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
description             ioc                                             Process
Framework service call  android.app.IActivityManager.registerReceiver   gvevykrfc.cemktbvyqfmg
-
Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description             ioc                                             Process
Framework service call  android.app.job.IJobScheduler.schedule          gvevykrfc.cemktbvyqfmg
Processes
-
gvevykrfc.cemktbvyqfmg (PID: 4960)
- Checks if the Android device is rooted.
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests cell location
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution: 1
- Broadcast Receivers: 1
- Foreground Persistence: 1
- Scheduled Task/Job: 1
Downloads