Malware Analysis Report

2025-01-19 05:31

Sample ID 241201-dm9sfsvmgw
Target 57cad33dfca431d80730501efae0eb000c634653a1941c46505ee5738435bccc
SHA256 57cad33dfca431d80730501efae0eb000c634653a1941c46505ee5738435bccc
Tags
andrmonitor banker collection discovery evasion execution infostealer persistence spyware trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

57cad33dfca431d80730501efae0eb000c634653a1941c46505ee5738435bccc

Threat Level: Known bad

The file 57cad33dfca431d80730501efae0eb000c634653a1941c46505ee5738435bccc was found to be: Known bad.

Malicious Activity Summary

andrmonitor banker collection discovery evasion execution infostealer persistence spyware trojan

Andrmonitor family

AndrMonitor

Checks if the Android device is rooted.

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Queries account information for other applications stored on the device

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's foreground persistence service

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about the current Wi-Fi connection

Queries the unique device ID (IMEI, MEID, IMSI)

Requests cell location

Requests dangerous framework permissions

Acquires the wake lock

Declares services with permission to bind to the system

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-01 03:08

Signatures

Andrmonitor family

andrmonitor

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to monitor incoming MMS messages. android.permission.RECEIVE_MMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to write and read the user's call log data. android.permission.WRITE_CALL_LOG N/A N/A
Allows the app to answer an incoming phone call. android.permission.ANSWER_PHONE_CALLS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Required to be able to advertise and connect to nearby devices via Wi-Fi. android.permission.NEARBY_WIFI_DEVICES N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application a broad access to external storage in scoped storage. android.permission.MANAGE_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application to collect component usage statistics. android.permission.PACKAGE_USAGE_STATS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-01 03:08

Reported

2024-12-01 03:11

Platform

android-x86-arm-20240624-en

Max time kernel

137s

Max time network

143s

Command Line

gvevykrfc.cemktbvyqfmg

Signatures

AndrMonitor

trojan infostealer spyware andrmonitor

Andrmonitor family

andrmonitor

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A
N/A /sbin/su N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A Anonymous-DexFile@0xd2503000-0xd27bae60 N/A N/A
N/A Anonymous-DexFile@0xd3187000-0xd343ee60 N/A N/A
N/A Anonymous-DexFile@0xd209d000-0xd21c979c N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccounts N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A prog-money.com N/A N/A
N/A anmon.name N/A N/A
N/A andmon.name N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests cell location

collection discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getAllCellInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

gvevykrfc.cemktbvyqfmg

su

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 prog-money.com udp
DE 157.90.2.159:80 prog-money.com tcp
US 1.1.1.1:53 anmon.name udp
DE 168.119.91.88:80 anmon.name tcp
GB 142.250.200.46:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
US 1.1.1.1:53 andmon.name udp
DE 144.76.58.8:80 andmon.name tcp

Files

/storage/emulated/0/.am/log.txt

MD5 ba7c86a1dbe691a309c0ab3585845a96
SHA1 aaf86b6ad6a2b5ef314a545b1fcad1426ceb6120
SHA256 166d39bd4f2ef682bcd2549ddede30c225240b8f6d403a5c01d243e25bfb549b
SHA512 6fd0f7b0ce5c46451f83de797baf8ef444dc89ee917c9052fc1fbb04df02609ebef3163a067b02e7cd62989d9c76d7f63991c3719cff29c9c83f39499231d769

/storage/emulated/0/.am/log.txt

MD5 646b8d02fca9a877faae2f0af8d6e81a
SHA1 025a2b14134ff5c0bab4e540ad1bbcf304ad9962
SHA256 034106bf6a21df9df4445438a2f7f3fc7c4d5a0f584d5f85331a75d074114daf
SHA512 7a5031009e9808c609fff8d4a5c8349171bec150c4e921dd9e2a547a1ff25a87ce807d26c118aae98dbe7529ae5be3ee12bb5075be66702c39da19e38131e7fe

/storage/emulated/0/.am/log.txt

MD5 ffe5d324e1c1dbe81125f7b45647c9de
SHA1 cd46b753ead84b1908c5a164f9b7334c5bc35b5a
SHA256 5c73a637704a8514be7831afbd4e6f82d667782458ec2791963a2c8396edf2ec
SHA512 9172843c8f0fc62ca8dc22a6e067ff7e69086239cf6df0c8df723e4b38cc0ebb7ba98e31361be7c845a50af11f4e8a62ff3634c6bab47b30117c5f14307a4ccf

/storage/emulated/0/.am/log.txt

MD5 d524416e7f309ddea08379f2de101404
SHA1 521ca40befb2ff650907fb046cbcf36c97b17cb1
SHA256 df6d7784c4fb78456b31f29a341907418dc75a9591d82d49b5a4b85907492cad
SHA512 0062157b1d56b9afc37003b65a3cfce6d69e00b4d489de501ad513df6693d323fd6017736098a8456d0d764588f22f98cde8ae8a16ffbfb62683d75748c64176

/storage/emulated/0/.am/log.txt

MD5 8a4c7885faddb5aee5fae868c2b5b703
SHA1 2b0ac1428ce4c864c5e38b6d374526b6f72a9498
SHA256 7f005532ecf20083b1cf12b3d27b4f5977b557a1c4e49e46ef7b6f7bad003869
SHA512 8538e9248e05d4fb0caffa0eef627be1c1f93f3cffb6485d8fe8fd15ec0bf774a7082a51e584c0ca25b64ba95321101823707208902d56ee0e5d5644a9d9e9e8

/storage/emulated/0/.am/log.txt

MD5 0d5ffd4c2e3a6bd57165575ec1f6f406
SHA1 8fb5d5f549f0b04e1dccb584a7e1267e417e0af8
SHA256 c0fc3f41d832dcdbcf0ab4aa3243fba8535ab3d5ff0cebdb1934d8300506c898
SHA512 429118ac7927c82279a603b3a198d869db375c60d9f694641aa998c98494fbe5278f571ee6beeff187649aa4cd6e1865c4307185b75e19b5468bc476b95c2ee6

/storage/emulated/0/.am/log.txt

MD5 31a9688866fd3648a3b7256249f5c5cc
SHA1 a50bfb907c1193ea5b3595acb79086457d6a3828
SHA256 f6abef7fb7b077f053ed8ca179741025e114ce5593355a660cfb7786d259bc48
SHA512 570d56fd9c08b00c2bb8367ca4b0b869fba648a618436fa54053ac3eea0ff7b188ce1251c2ee4f16659fe476d4894151916b5425a57186e7e687c994c40ef8cf

/storage/emulated/0/.am/dm/md/main.md

MD5 fc5c2f165df3e661d69554850b7e8f95
SHA1 9ce32a8377117278ee366af58875b01a2c8fe0db
SHA256 989be89cbf9ddb59c9d1cb60f263d67213eaf9ae4053f5a53ebf94040d303fcf
SHA512 d3ec97d40be88d9c6dd3253ee7c9caafc30fa8d5b8d63f804b2674f011c46b194276f69d88e7548ae1c0b0fd89e796b459bfa105b0aa989aeb2954dc088d0c85

Anonymous-DexFile@0xd2503000-0xd27bae60

MD5 9e5ab1ab869c16715311e524196d3653
SHA1 01c0e56cd26546e301762f0c0ffa6cd1dfca2235
SHA256 293ee414e1b04f71ae70117f2aa20476f76af60db33656ae41959d8639c23af2
SHA512 da46dbedcafad3cbc2344637f075655096bd358b2fecac3596476b3eb5f7da66825623013b7cbe50788ef40a37ee2aba1454f5d098379da011cb3d88a57f9876

/storage/emulated/0/.am/dm/md/main_tools.md

MD5 87f9d7a738756162c8b7f1c125ff4140
SHA1 1a3bbf2cc1affb0ec01d02bd10be5005c170c6d8
SHA256 edb91d71636995982a9b2aaad74f84e67aacf35b60bd6e73bb923f4a7008337c
SHA512 d45e4ec5777cb43510f78bae6eaad5e6e294f9f18c0242df50a99ed39b8a7f0d75997eec27ae204785e006ec83d00ea85dd9ccc4f72c7706f326dae4af26285e

Anonymous-DexFile@0xd209d000-0xd21c979c

MD5 603dd5064572fcdbbed7753d36254d6f
SHA1 d43df670cd60dce6d02955b73eeabcb5d04c286b
SHA256 08df256b7e051a79efa3d142d40307b2045627fe5696f414a0f3ae0f70d7b8cc
SHA512 a0fc3ca2e19cd9b917108ec469703da1fab7108625ca3983db8a26f261d2919fe7c4bc064fe8b56915c8a4c8173562c553b8751d7bc4b4e4232b435a2c640f0a

/data/data/gvevykrfc.cemktbvyqfmg/databases/SettingsDB-journal

MD5 9b39046bc7bb3fbec416d71d854d6631
SHA1 f12deec45090b351d0a5ce36bdf24ab3b4e5f530
SHA256 45db97f528c6d1025d598ae4092bcf59a4722d36ec3921275c01e964df4c3200
SHA512 bcc86e3ab9571546e826ba71c551e2d2bdfbc02b8be12c758482f086587cc5f53f7fb53fc9f2ce165025c3f74f5b1fb1bb9392233d38df768689dcac27d9241b

/data/data/gvevykrfc.cemktbvyqfmg/databases/SettingsDB

MD5 fc7eeb869a33416e82cb60953de94eba
SHA1 e13da2bb6953ca73f11673f587a32a4c6eb9fbf4
SHA256 6f8c398beeb2b8b99588f32ac97f677d28e3376bcba11c8d4dad591ad18738a1
SHA512 c2601f0d5d8d9b25b39b61b1e3636bda1b57839dffab08e18807423e1619fd4f53a3f668abd98eb6a4b09b698c4160e431521a40f4469fdfed7beb8d92fc6d1e

/data/data/gvevykrfc.cemktbvyqfmg/databases/SettingsDB-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/gvevykrfc.cemktbvyqfmg/databases/SettingsDB-wal

MD5 1e9fce0fed7e5e3cbd75af7344cc0b07
SHA1 083ddcfa0968aae3e46610e287f89cbe6b8cba6f
SHA256 485ba57e817a3c4c7eec48373ab884e12c4fe1f60d4e4bf07c9cb1e2bffcc32e
SHA512 7cb8744098e0f4956dc9a134c08ab9b298acc086d6cd156ae9bc0e3795d14f50a9e05a478a990191d7e32c4f2eddb149ab1db354429260c291872a0436e9c7d8

/storage/emulated/0/.am/prog_class.name

MD5 38f0b1a489b3a8199e83f6ce6c831883
SHA1 870d22256ce4346d0a94d488f703492c4154c4a8
SHA256 af1ec46848fde1684ac250a263ce39f2f7f9f24d33835504b6a251ae443223b5
SHA512 0df7776fba8b2caa5814dd8fc4357217fc061231c0a9e1f7d3d6a95e6b648f32d1f54927359e14af7bfa0a348d97b6198abae666c1f8607824ec4dffab436d78

/data/data/gvevykrfc.cemktbvyqfmg/databases/SettingsDB-wal

MD5 81bf9b8af3cd2475770c2663e842b103
SHA1 07366234e6d6b9b7fec47ff5d709d9904f2ef676
SHA256 5cb4484c61f2058619085d8c3587f3f6502faf5c8e5093198affae268bbb64d2
SHA512 c313dd4722b67dbf2f51caa0075807e6cc60296843df215f95049c58c651ecc9b7a4641ed7172e987063217a53314157c876a6a7336944d9935161824c2ff029

/data/data/gvevykrfc.cemktbvyqfmg/databases/SettingsDB

MD5 c959c9ff077ce07af2f949d3a219976d
SHA1 3671eeac93b2a5d17811aad78645892928368867
SHA256 47005831c4647584841cd7600bf32a18540b5646f7f38c51da84aeeb68716a13
SHA512 bfd78bed2be30c8bd5355aa34bf40e0ee16c1adb707514d092891ee764c7301919b7d1e3c2f4c3ece42bfe5d112da59a1003be001083f34a22f19274675fb953

/data/data/gvevykrfc.cemktbvyqfmg/databases/SettingsDB-wal

MD5 a9131eb9873595ed3e2863edb8bdbc20
SHA1 e5ddff6cf578ba8a41ea072a82dac86725ca86ce
SHA256 afda57211ca8017a74def97194b18791010f0c286f7cf77734a0987cc155684f
SHA512 351de915c60fec48f60296c4bb6fdb3247ef5ecbcdae5ae2b961a2034bbf3fdc85a8c86978f22bd8158e4e5301a7f1a4d6d972a00e1ec3e043e2b7c88d8f6553

/data/data/gvevykrfc.cemktbvyqfmg/databases/SettingsDB

MD5 b84ec3ac5c1e79f72c55ea19bb82f981
SHA1 2a911a0494b171906a25ce812a25847c9f550a2f
SHA256 cd2acafa436796594063fa7599247531a5a1faf91b5035d85bf692a395cd3841
SHA512 9faa7a08293d0d00f9d0ec1b8c217d86d99e938a0e81f6d0324befefaf8c3a4226a64c1f1ee44119c07035c643e46f7fab51b6421819f346619382bae75ad2fb

/data/data/gvevykrfc.cemktbvyqfmg/databases/SettingsDB-wal

MD5 cf2ea751349c74aa0698f09c761e497e
SHA1 cf5d63fa93213e12af36dd550965c7cec3c1f004
SHA256 27d3c9e9195e72f7935a189beb0dad276355ff4175786bd97fa3f47a1d66d93e
SHA512 d30d0d22a98e8147c1cc3e24883bfbd72aa42881c74b1c578cc2c5a2fbedf4c5002c4080b615746e993ef1f861cb0484c48535f92ad9eda723e1c094899153ae

/data/data/gvevykrfc.cemktbvyqfmg/databases/SettingsDB

MD5 b6815b344f6926d458cea05acd052cdd
SHA1 88f524aff1d4c5fee979a203dd952427871a7097
SHA256 028666f28ae0086b18fb740f792e8a80ad05547f0c7cb9d2dc8080e5125db366
SHA512 0431375f80e9c467d0abb042e43681a973bce455fe8354f5a138f19a3b28d3adc7eac3fe4c20bf44f085810749569b87a393185cd8f8bf2687f0923b8de4dade

/data/data/gvevykrfc.cemktbvyqfmg/databases/SettingsDB-wal

MD5 600eda46c25a2c897d078ffe811467f4
SHA1 247603a313631d7c62a897f140e63433b9078c17
SHA256 4f019022b6ea90f3a66e308c7649adb8ec59df9ea537a52d2b85e549f36bdea0
SHA512 c90ad73169fb881aa6da50e117f909c79644cae43cd29767b2e6f58bd5c084c69f2464505fc7340591fb504dbc3b8247832d590d49dee361f9ece84b2f50b44a

/data/data/gvevykrfc.cemktbvyqfmg/databases/SettingsDB

MD5 aee41f030019bd76da75544c2c5b2f2e
SHA1 6b9c91d6d3f6cc663400d138ff5ac8b9b17bb1bc
SHA256 ae7b49fe3a4118ea9188e5b59052a0d330753c80d3be5e5df90a09f117694d66
SHA512 2a0f47e31268b9c3fd85b0289f091783b8333afc1c311d470dfafe798c4319065a84475f0f37490853cd16e95e4ebfdd1957822f1f0041fc7e7962d7c3c156a6

/data/data/gvevykrfc.cemktbvyqfmg/databases/SettingsDB-wal

MD5 a397f54ff46be30bfedf15d159ce884b
SHA1 d91d0532d89722238ffb2e53a5e23d9f4e0a4f04
SHA256 1d980a8ebaab8f4670dc6880f7f776a313015583d13e5563290c3774c2792dfd
SHA512 809656a61f80ca1b928d9f28edf4508a1985e8f7798e3e5e5468da0c677a29347211381aaa443cc65171e87d7074664283484601e1dfc05df40a0735f6e078ca

/data/data/gvevykrfc.cemktbvyqfmg/databases/SettingsDB

MD5 b26d5c84460c49e5f01b073a8b636539
SHA1 527daaf13bc16544659826b96ca25d36ac9a2a26
SHA256 18d1faf6c1fcaae76874577e1a018f0b093b3d532f54f5cc4c1238af8c86a049
SHA512 c6bb069d0e58311eda4c42e923205853d1ded325a5aeea0093ff643cdbdcff6d6ee491de001f294325a9c7f2f60b67d073b924e0aacc5e0a6f5486c99df35437

/storage/emulated/0/.am/log_.txt

MD5 ace711d913195e0d0fe9e16831a50cc9
SHA1 d022f918ec6058d279fb984122a9914fbd9ef6f1
SHA256 58596edb970a5e751d5a0f9d7170ed1b706994785020faf799f0b01d8a4e519d
SHA512 e46448e8067b861dfec4c0235050bbd5723ae09aee2bd922d9ebf2f27364469a62a0f894f86009bacd9a7ec0a8e31f2fe1edb70a2e4678b9d0fb244e265a03b0

/storage/emulated/0/.am/log_1733022540873.txt.zip

MD5 c7e0704aa7bff21ca2bc20aadd89f60f
SHA1 df4ffd799906da6115668cecb6216e7020fc201e
SHA256 ca149785d909f1802d717e8ab81cb3fdd53b08b647037fea6dec883bd0c38751
SHA512 804ea3560730d1f643f8125758ed7f16eecf2418cea9291959517292ad3a905e3ad2b56e77148149d6b4a469222351bd6c64d528a1f02bf62b96caf155ca761c

/storage/emulated/0/.am/log_.txt.zip

MD5 c1af15858cfa8bbf8e18005d3c86126f
SHA1 a785f44e2967e75017ec0dfc5b84f7a4aa25ca4b
SHA256 4dd41c941ac832bc979e8e0efc1964705dc1286fa792abe1c489ee56dff59d65
SHA512 a33f58d749b10f9dcd1e7a77766dc72219808d8cec36d324d7c42cd24bdd1dc8a7da053d994dcd9b8f58409cabe9f52e37e6855744ac8a03bc9ecdfb1dc845a0

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-01 03:08

Reported

2024-12-01 03:11

Platform

android-x64-20240624-en

Max time kernel

138s

Max time network

155s

Command Line

gvevykrfc.cemktbvyqfmg

Signatures

AndrMonitor

trojan infostealer spyware andrmonitor

Andrmonitor family

andrmonitor

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A
N/A /sbin/su N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/gvevykrfc.cemktbvyqfmg/[email protected] N/A N/A
N/A /data/user/0/gvevykrfc.cemktbvyqfmg/[email protected] N/A N/A
N/A /data/user/0/gvevykrfc.cemktbvyqfmg/[email protected] N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccounts N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A prog-money.com N/A N/A
N/A prog-money.com N/A N/A
N/A anmon.name N/A N/A
N/A anmon.name N/A N/A
N/A andmon.name N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests cell location

collection discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getAllCellInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

gvevykrfc.cemktbvyqfmg

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 prog-money.com udp
DE 168.119.91.88:443 prog-money.com tcp
US 1.1.1.1:53 anmon.name udp
DE 168.119.91.88:443 anmon.name tcp
GB 142.250.179.238:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 andmon.name udp
DE 144.76.58.8:80 andmon.name tcp
GB 142.250.179.228:443 N/A tcp
GB 142.250.179.228:443 N/A tcp
GB 142.250.200.34:443 N/A tcp
GB 216.58.204.78:443 N/A tcp

Files

/storage/emulated/0/.am/log.txt

MD5 42d749cd0b798c9f2d0770e03ac8a585
SHA1 6cac48b7294870e088f1de3080024144c613fe79
SHA256 00b23d26da3962608d57b689d3cdedd1c1854e5f26b0a9679b0bd225672e8bd0
SHA512 45ea32c8acab2a0a62f2adef59d70af56b5a9e92d8ecb330cd3308933302972ba8cd184b3be169bfb54f46b2ac188351015266f4f608309c5ba8248a6db7412e

/storage/emulated/0/.am/log.txt

MD5 b4fdc4ba00979adf6aead708fb869e2a
SHA1 0aaec598ddda66c4ac584183138ef1faae6b8a87
SHA256 4c90d283b5165c642559566db62a59e694fc1a7f351e9770e67f0f464c6df979
SHA512 f3a50493eabafd805b5352028768a59868e4c656d9dab12c845fcf2df9b332fa873f0572c2f05e40bd23faf8312a482130422eb9901af8e851c1537d7e9842a6

/storage/emulated/0/.am/log.txt

MD5 3c78edec4afa33a3a4f92153a541919f
SHA1 be6327e7d38658bedfa0bfc0166948e7ef6f531a
SHA256 e8f7e943ce5e4adffe2bf5ae4aa84a5f10104c53de6d5bf887de356df1b54750
SHA512 3d27b6a4f37a3ad114daef241f91f8941db58f61c254dd00135a1ae59ce54baf84f2b9eca73b3d3d736cab55bdf4986672ba735141a6b7ab478b0da04a6109b4

/storage/emulated/0/.am/log.txt

MD5 2afa2ec8c3a59364c32a09892f826180
SHA1 2a24215e59648e297fb7a34ebdddda307e207743
SHA256 1da6e58142d0c8b728a0f71a79875bbeed40268b5479df484499dcde58476f0e
SHA512 0a41ff404fc20b2ef92685f1f98ef6cbe85f9a7a30c4e31ea4b02eb2dba62055cd4c4efc11de8f1a4af097a18ea9080d2cd3892ec0268f2d5d63781d1345562c

/storage/emulated/0/.am/log.txt

MD5 eefba21e0788ef96a74eddce5b739921
SHA1 2e5479ec22c1186d618746e53925b491212e40e2
SHA256 9a26e3da488b1b35a5594ff9f6be2267b540d5112f99f3a24081c9ece9a425f6
SHA512 a2de91dbfd98b2eeac3bf429f0e35793d1162fa49e5ae8bea8a59629276523ba4bfaa438b40d411aac4024e6ec24bf0ae3e2055b96e4aa5c49d517afe0f3ebac

/storage/emulated/0/.am/log.txt

MD5 3762deeceb74d87c0988117ee5b0fddd
SHA1 835d5276e9be9637ccc211b98944af5762018013
SHA256 461f5786ee403ddd9586ab31f0de12a72fbeca3e2eef9d8856e651515f5b9eb2
SHA512 95b35efe5fa1829e2fbba54e1c003e32b0ec95cc6fc362f5bae9239829988038cb8c2e457d60844a6b230962190339a79c06d30634b5fd4ce96fb2a508064131

/storage/emulated/0/.am/log.txt

MD5 a54f5f0047f67a1ca6df146f0248a105
SHA1 77621ac8e062fffd453c24bfa5ac2e060e7a6b6a
SHA256 5b3d1ea8ab0ed68fb695c4cbddc64b4db890cc8a97db24326ba09b2952d43093
SHA512 4213e13bbf422ac807329d75c577627ddb198e8a823b01b023dc67af2cb2eb125d52867470c5ee2a07e69541c4ea9e39022cb876fabcab3d86fd213432923ca8

/storage/emulated/0/.am/dm/md/main.md

MD5 fc5c2f165df3e661d69554850b7e8f95
SHA1 9ce32a8377117278ee366af58875b01a2c8fe0db
SHA256 989be89cbf9ddb59c9d1cb60f263d67213eaf9ae4053f5a53ebf94040d303fcf
SHA512 d3ec97d40be88d9c6dd3253ee7c9caafc30fa8d5b8d63f804b2674f011c46b194276f69d88e7548ae1c0b0fd89e796b459bfa105b0aa989aeb2954dc088d0c85

/data/user/0/gvevykrfc.cemktbvyqfmg/[email protected]

MD5 9e5ab1ab869c16715311e524196d3653
SHA1 01c0e56cd26546e301762f0c0ffa6cd1dfca2235
SHA256 293ee414e1b04f71ae70117f2aa20476f76af60db33656ae41959d8639c23af2
SHA512 da46dbedcafad3cbc2344637f075655096bd358b2fecac3596476b3eb5f7da66825623013b7cbe50788ef40a37ee2aba1454f5d098379da011cb3d88a57f9876

/storage/emulated/0/.am/dm/md/main_tools.md

MD5 87f9d7a738756162c8b7f1c125ff4140
SHA1 1a3bbf2cc1affb0ec01d02bd10be5005c170c6d8
SHA256 edb91d71636995982a9b2aaad74f84e67aacf35b60bd6e73bb923f4a7008337c
SHA512 d45e4ec5777cb43510f78bae6eaad5e6e294f9f18c0242df50a99ed39b8a7f0d75997eec27ae204785e006ec83d00ea85dd9ccc4f72c7706f326dae4af26285e

/data/user/0/gvevykrfc.cemktbvyqfmg/[email protected]

MD5 603dd5064572fcdbbed7753d36254d6f
SHA1 d43df670cd60dce6d02955b73eeabcb5d04c286b
SHA256 08df256b7e051a79efa3d142d40307b2045627fe5696f414a0f3ae0f70d7b8cc
SHA512 a0fc3ca2e19cd9b917108ec469703da1fab7108625ca3983db8a26f261d2919fe7c4bc064fe8b56915c8a4c8173562c553b8751d7bc4b4e4232b435a2c640f0a

/data/data/gvevykrfc.cemktbvyqfmg/databases/SettingsDB-journal

MD5 ba942755d13bbb568b9e45e315371ef9
SHA1 77feaf30ba475679aea72f9b7d25d58c66191281
SHA256 036795d6dc08192180308b018984be4e23417012f67b87d437aeb06bce239552
SHA512 38229c445459c1d1b0ba2e9e5073358e689bf91ec31f16960b7cfac8e21d80b4ca149d463dc32ec1bd29beb4b048d78e2058c5b3821a892bf524cf7cad32e252

/data/data/gvevykrfc.cemktbvyqfmg/databases/SettingsDB

MD5 b804b5a6ebf09d21cfbc643ae5fd14c2
SHA1 236e5d0462fad301004a16130980b0162e785770
SHA256 17ca66db8e33c919e03d6b9072b9221e008c6c3d760771857c34f6e53b19faf8
SHA512 7959ed7e991c46535036e428affb99824079bf7148de123eb214895e88379f7a27bdc1b881614877e048f3d711672d626481db05b983963ba37a2b1158ca1076

/data/data/gvevykrfc.cemktbvyqfmg/databases/SettingsDB-journal

MD5 30e4c96a78d510e64a6769231848d3b1
SHA1 4be09eb49fc06962b7bf7a51ca309e1a06f91f9d
SHA256 93fe4c6e8d7ba5d67cb5bb83a66fa91b44fb12a0b1ab082efa36f07098eea8b2
SHA512 e4dd2bc026e1e67697181ee5e68458a9a76fa23bf6194527ac78e15c59b1aeb0985f97cf09d30d2abe858d552327d42b3d33d34023b7ea9a5896f9c1c0e54802

/data/data/gvevykrfc.cemktbvyqfmg/databases/SettingsDB-journal

MD5 083336ac94be34dc3bb9e9c1287239be
SHA1 f7fb3b62a23f964756329e01938002007351ece5
SHA256 aff7775a36c34c3758d7f816a674340b1c9792cdaf27312bc1b2f7f0e906257d
SHA512 eb394d303f976b57b6fcefb172ab56535d4e7c9c5b69aa9ec9b763eadbe1ddeb394b506b6d0eb6416b7094edb409339a017b59221155313fb3471495ec8e4d4e

/data/data/gvevykrfc.cemktbvyqfmg/databases/SettingsDB-journal

MD5 b8f7f73f4d50e8ec8bb38bcd1f1d6e9e
SHA1 e79df97cb43c85d980abd561add37476ce8fc27e
SHA256 ae86f993f4cdba57a75d6a4286b66ed9516a4437b703ec30664a670ee326a3c2
SHA512 5074c3d947f27f095c1e199f87fa8731833f43c8ee3d4c50369cca281b4b18b54b22db63586bbb7c35dcaeb34736aefd62dcb5d3415ee6ca77a5c88794e3d8a7

/data/data/gvevykrfc.cemktbvyqfmg/databases/SettingsDB-journal

MD5 54d62b40eff49a3a4e869015f89a08ff
SHA1 cfd1399421dc84018b55516cb01d54973b707209
SHA256 88ff0e5be979ddf6fd5240ddc2342a564861e8e9413de641ae7f4b96b6d1e004
SHA512 bc469502e04ed5f53a397008cc972a1bf690c1c32eb895656fd068cd86cbbaa9ab4ef601b74536cf6a2d4959d88aacf0d019237bb9ada84efe99aab2ee2df797

/data/data/gvevykrfc.cemktbvyqfmg/databases/SettingsDB-journal

MD5 b829f00b02d290a2438cecec74c857f1
SHA1 823a198216e76303ff81f7550181e03666517516
SHA256 379d0b532a710c202c3e07a5284ce26fdb42c9ba94d48d1f241ee69731b69dab
SHA512 063b05b92a0c68ca44275d58b8ae31ea948edc7220e398c2f778faa48a9aeb4cea944b02e8cbb61e48e1fa15bfd4acc904bfd9c8b1fde2fef14d985645076bdf

/storage/emulated/0/.am/prog_class.name

MD5 38f0b1a489b3a8199e83f6ce6c831883
SHA1 870d22256ce4346d0a94d488f703492c4154c4a8
SHA256 af1ec46848fde1684ac250a263ce39f2f7f9f24d33835504b6a251ae443223b5
SHA512 0df7776fba8b2caa5814dd8fc4357217fc061231c0a9e1f7d3d6a95e6b648f32d1f54927359e14af7bfa0a348d97b6198abae666c1f8607824ec4dffab436d78

/data/data/gvevykrfc.cemktbvyqfmg/databases/SettingsDB

MD5 47cedc311b149b639fdf489cf94d9a49
SHA1 bb9235eb30cfdbcb1a5ea9c6d586e0ff76a47c6f
SHA256 81d99372924d20558c0a87f157ac1454592598baa3e2cc31860267322406db65
SHA512 b17eb3a33d0f388c8ab85d38eefea2e36547dfa73835262928927b54597370dc70fd27142b1669cb67f4c6aaa996459ecfc1ded56baf9bf0cb5fa69236a4b3f5

/data/data/gvevykrfc.cemktbvyqfmg/databases/SettingsDB

MD5 df0d246a3def0a8530902a95ee20944a
SHA1 7b7aeb2bcde17b22d55c8f9d9880997e41897c6d
SHA256 07362bb6099c8ec063c859c448d0a7fafa11217f7286c31ef1df81a564314ec7
SHA512 7f86c5e64cb0ac1c38deaf20856223c74ebb81e7c0aa7e1963d5fb52328336c28593f4a17929bf78f0dbc989b2c41c40525b7d2253755c263d4c15c29c15580f

/data/data/gvevykrfc.cemktbvyqfmg/databases/SettingsDB

MD5 18dcf45f01428244ebb86d6a364d3ea8
SHA1 03bb073ef86a1ac348a30e3bc71cc8d86883cae1
SHA256 699b3dbe265e2040669878b73467893af76b4ce687554d51b19d4e7cb03b9933
SHA512 bd59743fef28f4c505d447867ca79afa72fca398b6df6932ed8c0f74cde19db9005480690d925a84d6377502dc677c7e4244f82f343d1aba5030b8ac3fe0950b

/data/data/gvevykrfc.cemktbvyqfmg/databases/SettingsDB

MD5 a2705d53ec61204b3b01953748bef6e1
SHA1 41457866ba4311d9d91f0d31894c535afa7ac56b
SHA256 8574e515aaa0f9bb7e967641cee50e936de789e957110a3dce7cf983c5dc878c
SHA512 085f8cde2ccfdf55daefdb94a7fe1c9183f6f5b731d709183c530239126cec1941301ce88c770e01d9e7df3c9ab8bfc6cfb50f49c19be54b36e749ac63a9046e

/data/data/gvevykrfc.cemktbvyqfmg/databases/SettingsDB

MD5 b843b2b9e8988d5163bec3f3f4dcac9b
SHA1 543aad7c28c0a1c5252a959b688e25b53350684f
SHA256 90fd22c5fbbd3da098884b6f561beda9a6031155070c7ebfcc72e8d45c9c4039
SHA512 089f3d3199f874252d33e72c6fd1641a48531c309675580acfb157bb03c06b4da04adf4cee39fd6598a5c5ba828d8c121fe9efa02b594cd1848f115856e85ef8

/storage/emulated/0/.am/log_.txt

MD5 25f7b554909107af9ddd02dd0828377e
SHA1 67403b2855d44260094a73adf48b94d288343fc0
SHA256 3797435e51e2f696781b227dd71e728eb31aa3db5c7cdcd148bd1beddeff5972
SHA512 b68c23869755a398627e745bae3d0c51d1979b4a0ca953b8bc20e3f4e35d74766c630909c54c7d56ccd07a86d2aa5818a431d87c3fd3a85d21372b90db7005c8

/storage/emulated/0/.am/log_.txt.zip

MD5 787abec91cef90b7d4cd6de1b6358d62
SHA1 64af9ad014779d3324c23f2cb1cf98236b167c6d
SHA256 ab887b9e3ddd65c59f4051663cd4eda43ee435022333f4a1b0317bb6bfe87eb2
SHA512 b905b3830565f8883126783f4dadb6bb296bc3c5df55545fcc1d2030acc0d798d5ec8a9beaf8453532b4d37d6d1a7cafdbabeb3ba38508acee415ad715a7bf7e

/storage/emulated/0/.am/log_1733022540982.txt.zip

MD5 2c7e576771da0b95d22b42f48d1475ad
SHA1 1b4efbc90f84e521dd0d1b208eb8f96c981cb560
SHA256 01e5c3e7a4063159060b3255b0478817085552ae3b28a2c5624bab10c477868c
SHA512 3ad17e5eafddda839555711bbd8a93d8fb81cd22bfa263c02da124c12880d83b23c7872aa9649161f1f3bfea5d256611c288b5150846153559b36ec2181a80cd