Malware Analysis Report

2025-01-19 05:31

Sample ID 241216-g87f1aykez
Target f7a01a72056b791898c75c6de13a15c6_JaffaCakes118
SHA256 93ca4d53d68b38627ce7c629f189d500ebe5f43240ae9a4cd1b1c02c68990359
Tags banker collection credential_access discovery evasion impact privilege_escalation stealth trojan persistence andrmonitor
Score 10/10

Analysis Overview

Score: 10/10

SHA256: 93ca4d53d68b38627ce7c629f189d500ebe5f43240ae9a4cd1b1c02c68990359

Threat Level: Known bad

The file f7a01a72056b791898c75c6de13a15c6_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

banker collection credential_access discovery evasion impact privilege_escalation stealth trojan persistence andrmonitor

Andrmonitor family

Removes its main activity from the application launcher

Checks if the Android device is rooted.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Queries information about active data network

Reads information about phone network operator.

Tries to add a device administrator.

Requests dangerous framework permissions

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Declares broadcast receivers with permission to handle system events

Queries the unique device ID (IMEI, MEID, IMSI)

Declares services with permission to bind to the system

Acquires the wake lock

Queries information about the current Wi-Fi connection

Requests accessing notifications (often used to intercept notifications before users become aware).

Checks the presence of a debugger

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-12-16 06:29

Signatures

Andrmonitor family

andrmonitor

Declares broadcast receivers with permission to handle system events

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |

Declares services with permission to bind to the system

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A |

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to monitor incoming MMS messages. | android.permission.RECEIVE_MMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A |

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-16 06:29

Reported: 2024-12-16 06:31

Platform: android-x64-arm64-20240624-en

Max time kernel: 70s

Max time network: 94s

Command Line

com.andmon

Signatures

Checks if the Android device is rooted.

evasion

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /system/xbin/su | N/A | N/A |
| N/A | /system/app/Superuser.apk | N/A | N/A |

Removes its main activity from the application launcher

stealth trojan evasion

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | prog-money.com | N/A | N/A |
| N/A | anmon.name | N/A | N/A |

Queries information about active data network

discovery

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |

Queries information about the current Wi-Fi connection

discovery

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A |

Tries to add a device administrator.

privilege_escalation impact

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A |

Checks the presence of a debugger

evasion

Checks memory information

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/meminfo | N/A | N/A |

Processes

com.andmon

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.206:443 | | tcp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.169.46:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | prog-money.com | udp |
| DE | 157.90.2.159:80 | prog-money.com | tcp |
| US | 1.1.1.1:53 | anmon.name | udp |
| DE | 168.119.91.88:80 | anmon.name | tcp |
| DE | 168.119.91.88:80 | anmon.name | tcp |
| GB | 142.250.187.228:443 | | tcp |
| GB | 142.250.187.228:443 | | tcp |

Files

/storage/emulated/0/.androidmonitor/log.txt

/data/user/0/com.andmon/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/675FC8E60204-0001-11A5-82514F0D77CFBeginSession.cls_temp

/data/user/0/com.andmon/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/675FC8E60204-0001-11A5-82514F0D77CFSessionApp.cls_temp

/data/user/0/com.andmon/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/675FC8E60204-0001-11A5-82514F0D77CFSessionOS.cls_temp

/data/user/0/com.andmon/databases/SettingsDB-journal

/data/user/0/com.andmon/databases/SettingsDB

/data/user/0/com.andmon/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/675FC8E60204-0001-11A5-82514F0D77CFSessionDevice.cls_temp

/data/user/0/com.andmon/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap.tmp

/data/user/0/com.andmon/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/675FC8E60204-0001-11A5-82514F0D77CFuser.meta

/data/user/0/com.andmon/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap

/data/user/0/com.andmon/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics_to_send/sa_4831adec-507e-4846-9b2a-3676098a6b69_1734330599342.tap

/data/user/0/com.andmon/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/log-files/crashlytics-userlog-675FC8E60204-0001-11A5-82514F0D77CF.temp

/data/user/0/com.andmon/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics_to_send/sa_919f99dd-97b8-459f-858d-7ca184df536a_1734330610620.tap

/storage/emulated/0/.androidmonitor/log_.txt

Analysis: behavioral3

Detonation Overview

Submitted: 2024-12-16 06:29

Reported: 2024-12-16 06:31

Platform: android-33-x64-arm64-20240624-en

Max time kernel: 35s

Max time network: 77s

Command Line

com.andmon

Signatures

Checks if the Android device is rooted.

evasion

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /system/app/Superuser.apk | N/A | N/A |
| N/A | /system/xbin/su | N/A | N/A |

Acquires the wake lock

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | prog-money.com | N/A | N/A |
| N/A | anmon.name | N/A | N/A |

Queries information about active data network

discovery

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A |

Tries to add a device administrator.

privilege_escalation impact

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A |

Checks the presence of a debugger

evasion

Checks memory information

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/meminfo | N/A | N/A |

Processes

com.andmon

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.196:443 | | udp |
| GB | 142.250.187.196:443 | | tcp |
| GB | 142.250.200.42:443 | | tcp |
| GB | 142.250.200.42:443 | | tcp |
| GB | 216.58.212.238:443 | | tcp |
| GB | 216.58.212.238:443 | | tcp |
| US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp |
| US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp |
| US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp |
| GB | 142.250.187.202:443 | remoteprovisioning.googleapis.com | tcp |
| US | 172.64.41.3:443 | | tcp |
| US | 172.64.41.3:443 | | tcp |
| GB | 216.58.201.99:443 | | tcp |
| US | 172.64.41.3:443 | | udp |
| US | 34.104.35.123:80 | | tcp |
| GB | 216.58.201.99:443 | | udp |
| GB | 142.250.187.196:443 | | tcp |
| GB | 172.217.169.68:443 | | tcp |
| GB | 172.217.169.68:443 | | tcp |
| GB | 142.250.187.196:443 | | udp |
| US | 1.1.1.1:53 | prog-money.com | udp |
| DE | 157.90.2.159:80 | prog-money.com | tcp |
| US | 1.1.1.1:53 | anmon.name | udp |
| DE | 168.119.91.88:80 | anmon.name | tcp |
| GB | 142.250.187.227:443 | | tcp |

Files

/storage/emulated/0/.androidmonitor/log.txt

/data/user/0/com.andmon/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/675FC8EB0385-0001-10E3-0BC6F47B9883BeginSession.cls_temp

/data/user/0/com.andmon/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/675FC8EB0385-0001-10E3-0BC6F47B9883SessionApp.cls_temp

/data/user/0/com.andmon/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/675FC8EB0385-0001-10E3-0BC6F47B9883SessionOS.cls_temp

/data/user/0/com.andmon/databases/SettingsDB-journal

/data/user/0/com.andmon/databases/SettingsDB

/data/user/0/com.andmon/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/675FC8EB0385-0001-10E3-0BC6F47B9883SessionDevice.cls_temp

/data/user/0/com.andmon/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap.tmp

/data/user/0/com.andmon/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap

/data/user/0/com.andmon/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/675FC8EB0385-0001-10E3-0BC6F47B9883user.meta

/data/user/0/com.andmon/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics_to_send/sa_1ae81c46-7d75-4992-9bd3-59eaefe956c0_1734330604569.tap

/data/user/0/com.andmon/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/log-files/crashlytics-userlog-675FC8EB0385-0001-10E3-0BC6F47B9883.temp

/data/user/0/com.andmon/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics_to_send/sa_06b26302-37ff-4225-92cf-be1176f75e50_1734330617266.tap

Analysis: behavioral4

Detonation Overview

Submitted: 2024-12-16 06:29

Reported: 2024-12-16 06:31

Platform: android-x86-arm-20240624-en

Max time kernel: 73s

Max time network: 86s

Command Line

com.andmon

Signatures

Checks if the Android device is rooted.

evasion

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /system/app/Superuser.apk | N/A | N/A |
| N/A | /system/xbin/su | N/A | N/A |

Removes its main activity from the application launcher

stealth trojan evasion

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | prog-money.com | N/A | N/A |
| N/A | anmon.name | N/A | N/A |

Queries information about active data network

discovery

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Tries to add a device administrator.

privilege_escalation impact
Description Indicator Process Target
Intent action android.app.action.ADD_DEVICE_ADMIN N/A N/A

Checks the presence of a debugger

evasion

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.andmon

su

Network

Country Destination Domain Proto
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 prog-money.com udp
DE 157.90.2.159:80 prog-money.com tcp
US 1.1.1.1:53 anmon.name udp
DE 168.119.91.88:80 anmon.name tcp
DE 168.119.91.88:80 anmon.name tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 142.250.178.10:443 semanticlocation-pa.googleapis.com tcp

Files

/storage/emulated/0/.androidmonitor/log.txt

/data/data/com.andmon/databases/SettingsDB-journal

/data/data/com.andmon/databases/SettingsDB

/data/data/com.andmon/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/675FC8E700F7-0001-1097-91A197FEA6A7BeginSession.cls_temp

/data/data/com.andmon/databases/SettingsDB-shm

/data/data/com.andmon/databases/SettingsDB-wal

/data/data/com.andmon/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/675FC8E700F7-0001-1097-91A197FEA6A7SessionApp.cls_temp

/data/data/com.andmon/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/675FC8E700F7-0001-1097-91A197FEA6A7SessionOS.cls_temp

/data/data/com.andmon/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/675FC8E700F7-0001-1097-91A197FEA6A7SessionDevice.cls_temp

/data/data/com.andmon/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/675FC8E700F7-0001-1097-91A197FEA6A7user.meta

/data/data/com.andmon/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap.tmp

/data/data/com.andmon/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap

/data/data/com.andmon/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics_to_send/sa_0f919eec-e580-475d-a3a7-9c1cbe31fd3b_1734330600359.tap

/data/data/com.andmon/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/log-files/crashlytics-userlog-675FC8E700F7-0001-1097-91A197FEA6A7.temp

/storage/emulated/0/.androidmonitor/log_.txt

/data/data/com.andmon/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics_to_send/sa_4eeb623a-634f-4bb7-a291-eaa0ecae757d_1734330611589.tap

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-16 06:29

Reported

2024-12-16 06:31

Platform

android-x64-20240624-en

Max time kernel

44s

Max time network

93s

Command Line

com.andmon

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A
N/A /system/xbin/su N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A prog-money.com N/A N/A
N/A anmon.name N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Checks the presence of a debugger

evasion

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.andmon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.204.74:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 prog-money.com udp
DE 157.90.2.159:80 prog-money.com tcp
US 1.1.1.1:53 anmon.name udp
DE 168.119.91.88:80 anmon.name tcp
DE 168.119.91.88:80 anmon.name tcp
GB 216.58.204.74:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.179.234:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
GB 216.58.201.98:443 tcp
GB 172.217.169.46:443 tcp

Files

/storage/emulated/0/.androidmonitor/log.txt

/data/data/com.andmon/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/675FC8E502AE-0001-1383-79A9A4832815BeginSession.cls_temp

/data/data/com.andmon/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/675FC8E502AE-0001-1383-79A9A4832815SessionApp.cls_temp

/data/data/com.andmon/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/675FC8E502AE-0001-1383-79A9A4832815SessionOS.cls_temp

/data/data/com.andmon/databases/SettingsDB-journal

/data/data/com.andmon/databases/SettingsDB

/data/data/com.andmon/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/675FC8E502AE-0001-1383-79A9A4832815SessionDevice.cls_temp

/data/data/com.andmon/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap.tmp

/data/data/com.andmon/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/675FC8E502AE-0001-1383-79A9A4832815user.meta

/data/data/com.andmon/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics.tap

/data/data/com.andmon/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics_to_send/sa_4e70ac93-01c8-48a0-8210-e8c4542a6a87_1734330598345.tap

/data/data/com.andmon/files/.Fabric/com.crashlytics.sdk.android.crashlytics-core/log-files/crashlytics-userlog-675FC8E502AE-0001-1383-79A9A4832815.temp

/data/data/com.andmon/files/.Fabric/com.crashlytics.sdk.android:answers/session_analytics_to_send/sa_9a79f6fe-f256-4f28-9b09-6b62dd322b91_1734330610110.tap

/storage/emulated/0/.androidmonitor/log_.txt