andrmonitor | 450173140bbdc6f8ba40d8e2c29b42a93c189c34c19829881097e8f0d56ac760

Analysis

max time kernel
45s
max time network
151s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
01/03/2025, 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

450173140bbdc6f8ba40d8e2c29b42a93c189c34c19829881097e8f0d56ac760.apk
Size

21.2MB
MD5

47d9b5e71d8fb85d593fb75c3ffeaec0
SHA1

4b095e4336cc8652e86044d4d6aa1178fdfad2e0
SHA256

450173140bbdc6f8ba40d8e2c29b42a93c189c34c19829881097e8f0d56ac760
SHA512

5217fb55c33dfb5a79317376168692b8b2c655e7ffd0ffcd40e34ead708585a058e236b96d581176a78fe9084a6f6bf84635e0682192f17a701b14f85402e388
SSDEEP

393216:wKU8rbvqsJA35z7A79L+IsQ1mbgafiubcBZLb7T9i/zVN2I+TX0NuKpPbNiRSKcJ:3BbtJA35z7c5yOmbBffcXLBi/zVN2Ik6

Score

10^/10

andrmonitor banker collection defense_evasion discovery evasion execution infostealer persistence spyware stealth trojan

Malware Config

Signatures

AndrMonitor
AndrMonitor is an Android stalkerware.
trojan infostealer spyware andrmonitor
Andrmonitor family
andrmonitor

Checks if the Android device is rooted. 1 TTPs 2 IoCs

defense_evasion

System Information Discovery

T1426

ioc	Process
/system/app/Superuser.apk	binbu.pjyvmek
/sbin/su	binbu.pjyvmek

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4301	binbu.pjyvmek

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
Anonymous-DexFile@0xcdd39000-0xcdff34e0	4301	binbu.pjyvmek
Anonymous-DexFile@0xcd845000-0xcdaff4e0	4301	binbu.pjyvmek
Anonymous-DexFile@0xccded000-0xccf19f24	4301	binbu.pjyvmek

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Queries account information for other applications stored on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccounts	binbu.pjyvmek

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	binbu.pjyvmek

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 3 IoCs

flow	ioc
4	prog-money.com
6	anmon.name
13	andmon.name

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	binbu.pjyvmek

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	binbu.pjyvmek

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests cell location 1 TTPs 1 IoCs

Uses Android APIs to to get current cell information.

collection discovery

Location Tracking

T1430

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	binbu.pjyvmek

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	binbu.pjyvmek

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	binbu.pjyvmek

binbu.pjyvmek
1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests cell location
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
PID:4301
- su
  2⤵
  PID:4336

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Credential Access

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/binbu.pjyvmek/databases/SettingsDB

Filesize
128KB

MD5
83f9d1be51c0ef0019952bd962f70f05

SHA1
8f9e2782d24b692b46e6aa8974e61fb6aa7d903e

SHA256
9623d7ebba654211ee8fe37878dba389a66331142db2401a66207d308d29528b

SHA512
586686fe26bac50335757548d758303a9adc54ccaf923f9ed977d05ffb927a4c406480b8fd8723a6d8adbad5d079843931d7b1d20aab2c369e88e6a62b928a53

Download Submit
/data/data/binbu.pjyvmek/databases/SettingsDB

Filesize
100KB

MD5
06e1ba555a4614d5147f9ec3e5d8f831

SHA1
6d2eeb2100bdcf8a7252fe0f00005bc394135edc

SHA256
f887a8f2c8ca9dd129c304c1a6effd55e080a85e9a398c2eb71cfd5ebca9fd0f

SHA512
8a3e693edf08b4ccfae35c42e8b5dd4cf79153c76cf21e3fac4b8e282cf1481bd694db6373ee701e8cedbc65e110672f62a66a287a889d53daeee0484ec8ff68

Download Submit
/data/data/binbu.pjyvmek/databases/SettingsDB

Filesize
60KB

MD5
b84ec3ac5c1e79f72c55ea19bb82f981

SHA1
2a911a0494b171906a25ce812a25847c9f550a2f

SHA256
cd2acafa436796594063fa7599247531a5a1faf91b5035d85bf692a395cd3841

SHA512
9faa7a08293d0d00f9d0ec1b8c217d86d99e938a0e81f6d0324befefaf8c3a4226a64c1f1ee44119c07035c643e46f7fab51b6421819f346619382bae75ad2fb

Download Submit
/data/data/binbu.pjyvmek/databases/SettingsDB

Filesize
52KB

MD5
b6815b344f6926d458cea05acd052cdd

SHA1
88f524aff1d4c5fee979a203dd952427871a7097

SHA256
028666f28ae0086b18fb740f792e8a80ad05547f0c7cb9d2dc8080e5125db366

SHA512
0431375f80e9c467d0abb042e43681a973bce455fe8354f5a138f19a3b28d3adc7eac3fe4c20bf44f085810749569b87a393185cd8f8bf2687f0923b8de4dade

Download Submit
/data/data/binbu.pjyvmek/databases/SettingsDB

Filesize
100KB

MD5
d1d5fb3e137d790479e9632eff14fb82

SHA1
f5389b719da88c42b864fb803d2b4e0c0541773a

SHA256
2da471ccb1d47c153ebcd50df5191b1e08b601b76caa2842d005fbefa95f9056

SHA512
22e5d3cbcc2f0f6769ba8facce7688275bf972f02947386782a7b8e11a343af0379ee648b5496f454e8f8c281ef767bdeccac6daa23e910335bd8cdc0b15e78a

Download Submit
/data/data/binbu.pjyvmek/databases/SettingsDB

Filesize
148KB

MD5
9ab3167f3288cf8fef42b1698ba5729d

SHA1
f4e8f16108e8e3605c0ed20187153d0b393f3f3a

SHA256
6d5a49d0ebbe3328a8937cbab4d554a79cdc8813d337910c593ba2e2591a508e

SHA512
99481fabd129ba8557a8bd89310a99e04e266bde3c066bbe019222fc133c5c86cfeaf49c9277537d36d3aa78db87315add843deda3cdcaaec52f51cd590557e5

Download Submit
/data/data/binbu.pjyvmek/databases/SettingsDB-journal

Filesize
512B

MD5
12c37618a16e11070db458a47d56b1c1

SHA1
33dee628abeed1c778dbc964c6a6e62a23f8dcc3

SHA256
cc5ddd0e5e1f3052237dba97dc5941bddbb6a73aeb2dd76e9e561ecc869ac0d0

SHA512
cd601649f1638ee8769c6cb7222bf14403bc6cbda5b195b43133b344de33f388022ffb948e50f47f8b3d5874ede55d794d2420fe8acc5e95f40d72977027c643

Download Submit
/data/data/binbu.pjyvmek/databases/SettingsDB-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/binbu.pjyvmek/databases/SettingsDB-wal

Filesize
410KB

MD5
7dbee06f5fe69f349824a95c648f55b1

SHA1
999ab9b830b35a55bc7ed75d20cfd9b6a27126ce

SHA256
bce5fa57eb6768abf73087696a83eecec9191939f4e6fd2e3de1faee48d077a7

SHA512
1f689a04d7a6457d94f96327423a3f70a6d4032e95d05f77590de28ae2a1b0f4483c9a2b792487dfeef0c23708cf46f3b9618b2f8cf145dc5a81d3a45406598f

Download Submit
/data/data/binbu.pjyvmek/databases/SettingsDB-wal

Filesize
8KB

MD5
9aa3da2f47316803bd48995b88183207

SHA1
1502fcdd887e3614c607891c51c911924bb04a80

SHA256
c5c6b8cea0de1f82af28934131ef75e623b871bd470989b2d31f3f51a2a81829

SHA512
cd994782e6034f896fdca95f4b0cc16dd6bd6b6b1a12eca363791d03a2fa30b35e271e986c201608b4ec89bbdb418ce740cb35711d982ed3cfb0136c3c982472

Download Submit
/data/data/binbu.pjyvmek/databases/SettingsDB-wal

Filesize
4KB

MD5
ba3b1a82b3ad6833dc980715de24ae62

SHA1
9eec2f45d847720b2bac0fe4abbf414c75f24ca9

SHA256
cb9c1b0c5ddab1c0524285df6069afefe24b71ef8503b8c6ebacf6039ae08006

SHA512
d86bd34045bbec6b9d58d7ee427a0dce47377fad23aebcdcffaeaec26e839a37168c5c51416afe01277c2587334d28b0a53c4cafbe6f30a7cde4261c07edf432

Download Submit
/data/data/binbu.pjyvmek/databases/SettingsDB-wal

Filesize
4KB

MD5
234f6996d3486190d7378a02af66f5ba

SHA1
1ce5878a1bcc7101ac2176b56cb2f0491fe70c0c

SHA256
2d398135fd7b5bbada428617a94526db54c457856171c99f8f4f6ce9b48d0097

SHA512
ba2f7fa8c9728c7e10242e613202fbb44ff6634c02146ef898a8d9f93d4d1a24382ff7392882a4dd4f101e189516ba89c0afe41c85102bcfcd58eeeefa317916

Download Submit
/data/data/binbu.pjyvmek/databases/SettingsDB-wal

Filesize
8KB

MD5
70b8e31cb84c8fa1ed2b771d3cbfc0e1

SHA1
766ac1f9ed0f668cc376e9ffc1d73d3603fea8cc

SHA256
98e1b32520871aee7e3b17e99db88a6ab3df66202caafcb83a8e8f6a9df03156

SHA512
ad542d2290e54cc0aecba60ad73276876c407c70d1f1fb72d7ad7748165950489d0ed7c1ed25d6f859bca9ff2052eb84ebce61784b922f09edd8de12fc563910

Download Submit
/data/data/binbu.pjyvmek/databases/SettingsDB-wal

Filesize
418KB

MD5
82df2df1e3c91ca7697eb43754242514

SHA1
295378c25897fc8de2c650fdd7489a75d6433c58

SHA256
7a02c0de3489db3c3c8f4f4aa417fc254cb1b48ccf187a58b772c2fc435bdcea

SHA512
0e712af81c5153ca0c98c8d6e115cb6777b80485c22b1005474ce80879a98d58721ef175424244d6113a6a1b992f0292ee83c7e32c7d2df4791e01df238d3549

Download Submit
/storage/emulated/0/.am/dm/md/main.md

Filesize
2.7MB

MD5
97cc43e6bc600b26035cd7ff7e3ae864

SHA1
d86a7030dfc879297367ff279287868d94c5b6c0

SHA256
3e007b65ad02af5378b746067cc917eb77e9bd8b4ddf6293c47bd8a86359ad33

SHA512
eb9a4be54e98fff773eafddee0a145e5ef75ca49fda810c3fa481c6ac8314c888c85167235a540fd3e1e38c35f5c6a65d66f91dc837574037c1c7857a17d0bdf

Download Submit
/storage/emulated/0/.am/dm/md/main_tools.md

Filesize
1.2MB

MD5
c81c51456766e174d6b23e17e56b3151

SHA1
2b8f21a13af6efdfe1bfa00c011ba6a1bc5d6f20

SHA256
79ceb49440a30e4e0b9ab83015384650cc535a1f54d457cf4a0873f9621c0822

SHA512
a88c8290d5804d10cbbe811eb3b041d122c66cb75b44c5095f3e03ebf90e8f39d58d6d7e20066df046e9999b3341337094336b35c987ed6af34852c8a049a13b

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
128B

MD5
a6ed1bb5fc1c59ec5e201b8cd75756e2

SHA1
14c1a0d37fd65eb9a32e9861f42947105c18e201

SHA256
b32ed06dfdab26d832b6884425cb44b6549a94659daefb0a7d661b9196ffd6c2

SHA512
dbbe3a4b1cad658424530a60426bf76cd460188fbd04aefb060f49a92d756752551a5d8f4e0cff2373c1ffdc325af40c54542cc13e95d3c9c22625e644c9186c

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
171B

MD5
f5717bcd639d8f6353f6e0c248b6398e

SHA1
38bb5865c8ab392f2c5e7686fb41cb80d750e330

SHA256
423bfd55d68cf84bff7a6edf8fc69c5b5d622bd62d08aeb4dbebd8a00643301d

SHA512
5e8b736259de0f627c27d022de1fb66d2268afec33b64ff837794cf34366f5c954b4019ae45db7980f71e035e8d4428bd37d11b05a0a7947ac6d819bfddeff5d

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
4KB

MD5
77907d20d1100acb3439be8542733cc6

SHA1
e01c6ad3ecd3eb08da843e7a9a49b7b9d94dbb15

SHA256
01d411a5234afc48876ce19a2e5d3e3389d26024dc144984895d902494c2373d

SHA512
dd9d39f095332fa7af5804648ccabab30615d106fd1e821b9fd82818e456f53ff341ce61a078a106c9657444c5db33475c6da26029b2b748fd53e608c6ebf176

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
62B

MD5
602d93eea47e3b73fc64767062aab9aa

SHA1
3695f66b14c0ce68c8fed4f149e03ab501581232

SHA256
c4d15773d5c54f89166fa67fbcc84bff6c04a04467276ad3cb97cba4379a8998

SHA512
02d4a89cf305c711b6a888b8306446205f12afc6d729e9b1ac7fde7ae3c96077ebbafd0bf8a850ff7fa2ea6e5af29280035665dc6f892cb1645e3ddfc9c8e98e

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
70B

MD5
0a6a06709510f64f851ada1f6bc07548

SHA1
5eb7025f713a44cb22870c207d2e567f6f69643b

SHA256
cb3e7d2dade474666581fe43af6cdcfd5a709fcb1a7f19ec4cb5f9f1d992ae5e

SHA512
67f215bd14dd58136a15d60b6ffb70159b07790b32fee331acfb0bd02a069ced4b4da3ba65dc7c0baebf9b0bbaf5bb8c6d552dce3ba194332e8b85f3b844a451

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
59B

MD5
7086d9c8ab72e1b79485734f81cc598d

SHA1
65c3ab96ca046380a3413a86f31b740eaa0ea192

SHA256
beea388325457659706dbff0f0dc6526a758a887d698364bd48079b8c25d3e6b

SHA512
68d4a258d40970cbcd37cc2acdadf01f7990563d8153c7479c1d57e299d6fcdfe54fed56328b0676a3f9b776362e4126a8e91f2b8805ffefc97446a6ea8a3fdf

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
153B

MD5
f5fdb9eaeae2f6b02a32fd8f3a60d6ad

SHA1
5e2408d7ecd6590f0384ca6b94cea4b336cac62a

SHA256
86502b7051cae95a88bc5e4a3bad892ad05d283cf1966c98c2b41dff50b9426d

SHA512
7b7eb6c0cd92897bd31c0f1714f5440ef442a39263246753d4a10efbc2557befc599ebeeaa2a27f4fdd67aabff344ef7b48a7d48422a64e1185c0caa6d8ee726

Download Submit
/storage/emulated/0/.am/log_.txt

Filesize
35KB

MD5
9a369de6bb3b35e4170fb85e991dedb1

SHA1
43274e5a1856ca127a4661378bf680beb213b1ab

SHA256
4e1c9f2fbd9baa8d6304e8beb51331c3fb98eacb888fed7b413de3f1cd942474

SHA512
e0a7631a0b259a98cceb53e2814408729ade927441ce3dc2c866ff4f9f9bbb5fea4495faa0587164de9115e68d4f49ec740f1dd9835e3f068ff94737ffdc8e90

Download Submit
/storage/emulated/0/.am/log_.txt.zip

Filesize
8KB

MD5
736c5a9984b2b685eab5dd54ff77784f

SHA1
a3fb7b2bbab7eb24e1909f0c431df1b338b47e49

SHA256
13934791a035b48d8f0fdfc29645920e434ccd018eccc5787446a4d4ad1c7333

SHA512
4d75c19fb5936faed49ff366d2230b7fa91130f363ae259ec39a3157b9140d1d02e2ad5ef5c0a15eac2921078563769d0727d385f87d71060edb64e972b6e748

Download Submit
/storage/emulated/0/.am/log_1740796363872.txt.zip

Filesize
218B

MD5
590eb8ce7859d1d6586c68befc409425

SHA1
0eac3421a811ccb093db34d78ccfc381143d0315

SHA256
4d3077b00cfca8d78c7d07175175d6e2085a04a8769ccffbf5aaf7d6b5ef2d66

SHA512
98d4db801f1be86e1d72ceb13dc49d9f2109a9184a9e158979e773671f92ad7272827c3e0d044d7f781b32777a8930600f7718ff8a844fd8e52c27ce63a8ed48

Download Submit
/storage/emulated/0/.am/prog_class.name

Filesize
74B

MD5
630c3cb641663163938c334862b3d8af

SHA1
a6bb61e769f4629d0fe62e2b7f69248a17a9a782

SHA256
a2193224aaa62e8e71608313d27dea72f7f8f4a2efc029200a3b89232e3ee782

SHA512
64e019d3ca81a2d4d075ddd5244c33c5da0036ac5166f5fde70659a31ff0cdf35d95f5a50330600eb5ac812de8a0d08d41b8a5aabdfae8ed7f08aa98d35a3f66

Download Submit
/storage/emulated/0/.am/prog_class.name

Filesize
72B

MD5
ba5e690930f49e4578149c9d9bfc97e2

SHA1
8939c46b246e849d4a4d353554111c6a91a095c7

SHA256
9e82864cb17ebb1ace3690bcee3861b414c9682f7f7822b54f8d49d9da831b15

SHA512
b3afa35f6ad54a72372c22fd6e082a868eabfba8487b7d10b0fb964ca3ce26807d8072c5b020ade544d90d486d7fe84ad86e25c13ccf0b57c63cb4ed1962a570

Download Submit
Anonymous-DexFile@0xccded000-0xccf19f24

Filesize
1.2MB

MD5
4768956e02a41b7e2032707b7c65a52a

SHA1
eb730a2e6f2b0497ee9731c488b02f0e68105942

SHA256
c50c0434ac58766df76b0ffb3fdd9489a6d8ea7b8789f0bfbb3fb78299a00060

SHA512
afae3c09e482e6577f4e79013b6d2dc1ce89a00a2ef5571074931da9bc91aceb53a01298dd3072325034ecd1ea0ec92dda630c06433dcd458ba7ac574778848c

Download Submit
Anonymous-DexFile@0xcdd39000-0xcdff34e0

Filesize
2.7MB

MD5
542b77e146d8118017ba4c66529cbe6f

SHA1
863e8616511229438d1cac6e1c5c00f860219768

SHA256
40f050a80dc09006cfcb7fad3b37a617ebbc222c1c51f303ef41d23e0436e50d

SHA512
d546457becb7c3b8e8114c929668a5f22ee38dd3a5bf39140563d6d9cd7ae6aa45631eeec50079b2fafa08fd8221624e8008e2d24830af9d28fb19b2eb5d4588

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads