andrmonitor | 450173140bbdc6f8ba40d8e2c29b42a93c189c34c19829881097e8f0d56ac760

Analysis

max time kernel
32s
max time network
156s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
01/03/2025, 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

450173140bbdc6f8ba40d8e2c29b42a93c189c34c19829881097e8f0d56ac760.apk
Size

21.2MB
MD5

47d9b5e71d8fb85d593fb75c3ffeaec0
SHA1

4b095e4336cc8652e86044d4d6aa1178fdfad2e0
SHA256

450173140bbdc6f8ba40d8e2c29b42a93c189c34c19829881097e8f0d56ac760
SHA512

5217fb55c33dfb5a79317376168692b8b2c655e7ffd0ffcd40e34ead708585a058e236b96d581176a78fe9084a6f6bf84635e0682192f17a701b14f85402e388
SSDEEP

393216:wKU8rbvqsJA35z7A79L+IsQ1mbgafiubcBZLb7T9i/zVN2I+TX0NuKpPbNiRSKcJ:3BbtJA35z7c5yOmbBffcXLBi/zVN2Ik6

Score

10^/10

andrmonitor banker collection defense_evasion discovery evasion execution infostealer persistence spyware trojan

Malware Config

Signatures

AndrMonitor
AndrMonitor is an Android stalkerware.
trojan infostealer spyware andrmonitor
Andrmonitor family
andrmonitor

Checks if the Android device is rooted. 1 TTPs 3 IoCs

defense_evasion

System Information Discovery

T1426

ioc	Process
/system/app/Superuser.apk	binbu.pjyvmek
/sbin/su	binbu.pjyvmek
/system/bin/su	binbu.pjyvmek

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/binbu.pjyvmek/[email protected]	4490	binbu.pjyvmek
/data/user/0/binbu.pjyvmek/[email protected]	4490	binbu.pjyvmek
/data/user/0/binbu.pjyvmek/[email protected]	4490	binbu.pjyvmek

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Queries account information for other applications stored on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	binbu.pjyvmek

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	binbu.pjyvmek

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 6 IoCs

flow	ioc
17	prog-money.com
18	andmon.name
13	prog-money.com
14	prog-money.com
15	anmon.name
16	anmon.name

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	binbu.pjyvmek

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests cell location 1 TTPs 1 IoCs

Uses Android APIs to to get current cell information.

collection discovery

Location Tracking

T1430

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	binbu.pjyvmek

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	binbu.pjyvmek

binbu.pjyvmek
1⤵
- Checks if the Android device is rooted.
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests cell location
- Schedules tasks to execute at a specified time
PID:4490

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Credential Access

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Location Tracking

T1430

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/binbu.pjyvmek/[email protected]

Filesize
2.7MB

MD5
542b77e146d8118017ba4c66529cbe6f

SHA1
863e8616511229438d1cac6e1c5c00f860219768

SHA256
40f050a80dc09006cfcb7fad3b37a617ebbc222c1c51f303ef41d23e0436e50d

SHA512
d546457becb7c3b8e8114c929668a5f22ee38dd3a5bf39140563d6d9cd7ae6aa45631eeec50079b2fafa08fd8221624e8008e2d24830af9d28fb19b2eb5d4588

Download Submit
/data/user/0/binbu.pjyvmek/[email protected]

Filesize
1.2MB

MD5
4768956e02a41b7e2032707b7c65a52a

SHA1
eb730a2e6f2b0497ee9731c488b02f0e68105942

SHA256
c50c0434ac58766df76b0ffb3fdd9489a6d8ea7b8789f0bfbb3fb78299a00060

SHA512
afae3c09e482e6577f4e79013b6d2dc1ce89a00a2ef5571074931da9bc91aceb53a01298dd3072325034ecd1ea0ec92dda630c06433dcd458ba7ac574778848c

Download Submit
/data/user/0/binbu.pjyvmek/databases/SettingsDB

Filesize
128KB

MD5
f2ce9c95a8b8921a66ab95c76d10e742

SHA1
fd335c8a71b7402d10093d8014e2c92a667affdc

SHA256
8141d144aa9d7d88e19762424cfb404f33fa02a80c7421136b79849da77621c1

SHA512
aa9517ab1a5bc603260ee5506beebe83b754fe76baea323c3fb3f68c06cc50ebf8777f98e084089774bbe956e31a5d56d6984b02b812cd842dea920ca2f003f6

Download Submit
/data/user/0/binbu.pjyvmek/databases/SettingsDB

Filesize
100KB

MD5
97d437665fad84901d87763360aba6e0

SHA1
d9daa6053aa955e524566c71107ebf9d7ffbd274

SHA256
a9386c2f3f9ea8b85882d1bc93d08caf66402449832b156b996ade5c234ac0c8

SHA512
2051e41f5ae8bc1e3784f089696bd707710f72d0f2dba00ce748a4e84b1149303db4bd59f6a2d65091bb6f258f3256ef0207b26d3adcf856bbe4d1a4fd8187b2

Download Submit
/data/user/0/binbu.pjyvmek/databases/SettingsDB

Filesize
60KB

MD5
b2fc263e9bccdddd2c60eb1de7e7c232

SHA1
1b1dc1dcfd01b101a09d291aefd0b2c1af82e9e8

SHA256
72ab04778e734ba53f9758331bf32246eb8b0cd83f6a33df7178d0b97c89a601

SHA512
65bd24f8ff9c9d05900b37c449629b8ef24ad0c83db6e1516992e2e9420603e40fddeb030dffd20e85f97278b3afec08ceb3691f2021be4c63778d0606b7cbc6

Download Submit
/data/user/0/binbu.pjyvmek/databases/SettingsDB

Filesize
100KB

MD5
62489fea594a8794bbf5bcc846eac49c

SHA1
44763ea8997cf5e6f5474a47c0b0a15b302bbe81

SHA256
cac4e41f20d2d7d6e236152c0388491bb516c5b7ec037736e48e3e54cc01a0ec

SHA512
edbbf03c37b85d2ce782796e5712c90403804973669b0a4e7ef637cfcc9933dbe2ebdbc6264dcfd484e24fa4f1ccac9fd31f409f657cf04dbc77748de3ac1263

Download Submit
/data/user/0/binbu.pjyvmek/databases/SettingsDB

Filesize
100KB

MD5
5121e2fffac7457437acfc48d435a32b

SHA1
74b2d05bb82f83a27fff3d1d8cc413d1e9115153

SHA256
32cd1c3f7cbde68adc517a1e2e9f8c3d96882618780ec5e0a47ed21a41bb540a

SHA512
4bb93052ea9ce77897f40e302a573c8b7cc4548ff11e74e2597ba2a26ee64e59b427d5f2b6a3ecb1dd8b6e9b89a44263ecf310e9e2ce0bf8b6e7066740c1d22e

Download Submit
/data/user/0/binbu.pjyvmek/databases/SettingsDB

Filesize
176KB

MD5
94b7e3ea5970abb27f7cce8017e38d4e

SHA1
76f2d55312679f3f731dc2d0a2a98d9e141db804

SHA256
60e999987e6b436d1b1b544c6681cc59a974cc0b31b3ce7e9616e5cfa60c5ada

SHA512
8b5d614ce05e4ffaddcdeec93c911ea1b61594580a311b273e748db01452b4d0a7d72151463de9a517ddf1bd53565fa34fec83d182f8646774be22a304cd29a8

Download Submit
/data/user/0/binbu.pjyvmek/databases/SettingsDB-journal

Filesize
512B

MD5
22474bc1d6bef25cc8b5e3c5daa1baf2

SHA1
18db796f472bef44b5953b1385398f3a6da7b628

SHA256
7e62d57b9687bd04a69689ae7841e2d9bbdf8d58c9c678494dcd105799866b1c

SHA512
c9a5534126ba4eaf822007d4fd40ad7356cfefcefbdd5d897c11b0fc0c2a291293839ddc9341245e08fee666754ab551e4ab6b7caee7675b884b5ea858000822

Download Submit
/data/user/0/binbu.pjyvmek/databases/SettingsDB-journal

Filesize
8KB

MD5
8b501e3cd52a2f1aff1af2763c0d9960

SHA1
d8e05e5f397e50f61c64e9a6060e7eb0a889d948

SHA256
f19672c50244df5b4e34e50b85c56166f351caaa5cc7e4e2e2e4d941dfbc0b48

SHA512
79dc78f3f45f97e931f18e382b729a775fcd2c38bd48e25acd1465ba7924bf079c60fc72440e26a5a7d81858a789cf79222515c68b6c882c3352bfaad4e5f536

Download Submit
/data/user/0/binbu.pjyvmek/databases/SettingsDB-journal

Filesize
4KB

MD5
fdc5b0ec3ce63fb73fe7c99853094b32

SHA1
ad1346b0d369fcc1250642086bcdc91c94995393

SHA256
a2e1d5d7b079a317f08bd6bd03b93bcab3356fe1f83508f008a735fb13fe06e4

SHA512
b4597489c5d23484e1535fc2940c8f6f2a195dcc5f9d2bd43bad811928942ade5352978a398cf26e12de58322430cb04368efcca2d3f1feb445e387a1fe16aed

Download Submit
/data/user/0/binbu.pjyvmek/databases/SettingsDB-journal

Filesize
8KB

MD5
a803f497e2498a30b318e734819948ed

SHA1
53f31a36f727d32497a2898c681384e3c6320e50

SHA256
85732c1a600f91fa33cb2a22658d9aa956f1831902fc20c8e2800b11e943eddf

SHA512
8f0b5200923d04d9d3f3f2989b025acc9ec07828a52223c862fd2dc11d54489c98559526c270b752f7574318f4831c12ccb3b6ccbe61a7222b90eab14fb3fbc3

Download Submit
/data/user/0/binbu.pjyvmek/databases/SettingsDB-journal

Filesize
12KB

MD5
1b156f960106a7122c8b0b0c5253d1d5

SHA1
a4034f7b6e963cd37df66693f2b8525c1d6b382e

SHA256
ee982faac7934ae94ae649aab270c6c28bf6735f575a044721112b73c3cd7841

SHA512
a53ecf5d19ed23f0b3800d34626c30ee569f1b9139ece317c4f6babdb9f9ff7905b31e7d359dd4a7e7fb6ccc24715b35063fbbee000750094eafd5835892c488

Download Submit
/data/user/0/binbu.pjyvmek/databases/SettingsDB-journal

Filesize
24KB

MD5
c9b5689f56cde7890ee51e24370044dc

SHA1
4a81634d96526fd9cdc3afc2d141b1937f992686

SHA256
3436a5f419b2f71015d9de42c383a66e26d7ac6b970894677d48b4e2767260ca

SHA512
c674d1e5d89e81d07c96995557b8e5ad48e458297587c911a073703cb0a21d669158b3169eea95b6619963bc4f19f574502ef412636f3af308c3e377be0e7e96

Download Submit
/storage/emulated/0/.am/dm/md/main.md

Filesize
2.7MB

MD5
97cc43e6bc600b26035cd7ff7e3ae864

SHA1
d86a7030dfc879297367ff279287868d94c5b6c0

SHA256
3e007b65ad02af5378b746067cc917eb77e9bd8b4ddf6293c47bd8a86359ad33

SHA512
eb9a4be54e98fff773eafddee0a145e5ef75ca49fda810c3fa481c6ac8314c888c85167235a540fd3e1e38c35f5c6a65d66f91dc837574037c1c7857a17d0bdf

Download Submit
/storage/emulated/0/.am/dm/md/main_tools.md

Filesize
1.2MB

MD5
c81c51456766e174d6b23e17e56b3151

SHA1
2b8f21a13af6efdfe1bfa00c011ba6a1bc5d6f20

SHA256
79ceb49440a30e4e0b9ab83015384650cc535a1f54d457cf4a0873f9621c0822

SHA512
a88c8290d5804d10cbbe811eb3b041d122c66cb75b44c5095f3e03ebf90e8f39d58d6d7e20066df046e9999b3341337094336b35c987ed6af34852c8a049a13b

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
128B

MD5
424072f8f1870334c712329fa1199674

SHA1
7e071bdc6007b32221a4b66666b0b74ad4bdce0b

SHA256
d040ee99d95ce51d1c130600212d19bb6268f443e7b7e574d781c255994ab24e

SHA512
4c641ba8e9a63c4e7475d86ce246a189776b54806fac35ebc89e7ef78117ffac38cee612c26d42c424017d15745a91d7986486dece84fc0626d59fe8ecf97158

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
171B

MD5
3cbd051a1e3883e8c71d47512e09ad09

SHA1
433430ec901c80754661cb65da6c0602097b87d6

SHA256
b5331f4dffa670b2bd6d8222b034c11b5431d28a393cc78b6298157706a637c6

SHA512
7875bf82b6cf6007437c2eca2c6a956a8c0bedb2fd0e466084cffe58518bc8e9e5609b8bee81c04fc5ebba474bc276946aa5da4997de6d6cd301ba08c53e389c

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
4KB

MD5
1d90317718b75de38062317514e3edb1

SHA1
009be5d02d7b2c9f17118a49434f4da191bbdddb

SHA256
825cdff0f1727dbdc0f26e2520e8619ec901ddff946d7350638620baabed6dc7

SHA512
4c856ca180691a54753f745c25b5c4f156ae58526789c5c7f910ad6e321c508ea5a517ce8d9e3c533c843958a3a713f8107a76f21d6db1ebb2b5430e39aedab2

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
62B

MD5
d4c6631eafc10ec1134fd07cbca8bbf7

SHA1
08e15d19f0a60ccc2986d801e730ffdc99d29dd0

SHA256
a07bfb0cd0c68c6a998ec010427c8ef2d1c7df262d4d403ab7696fd2d245df2e

SHA512
c436492079db13c7e41829b21ae613084f9c1f82100a42aa72509dac9ea25ea6df82eae421ad66565a59ec0ab789c41fa66b669b6d031ebc2c5110b74d5ef09a

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
70B

MD5
2811dffeae3e372ccd369cbea230bb7a

SHA1
8ffc276368931320a046db2f4ee4e2fb817900b0

SHA256
28f2c3cdd7c9f85390a26a5dd8b0888d5e084d413ee984413dc1dccc728b0eac

SHA512
0bf0992c39290ea0e499f47837779f85ee5ae80d6ad8ba17abd9cc92fba2691b15b0ab971b1ac8eaf5982c60c7e902f63d37b6476aac10dcd16692bf27afa124

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
59B

MD5
4ef096f53a5391e01b32d47d0502d8dd

SHA1
20da9baa6fbbd6ba19804603ba2a196ac8ccfa76

SHA256
56745ecaaae7c054ec569aa39bd56fba5bbe1471d09af129b206847ae5973f60

SHA512
c50e0edc01fdd1922ef68d55d1bc570571fc7cd4dcb5afde0154249a80b2e955aaddba3168475d3d51216e7fdf36fa5ac45f1c354ca3f0b81761ffae814359f0

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
183B

MD5
e673e24f3cf236635444cc4d419e0184

SHA1
b625d08955660de77c5628a1be45717012d8a55c

SHA256
ddee3389737403fc12b7d2a45996785d1be78a7c35714e66cd4dccf9034c8003

SHA512
c0b0cb9ff4df2e1d5433b38c961d466e09c36fa9306226c46c3c876d07105f96e7c388b6fe76e1316d643652406be6a237852e4910d82470722316998359f1c5

Download Submit
/storage/emulated/0/.am/log_.txt

Filesize
34KB

MD5
8ec4c8187127f5e50a7b0bc6047951e9

SHA1
b582c0b7a38ede4ef6e9bfb09cb85da507508aab

SHA256
8a1ce03d0311af4b571fb8c4decc7b7065666d1ccaa0a6833038368b9be5370f

SHA512
7ceeba9d51a3b1fbd87d102dd56c9a4ab25f52ab39c8e2565a3ab2c4619d7313f4395d9d9f50f79d8d2365128f30fbe1cb6300e49c898235d00f4948ee242881

Download Submit
/storage/emulated/0/.am/log_.txt.zip

Filesize
8KB

MD5
ee0d253f8d446709b81302cdad6c16a4

SHA1
e505e3e0e3be40325791f1a0850a0568ddbb05b9

SHA256
38eaecf7e9083e34803cfb4cdca98012369997972ca482da5e625cdd6b346105

SHA512
af97d5ab2748599b981f0e2c51be887c151b7a29ae1831f586ce852f1466ab3682e607b9264f939e91236c8353840ce15f83266336dcae4afb64f1b9aefe352c

Download Submit
/storage/emulated/0/.am/log_1740796368872.txt.zip

Filesize
218B

MD5
8e5611212ebce064c484e101553becab

SHA1
ad5224286110634a9bb946c5acdb236ba2a76657

SHA256
4bb8e74816dde45fa7b232502aec148d130a58642f5e1ba40d758682952a7ff1

SHA512
30f7cc689f5812ca759a67bdb870843d0fc1694d91f32b6c1e3debe1fee0cfe46c045321a39a39240a4860ff482bd0cbc23b9a30f0045e1c8bc1e5195f39771f

Download Submit
/storage/emulated/0/.am/prog_class.name

Filesize
74B

MD5
630c3cb641663163938c334862b3d8af

SHA1
a6bb61e769f4629d0fe62e2b7f69248a17a9a782

SHA256
a2193224aaa62e8e71608313d27dea72f7f8f4a2efc029200a3b89232e3ee782

SHA512
64e019d3ca81a2d4d075ddd5244c33c5da0036ac5166f5fde70659a31ff0cdf35d95f5a50330600eb5ac812de8a0d08d41b8a5aabdfae8ed7f08aa98d35a3f66

Download Submit
/storage/emulated/0/.am/prog_class.name

Filesize
72B

MD5
ba5e690930f49e4578149c9d9bfc97e2

SHA1
8939c46b246e849d4a4d353554111c6a91a095c7

SHA256
9e82864cb17ebb1ace3690bcee3861b414c9682f7f7822b54f8d49d9da831b15

SHA512
b3afa35f6ad54a72372c22fd6e082a868eabfba8487b7d10b0fb964ca3ce26807d8072c5b020ade544d90d486d7fe84ad86e25c13ccf0b57c63cb4ed1962a570

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads