andrmonitor | 450173140bbdc6f8ba40d8e2c29b42a93c189c34c19829881097e8f0d56ac760

Analysis

max time kernel
30s
max time network
155s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
01/03/2025, 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

450173140bbdc6f8ba40d8e2c29b42a93c189c34c19829881097e8f0d56ac760.apk
Size

21.2MB
MD5

47d9b5e71d8fb85d593fb75c3ffeaec0
SHA1

4b095e4336cc8652e86044d4d6aa1178fdfad2e0
SHA256

450173140bbdc6f8ba40d8e2c29b42a93c189c34c19829881097e8f0d56ac760
SHA512

5217fb55c33dfb5a79317376168692b8b2c655e7ffd0ffcd40e34ead708585a058e236b96d581176a78fe9084a6f6bf84635e0682192f17a701b14f85402e388
SSDEEP

393216:wKU8rbvqsJA35z7A79L+IsQ1mbgafiubcBZLb7T9i/zVN2I+TX0NuKpPbNiRSKcJ:3BbtJA35z7c5yOmbBffcXLBi/zVN2Ik6

Score

10^/10

andrmonitor banker collection defense_evasion discovery evasion execution infostealer persistence spyware trojan

Malware Config

Signatures

AndrMonitor
AndrMonitor is an Android stalkerware.
trojan infostealer spyware andrmonitor
Andrmonitor family
andrmonitor

Checks if the Android device is rooted. 1 TTPs 3 IoCs

defense_evasion

System Information Discovery

T1426

ioc	Process
/system/app/Superuser.apk	binbu.pjyvmek
/sbin/su	binbu.pjyvmek
/system/bin/su	binbu.pjyvmek

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/binbu.pjyvmek/[email protected]	4491	binbu.pjyvmek
/data/user/0/binbu.pjyvmek/[email protected]	4491	binbu.pjyvmek
/data/user/0/binbu.pjyvmek/[email protected]	4491	binbu.pjyvmek

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Queries account information for other applications stored on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	binbu.pjyvmek

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	binbu.pjyvmek

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 5 IoCs

flow	ioc
13	prog-money.com
14	prog-money.com
15	anmon.name
16	anmon.name
17	andmon.name

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	binbu.pjyvmek

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests cell location 1 TTPs 1 IoCs

Uses Android APIs to to get current cell information.

collection discovery

Location Tracking

T1430

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	binbu.pjyvmek

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	binbu.pjyvmek

binbu.pjyvmek
1⤵
- Checks if the Android device is rooted.
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Requests cell location
- Schedules tasks to execute at a specified time
PID:4491

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Credential Access

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Location Tracking

T1430

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/binbu.pjyvmek/[email protected]

Filesize
2.7MB

MD5
542b77e146d8118017ba4c66529cbe6f

SHA1
863e8616511229438d1cac6e1c5c00f860219768

SHA256
40f050a80dc09006cfcb7fad3b37a617ebbc222c1c51f303ef41d23e0436e50d

SHA512
d546457becb7c3b8e8114c929668a5f22ee38dd3a5bf39140563d6d9cd7ae6aa45631eeec50079b2fafa08fd8221624e8008e2d24830af9d28fb19b2eb5d4588

Download Submit
/data/user/0/binbu.pjyvmek/[email protected]

Filesize
1.2MB

MD5
4768956e02a41b7e2032707b7c65a52a

SHA1
eb730a2e6f2b0497ee9731c488b02f0e68105942

SHA256
c50c0434ac58766df76b0ffb3fdd9489a6d8ea7b8789f0bfbb3fb78299a00060

SHA512
afae3c09e482e6577f4e79013b6d2dc1ce89a00a2ef5571074931da9bc91aceb53a01298dd3072325034ecd1ea0ec92dda630c06433dcd458ba7ac574778848c

Download Submit
/data/user/0/binbu.pjyvmek/databases/SettingsDB

Filesize
128KB

MD5
f2ce9c95a8b8921a66ab95c76d10e742

SHA1
fd335c8a71b7402d10093d8014e2c92a667affdc

SHA256
8141d144aa9d7d88e19762424cfb404f33fa02a80c7421136b79849da77621c1

SHA512
aa9517ab1a5bc603260ee5506beebe83b754fe76baea323c3fb3f68c06cc50ebf8777f98e084089774bbe956e31a5d56d6984b02b812cd842dea920ca2f003f6

Download Submit
/data/user/0/binbu.pjyvmek/databases/SettingsDB

Filesize
100KB

MD5
1dd774351a2012a417e1ac017e5f3a52

SHA1
0621a21cf7508c441cbc07e4e651082d3264f657

SHA256
5bb5a2a585d54e9c7f78b636b2e379b793d202813e7a3859b05e99ad90aa823b

SHA512
48d5ae757690930f8ad19b18e8b5526a6e4f1e5ee2718daaeb6fcf457b1bc76868834f220281b07949e97a83b65d36c2538407fe8b74d8c0a3777daf68dd125d

Download Submit
/data/user/0/binbu.pjyvmek/databases/SettingsDB

Filesize
60KB

MD5
b2fc263e9bccdddd2c60eb1de7e7c232

SHA1
1b1dc1dcfd01b101a09d291aefd0b2c1af82e9e8

SHA256
72ab04778e734ba53f9758331bf32246eb8b0cd83f6a33df7178d0b97c89a601

SHA512
65bd24f8ff9c9d05900b37c449629b8ef24ad0c83db6e1516992e2e9420603e40fddeb030dffd20e85f97278b3afec08ceb3691f2021be4c63778d0606b7cbc6

Download Submit
/data/user/0/binbu.pjyvmek/databases/SettingsDB

Filesize
100KB

MD5
5f6b8dc683058a70070eb8d2ead7010d

SHA1
20c8c02471a7e5183034d51237975a8d41f1695a

SHA256
ce474a898ed0a8a3c77221acb7b3b6a800751d1c660650807d7490971d9c37b8

SHA512
e8b07423d4e19d0864a328bbf81314ba075bd33c4417ba665f87dc74df990804958bb44c39832cef4d7d3e912b8d78ed4564bf702f70f40053094eae9e6945ec

Download Submit
/data/user/0/binbu.pjyvmek/databases/SettingsDB

Filesize
100KB

MD5
7dd73e45e30aebdac1b0c5cb7ad8a2e1

SHA1
daa1a2b544d38bca37ae35a1e1f232a771eb7631

SHA256
b9cdceaab4892889dbd484c58b8eabf2785a408c63d1497529e2502190b87814

SHA512
879d283396d60d1fd880adfbdff96d843ab31a94222b6ce0345ba775adfdab4538aaf086a03153f4207d203a804377ecad124f10fd1d87f4bfda470d6ed67ae8

Download Submit
/data/user/0/binbu.pjyvmek/databases/SettingsDB

Filesize
176KB

MD5
e720f7a79e84e540c96cc60e015c0bc8

SHA1
a18f55ae61c8e6c6288bf000ddefa4714dc5c9e1

SHA256
845c3468fcb8bda247d53c6d16efc5180f83be8dbf42519fa243dd43a64d00c1

SHA512
4be76ef16e16acc2c0a0df5d3b79322ddd79b9889f54e05a2272215603a6e94b117f3954ac4ab1d2d4ba0e776a1fa222c3f35674b09b97da634bab1744085179

Download Submit
/data/user/0/binbu.pjyvmek/databases/SettingsDB-journal

Filesize
512B

MD5
6fe99e3acc49e2919f34313750ae3b19

SHA1
b9063429003401c6a3c5f795eb839a9e60ff1d11

SHA256
29f45139694376aa7e12f9dcd18cf57100cc619435ef558d8d987fca7000e8f0

SHA512
ccd9bd234c14b11b12c1d3c841d4aff6ce58a74712a0cf28f1e0fce3bfc49d69208441a97be85b57ebf9436a5f909f392ebf7b0d05a9c701b064ebeb77611a9b

Download Submit
/data/user/0/binbu.pjyvmek/databases/SettingsDB-journal

Filesize
8KB

MD5
3523f51cad532a98c6bf8dcfba9f62f8

SHA1
2b6a44fe058f0c3dbe06e3ac2eb54cabd4d1f6f8

SHA256
789e14b6e5e46694cb7f038b46704137e755ca52e75871ca90f1f18783a6d1f0

SHA512
1b74ee1ea7faafd97308f202e81282159a4fdfec6d01278f0b7815e4dbb189c2c5890c1b8ab9e983da21f6c611489be35538a4aad3240ca63b29211f4c582c3c

Download Submit
/data/user/0/binbu.pjyvmek/databases/SettingsDB-journal

Filesize
4KB

MD5
29e0ed08e7ae9f75a1915134715d7f2e

SHA1
dc59f7d8f9bb3a0073bc13a3aa4e5704f64d2034

SHA256
de58d254b844fa414b2be1bba57407ee837ccce0d362b7edfba4793c7475a04e

SHA512
e111333cdcd4f5848daa349e6157aebcf540e1a8efba8cb42c07a290320f974743236257631fa50a3078a7be270cc0bedf1a421da72ec38e4eeae36b67bb424d

Download Submit
/data/user/0/binbu.pjyvmek/databases/SettingsDB-journal

Filesize
8KB

MD5
c6774da46b17e07e868c38fd23eaace2

SHA1
b3be75b33367505cc99e68cf6c02b451c12fb901

SHA256
e377f79ba8854b93b8a11bc53628d74a82abef0134096749c813328b13140d68

SHA512
33fb05359dec26035d2ecc29f149f7f055c20440f20ed8b383503bc9f1c843df8d4e25d3cdb7ecf6537f9c98b2c9846156f22ff7076061422942d9103ebddd93

Download Submit
/data/user/0/binbu.pjyvmek/databases/SettingsDB-journal

Filesize
12KB

MD5
25653bf9aaa813bc5df554c07737c2a9

SHA1
5da96900f6494ccbfb079280620d34099c2f26e2

SHA256
1621f6036dbdc3195ac9a971f69f61b66417c47103e10eb87094a159c382aa24

SHA512
4e178bdd54b3503dbc3d1d637e786a841c1d67efb6b3099f28f7d1cc8c34acd60f4abdb70871c6601416a1a61496dddcf76c476cde59a578ad19f00f3420e3fa

Download Submit
/data/user/0/binbu.pjyvmek/databases/SettingsDB-journal

Filesize
24KB

MD5
fbfca1d835f362e7354cf3d110dbd333

SHA1
ad1e717f1a2d208af5cb93191293b9d63d7c21c6

SHA256
ad8a196b5800b712d224d7e0c4a1551a231366b40155d172fcb2977b41839e34

SHA512
37b2e56e0fa5de488f8a3e6780727fc5795a26f8f986c4272eb8d30edf6163026b428c80b62c0ec351fdc294e3dd247f43d1e8a675531216422dead4a337f95a

Download Submit
/storage/emulated/0/.am/dm/md/main.md

Filesize
2.7MB

MD5
97cc43e6bc600b26035cd7ff7e3ae864

SHA1
d86a7030dfc879297367ff279287868d94c5b6c0

SHA256
3e007b65ad02af5378b746067cc917eb77e9bd8b4ddf6293c47bd8a86359ad33

SHA512
eb9a4be54e98fff773eafddee0a145e5ef75ca49fda810c3fa481c6ac8314c888c85167235a540fd3e1e38c35f5c6a65d66f91dc837574037c1c7857a17d0bdf

Download Submit
/storage/emulated/0/.am/dm/md/main_tools.md

Filesize
1.2MB

MD5
c81c51456766e174d6b23e17e56b3151

SHA1
2b8f21a13af6efdfe1bfa00c011ba6a1bc5d6f20

SHA256
79ceb49440a30e4e0b9ab83015384650cc535a1f54d457cf4a0873f9621c0822

SHA512
a88c8290d5804d10cbbe811eb3b041d122c66cb75b44c5095f3e03ebf90e8f39d58d6d7e20066df046e9999b3341337094336b35c987ed6af34852c8a049a13b

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
128B

MD5
8e6ff3c46fd39d3bcf63fd5829bd5a32

SHA1
8afe0e3bb3a419378d4640653a0e55df6a64abd6

SHA256
12a29080e411a0ee348d8e3a5332570845157ef0292106da6b50d8a0d2d6a0cd

SHA512
9bb0fef4db592ebd3472cc512d0366180320ac08f63dd256bd27f5a8db84e031acba9d748a3cbe2570bc618a27fa04bbccdc1a908f1be58bd9d451fd4031bcba

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
171B

MD5
e85396b91beb0d9c88c7af6468f4aa50

SHA1
f0e69c9f4267ed72eaa2af1d4f2b5510ca8219d0

SHA256
5775dff9198ba64bc50d39dbfcde3c93e2fe79993e62d76bfeeb0944ee3b06b1

SHA512
c09448148a363e9ea474aeeeececfb5c035d148163c13cdc9431b1c90311b6508cf494ce6bf5202981220c722510175c4ce945a4b33c93588753f527b6dba822

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
4KB

MD5
59cedeabb9a6a824805177ded03e20bc

SHA1
42a323fd5e55cb9ea98d72c7d8c4a95be95002c2

SHA256
d4e85662e6efa72035051220b7116dc5c96aed3a603c8e0b79daac79ecb4d453

SHA512
7ff0a942cef12c784af5ad8dc35b639dd82cbfccbb13cb57457db5441a32f569ccbe77a90bd8a4a770263a0e6e4946b33fa697748e2920c99d3dc43e7e0ea656

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
62B

MD5
413d123668e610aabdc7bf1ae4b7dba4

SHA1
f6864aa1eb32524bdb50fffb48551ac9d5dadc3f

SHA256
3672cf5dd0964e1de56d279b99d0982110ed1aa4aafa2bbeacd50502287c52c6

SHA512
9ef0408607a9c9883431a4f72757974a2888cd94d0a6490fa817c23e98cf76e7ad6471a6a2d76bc252988dbfb62d36db5b8ccc1a81a7f162e927afce43a3dd71

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
70B

MD5
64ff678f9f4d9b4fbb7ff6e4047cb199

SHA1
7a08c325881e588c25732f3f40e36fdd196b3bdb

SHA256
96a8cdab7f5e46c5d6124c1bef9ada682432c63f5a6cb52cec5b00b3785695f4

SHA512
f042592f2d555cee57a917801ad26dba1517d4bfee545884d06eecf468341560779bbdd5481dffa2fcab05f89105303e7ca92ef01ed19eddc8e2a7a4d18b8ee6

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
59B

MD5
d2d579f7358699f54dde0782c6a7ed5e

SHA1
b51a8d74ccd96b9eecfdd090bf071e11e0c00328

SHA256
9dff541cf8c474b5bfa28e4553d2b1bbfe23826c635186d50249e4f9ccb87aa8

SHA512
5ffd00c5e4787a311a108f90f0f5b41291f02028543fbc1bc006adb43de5bb721261a16c87ed8e75398e5c89f53c434b3a8ea73c944079e87d1d5db410e70d30

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
183B

MD5
e85febca7f7d907a118f93ea88347090

SHA1
a8d70b441a0453fb2ff31a566236217ab24841b4

SHA256
a25d10d76d5553c866f9c814aef5890a876b7a9a5a17a50f35901899225716c7

SHA512
0560bdff35e42eb88b196b46ad765d5baa568e142725815a7e6397736040109e86cd4147618a072f04fdcc33b2606b1f05dbfd507df59966bce9ae53b5e9fb12

Download Submit
/storage/emulated/0/.am/log_.txt

Filesize
34KB

MD5
71f8482789d01d2e41e4ef790dec5635

SHA1
a384f2f1d9a12f91c4860567e304b9fb89381c0f

SHA256
3781e4b29fc1598d8ce37ffd6c7611a64e98593d8711d978340ae09dbaac600e

SHA512
1911bad216d34293943444cc8881d78e3e5f89bdaab4f41eb52eccc7f5dabdd55cc1cfd19ea95222b6827d81adf51300f79626b8a18d072b75ecd55048b08439

Download Submit
/storage/emulated/0/.am/log_.txt.zip

Filesize
8KB

MD5
4cab305f689dd33da7f325269c841f51

SHA1
48143f3ec690f6abcba6aff0493143b332d5fcb4

SHA256
fad688317ee8b56ce510f45c20a57a29c5a0656651610d2434fac1bbafb6abba

SHA512
a58277741549e1e4ec4b39e03df2539a45ec1f6854369ca32e28f2f7605c706fed80721824fc4fbec674136688711b9fe61652589a0e9260940d080b4569f8e6

Download Submit
/storage/emulated/0/.am/log_1740795998630.txt.zip

Filesize
218B

MD5
19bd62dae00274f55d8fba83b7fb91c7

SHA1
4b126453be74b0d7067e574000463b1c2fac81f7

SHA256
ce56f4ce3bab96eb4cd134f10065d3043c4aa1755062d2e31913197137b8920a

SHA512
455790df2119d3f5c74848e3a1263b49e82ce512fcd17f0c3127fb509ccea95adb102ff1fc0ab131a56afdcd93c409e95b2cdc96fbabfb978149f24a656ea81a

Download Submit
/storage/emulated/0/.am/prog_class.name

Filesize
74B

MD5
630c3cb641663163938c334862b3d8af

SHA1
a6bb61e769f4629d0fe62e2b7f69248a17a9a782

SHA256
a2193224aaa62e8e71608313d27dea72f7f8f4a2efc029200a3b89232e3ee782

SHA512
64e019d3ca81a2d4d075ddd5244c33c5da0036ac5166f5fde70659a31ff0cdf35d95f5a50330600eb5ac812de8a0d08d41b8a5aabdfae8ed7f08aa98d35a3f66

Download Submit
/storage/emulated/0/.am/prog_class.name

Filesize
72B

MD5
ba5e690930f49e4578149c9d9bfc97e2

SHA1
8939c46b246e849d4a4d353554111c6a91a095c7

SHA256
9e82864cb17ebb1ace3690bcee3861b414c9682f7f7822b54f8d49d9da831b15

SHA512
b3afa35f6ad54a72372c22fd6e082a868eabfba8487b7d10b0fb964ca3ce26807d8072c5b020ade544d90d486d7fe84ad86e25c13ccf0b57c63cb4ed1962a570

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads