andrmonitor | 583b68d3c917ddc713d8621959f97d7f2636654494027e494f2368409730f88b

Analysis

max time kernel
150s
max time network
158s
platform
android_x86
resource
android-x86-arm-20240221-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
submitted
02-05-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

583b68d3c917ddc713d8621959f97d7f2636654494027e494f2368409730f88b.apk
Size

20.5MB
MD5

5682f19f3a2723db1c7141c9157ab93e
SHA1

748ea5d804fafc742824bd4c2f9c0259822de99d
SHA256

583b68d3c917ddc713d8621959f97d7f2636654494027e494f2368409730f88b
SHA512

63884b29b4b4714a2330d43529148ee9e8aba2b3ed62dbf85f9187148f330e846de2cf8516db3d2b8b7cd5b6cfa989b2e9a00e6df89da76e0b317d2ba415d46e
SSDEEP

393216:HHusJA35z7A79L+4wr1mbgafiubc6ZxbdT9i/zVN2I+TX3VsKpPbNiRSKcsLJJ:HRJA35z7c5KBmbBffcQxvi/zVN2IkHGl

Score

10^/10

andrmonitor banker collection discovery evasion infostealer persistence spyware stealth trojan

Malware Config

Signatures

AndrMonitor
AndrMonitor is an Android stalkerware.
trojan infostealer spyware andrmonitor
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

T1418.001
Removes its main activity from the application launcher 1 TTPs 2 IoCs
stealth trojan evasion

T1628.001

Processes:

zufxtk.qtqhxzzsr

pid process

4310 zufxtk.qtqhxzzsr
4310 zufxtk.qtqhxzzsr
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
evasion

T1407

Processes:

zufxtk.qtqhxzzsr

ioc pid process

Anonymous-DexFile@0xcd971000-0xcdc02110 4310 zufxtk.qtqhxzzsr
Anonymous-DexFile@0xcdd49000-0xcde73958 4310 zufxtk.qtqhxzzsr
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

T1541

Processes:

zufxtk.qtqhxzzsr

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground zufxtk.qtqhxzzsr
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

T1409

Processes:

zufxtk.qtqhxzzsr

description ioc process

Framework service call android.accounts.IAccountManager.getAccounts zufxtk.qtqhxzzsr
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
discovery

T1421

Processes:

zufxtk.qtqhxzzsr

description ioc process

Framework service call android.net.wifi.IWifiManager.getConnectionInfo zufxtk.qtqhxzzsr
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

T1624.001

Processes:

zufxtk.qtqhxzzsr

description ioc process

Framework service call android.app.IActivityManager.registerReceiver zufxtk.qtqhxzzsr
Acquires the wake lock 1 IoCs

Processes:

zufxtk.qtqhxzzsr

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock zufxtk.qtqhxzzsr
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

T1422
Reads information about phone network operator. 1 TTPs
discovery

T1422
Requests cell location 1 TTPs 1 IoCs
Uses Android APIs to to get current cell information.
collection discovery

T1430

Processes:

zufxtk.qtqhxzzsr

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getAllCellInfo zufxtk.qtqhxzzsr

pid	process
4310	zufxtk.qtqhxzzsr
4310	zufxtk.qtqhxzzsr

ioc	pid	process
Anonymous-DexFile@0xcd971000-0xcdc02110	4310	zufxtk.qtqhxzzsr
Anonymous-DexFile@0xcdd49000-0xcde73958	4310	zufxtk.qtqhxzzsr

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	zufxtk.qtqhxzzsr

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccounts	zufxtk.qtqhxzzsr

description	ioc	process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	zufxtk.qtqhxzzsr

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	zufxtk.qtqhxzzsr

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	zufxtk.qtqhxzzsr

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	zufxtk.qtqhxzzsr

Requests dangerous framework permissions 3 IoCs

Processes:

description	ioc
Allows an application to read from external storage.	android.permission.READ_EXTERNAL_STORAGE
Allows an application to write to external storage.	android.permission.WRITE_EXTERNAL_STORAGE
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.	android.permission.SYSTEM_ALERT_WINDOW

zufxtk.qtqhxzzsr
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries account information for other applications stored on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Requests cell location
PID:4310

su
2⤵
PID:4347

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB
Filesize
124KB

MD5
4c0ccabb25100a908b9db06434a6af8b

SHA1
555d9ecfa42e17aec483e1c05be0fc1362db9e66

SHA256
79aee6f8af24ae6adc8537de3a061bde3778d3d9634265b85b3e8727d4116304

SHA512
b9a4a1227fa927f0ef987a720c5bf16af71f3fba8c1a40d5387ad0d4ba193a1b7b23634b0850af7c25b55c8b2e984e7c84ab8fb3e55c83b3bc2ff859f4dcc5bb

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB
Filesize
96KB

MD5
6074f1069dc0f162de7bb7c90f5bb2de

SHA1
813777be5bbcf4096124475a163c5936541516f4

SHA256
5a7317599325a503de5f72d57ffb4be24fa011c783e27fd5f2e4f6c0e4a05198

SHA512
4fbba9531a5eac90b2d374ce375f4a2bc1d637d2584821a0fe962de6a516d91d3b52b20f15e7e16d7e86971e0f32156fb8a90584f2ed8f7150273874c72d70aa

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB
Filesize
96KB

MD5
2f217f9e4736bb667431fa1908a7b4ce

SHA1
9b602fc01b0d92c8dde217b1ba698839c5ae1cf1

SHA256
77ac0c9d8b711ae036386899e867f6569429304e99fc601f66535f80d84f0692

SHA512
ea7f9947a8b48379e344e9f106704de5aa2faa612e81a56d2a20c102d414935a38cd17bf738bbe7212db3a1983e61ce96b4286317ea0c4d76b6b928c651b5d0a

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB
Filesize
52KB

MD5
b6815b344f6926d458cea05acd052cdd

SHA1
88f524aff1d4c5fee979a203dd952427871a7097

SHA256
028666f28ae0086b18fb740f792e8a80ad05547f0c7cb9d2dc8080e5125db366

SHA512
0431375f80e9c467d0abb042e43681a973bce455fe8354f5a138f19a3b28d3adc7eac3fe4c20bf44f085810749569b87a393185cd8f8bf2687f0923b8de4dade

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB
Filesize
96KB

MD5
da546579eeb40176721eba65c3a741eb

SHA1
a70619fbd820b1015e390cdf6e5fa084e9f5e0f2

SHA256
8f42876092377396b34dc102e419b1824ac2cb576257f2af316fe2ceff0f7902

SHA512
a093d743a32ed038178b67116b761e13d9db65663ae0fa7eb6073468ba10a9ee46b1c5fdcf02285f873e4075d94201fa8e6919745255d95a7a51016e599cbb38

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB
Filesize
144KB

MD5
670236136ef95845f8fe7f68a16dad5a

SHA1
ee1f186e47642442e79244ef60144a3adff89e6a

SHA256
4adc5630fffda362fbd95d2586e51ee462881fd8514fd1dedb3b7f7193f5a7c7

SHA512
446a33d3a75bfe1d1f8f54f97b298aca4b9da823863d0c4f0800cd5db9d05d728074d99ec1c93b45e6af2af2f8a79650350439b2351f94895e365484b7c87c04

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-journal
Filesize
512B

MD5
2227a38d4140c769cf4913f2113491ba

SHA1
7025b552fad90b4c1a5cdb2a8c8f703aebd1f200

SHA256
ec8065ffde6d179d5975bc3d9733d53dd39d1dba6f60457dc05da99b1a94299e

SHA512
03d5a567593d618a541806cf6dca61925d815fd79604577fc0a2b8ff4e5112fced25f3f2a7c4b14a1e60b0b5bf3accd1d62a3bc547cef9f5e9215eafd708960f

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-shm
Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-wal
Filesize
414KB

MD5
b05360a4e24fefa3c308b85a20c533d0

SHA1
8394dae722247cb3bb6c00898083e43f789e0ecd

SHA256
5d9e5fbbf453f2440af799ce52a5205ae2b30fbb62baf663ab4b7d9f9d1f48cb

SHA512
42c678602755eb1a6948a5eb53c7bd1eea62bbdbef135d897d480e8016602560dd04d4f9a1ea6fba1e0cebc895fb2563e8c95595bc91d345e6bbc29a9c389337

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-wal
Filesize
8KB

MD5
869a773595341b4a357adc7ad9e73429

SHA1
b90aa483f08b19167841b75efd0365d8023f88b5

SHA256
aff95eecff6dd9949f4e55bede89a5d2d4f937ffd075cd02e13cb92af79d04c9

SHA512
5ef0ceb84bc53ec7746d44f894758079460c66d0d451611970101683a1eb438ea3bf909a3bb6ce1b98be4a760a051464f7f0e468bf416da8123736f5b71208cd

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-wal
Filesize
8KB

MD5
6eacbc1e4170dc859c0ec340879ee957

SHA1
e9893280f7059f4bd5879e85531115ef79f373f4

SHA256
af7731bd25959e0c615856ee9bf6076bf32a8fc7c57c3fe6cc133ca7cead0fc5

SHA512
065e5f0b7453846483965b46b12bc8d0ff17f291d60827303f9b0e7442b6fbb61f4ded34aa1878f016d7d8d2c174609c5b4602aabc076b83c42c3095b1843e06

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-wal
Filesize
4KB

MD5
838a530f315b9d4e1d5b923930fae93c

SHA1
a0da96c86f3ab88dffe1691e5afc0e1eb66b3543

SHA256
26a96231fc142898f93f61d47258cbd0ba27c9d63fa7d4c304a4785a5052bcf2

SHA512
3dc72c4939b088f6478caddae390ba7633bf9e851fc3955425a86933879c7e89f68da12be79f21bf4ee8d4a6e88d66c86eb40611461ff604e76476ddc9d9b658

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-wal
Filesize
8KB

MD5
c42e89503be6af809f34a75071b83823

SHA1
7ee99e05a97b7a75f1e4f3f9f1ae4dd23699da04

SHA256
94e82934f9539bbdd8eb7e77a07c637203500bd9a762c7dc0c8a667f2ed65d4d

SHA512
7eac2ec2a1203e1d98958147a7babe36de810a20ef5304f5fb5fb30eb7e74378226db440b25437194e1218b91d706aec42efe5c45a8c91acaebd09dc554208de

Download Submit
/data/data/zufxtk.qtqhxzzsr/databases/SettingsDB-wal
Filesize
418KB

MD5
ec434428f8ced75baa974cada01d51ca

SHA1
580da61a51f407796b8c6865b7deeaeee86d4e2e

SHA256
9e36725b663ab9c593fbcc0375fee2605b9118114f2f5236273748b00967cb80

SHA512
fad7088b3ccf7928b7862f5686eef5d1d03225a8ac71fa032833bf34c64db76b12923d13a01d2535a20641064c53136a703cb8d7c41397bf858fb949e225b9a9

Download Submit
/storage/emulated/0/.am/dm/md/main.md
Filesize
2.6MB

MD5
6ce629031a213e71015b36dbcc18fe6b

SHA1
8c2dcaf0bc169b2a2cb21119182b32f65958e369

SHA256
afd06a2b7fea75b3f5a4ce8835846cb95d2e50ec87428798aafe9189868004f0

SHA512
1cba0ca71b9359dde78305ecd91248ebf14ff4402fba538777c105c5f997a1267fa62e264267cbe7cfd1561e045a38f92ba85f9220e2cd439712ab8a74b2739b

Download Submit
/storage/emulated/0/.am/dm/md/main_tools.md
Filesize
1.2MB

MD5
c74275c6f8cebd2e1510f9ed4a68258b

SHA1
5de002cb456a33b2e54f43a009680770d079dea5

SHA256
22dc2fb27037413dc9aab2fef27ed052776bcd68a740d96c997aa31dd8f1632a

SHA512
ded1c0604d1c6439cf569149d0e9f30d05d1ae8d7dbee2b0539c90027fe45046ae2ee6f582131055341a442aa7f8be4da73f948de88c2e5e6d1bb764f00f70e9

Download Submit
/storage/emulated/0/.am/log.txt
Filesize
170B

MD5
11e59049fc9e36d26fb8edf7709740e4

SHA1
d72ffc1cfa54a0ad1681e99d125a5d229143458f

SHA256
41175769b1122aad54b76aa077408a3a590614930235af136b643a72867162ce

SHA512
c14bd9b2b3cde0b218cd2aebdc5437d206fb9e6d4861a4481f267359e5fa8fa9e1ace3b87c0106dbb7c5d1b5f239969786ae161d029555b61eb44811920c4025

Download Submit
/storage/emulated/0/.am/log.txt
Filesize
149B

MD5
f802b732f90c7a2633357187c256935d

SHA1
a22499773bb50e044f79c43c5140d7d5fd2b950c

SHA256
1871bfc3fa77d1a9a2c9afaf05196cbac97c398844537079dfeb56140cae68e7

SHA512
524bdc9d8e7784ed3fe98dc6bb6d868bbcfa60874cc2e3c41a5f378bfda8a666ec4ef991ebd3a03d075cc117e812142a201baaa78778284a3e50193a9e7542d0

Download Submit
/storage/emulated/0/.am/log.txt
Filesize
3KB

MD5
0e6919c523fe59bb6fe989186b0741dd

SHA1
8c95e77b2f4c5739c59c0519969efdc1bc6d7a62

SHA256
8b0cc0aae67836893462c842c1319abb48d48bbcdebdea73908a9718237c5832

SHA512
ba1bdb022aa0b9626272ebd26f6d615737ee0beacc92ee5bd82726f0168f4d4c46ffac3d353c3a630b2d1bebe1ca3d505fbe5a705cadd59f874e5beec6f2566d

Download Submit
/storage/emulated/0/.am/log.txt
Filesize
61B

MD5
14365832d301df3e9b6ef7b21c657e93

SHA1
dba06bfdcf14a2479c4f6197b3d7dd0fb5d98e0a

SHA256
9005b4881bd613b4f73ee3234898965542a900f7da0ce639c0f3e45a59f73eba

SHA512
1a7a5e2c1a8eebdcc95b9fdcde2fcce0052f685722ef269d47e601f09c19f73d3b88472996edddff6a1616c3f06569d3506fa216155a2b5f3351eeb9cb08da6d

Download Submit
/storage/emulated/0/.am/log.txt
Filesize
69B

MD5
2bf48b13dc574cd174d458b19658c568

SHA1
16000a376034d367dbf421cc92cb57337013a2cc

SHA256
8288dd7c9280de8a6db2dcec195b3f765ac8a0668df4b49817c070803b7cdeb0

SHA512
028b985039cfc7b317df60f53b3abd016af0d6810512164eea57abed7d6eb8c4e3f109e08062e082c9a1c5982211ac98ed9b9642bd7f1ec1db36f20175b7435b

Download Submit
/storage/emulated/0/.am/log.txt
Filesize
158B

MD5
f1de34ea05cfe4b3808226bfded15bef

SHA1
1b5c632ccdcc01709cb1cd0f73164e69c4af5a5d

SHA256
94b4a0046cc9998aa3a66460263c58e4f5fa645314ab0fbca9e0d73e46630218

SHA512
4eb8bac4b448a36528d6b187223adaea5e5f9998fcc5e4e8bd7cf97f3122ff0e71e276c51ff7d00a2e0e73d38299229a3c7b0a0122eda582a9777eb47162dfac

Download Submit
/storage/emulated/0/.am/log.txt
Filesize
130B

MD5
5cdc3c6dce75a8886be2d53710722ba5

SHA1
b5323df7d4accf86f645bcce7571ed8a574c938f

SHA256
a7a80a6d545053c4bc797d05eb0070a894198c8f4727716880864bdd52c74bd4

SHA512
2df62b9472553f9876e3496cfc04443fee8d5340e7af7aa64ea3e4d1d4b929386203af5b9e765304f613514e93df4fccd63d52f699d06201d644dff3872009ba

Download Submit
/storage/emulated/0/.am/log_.txt
Filesize
26KB

MD5
f60165fe36dfdc5ea5abbf3d5f2f62d2

SHA1
4f3cf8a27c6af5d36757a92e1ac006c38729d991

SHA256
711ce236c659ecf0df524b681fcefc3ecb3a27e6d1883f26503aacccf934d38f

SHA512
e9d008d3c1bc47a515d7bb323d63efe453afb56c5ca07e95ba81b9b8828696c056a3346f6e144c965d7b8ff691d74e8cb221abfe43a48343c05738bda70f7f17

Download Submit
/storage/emulated/0/.am/log_.txt.zip
Filesize
6KB

MD5
d992f7924dbfb4ebd8e0b354eedbe3a3

SHA1
6946f9b2fbbd5082f9f5c55a6de97ffe2702089c

SHA256
1d067490ebad00f21548156a45b4975e6efd1a813dd07d5e4e0ce957e9510869

SHA512
d34ba15b571accc9a899f5e46358d17d0306ab5c0fc598f58054790ee93a0d0a0b1949e14b78fc1c9a5266fba2eee2888dd18322a4073d89a1627caa04a8befb

Download Submit
/storage/emulated/0/.am/log_1714613124839.txt.zip
Filesize
217B

MD5
1f6998b3249dd30e40a8d3d37fc58e28

SHA1
d677e6371011ff438d75c8427af97d57034a4597

SHA256
a50014788bee876483676188526d2767e489821e55a68713eec2dc512008584a

SHA512
865af4b724dc7ab2d8be1ae7c5a2354f3b93ef56fe13396201147f96bfea8ca5f0ef79df1443f0d3b5cb6861978d63d681fa4f05513a614b0b351f9e27727cc9

Download Submit
/storage/emulated/0/.am/mch.apk
Filesize
39KB

MD5
b8cc1d0cbaea87bde5807dd249ec919d

SHA1
9dd70fbb0c83a59d0fccbeb881bc25b34285cd42

SHA256
dcb870a7be3d6ce1086b6ba14101f1d3710a2450638ead593de468a77d10fb50

SHA512
261aef3232aed406c2d1c96a9a365068594ee7dd4750bca8acc2659a5529d9bd11f981d688472448e642c4586ea5fe048d09c3dae5207c36193bca897ef14d6c

Download Submit
/storage/emulated/0/.am/prog_class.name
Filesize
83B

MD5
826941bbac53d86e5d00e9e55cea925e

SHA1
804aa6bec689aa3fbb786cded95a5f5bb0a0e54e

SHA256
29e2e0b88aaf6f47825025253b1c3b11192c109f0e8587e0d620cd5e4e5163db

SHA512
cd75a77ea1ed59af80ce1971a43263fd14025c3ebe32e8168e97b8eeda8cd9fe2029d4fe4d7c45e608736a6746aba5e68e75e6b0b1f9abd0a639cfa43a1afafa

Download Submit
/storage/emulated/0/Android/data/zufxtk.qtqhxzzsr/files/Download/mch.apk
Filesize
64KB

MD5
13684d2547f64dabfe299d1c6553a05f

SHA1
b000477d2cb51e917f2ebce3a8c53745ba7e0fd0

SHA256
3cf935d3101700253aa86e9d233201e587cfdd71b44491414b9d0f8f351febc0

SHA512
e75a7c2d43b9223cbb58cf21640ed86a1df77fbeab56d9f7904748898feac40aa6a372dfdfd44c93ea8480dad2f9889684bf37b85549d4bf8e2a2c7c79172217

Download Submit
/storage/emulated/0/Android/data/zufxtk.qtqhxzzsr/files/Download/mch.apk
Filesize
64KB

MD5
4d48683c7d94ce23efe44a67a1c3ae39

SHA1
bb85e13bcc11b6fd12ada7d2d97cde39d55dae44

SHA256
725dd06122d50279501c5c2a9c3ea55280ca6d25c4bcd25b9e2ac4aea2ba965a

SHA512
fcc32c08b7987c16f79a5cd5030de9f023e75f766c7cd0c54bb6d8f0bb806ecf8f3882135ab1f032b92d3a7f84aab0896069a1e8173af66a06f3f4ee0e269e1f

Download Submit
Anonymous-DexFile@0xcd971000-0xcdc02110
Filesize
2.6MB

MD5
0c7c6b52525074c2a1aabaaaa33cd625

SHA1
161ba0350dab8e50d0988249c06b2a1c757189b4

SHA256
8ecf2f3210764f98e3713b9284bf0e3f49db5472fc0940bfd3d2624d4df5bece

SHA512
c7a872f5360b97c18a121d7e8827da32352ea7dbdd4c6ec8a80e7e950bf85c7a468230c81a7675c6815623b7b0ff2ada29584a5b0a87ce48e47ba391681be44f

Download Submit
Anonymous-DexFile@0xcdd49000-0xcde73958
Filesize
1.2MB

MD5
205a360b4d45a6e4688aec7a7265dc0a

SHA1
53f493d19040d517bf0b4a842d5f7e8865a443cd

SHA256
a78f1f6aa2fb421d336ac32befa711c6702050014dad9d07074528e8ee4598ff

SHA512
3c515d0d30b65fe025629a9a2da0b7c83a95d27ce87bb54739e15b719b99dbeb11e9db0f8bce1855fdc60c872eede02327c15a6bd8f57a7de2d22edcb972febd

Download Submit