Overview

overview

10

Static

static

10

am.apk

android-9-x86

10

am.apk

android-10-x64

10

Analysis

  • max time kernel
    22s
  • max time network
    185s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    01-07-2024 02:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    am.apk

  • Size

    20.5MB

  • MD5

    69a3362a56aceeae697d711b85ea1bd0

  • SHA1

    05af8c183ee7934be6bb1077992be1aa79a4d17f

  • SHA256

    ae4e024bce0ae2f7577d6eea4b616c585dfdc48daff98ecf24a1e36c60690772

  • SHA512

    75f50d474571b4d722d623f7d74857fd831553f941bc5fe7b7b5b310ee2c8367adca0f4e32ee44ba9c5d945e76b8b6269d4197dcbd5efcea245dd6da118ae61b

  • SSDEEP

    393216:/rTNsZsJA35z7A79L+piJ1mbgafiubcrZzbfT9i/zVN2I+TXu1qKpPbNiRSKcsaT:vzJA35z7c5R/mbBffc1z9i/zVN2Ike84

Score
10/10
andrmonitorbankercollectiondiscoveryevasionexecutioninfostealerpersistencespywaretrojan

Malware Config

Signatures

  • AndrMonitor

    AndrMonitor is an Android stalkerware.

    trojaninfostealerspywareandrmonitor
  • Checks if the Android device is rooted. 1 TTPs 2 IoCs
    evasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 6 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests cell location 1 TTPs 1 IoCs

    Uses Android APIs to to get current cell information.

    collectiondiscovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence

Processes

  • wzfj.mxwub
    1⤵
    • Checks if the Android device is rooted.
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Requests cell location
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    PID:4244

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /storage/emulated/0/.am/dm/md/main.md
    Filesize

    2.2MB

    MD5

    083d614b4799f4f249fe55a236960558

    SHA1

    2dcc7259f4340ba2e06f018121fe3525b4d10a40

    SHA256

    b6e0106f49f06c7567953ec87b9d533eb72e193b0941441c8db2d0e105ae8a78

    SHA512

    468fad40e8a2fd074b92acf04876a9e8bb28a298b8635826c3b4ac889636c9f76ab445830baf58d54b0f3d14957e95f473150d3a9f8126889a224fb307ae5744

    Download Submit
  • /storage/emulated/0/.am/log.txt
    Filesize

    171B

    MD5

    3a314aa63c6444039eb00cdde56a3cfc

    SHA1

    09365ba07845dbbc9b96acea221c43c81a72d858

    SHA256

    67cc115b56045d0429698960f12ca1a0b46a718e22458db8f4e793c81348eca2

    SHA512

    c000a9994a4e4fb178529f267a23344d8d3db37ea3bebb4680ba7cd580fcecb5fce63d634246c2c34fbc7f47e00f741e9bf3028497ea055bd0b9214b1ef10625

    Download Submit
  • /storage/emulated/0/.am/log.txt
    Filesize

    150B

    MD5

    decfb3332ba87ba4526879283832ecf7

    SHA1

    1d753ce54a44e483c88516be99bceb8c48688de9

    SHA256

    5d2f14b1c706de7fe4ef922dc82c341b058114a6469b37ad011a67867946c5e2

    SHA512

    c26f9ca4cbad354cad3124ee0122e6bb54a54a436fddac4689cb45695b70a32cd3e0f892cbdd413ddc60e21a753aece7f6fd356e3ab14cc1026a20243155cbdb

    Download Submit
  • /storage/emulated/0/.am/log.txt
    Filesize

    131B

    MD5

    ad232195ebec7f5eaef9df862c3845a6

    SHA1

    507c4dd501cade46ddf99d86b87b0a0fe7aa8a37

    SHA256

    ffb3df7e9f2f7b566af19379c56e84ec848f7273c79d403fad4b7196750f7aa9

    SHA512

    73cdbb1381822a2c53186d36ac219cd41788ba396d9785540bacdfb784c8eee5b35273996a0a6c5280d398ebb1a300d78dc0fbae88083f50c8149e811ece1dd7

    Download Submit
  • /storage/emulated/0/.am/log.txt
    Filesize

    62B

    MD5

    950cbc340f8a8795d9882c2a8f482630

    SHA1

    cbe83f4807d3c4308497daf2f823b70b108a6c75

    SHA256

    c4283d1f0c8804f13fcda35b84981a13cd0b30b7d2adab37041e1e249e0374b2

    SHA512

    92a0eecebdb26241a339b113e5a78664d46ad4e5020f1358101c70829bb088969485f62e2c2be20d101de1cf69d54539252899af6ad2a6b255377054b7532e3c

    Download Submit
  • /storage/emulated/0/.am/log.txt
    Filesize

    70B

    MD5

    0ebadaaf824ee5ca6cc09afa16d5a566

    SHA1

    be6d7bedc8f6cf093cc1df81e23338ae0d06e970

    SHA256

    8aacea2daefd0eadf24100b1486d6cf1f6eb196612814c3851f9c51a44611b52

    SHA512

    dd2738372f8a6ec3388701ad37c5c7755cddc31fdeda459550e6a97ed89cedcae450f8e76092231eb4cdc18a86844bb7525e71b6e7a82866f1c6ecf0ec7b9bb8

    Download Submit
  • /storage/emulated/0/.am/log.txt
    Filesize

    147B

    MD5

    20a6f3ad5dadcc12ca2a91b9273b615f

    SHA1

    b1468941e0e0720e8f9b10779824f6da45a91802

    SHA256

    fa17be3493f3cea585c043daf247bb1b5cae66611824f02a7493b38a885577d1

    SHA512

    657193fd8759e3da520419b306669dacc188a8fb8a59a22bb0c941bf60347edaccf9d6283bbb2c9ffd86e670134e780f91089d1eb6fc6c10e25df2fbabed321f

    Download Submit
  • /storage/emulated/0/.am/log.txt
    Filesize

    125B

    MD5

    7bca7eefb13c9fee201287639ffb3a9e

    SHA1

    1115cb6bf53b1e57d4b08dbfaf972424e9651a0a

    SHA256

    d58ac574cc76e505bcb9e4434ed2e474a83fa4bf142e61a703e57797731f25b5

    SHA512

    fdf3874fcab0450af1a2c94a8968df9f3e31167555c13cce99c40f9b4dad96d9d52053d668a547bae317ff9c2d844dd332036b9d7902c42a2709de0bcb164efc

    Download Submit
  • Anonymous-DexFile@0xd19e1000-0xd1c734e8
    Filesize

    2.3MB

    MD5

    27fc4b7b8340e5bf94ee09aed7ecd6d4

    SHA1

    a626b82423f3e24577e3d7898b6f6e7f2b6baf1b

    SHA256

    d3040992f669d42bb042e0281a03174bf6543a0c5cffb68a0295863b73c9807a

    SHA512

    18a0110404b175b8a0640dbd7b2a2bd7f324cabee14728f33aa7276851f87c972d383d8c153da03025a29104041304e36ffc33ee0e149856a57553e817c79249

    Download Submit
  • Anonymous-DexFile@0xd1db9000-0xd1ee4250
    Filesize

    1.2MB

    MD5

    cb16f947895faf71d09cb5ad792b0e35

    SHA1

    c1dc4f7d5942a9dc0e1f27bad9239a4b4e8f49a7

    SHA256

    e884e38eadd126d05e90daacf4250127ea46787315a235296d3c9341c2df3bef

    SHA512

    8ed0d22895c375649c7eee45c2911d816d194ee36c648e8cf84805dfff0889602bb3d17b376d2e4c73fdb0df23002349df0a872d8e18fe219862ad06970aa2ba

    Download Submit