Overview

overview

10

Static

static

10

am.apk

android-9-x86

10

am.apk

android-10-x64

10

Analysis

  • max time kernel
    23s
  • max time network
    186s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
  • submitted
    01-07-2024 02:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    am.apk

  • Size

    20.5MB

  • MD5

    69a3362a56aceeae697d711b85ea1bd0

  • SHA1

    05af8c183ee7934be6bb1077992be1aa79a4d17f

  • SHA256

    ae4e024bce0ae2f7577d6eea4b616c585dfdc48daff98ecf24a1e36c60690772

  • SHA512

    75f50d474571b4d722d623f7d74857fd831553f941bc5fe7b7b5b310ee2c8367adca0f4e32ee44ba9c5d945e76b8b6269d4197dcbd5efcea245dd6da118ae61b

  • SSDEEP

    393216:/rTNsZsJA35z7A79L+piJ1mbgafiubcrZzbfT9i/zVN2I+TXu1qKpPbNiRSKcsaT:vzJA35z7c5R/mbBffc1z9i/zVN2Ike84

Score
10/10
andrmonitorbankercollectiondiscoveryevasionexecutioninfostealerpersistencespywaretrojan

Malware Config

Signatures

  • AndrMonitor

    AndrMonitor is an Android stalkerware.

    trojaninfostealerspywareandrmonitor
  • Checks if the Android device is rooted. 1 TTPs 2 IoCs
    evasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 17 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests cell location 1 TTPs 1 IoCs

    Uses Android APIs to to get current cell information.

    collectiondiscovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence

Processes

  • wzfj.mxwub
    1⤵
    • Checks if the Android device is rooted.
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Requests cell location
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    PID:5052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/wzfj.mxwub/[email protected]
    Filesize

    2.6MB

    MD5

    1b5d7af0d254b409f3abad6d01570547

    SHA1

    7c496db9cb7bfcdb8832246bcec5276f5a280c75

    SHA256

    e2f0cbb3e3ae65a8b8289743d576d21db62b62158922993759ada8479225fc34

    SHA512

    c1f2f5a61fba8d3333d1b65eb4e1c536cb5660239f1d32183610cf463dc300a896e7b8fb96ed324946ffccb88d29ca03590e07535d4d426ed2a88b83acc788e8

    Download Submit
  • /data/user/0/wzfj.mxwub/[email protected]
    Filesize

    1.2MB

    MD5

    cb16f947895faf71d09cb5ad792b0e35

    SHA1

    c1dc4f7d5942a9dc0e1f27bad9239a4b4e8f49a7

    SHA256

    e884e38eadd126d05e90daacf4250127ea46787315a235296d3c9341c2df3bef

    SHA512

    8ed0d22895c375649c7eee45c2911d816d194ee36c648e8cf84805dfff0889602bb3d17b376d2e4c73fdb0df23002349df0a872d8e18fe219862ad06970aa2ba

    Download Submit
  • /storage/emulated/0/.am/dm/md/main.md
    Filesize

    2.6MB

    MD5

    819710fd84f5711b935df83118921ac5

    SHA1

    cce96f2c67511c83e9838783bec9f4df8060b042

    SHA256

    2dcad94c68b202c7fee1dc9c2513c58951d121d41187d933b7e4b794d24dca97

    SHA512

    ec8930cfc9d9c7830d1fd12c36222594c00c3c681962cf0f51718804ff99bb0975d2e0e386b1194497f83d5eae1e58b8bb13aef2fd3164b0a296326897c2f7f8

    Download Submit
  • /storage/emulated/0/.am/log.txt
    Filesize

    171B

    MD5

    5e9c24dd06cbf2610bb24b36bb655cd2

    SHA1

    f56828d8a701cd64e76849fb26780afa9d5d75cb

    SHA256

    69e1689f056c171b726f0c48a53aece21b8a9a30243997939cc4fbdece07e915

    SHA512

    76b397ce740f9ffee0c90521a7f80ddde4ce1029c1a1a8c3765e544dd9f6508b112cdd8a3c6e52306f979cfc8ff6bb962ebea6d4cbf5611ace1bde996f39f1db

    Download Submit
  • /storage/emulated/0/.am/log.txt
    Filesize

    150B

    MD5

    f9572d28abf765e739084945f04724b9

    SHA1

    b8d9c77b6abbede642370a405c5c4f9c43e133c2

    SHA256

    56cf45c1d8ad0e09a43dd8e63c8aff5c088eaa499ce10da89f072a3259194371

    SHA512

    530f00c6754b696b6cb450a89a45e9136430226f706b8819e8302bf5cb17b345811743a6afbd5606f11620ec8a07fd4a50af9e20b04a5ee0e64a649639f237ed

    Download Submit
  • /storage/emulated/0/.am/log.txt
    Filesize

    131B

    MD5

    1dfb9bf51051ec9dc1fe2828e582fbbb

    SHA1

    4841e83f2fe6fa03afc762636bfddb04ad2d6111

    SHA256

    482ecc137a0ce3b19fbec81633f410dd83f92fa7151189a697ebb653ad6e6981

    SHA512

    17808095bb01cbec524bd9f4b886a77812fea1b6550b4eb43a73b31cf00622c50a9d86f8220e313aa4bf94b55777753b007134c7171b6ea9fdb823c7c8a56361

    Download Submit
  • /storage/emulated/0/.am/log.txt
    Filesize

    62B

    MD5

    9f18d26b763d6713ec071bca92f7beaf

    SHA1

    1218912e05456b05eb1820eb4ae1eb52dd33cf44

    SHA256

    cfcf6e4bc953676583e3a54c2c6c419dfe45e89c371a732243e5812b0cb54585

    SHA512

    42b4ca12916440a27fc7ab2e01bbff836a88936db7dd5beb4f598063aed1ee0ca2a66da4d36d81a4c52c7828983c4a2c8f49dd20cfcc5de6197ca6bb26ea9efe

    Download Submit
  • /storage/emulated/0/.am/log.txt
    Filesize

    70B

    MD5

    33f0ae50486dfafcc8667e1b12954352

    SHA1

    320da3ff872b7cc52ca7401748e31947ff2136fd

    SHA256

    eee0efd4573a5132ed41391f7a4b2fd82c4f8e9181b7369dedb7b244da5dcc0b

    SHA512

    0fda27349987e17f935f5d2b718c896959724efd7ff789e3ca9650e80b2fe07f7ab44d3220635188a1822259973138ae7f118d7c9f64b360d0adf13d9df5d38a

    Download Submit
  • /storage/emulated/0/.am/log.txt
    Filesize

    150B

    MD5

    2dec73f27a9810e154470b6dc862e566

    SHA1

    6550f32131b178ae763b4d37c8db8c3c7a9b60b8

    SHA256

    9d44dca5d2c5d382c98d31b20bd0ede1302160dccdcb853ee402902436e97b1f

    SHA512

    0e78d968f4d441a81c505e530285858b1d1281ad70084e7b057e15a68ce93e41411d9dd195957af5881ee35192b4e4a2401177f4cc2699adf5350e55c1befee0

    Download Submit
  • /storage/emulated/0/.am/log.txt
    Filesize

    125B

    MD5

    1fc29dbf8accea48786b064b41a9599f

    SHA1

    3c14a8b28c6c5b813a87a3c05a3e37113b109f26

    SHA256

    06857f54dd7d6cb622699dabb2035b2f732c4c9abaeb32886ecd29008b33c2ec

    SHA512

    78fe65b8aa03aaa22d405e7090f18656c29b2a3325d7a1913444e46ac1d9c27548dbcf8bbf9ccf7b05da59324921fabd10e7ac4bfdc30a86f90090703ff41ea0

    Download Submit