andrmonitor | ae4e024bce0ae2f7577d6eea4b616c585dfdc48daff98ecf24a1e36c60690772

Analysis

max time kernel
171s
max time network
186s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
submitted
01-07-2024 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae4e024bce0ae2f7577d6eea4b616c585dfdc48daff98ecf24a1e36c60690772.apk
Size

20.5MB
MD5

69a3362a56aceeae697d711b85ea1bd0
SHA1

05af8c183ee7934be6bb1077992be1aa79a4d17f
SHA256

ae4e024bce0ae2f7577d6eea4b616c585dfdc48daff98ecf24a1e36c60690772
SHA512

75f50d474571b4d722d623f7d74857fd831553f941bc5fe7b7b5b310ee2c8367adca0f4e32ee44ba9c5d945e76b8b6269d4197dcbd5efcea245dd6da118ae61b
SSDEEP

393216:/rTNsZsJA35z7A79L+piJ1mbgafiubcrZzbfT9i/zVN2I+TXu1qKpPbNiRSKcsaT:vzJA35z7c5R/mbBffc1z9i/zVN2Ike84

Score

10^/10

andrmonitor banker collection discovery evasion execution infostealer persistence spyware trojan

Malware Config

Signatures

AndrMonitor
AndrMonitor is an Android stalkerware.
trojan infostealer spyware andrmonitor
Checks if the Android device is rooted. 1 TTPs 3 IoCs
evasion

T1426

Processes:

wzfj.mxwub

ioc process

/system/app/Superuser.apk wzfj.mxwub
/sbin/su wzfj.mxwub
/system/bin/su wzfj.mxwub
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
evasion

T1407

Processes:

wzfj.mxwub

ioc pid process

/data/user/0/wzfj.mxwub/[email protected] 4348 wzfj.mxwub
/data/user/0/wzfj.mxwub/[email protected] 4348 wzfj.mxwub
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

T1418.001
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

T1409

Processes:

wzfj.mxwub

description ioc process

Framework service call android.accounts.IAccountManager.getAccountsAsUser wzfj.mxwub
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

T1422
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 9 IoCs

Processes:

flow ioc

36 anmon.name
12 prog-money.com
14 anmon.name
20 prog-money.com
21 andmon.name
32 anmon.name
35 anmon.name
11 prog-money.com
13 anmon.name
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

T1541

Processes:

wzfj.mxwub

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground wzfj.mxwub
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

T1422
Reads information about phone network operator. 1 TTPs
discovery

T1422
Requests cell location 1 TTPs 1 IoCs
Uses Android APIs to to get current cell information.
collection discovery

T1430

Processes:

wzfj.mxwub

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getAllCellInfo wzfj.mxwub
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
execution persistence

T1603

Processes:

wzfj.mxwub

description ioc process

Framework service call android.app.job.IJobScheduler.schedule wzfj.mxwub

ioc	process
/system/app/Superuser.apk	wzfj.mxwub
/sbin/su	wzfj.mxwub
/system/bin/su	wzfj.mxwub

ioc	pid	process
/data/user/0/wzfj.mxwub/[email protected]	4348	wzfj.mxwub
/data/user/0/wzfj.mxwub/[email protected]	4348	wzfj.mxwub

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	wzfj.mxwub

flow	ioc
36	anmon.name
12	prog-money.com
14	anmon.name
20	prog-money.com
21	andmon.name
32	anmon.name
35	anmon.name
11	prog-money.com
13	anmon.name

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	wzfj.mxwub

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	wzfj.mxwub

description	ioc	process
Framework service call	android.app.job.IJobScheduler.schedule	wzfj.mxwub

wzfj.mxwub
1⤵
- Checks if the Android device is rooted.
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Makes use of the framework's foreground persistence service
- Requests cell location
- Schedules tasks to execute at a specified time
PID:4348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/wzfj.mxwub/[email protected]
Filesize
2.3MB

MD5
f351ac2b6d45a6c71f98b9af3d566607

SHA1
3b24242ff000e7b5c00526ba7a0706369c4dc073

SHA256
34b0aec7c02820703cb9f22a786253cd0bbcc78c60a70eb4a8f422d6609d248d

SHA512
bf4a683f06931002ec191e0e7dc26f8de88644834c1559703a915b16987946c510e09d0c03504519d251962d816f199d05212c1eeba207326b1caa4d3e9d7d07

Download Submit
/data/user/0/wzfj.mxwub/[email protected]
Filesize
1.2MB

MD5
cb16f947895faf71d09cb5ad792b0e35

SHA1
c1dc4f7d5942a9dc0e1f27bad9239a4b4e8f49a7

SHA256
e884e38eadd126d05e90daacf4250127ea46787315a235296d3c9341c2df3bef

SHA512
8ed0d22895c375649c7eee45c2911d816d194ee36c648e8cf84805dfff0889602bb3d17b376d2e4c73fdb0df23002349df0a872d8e18fe219862ad06970aa2ba

Download Submit
/storage/emulated/0/.am/dm/md/main.md
Filesize
2.1MB

MD5
4ff2b064cc25929cef9b4d11bb97e3de

SHA1
9399ef3be9af39099959ae53a9e9f700f73e383b

SHA256
b45b3bbf8b4326f432daf833a14774c8bd0521b4c9ed4b4f2d4ddc6c5799a72c

SHA512
2e5ab81962cf0df7406e09193a45dbae998195d8a1aaf6cfed0bb440d6c81b0baab91a3526c843293634f8d1030741c6834fc3e3d36fb6df4a1193d5731fce44

Download Submit
/storage/emulated/0/.am/log.txt
Filesize
171B

MD5
813ef5b4e43732f445294984246addaa

SHA1
fbd01c1b88eab59ca1bc67108dca1ec01ad009c7

SHA256
4d8258955555ec0a4a5c3b85adb9a44018e4c0c9fc9b66b9cd00d5163c5427ad

SHA512
585a4804229ff4aff7cdf78fc25a6ba677618783afc1335ef71e4d82b7a8d3dd75f05c05c0db8315ae975265c523be3119560b0258aa9425bba37d2150846f7d

Download Submit
/storage/emulated/0/.am/log.txt
Filesize
150B

MD5
4ca726acd3afa1595f8eaeea71921252

SHA1
99934ee3cc0a5a7a4dfeeb2407806c4cf46ebd39

SHA256
0f7fc77c14cd1f7e66733174f46bc19be9b7e8a99849d93fd25cd7abedc9d3da

SHA512
f195a5c2c3afad15dc8477eb74a5dc57a3bfd1707969e8609309ef8df6a7e85f368436c3bbe106a85f86ceef8ac0bf942bee1ce8f5e53254ed5f7c2696f22130

Download Submit
/storage/emulated/0/.am/log.txt
Filesize
131B

MD5
a9ed7d9c40507ad4c8e2895ef3489ed4

SHA1
c65441b9206f3bf4a0c3a3d6d171e3f35cbf4b86

SHA256
3c6cc16617efa59c6eace4259a0105826f1154f9670dd78b1708935a39d17538

SHA512
c5e8db12b2be5b896b3dd64a1e7d7fa167e3c7b216b27427a14bd4274b460bb2cb4bd7d7a08bcc8a453637b0cb1c98dce9c0f2bdf0cd076c1506e9ef56a589c9

Download Submit
/storage/emulated/0/.am/log.txt
Filesize
62B

MD5
fe6c26554bb51fa9e9170fefdbe9c90e

SHA1
6bcdab43a045625d0e4b8a6fee38daf94706ab25

SHA256
2ab0ecd0b4b158a6940ff2f1be68ccc9e3e417b137004fa73bf31e74bfe4f8d7

SHA512
01e91d1ee80870a96d774c3ef6985991e066ee98f8f80f76481439315f26bb690f632f1091d95d15f3e3fa0c10e099247eb79faf9abfdc6803b0066f76ced5c9

Download Submit
/storage/emulated/0/.am/log.txt
Filesize
70B

MD5
3fd9a8b1f0a4817ba38ab2a7f6ccfafa

SHA1
c6643208bef38d8418ba09ef85f4d1b1c90d4476

SHA256
8339556d9bec9c9531eb457e0ce32ff270ad080464dee3b5ac56a770faa41af4

SHA512
723039578eda5fc22d770c5e75eed5554f580ac420616007d0422639fcc3fd645b0ed0eafc7d0db66f603c638b5d6801f72ee99f56617e9e416bacf488c1114d

Download Submit
/storage/emulated/0/.am/log.txt
Filesize
177B

MD5
384ac24fc25d1a3f11be9e56f9f53d44

SHA1
34eb3620c045cc0e1626e945f434eec3e0f075d9

SHA256
1170296ba87ed4d614736e03e6188f758ef7cef90434caf6b31983b83426484c

SHA512
81952c1d509b55043242c15db04bcda24b41f920f0bcc1e26214485a9cfff72d033463e1a5aaca4798a8ff6e565d183d4427a647c1df45ae02ddad18d986036c

Download Submit
/storage/emulated/0/.am/log.txt
Filesize
125B

MD5
0c82d37a1c2540ff0ba67305f2b31963

SHA1
c510293c6f1be3ab2e74930deca0d0df3c7014a5

SHA256
924127e71bc04465d73708196a2683b27d32b568e53e1f35e5f7a5486095b825

SHA512
86123cf42d72e40b9531899897fb75aff59af48f63d6d035ace972fd2f2407e174327b2cb8dfde2ec4ce410809ac0007dd444d46213b391098c3c77c69cda023

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads