Analysis
max time kernel: 170s
max time network: 185s
platform: android_x64
resource: android-x64-arm64-20240514-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240514-en, locale:en-us, os:android-11-x64, system
submitted: 01-06-2024 02:06
Behavioral task behavioral1: sample am.apk, resource android-x86-arm-20240514-en
Behavioral task behavioral2: sample am.apk, resource android-x64-arm64-20240514-en
General
Target: am.apk
Size: 20.5MB
MD5: 95b2280beecef198e0000141611c25f5
SHA1: 412f94db6e1472f3157a4ff2c3f73a090474a18c
SHA256: 7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2
SHA512: 91609c6b985210db45b578e261e13c5de8f070405b7d81a611fc3375e7603fa8e728bfd19fb9003369488ed4e906c3f10554a13b5c50530df4de86a7e12fff18
SSDEEP: 393216:o5pST5h6sJA35z7A79L+icn1mbgafiubcNZjbZT9i/zVN2I+TXt5kKpPbNiRSKcG:btJA35z7c5k1mbBffcrjTi/zVN2IkdCd
Malware Config
Signatures
-
AndrMonitor
AndrMonitor is an Android stalkerware family.
-
Checks if the Android device is rooted. 1 TTPs 3 IoCs
ioc                        Process
/system/app/Superuser.apk  ultfp.xluluazofns
/sbin/su                   ultfp.xluluazofns
/system/bin/su             ultfp.xluluazofns
-
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps). 1 TTPs
-
Removes its main activity from the application launcher 1 TTPs 2 IoCs
pid   Process
4510  ultfp.xluluazofns
4510  ultfp.xluluazofns
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc                                                  pid   Process
/data/user/0/ultfp.xluluazofns/[email protected]  4510  ultfp.xluluazofns
/data/user/0/ultfp.xluluazofns/[email protected]  4510  ultfp.xluluazofns
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description             ioc                                                 Process
Framework service call  android.app.IActivityManager.setServiceForeground  ultfp.xluluazofns
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
description             ioc                                                 Process
Framework service call  android.accounts.IAccountManager.getAccountsAsUser  ultfp.xluluazofns
-
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description             ioc                                            Process
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  ultfp.xluluazofns
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description             ioc                                         Process
Framework service call  android.os.IPowerManager.acquireWakeLock  ultfp.xluluazofns
-
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 3 IoCs
flow  ioc
25    prog-money.com
28    anmon.name
36    andmon.name
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests cell location 1 TTPs 1 IoCs
Uses Android APIs to get current cell information.
description             ioc                                                     Process
Framework service call  com.android.internal.telephony.ITelephony.getAllCellInfo  ultfp.xluluazofns
-
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description             ioc                                       Process
Framework service call  android.app.job.IJobScheduler.schedule  ultfp.xluluazofns
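The "Loads dropped Dex/Jar" signature above means the code that carries these indicators may not be in am.apk at all but only in the DEX files the app writes to its data directory at runtime. The following is an added triage example, not code from this report, from the sandbox, or from the sample: it parses the string_ids table of a DEX file and flags the root-check paths and stalkerware domains listed in the Signatures section. It assumes the dropped files have been pulled from /data/user/0/ultfp.xluluazofns/ on the rooted analysis image and that their strings are not encrypted; build_test_dex is a hypothetical helper that constructs a minimal string table so the scan can be run offline.

```python
"""Static triage of a pulled DEX against the indicators in this report.

Added example, not sandbox or sample code. Walks the DEX string_ids table and
flags the root-detection paths and stalkerware domains from the Signatures
section. Because the sample loads dropped DEX at runtime, run this over the
files pulled from the app's data directory, not only over am.apk itself.
"""
import struct
from typing import Dict, Iterator, List, Tuple

# Indicators copied from the Signatures section of this report.
ROOT_CHECK_PATHS = {"/system/app/Superuser.apk", "/sbin/su", "/system/bin/su"}
STALKERWARE_DOMAINS = {"prog-money.com", "anmon.name", "andmon.name"}

DEX_MAGIC_PREFIX = b"dex\n"   # followed by the version, e.g. b"035\x00"
DEX_HEADER_SIZE = 0x70
STRING_IDS_SIZE_OFF = 0x38    # header field: uint string_ids_size
STRING_IDS_OFF_OFF = 0x3C     # header field: uint string_ids_off


def read_uleb128(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode an unsigned LEB128 value; return (value, position after it)."""
    value, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def write_uleb128(value: int) -> bytes:
    """Encode an unsigned LEB128 value (used by the constructed test DEX)."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def dex_strings(dex: bytes) -> Iterator[str]:
    """Yield every entry of the DEX string table in table order."""
    if not dex.startswith(DEX_MAGIC_PREFIX):
        raise ValueError("not a DEX file (bad magic)")
    count, table_off = struct.unpack_from("<II", dex, STRING_IDS_SIZE_OFF)
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        # string_data_item: uleb128 utf16_size, MUTF-8 bytes, NUL terminator.
        _utf16_len, start = read_uleb128(dex, data_off)
        end = dex.index(b"\x00", start)
        # MUTF-8 differs from UTF-8 only for U+0000 and supplementary
        # characters; plain UTF-8 decoding is enough for ASCII indicators.
        yield dex[start:end].decode("utf-8", errors="replace")


def scan_dex(dex: bytes) -> Dict[str, object]:
    """Return which report indicators occur in the DEX string table."""
    root_hits, domain_hits = set(), set()
    for s in dex_strings(dex):
        if s in ROOT_CHECK_PATHS:
            root_hits.add(s)
        # URLs are usually stored whole, so match domains as substrings.
        for domain in STALKERWARE_DOMAINS:
            if domain in s:
                domain_hits.add(domain)
    return {
        "root_check": sorted(root_hits),
        "stalkerware_domains": sorted(domain_hits),
        "verdict": "suspicious" if root_hits or domain_hits else "no indicators",
    }


def build_test_dex(strings: List[str]) -> bytes:
    """Build a header-plus-string-table blob laid out like a real DEX.

    Constructed sample for offline testing only (hypothetical helper): it has
    no code, no checksum and an unsorted table, so it is not loadable, but the
    string_ids/string_data layout matches the format the scanner parses.
    """
    header = bytearray(DEX_HEADER_SIZE)
    header[0:8] = b"dex\n035\x00"
    ids, data = bytearray(), bytearray()
    data_start = DEX_HEADER_SIZE + 4 * len(strings)
    for s in strings:
        ids += struct.pack("<I", data_start + len(data))
        data += write_uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    total = DEX_HEADER_SIZE + len(ids) + len(data)
    struct.pack_into("<I", header, 0x20, total)                # file_size
    struct.pack_into("<I", header, 0x24, DEX_HEADER_SIZE)      # header_size
    struct.pack_into("<II", header, STRING_IDS_SIZE_OFF, len(strings), DEX_HEADER_SIZE)
    return bytes(header + ids + data)


if __name__ == "__main__":
    sample = build_test_dex(
        ["Lultfp/xluluazofns/a;", "/sbin/su", "https://anmon.name/api/", "ok"]
    )
    print(scan_dex(sample))
```

Before scanning, check the pulled files' SHA256 against the values in the Downloads section so the artifact you analyse is the one the sandbox observed. If the scan reports no indicators on a sample this report already attributes to AndrMonitor, the strings are most likely obfuscated or encrypted, and the dynamic IoCs above (the Binder service calls and the DNS flows to prog-money.com, anmon.name and andmon.name) remain the reliable signal.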
Processes
-
ultfp.xluluazofns
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries account information for other applications stored on the device
- Queries information about the current Wi-Fi connection
- Acquires the wake lock
- Requests cell location
- Schedules tasks to execute at a specified time
PID: 4510
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime 1
Foreground Persistence 1
Hide Artifacts 1
Suppress Application Icon 1
Downloads
-
/data/user/0/ultfp.xluluazofns/[email protected]
Filesize: 2.6MB
MD5: a11095265b09ae16734bc3b64a287e71
SHA1: 880f31b9f8816a40960b0276447e2252194d5f0e
SHA256: 886111a93011a48dfb6eb6231c42864b42364bd8a71d0efc229188653dbe0a9f
SHA512: 81963a169cfbe9dbc6a47a5d5c52d3f25ad3b56e82ad24206b24b257f0118d52393174a4219f6b27b4cb3a2ba8eeb832e61ea5bfb2b2160cee63a895a28cddc0
-
/data/user/0/ultfp.xluluazofns/[email protected]
Filesize: 1.2MB
MD5: cb16f947895faf71d09cb5ad792b0e35
SHA1: c1dc4f7d5942a9dc0e1f27bad9239a4b4e8f49a7
SHA256: e884e38eadd126d05e90daacf4250127ea46787315a235296d3c9341c2df3bef
SHA512: 8ed0d22895c375649c7eee45c2911d816d194ee36c648e8cf84805dfff0889602bb3d17b376d2e4c73fdb0df23002349df0a872d8e18fe219862ad06970aa2ba
-
Filesize: 124KB
MD5: f15335a640f24813c9b345c99da7e16d
SHA1: a0e7fdc85b3c1420bf342676be577f146f5dce49
SHA256: 6baf6ee8c7c503ed9962ff49957fe3c0b707171d1913450d97c84856a6ae31b9
SHA512: 5f51ec199de29b23e398d143c4f0faf58ba655a4f455ecafd5b6303c0ef428f3165f5db49daf4697f1dba3033da51113730ee5ad158a9ea9f8f6b9a10b044f19
-
Filesize: 96KB
MD5: 8926ede590a51d106e230dd7fc7c2047
SHA1: e579365beefd712f6ee549064767b3bd9539f6c2
SHA256: c864ccd519c15949a860c4cb8b4e7eae5e2da068457d16b5894ac1520f357407
SHA512: 3f9f236b667cff0122b0f351271c91a2e8def04346069c7a6c175e06545d40b7deedc83502ab8a1340f7bd488d6692f0acb8c063a558b83e58105ad762b08085
-
Filesize: 96KB
MD5: 2f5f114d58e0df082b48da2a1b7e02d4
SHA1: 489e420e38bdae4c5adc734ed5dfd178f4cac68e
SHA256: 9ccb4b4edb6c09317fd586ad8508d16bd870f1e656d1f89e639ce6db11888c4f
SHA512: bca3215d89339b384b8371708a9c1636b572d022e33dcf8815f877f7b30b024209e4338c252c685389a3424dd988222164bd7d3a42ffeeb23f891ea6ac71108f
-
Filesize: 96KB
MD5: 0d2333a204fc28ed6ec739a2f3dcd13e
SHA1: a8ad276d7b1395fb402c283f823a7049c77e7730
SHA256: cf33a6e75095f220fd66e0c885ed6ce85b4a53a89ff6709ac642053c3e2baf37
SHA512: 6335a8c863fa37481d747cb49f6c790847cfb0b3370b17f8b76d64b48503e0623265a1cefc82001782362adf9dbf18314604fab015b9e308fc1684c0d402cada
-
Filesize: 96KB
MD5: a765d9c4daa314315364b4f9f671335f
SHA1: f73004d5aedc3616bb58f49d19d562d1303d942c
SHA256: a11823cec17d8af3058b30a454f77a384ae5640d870d515e15f62a01d4389a1a
SHA512: 5c6efb3601fd25013fcc7263a4f36323aeb37c45b00a41a5d44b75345e6a91130e4267eb105973bd92cec0ffdc3d591deb2bb55ac6b6e245912d1c2d8cc5f7c2
-
Filesize: 172KB
MD5: 593e073e9fbeabf2ec8df41084a2fa69
SHA1: 7ebb43722824bd83dba57c27bb020cbf08449ce5
SHA256: 72092b984a04e14b4c65a9e73642ee31d9bd2d9e46b9a1502af4cd73ca5a4d48
SHA512: 64a448939746f56749ff9301f9e7eece71f699c7bc7d2a958ca02192654f573a2d3f68ec34f6e4048a13f50a7e9864226a5862b1cd5279dda9d9ed992b3c443a
-
Filesize: 512B
MD5: ddf55e99db70cdeb39757943ce807a88
SHA1: f6e974fcd65b9591e88b782741a34d2812622386
SHA256: f9d7e591388cf180c0507ca82933fb46d65645093847c2a93c927f5c5e39a28e
SHA512: 2e09566b047abd5cf72bf9e8e50e7237ee7ef0cb70b9e97a1df7035503ffa0dd0c8da7d731df7fbe109064367180c32691f57a99db9d81481404c6dbdaaf48c2
-
Filesize: 8KB
MD5: 88e7100bfced8e35f997f05b2bbc5381
SHA1: 744829f18b7e574448cce1c2a3eea73bd4d84ed9
SHA256: f79a81ca3a1095683f8156b2e172eeb7c4c2b7febe8d98c3541eca667dc470bc
SHA512: 6a4977b6a99f99bf179c5e2cf67f69ee017cf7a513e5ed2bd1807629e396a8d13ec23ffb5040298b8d3c9067eff7785231077884faad9d0492a250e3c6d0b892
-
Filesize: 4KB
MD5: 8abfe9f8b71fadc8f0c00ad8b0abf972
SHA1: 674885b47a8252d0bbe38a7913a758782fdea724
SHA256: 84eab30033d5556b5742f261dd96cb4d336600aaf2409704e1cc9a0831c64dc0
SHA512: d4b17e5a4f65f726c734ffdd621051fd31891417f6fe1665241a27df06688c14232031ef8703de8b9a707e165a1bc7ccd61c262eb6f047b176476c85c25aa0fb
-
Filesize: 8KB
MD5: a4fd7e40a2dcff5a2ebd3cd61aa43dd4
SHA1: 29f9a39cc067816ade2011d4f8179e07c453a9b1
SHA256: f6ea90d62c21e9d8ebdfd0a40f1200589c8ac6fb031f2fca1ca72984c9a9bad0
SHA512: d598ef91ada43ad895c9211c2a1e0985373a417fa977b3b85bd3ec4af5d07e66831b770519d297b3d6141ff0f9a4ce75e31fac723c6e0af00d45246508d504d6
-
Filesize: 12KB
MD5: 8e74769b564d043a6376743fdd460d81
SHA1: fd19e6ad613bc1c8fba1ef02416d397967d13191
SHA256: 1ffc49eb9be460d6765c3c1ae2074ed4c6f6629f148d04722a599aff6d37c279
SHA512: 7406221d2fef6b656c44d7d22cc80f7c6e7609c0c3c01c378c221576f77ec1965124c9e272970627b65a69d67f0be2ab67a2fc3f15664a819efbe813ec703a7a
-
Filesize: 24KB
MD5: e1add71d6e1ae6e34ff6770d7d1aa390
SHA1: 62b0d88adaa6e0182b22b3bd400101379a317218
SHA256: 12a4fedf6d544f5c2e23e036c0906c50137ea0249b34ef0f47613416895e82b6
SHA512: 42b3b3b2e48c480edf1af5937413245a2bb42b9da7c7a8f8cea6bc92a921bf43ce1c3d9255d900c35ae24361e75a9dcc13716192d688dc1092f71f89be05990d
-
Filesize: 2.6MB
MD5: b6d3a4cf3c50723d4c2b606550f66078
SHA1: fe6541e98b3cc04a31d269c3dd51beda11814796
SHA256: e10b67c58d2778bbcafa71e34353c26a089eaef19021b8a52274708c6c664a8b
SHA512: 6b482bec5b3bf9f39f09164b67a416f238973e799a88245422a06caeeda73daf0aa0fa4e319384e6ac6c03c99c5808c9cba990ab5028169e820a2d8694eb7c5e
-
Filesize: 1.2MB
MD5: 1e05a2d987a9b8ace6ec423e1de9ae2b
SHA1: 8ba9fad037667f9a091541ac11cf4e27965d5288
SHA256: 743e7d3660de8e672bf0d07078d8e540b1cdb17d216e63b8703fa180c97179b6
SHA512: 1744113900cd787eb4ee34c9fe5b72dbefd4e6c334373f6f32adde0e3de22044a2cdb1ed9a6137e4dfdb7ec53a7b77fd5d059e07976569a30e192e680233d54c
-
Filesize: 171B
MD5: cddd8f0a017edce02b114e774849ca49
SHA1: 4d6e305da24e28bb94bb1d872156f43f38e16f26
SHA256: 4be76dbc5607ad770639df46eddee62f81a3c5bc224b56d41eef89e45601f67f
SHA512: 891814d8b18af00375ff73c9bcaa8ff7b7377e1b9006512a1f981ec4a21c4c6132c1dc2532b2a60acbb03bef515e6279de3c3731f03be6c0bcb1a1a42911b7a4
-
Filesize: 150B
MD5: d34c37a5f15e41464ac4aebabd307462
SHA1: 518e825a075304ffd75dd54de8832dda9a6898e4
SHA256: 7b6f11c534d63cf5c57bc633e76561a3ff5cd204d78aa654503f22d099c68694
SHA512: d645673d1f88ca2401068511517866cd8642e20e6a29ce41d406b08cdf508b677bac4b2a4dda7450e0936aeaa4da78ef2f7fe6245de91b2962aa48cd2942a7d8
-
Filesize: 4KB
MD5: d80e67c0a723caf64fbd1038934ec525
SHA1: 62bcb20902f832b45259fd5a2caeb06874a8ba90
SHA256: 7cd601b6252dc7f704752458b1164da6408633ac55d3d159dee7c55adf54289f
SHA512: af7c4afdfed63885f36f9a9be30de905ee466896756fbc5323028f0cbd7e6aa88a6c686d4f959d83cf6582809ffd9b49e28b126b58e8e8b2218044c5d1b7c77f
-
Filesize: 62B
MD5: 2bcf54cfeae04b67443f7908b276cefe
SHA1: a6da032bf46c1f8f1c20590ea875ce6fb9848e77
SHA256: 760ba474634d1d3c786736b28182e06f25a654f6b8016135e02e41f9d3c6e7be
SHA512: 7859d1d7a384115a3c510018abb74cad1c97a85bc2f1fb43f1afaadc1956e98388a52fcde2a8398fa86699fea6bd0a55690beb2c88d7fec8f04bd98758f12b1c
-
Filesize: 70B
MD5: 222651158bbe84bfd00a51dd5ce6bcb1
SHA1: a2861d2c92182c121287c27f022d4a56d769dfdc
SHA256: a6fb3ffb23acc59c3edc6a803745822ae2878cc2aa246030ba9234b00d7d9e92
SHA512: 821800e37914137f8dbf86999b08c1766e627409f189bec12439b4bed1370d0d33b3f3d963faa0184d2869b73b01cc6c67e3bb3d58df61730c70c64714de27b0
-
Filesize: 191B
MD5: fcc79f79567a2c17604ca62f8cb44fc9
SHA1: a64fe9501b5f6cce8d841de8fe29eddabe2a51ba
SHA256: d6636c0894db58142d0935a35401c8565fb5d1093db35bf6fbdfde6c7bbd520c
SHA512: 6532b69767d772eef7c6833d5538031eb34a98d5ea10d9265b3d796e9a03cddd4c802a0b719fdd6c7abaa5e96fa73f531e0e5c3688d592b22a28063f69c29054
-
Filesize: 132B
MD5: 8ab72905d36f938fb0a1bda22700d158
SHA1: 1fea193be512a0dff37e55aea1f4cb643520034a
SHA256: 31bfe30b271a98dc6157fee1f4c6e639c86a4e41a654243afc58fa9a9a49d717
SHA512: 6a78540a82b679febf5c59fadc6eb2ba40408979f4410a139db62b7c87d164e7f5c0221ded04d81a8c1d2697c60f6efaca8538450ea28dccb9ec14e3bea27ffd
-
Filesize: 27KB
MD5: 93988e3dc5bf0d21621cb8db0e959f99
SHA1: 4f002a9fbe6a6ddab472a9bdffe6bb82e6fb9c95
SHA256: 043ab5d77cfddee26d178ad41cd0d377be8d9559795ae990143810c20ada2248
SHA512: 00cd3e2d2c10aabae94316e4e30932d8d4083cfe9fc13a3ad7dc931920a52ed47ff588dc371f24f0e732a12ffa5ac78954e2f42d34a731722f9102200a08ab60
-
Filesize: 6KB
MD5: 0a51bbf204e528bd241dc8dbf20726dc
SHA1: dd8d4bcf30bdcb6f9173f6c4bde67c0335955e49
SHA256: 11323c23193a95ff631211b211fb8814a7eb7afa267179c8d38f206fc08d709d
SHA512: 02e49c0af396a0cf9832c6842383e33078bbfb3e395852282d4f0ad8b82b71d09246839bba3c578dbdb502cb2c322f59754f0ab8dea327ac3f7cba3640db165f
-
Filesize: 217B
MD5: 8d51f026936898c3a9acb1c3b75280e7
SHA1: 21a5d9d914e52495929bcb065cd4b5db53e946c2
SHA256: 5b1fa3efdfd4609a5cf69cdfce9e6fcc836a644f6e60092ff0fb7fccd46c8f32
SHA512: 9395f0950cc9bbf3cd982d4ee6515e3922663671d6061ddaec266d900b15273a3e074347660fe86783b69a2e915740d5c143f4b9ac164bbfd1a05a8a214356ce
-
Filesize: 81B
MD5: b8b5f3bfc09d894b59b046a334c95afb
SHA1: 63553f7add999d1f9279baae996086f6da7e5c63
SHA256: 724cec8037ad196328560e2dee682aff4e295682d738789468d8123e9d447871
SHA512: 30d8ca6f0c05b027d1fe1504a5c95efb8b48ab61a8da85fbe49fe5c24cd23266450e95e48cc735244e764019c6065e5b8420d615baaa39d3abc6489479f66b67
-
Filesize: 64KB
MD5: 13684d2547f64dabfe299d1c6553a05f
SHA1: b000477d2cb51e917f2ebce3a8c53745ba7e0fd0
SHA256: 3cf935d3101700253aa86e9d233201e587cfdd71b44491414b9d0f8f351febc0
SHA512: e75a7c2d43b9223cbb58cf21640ed86a1df77fbeab56d9f7904748898feac40aa6a372dfdfd44c93ea8480dad2f9889684bf37b85549d4bf8e2a2c7c79172217
-
Filesize: 64KB
MD5: 38cb0f23ea4266e5835734f8191718dd
SHA1: 1bca9bd7bcee0dc5e04a55bf608de31618c57405
SHA256: 3e7fe59f181e7e3bfb37276d8ebc707227218871aa0e59179f8f26625deb7d9c
SHA512: 8a73d18efb8dc9235f9bb7ebed91e9d6efb9e53ed9b8a63b18262dac286145dccf8406bea75fef60ce0a0e6650be61cdd2170cd6a1518e9187ed1277cb722f4d