Analysis
max time kernel: 15s
max time network: 185s
platform: android_x64
resource: android-x64-20240514-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20240514-en, locale:en-us, os:android-10-x64, system
submitted: 02-06-2024 01:17
Behavioral task: behavioral1
Sample: 7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2.apk
Resource: android-x86-arm-20240514-en

Behavioral task: behavioral2
Sample: 7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2.apk
Resource: android-x64-20240514-en
General
Target: 7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2.apk
Size: 20.5MB
MD5: 95b2280beecef198e0000141611c25f5
SHA1: 412f94db6e1472f3157a4ff2c3f73a090474a18c
SHA256: 7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2
SHA512: 91609c6b985210db45b578e261e13c5de8f070405b7d81a611fc3375e7603fa8e728bfd19fb9003369488ed4e906c3f10554a13b5c50530df4de86a7e12fff18
SSDEEP: 393216:o5pST5h6sJA35z7A79L+icn1mbgafiubcNZjbZT9i/zVN2I+TXt5kKpPbNiRSKcG:btJA35z7c5k1mbBffcrjTi/zVN2IkdCd
Malware Config
Signatures
AndrMonitor
AndrMonitor is Android stalkerware.

Checks if the Android device is rooted. (1 TTPs, 2 IoCs)
  ioc: /system/app/Superuser.apk  process: ultfp.xluluazofns
  ioc: /sbin/su  process: ultfp.xluluazofns

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps). (1 TTPs)
  pid: 5163  process: ultfp.xluluazofns
  pid: 5163  process: ultfp.xluluazofns

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs an executable file dropped to the device during analysis.
  ioc: /data/user/0/ultfp.xluluazofns/[email protected]  pid: 5163  process: ultfp.xluluazofns
  ioc: /data/user/0/ultfp.xluluazofns/[email protected]  pid: 5163  process: ultfp.xluluazofns

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call  ioc: android.app.IActivityManager.setServiceForeground  process: ultfp.xluluazofns

Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description: Framework service call  ioc: android.net.wifi.IWifiManager.getConnectionInfo  process: ultfp.xluluazofns

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description: Framework service call  ioc: android.app.IActivityManager.registerReceiver  process: ultfp.xluluazofns

Domain associated with commercial stalkerware software; includes indicators from echap.eu.org (4 IoCs)
  flow 20:  prog-money.com
  flow 88:  prog-money.com
  flow 92:  anmon.name
  flow 111: andmon.name

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)

Reads information about the phone network operator. (1 TTPs)
Processes
ultfp.xluluazofns
  PID: 5163
  - Checks if the Android device is rooted.
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's foreground persistence service
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Foreground Persistence (1)
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Hide Artifacts (1)
    Suppress Application Icon (1)
Downloads