Analysis
max time kernel: 169s
max time network: 180s
platform: android_x86
resource: android-x86-arm-20240514-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
submitted: 02-06-2024 08:52
Behavioral task: behavioral1
Sample: 7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2.apk
Resource: android-x86-arm-20240514-en

Behavioral task: behavioral2
Sample: 7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2.apk
Resource: android-x64-20240514-en
General
Target: 7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2.apk
Size: 20.5MB
MD5: 95b2280beecef198e0000141611c25f5
SHA1: 412f94db6e1472f3157a4ff2c3f73a090474a18c
SHA256: 7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2
SHA512: 91609c6b985210db45b578e261e13c5de8f070405b7d81a611fc3375e7603fa8e728bfd19fb9003369488ed4e906c3f10554a13b5c50530df4de86a7e12fff18
SSDEEP: 393216:o5pST5h6sJA35z7A79L+icn1mbgafiubcNZjbZT9i/zVN2I+TXt5kKpPbNiRSKcG:btJA35z7c5k1mbBffcrjTi/zVN2IkdCd
Malware Config
Signatures

AndrMonitor
  AndrMonitor is an Android stalkerware.

Checks if the Android device is rooted. (1 TTPs, 2 IoCs)
  ioc | Process
  /system/app/Superuser.apk | ultfp.xluluazofns
  /sbin/su | ultfp.xluluazofns

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)

  pid | Process
  4231 | ultfp.xluluazofns
  4231 | ultfp.xluluazofns

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc | pid | Process
  Anonymous-DexFile@0xd283a000-0xd2acc25c | 4231 | ultfp.xluluazofns
  Anonymous-DexFile@0xd2f48000-0xd3073250 | 4231 | ultfp.xluluazofns

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.setServiceForeground | ultfp.xluluazofns

Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect account information stored on the device.
  description | ioc | Process
  Framework service call | android.accounts.IAccountManager.getAccounts | ultfp.xluluazofns

Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description | ioc | Process
  Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | ultfp.xluluazofns

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework service call | android.app.IActivityManager.registerReceiver | ultfp.xluluazofns

Acquires the wake lock (1 IoCs)
  description | ioc | Process
  Framework service call | android.os.IPowerManager.acquireWakeLock | ultfp.xluluazofns

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (3 IoCs)
  flow | ioc
  10 | prog-money.com
  12 | anmon.name
  21 | andmon.name

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)

Reads information about phone network operator. (1 TTPs)
Requests cell location (1 TTPs, 1 IoCs)
  Uses Android APIs to get current cell information.
  description | ioc | Process
  Framework service call | com.android.internal.telephony.ITelephony.getAllCellInfo | ultfp.xluluazofns
Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description | ioc | Process
  Framework service call | android.app.job.IJobScheduler.schedule | ultfp.xluluazofns
Processes

ultfp.xluluazofns (PID 4231)
  - Checks if the Android device is rooted.
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's foreground persistence service
  - Queries account information for other applications stored on the device
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Acquires the wake lock
  - Requests cell location
  - Schedules tasks to execute at a specified time
  su (PID 4326), child of ultfp.xluluazofns
Network
MITRE ATT&CK Mobile v15

Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Foreground Persistence (1)
  Scheduled Task/Job (1)

Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Hide Artifacts (1)
    Suppress Application Icon (1)
Downloads