Analysis
- max time kernel: 26s
- max time network: 188s
- platform: android_x64
- resource: android-x64-20240514-en
- resource tags: android, arch:x64, arch:x86, image:android-x64-20240514-en, locale:en-us, os:android-10-x64, system
- submitted: 02-06-2024 08:52
Behavioral task behavioral1
- Sample: 7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2.apk
- Resource: android-x86-arm-20240514-en
Behavioral task behavioral2
- Sample: 7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2.apk
- Resource: android-x64-20240514-en
General
- Target: 7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2.apk
- Size: 20.5MB
- MD5: 95b2280beecef198e0000141611c25f5
- SHA1: 412f94db6e1472f3157a4ff2c3f73a090474a18c
- SHA256: 7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2
- SHA512: 91609c6b985210db45b578e261e13c5de8f070405b7d81a611fc3375e7603fa8e728bfd19fb9003369488ed4e906c3f10554a13b5c50530df4de86a7e12fff18
- SSDEEP: 393216:o5pST5h6sJA35z7A79L+icn1mbgafiubcNZjbZT9i/zVN2I+TXt5kKpPbNiRSKcG:btJA35z7c5k1mbBffcrjTi/zVN2IkdCd
Malware Config
Signatures
- AndrMonitor
  AndrMonitor is Android stalkerware.
- Checks if the Android device is rooted. (1 TTP, 2 IoCs)
  ioc                        process
  /system/app/Superuser.apk  ultfp.xluluazofns
  /sbin/su                   ultfp.xluluazofns
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps). (1 TTP)
- Removes its main activity from the application launcher (2 IoCs)
  pid   process
  5153  ultfp.xluluazofns
  5153  ultfp.xluluazofns
- Loads dropped Dex/Jar (1 TTP, 2 IoCs)
  Runs an executable file dropped to the device during analysis.
  ioc                                                 pid   process
  /data/user/0/ultfp.xluluazofns/[email protected]  5153  ultfp.xluluazofns
  /data/user/0/ultfp.xluluazofns/[email protected]  5153  ultfp.xluluazofns
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  The application may abuse the framework's foreground service to keep running in the foreground.
  description             ioc                                                process
  Framework service call  android.app.IActivityManager.setServiceForeground  ultfp.xluluazofns
- Queries account information for other applications stored on the device (1 TTP, 1 IoC)
  The application may abuse the framework's APIs to collect account information stored on the device.
  description             ioc                                           process
  Framework service call  android.accounts.IAccountManager.getAccounts  ultfp.xluluazofns
- Queries information about the current Wi-Fi connection (1 TTP, 1 IoC)
  The application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description             ioc                                              process
  Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  ultfp.xluluazofns
- Queries the phone number (MSISDN for GSM devices) (1 TTP)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  description             ioc                                            process
  Framework service call  android.app.IActivityManager.registerReceiver  ultfp.xluluazofns
- Acquires the wake lock (1 IoC)
  description             ioc                                       process
  Framework service call  android.os.IPowerManager.acquireWakeLock  ultfp.xluluazofns
- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (6 IoCs)
  flow  ioc
  14    prog-money.com
  16    anmon.name
  72    andmon.name
  101   prog-money.com
  105   anmon.name
  121   andmon.name
- Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
- Reads information about the phone network operator. (1 TTP)
- Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
  The application may abuse the framework's APIs to schedule initial or recurring execution of malicious code.
  description             ioc                                     process
  Framework service call  android.app.job.IJobScheduler.schedule  ultfp.xluluazofns
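Added example, not part of the Triage report and not code from AndrMonitor: a small Python triage helper that turns the indicators listed in the signatures above (the three echap.eu.org-listed domains, the package name ultfp.xluluazofns, the sample's SHA-256 and the SHA-256s of the two DEX files dropped under /data/user/0/ultfp.xluluazofns/, taken from the Downloads section) into matchers that can be run over telemetry from a device under investigation. The DNS log lines, the `pm list packages` output and the file inventory below are constructed sample inputs, not data from the report, and the dnsmasq-style log format is an assumption. Domain matching is done on label boundaries so that hosts beneath a listed domain match while look-alikes such as notanmon.name do not.

```python
"""Match device and network telemetry against the indicators from this report.

Added example for this page; it is not part of the Triage report. The
indicator values come from the report, the sample inputs are constructed.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Indicators taken from the report: echap.eu.org-listed stalkerware domains,
# the monitored package, and the SHA-256s of the sample and of the two DEX
# files it dropped under /data/user/0/ultfp.xluluazofns/.
STALKERWARE_DOMAINS = ("prog-money.com", "anmon.name", "andmon.name")
SUSPECT_PACKAGE = "ultfp.xluluazofns"
KNOWN_SHA256 = {
    "7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2",  # the APK
    "886111a93011a48dfb6eb6231c42864b42364bd8a71d0efc229188653dbe0a9f",  # dropped DEX, 2.6MB
    "e884e38eadd126d05e90daacf4250127ea46787315a235296d3c9341c2df3bef",  # dropped DEX, 1.2MB
}


def domain_matches(name: str) -> Optional[str]:
    """Return the indicator that `name` equals or is a subdomain of, else None.

    Suffix matching is done on label boundaries so that e.g. 'notanmon.name'
    does not match 'anmon.name'.
    """
    name = name.rstrip(".").lower()
    for dom in STALKERWARE_DOMAINS:
        if name == dom or name.endswith("." + dom):
            return dom
    return None


# Assumed log format (dnsmasq style): '... query[A] <name> from <client>'.
_DNS_QUERY = re.compile(r"query\[[A-Z]+\]\s+(\S+)\s+from\s+(\S+)")


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, client, queried_name, indicator) for every query that
    resolves a listed domain or a host beneath it."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = _DNS_QUERY.search(line)
        if not m:
            continue
        qname, client = m.group(1), m.group(2)
        dom = domain_matches(qname)
        if dom:
            hits.append((line_no, client, qname, dom))
    return hits


def package_installed(pm_output: str) -> bool:
    """True if `adb shell pm list packages` output names the package exactly
    (the output is one 'package:<name>' per line)."""
    installed = {
        line.split(":", 1)[1].strip()
        for line in pm_output.splitlines()
        if line.startswith("package:")
    }
    return SUSPECT_PACKAGE in installed


def match_hashes(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Given (path, sha256hex) pairs from a file inventory, return the paths
    whose digest matches the APK or one of its dropped DEX files."""
    return [path for path, digest in inventory if digest.lower() in KNOWN_SHA256]


# Constructed sample telemetry, not from the report.
SAMPLE_DNS_LOG = [
    "Jun  2 08:53:01 dnsmasq[812]: query[A] connectivitycheck.gstatic.com from 10.0.2.16",
    "Jun  2 08:53:07 dnsmasq[812]: query[A] prog-money.com from 10.0.2.16",
    "Jun  2 08:53:09 dnsmasq[812]: query[A] api.anmon.name from 10.0.2.16",
    "Jun  2 08:53:20 dnsmasq[812]: query[A] andmon.name.example.org from 10.0.2.16",
]
SAMPLE_PM_OUTPUT = "package:com.android.settings\npackage:ultfp.xluluazofns\npackage:com.google.android.gms\n"
SAMPLE_INVENTORY = [
    ("/sdcard/Download/update.apk", "7E8781523B8F388F6A84FE0A64EDA900E90238E2E4ABDBF0A713F1FE321FD5B2"),
    ("/sdcard/Download/notes.txt", "0" * 64),
]


def triage(dns_lines, pm_output, inventory) -> dict:
    """Combine the three checks into one verdict structure."""
    return {
        "dns_hits": scan_dns_log(dns_lines),
        "package_installed": package_installed(pm_output),
        "hash_hits": match_hashes(inventory),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAMPLE_DNS_LOG, SAMPLE_PM_OUTPUT, SAMPLE_INVENTORY))
```

The hash check is deliberately case-insensitive because `sha256sum` on the device and the report print lowercase while some inventory tools print uppercase; the package check requires an exact name so that an unrelated package sharing the prefix does not count as a hit.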
Processes
- ultfp.xluluazofns (PID 5153)
  - Checks if the Android device is rooted.
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's foreground persistence service
  - Queries account information for other applications stored on the device
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Acquires the wake lock
  - Schedules tasks to execute at a specified time
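Added example, not code from the report or from AndrMonitor: a static string scan that looks for the behaviours the process list above attributes to ultfp.xluluazofns before the sample is ever run. The two root-check paths come from the report's own IoCs; the SDK method and class names used for icon hiding, foreground services, job scheduling and runtime DEX loading are assumptions (the report records the Binder-level calls such as IActivityManager.setServiceForeground, not the SDK names a DEX string table carries). The APK returned by build_sample_apk() is a constructed stand-in, not the real sample.

```python
"""Static string triage of an APK (or a dropped DEX) for the behaviours this
report flags: root checks, launcher-icon hiding, foreground services,
scheduled jobs and runtime DEX loading.

Added example for this page; it is not part of the report. The APK built by
build_sample_apk() is a constructed stand-in, not the real sample.
"""
import io
import zipfile
from typing import Dict, List

# Paths the sample probed at runtime (from the root-check signature above).
ROOT_CHECK_STRINGS = (b"/sbin/su", b"/system/app/Superuser.apk")

# Assumed SDK method/class names for the other flagged behaviours. The report
# records the Binder-level calls (e.g. IActivityManager.setServiceForeground);
# these are the SDK entry points a DEX string table would normally carry.
BEHAVIOUR_STRINGS = {
    b"setComponentEnabledSetting": "icon_hiding",    # PackageManager, disables the launcher activity
    b"startForeground": "foreground_service",        # Service.startForeground
    b"JobScheduler": "scheduled_job",                # android.app.job.JobScheduler
    b"DexClassLoader": "dynamic_code",               # loads a dropped DEX/JAR
}


def _entries(blob: bytes):
    """Yield (name, bytes) for each file in a zip/APK, or the blob itself as
    '<raw>' when it is not a zip (e.g. a dropped .dex pulled from the device)."""
    bio = io.BytesIO(blob)
    if not zipfile.is_zipfile(bio):
        yield "<raw>", blob
        return
    with zipfile.ZipFile(bio) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                yield info.filename, zf.read(info)


def scan_bytes(blob: bytes) -> Dict[str, List[str]]:
    """Map each matched indicator string to the entries it was found in."""
    needles = list(ROOT_CHECK_STRINGS) + list(BEHAVIOUR_STRINGS)
    found: Dict[str, List[str]] = {}
    for name, data in _entries(blob):
        for needle in needles:
            if needle in data:
                found.setdefault(needle.decode(), []).append(name)
    return found


def classify(found: Dict[str, List[str]]) -> set:
    """Translate matched strings into behaviour labels."""
    labels = set()
    if any(s.decode() in found for s in ROOT_CHECK_STRINGS):
        labels.add("root_check")
    for needle, label in BEHAVIOUR_STRINGS.items():
        if needle.decode() in found:
            labels.add(label)
    return labels


def build_sample_apk() -> bytes:
    """Constructed stand-in: a zip whose 'classes.dex' is not a valid DEX but
    carries the strings where a real string table would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='ultfp.xluluazofns'/>")
        zf.writestr("classes.dex", b"dex\n035\x00/sbin/su\x00/system/app/Superuser.apk\x00setComponentEnabledSetting\x00")
        zf.writestr("assets/payload.bin", b"\x00DexClassLoader\x00")
    return buf.getvalue()


if __name__ == "__main__":
    hits = scan_bytes(build_sample_apk())
    print(hits)
    print(sorted(classify(hits)))
```

Run it over the APK and, separately, over any file pulled from the package's data directory (the report shows code being loaded from a dropped file under /data/user/0/ultfp.xluluazofns/): because the sample loads DEX at runtime, the interesting strings may live only in the dropped file, and a miss on the APK alone is not a clean bill, since strings can also be obfuscated or built at runtime.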
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution: Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts: Suppress Application Icon (1)
Downloads
- Filesize: 124KB
  MD5: 9cf7e03179a00e0097bb8292c310a7f8
  SHA1: 8046f1a0d32003f672b2da8ba6c7eb8f54ffcd17
  SHA256: b428664066ed6496119d7ef35afee74fe8f5eb834939f9cacbf55804aa592438
  SHA512: 1d046cd7d5a96b0b4f0c5d218f97ebc850ea4a3385658ea4a9d36dc05363659d1dc53660f94d4d7d87794cfd60b94593f304e9011421d35f3f17296d28c28cb6
- Filesize: 96KB
  MD5: 9dabbd4a4ed2fcd75245f9b27527c03f
  SHA1: 3e0998cbc52b49ca740c7aef0b61a1de5db7cbf6
  SHA256: c226f4d45475de27e5fb753f0f93fbb36b28dd6e71c6d93260c130bb8862a53a
  SHA512: 881c0b77829616d097107e3e91cbec80455f16708c434c7419ce989bc7a261a44366755a2f5d5c6f04815c0c3a530dadcae6050d76f58b114f973080af621c98
- Filesize: 96KB
  MD5: 7127cb606ddb293619854ff438dd3b6f
  SHA1: 7528c4195b4f66cfbad4ef5ae297a1c016be749b
  SHA256: 1fd56703e0cbe7401e74a9eda5fd99e365c9771471c9ba47ab7c6217eb22ce88
  SHA512: acdb327aa88217ffdac66e36ceaffa6665012d44e30f58c6c23b444e2506aacdffd71be6593c3351e9fb0a3c9ed00292d5bcd52ca586a6f10365b21d0d50217d
- Filesize: 96KB
  MD5: d3dd91b6960ca71e9d21adf4fce909bf
  SHA1: 51617f03481959064f38fe158f42fc0c4fdf6160
  SHA256: 54de929d67c10998c67d54a6ea08ce5b03976ade1a22c18815222304cb6c84c3
  SHA512: ef30e744521b159fc444e927248dcacbef372cff6925002e429d4d064aa0f27659862ac7810deac34a7dc20e4b15a841749b2dc1ef53ea3d40c17daeeadd6d15
- Filesize: 96KB
  MD5: 53250cf383cc159672318a8add133c12
  SHA1: f54a93cde7280b940d12173154e7cf42fb9b9759
  SHA256: 29ec07fd519bd9267e6eef907ebd298767c18804459c4f0c28e8e7b405c1b05b
  SHA512: 3f5cc7ee1f9ef7879a4446a9aa84dce9f21a7ebc1488322a1489ad7273322f070274c1604e430f039104d9a6369e9ee094897003137e8bac989b0a25a20309ef
- Filesize: 96KB
  MD5: 10e40f812959b3864ce88ade83006333
  SHA1: ea963e482a0193cedd0ede9813be30594e622f83
  SHA256: 6d2e1b2f9bb0330a0c968a87f75ca9e36759ee5c1b0a4aad3ab435f0d025fae2
  SHA512: bfbe6da1047b244c64b6c04f408951326e3da24ee70c9a3c9e16eddf8ff7b3b31c9e004e03d280fa9d6a4efbe64b32bce4d17bda9909169d33a6e4b790b279c9
- Filesize: 512B
  MD5: 421fc326417e59935f761eaaa7850979
  SHA1: 78d8e09bf8e28522b8c8527a72f4832a14fdc87c
  SHA256: 5669b80144c3c2fff865b764f4a22a3877964d70f65abca6eb33c196e3dad938
  SHA512: b22af4cf292c479335f9574a62f9e0b30c37784ecfa764e9a74225ea0de0f5071fe1def4b24a7697284ab68aa6be31e7b943e4dfa1c0f3c3d3c84671c9dde4e3
- Filesize: 8KB
  MD5: e0159962595a7c6c11e6c52573040d22
  SHA1: 6ab2f49e3fae60acece179f01fcbbc5a23b558a9
  SHA256: 1f1ee8e478a78f381e21b29264e49b10fc387b090636eeedf4b2edbd12ddd89b
  SHA512: 58f6b84d26cc3d73d3aff0f99f1c662185cca41c3d097e61810c8ea18feb18379a4fb75bb0be0a6f290346075c8474d21662b22565ac49f4b4d2e133784d7112
- Filesize: 4KB
  MD5: be69d272ec9d967963cdbaf15c944954
  SHA1: ee068c1034f2180d45d8eede6fa0b34f1fdcb2aa
  SHA256: 93c5f4b63b5fe4d56e8f1c976a4b66ff458f458ca9f91d3d38c1478e61363465
  SHA512: 905e28edcad206ba2d206183045922bb40728353b0e08b6c15fd1c93254e677cfab1e0354f653274520a7ce2683cad9fb4630cf5fd016ddd2f8362053120170a
- Filesize: 8KB
  MD5: 277835d0f9c6e82846261fc2f22360dd
  SHA1: acc33cc58b9541755a0e722c67e3456606428337
  SHA256: 8d1a696c664db57a170003ee24e62ad701d2f5cc789253306bd9d6d1c9a0d1a0
  SHA512: ecfd078855b2a4ab9811ac94196aae4f3da93adf50202780ec61418e6b923ac505590c95607590e07992d7d04ce6b6c5acdb8084d449b66e104d23a41bfbbd62
- Filesize: 12KB
  MD5: 71fe56e60fab9db8cf8f8913118f9039
  SHA1: 356931814c56302570be5c2e1f8283350acb48c2
  SHA256: 90b7e7528a7a5510307afdf6ff074e1c3ddb4bb47a895385b28202dad283bbb5
  SHA512: ba617689782b68d52844593986f5fde258ad39773c1c293a279e8aeb00e7bb9f62b1f253abe967282df2af8092234c7f3861a8ce4f1d514b7c1d612c3e02b64e
- Filesize: 20KB
  MD5: aa855c1e16a9ab546ce54658bd6a21da
  SHA1: d09456b6db8bb0007c0b5866d3db946c15dfb6e5
  SHA256: f07488d437d5458ce8f3bb912e5803559fcbb91df033d087c5e87b225953d8a1
  SHA512: 3a5c65b157cdeb7c758afae5944a869729a5717507ea85b61a533b5e0a1c115b3129e4412649eaa310e4625b9df1fc5c620f16f579e7ff4c0a200a01462a5860
- /data/user/0/ultfp.xluluazofns/[email protected]
  Filesize: 2.6MB
  MD5: a11095265b09ae16734bc3b64a287e71
  SHA1: 880f31b9f8816a40960b0276447e2252194d5f0e
  SHA256: 886111a93011a48dfb6eb6231c42864b42364bd8a71d0efc229188653dbe0a9f
  SHA512: 81963a169cfbe9dbc6a47a5d5c52d3f25ad3b56e82ad24206b24b257f0118d52393174a4219f6b27b4cb3a2ba8eeb832e61ea5bfb2b2160cee63a895a28cddc0
- /data/user/0/ultfp.xluluazofns/[email protected]
  Filesize: 1.2MB
  MD5: cb16f947895faf71d09cb5ad792b0e35
  SHA1: c1dc4f7d5942a9dc0e1f27bad9239a4b4e8f49a7
  SHA256: e884e38eadd126d05e90daacf4250127ea46787315a235296d3c9341c2df3bef
  SHA512: 8ed0d22895c375649c7eee45c2911d816d194ee36c648e8cf84805dfff0889602bb3d17b376d2e4c73fdb0df23002349df0a872d8e18fe219862ad06970aa2ba
- Filesize: 2.6MB
  MD5: b6d3a4cf3c50723d4c2b606550f66078
  SHA1: fe6541e98b3cc04a31d269c3dd51beda11814796
  SHA256: e10b67c58d2778bbcafa71e34353c26a089eaef19021b8a52274708c6c664a8b
  SHA512: 6b482bec5b3bf9f39f09164b67a416f238973e799a88245422a06caeeda73daf0aa0fa4e319384e6ac6c03c99c5808c9cba990ab5028169e820a2d8694eb7c5e
- Filesize: 1.2MB
  MD5: 1e05a2d987a9b8ace6ec423e1de9ae2b
  SHA1: 8ba9fad037667f9a091541ac11cf4e27965d5288
  SHA256: 743e7d3660de8e672bf0d07078d8e540b1cdb17d216e63b8703fa180c97179b6
  SHA512: 1744113900cd787eb4ee34c9fe5b72dbefd4e6c334373f6f32adde0e3de22044a2cdb1ed9a6137e4dfdb7ec53a7b77fd5d059e07976569a30e192e680233d54c
- Filesize: 171B
  MD5: f6458957be8737791ea51069fe297893
  SHA1: 01ea14c9773b8a0435c35483363ca999311a1bfb
  SHA256: cd641e675961e00c43802651f4951c8c5488c3251f5e1cf55caa0e97256b33a1
  SHA512: be584d767e90e5a6e96f0e45873983fdbd7d568b9326d63f98159885f8b7485e263cf18bb1a668fc8a477ce9ef9562fb39b8b32195ea7e8e252ef3c5f5926b50
- Filesize: 150B
  MD5: 087c30a59c23a5b14761ed010df434ed
  SHA1: 6158c6af3bb9e31c139f14d4c505e8ab1a2aaf11
  SHA256: a2631de0ceb0e7572a5372c4c84a2df7e4e6efe24c417f3a8922c18aa225eb8c
  SHA512: ee5050aac09a6ac44c909cb63a948b214acca78b37e77beadf0dd5f81ac767aa77097e225104e13c8baf468048e916d1467547fd37bb4d352325b9fd4a7b9f3e
- Filesize: 4KB
  MD5: 0ca7fcca83597269fa7ffe7e90ccb34f
  SHA1: 3986605b61102fa85631918640b6254f8b2abe5e
  SHA256: ae914b805f918cc464a2741d223a5cf8c3544cab11cc801f2283aa74fe1199b7
  SHA512: 38f128a89b8570ab7a6961d2e2328001a9d1420ae9d6b94f88928a11ff368d240f2262c9b5a659af1916ce472222259e33b967b46fdbb07398ae3a57f1c72bff
- Filesize: 62B
  MD5: 958c26b3b12952b3313935b85aff862a
  SHA1: 3fc52bd0a70f61ec94af78c21daab1e4d14ce277
  SHA256: 1eddbd66654d297f0ce6ad7d6d21aa3ecaa56188205525babb468a9a99b85172
  SHA512: 527c3ec9fb2c22897b00c44af3fc8935588268ee27a33ea2df0839a25591154dd4461c953b3fdcdb87827d1fbd96ed5c3cfa4cc021803749aaa8da6718dd5b6f
- Filesize: 70B
  MD5: 41f8d8de7647608a2d32db511919d901
  SHA1: a6217f927b4e7d637d7deff8ec3e76e928fb3710
  SHA256: ff5738f544d97ebe1fd75a29170a441e5564ba9c054094f9c440a14baef18620
  SHA512: 885c668496173bfd63b3f74ff437079f169fd1780807b20d0aaa8c7287d500111bbbe599f3dc15f8c91b1ecf8e8ab7c30e41b2cebb30ddc18f5943cf81cc374e
- Filesize: 164B
  MD5: e0afa6f942486b275999f1e068dabe80
  SHA1: f08e64805c44efb2860b1c20adaa493cd73714b8
  SHA256: b990724dbf94f6c839490244efc0077f534dec27d1229e8ab0ece0b7830771c4
  SHA512: a38b1f1fd822c18725ed63b4a6485a5c91cba7e0abc06f0923dd6b26732c603521a0bb89b3524fc055d0d1ffa7de26e635f458ad385760347a6da5592e94d877
- Filesize: 132B
  MD5: 7aee27684bcfe083e0617a4585da15eb
  SHA1: 8ed21c6434378eaa75487bf7860e9613d83c6afd
  SHA256: 6cf1bfb80841f5ec1135bdf8db49882ba41d89ec21ff3902e2116a6d35dd4663
  SHA512: 3e7cab31bc681c8583bbb581503e9926078cfca85723b69269cc4406fc49be6398fb01a6b45c8257005d1909be3c499a8301b3697b28fde9eb00c954f5775019
- Filesize: 45KB
  MD5: 3cfa758df675a49ce7a48ba461605e24
  SHA1: 7f0e175d6f2473c8369ff5841a59f0f616cacb8b
  SHA256: 47932b3ac5484af53ef9477716da7a7279194322f9c2a1b276b872481a63bb19
  SHA512: 3b915f3348297d89d894ca4abfb8fd565f64aed6b0365f8a9388b98a99e7cc8b4a0234e7e15bd4f3f264aad61b325a663e87ae28484355a6e45bd42286465e2f
- Filesize: 81B
  MD5: b8b5f3bfc09d894b59b046a334c95afb
  SHA1: 63553f7add999d1f9279baae996086f6da7e5c63
  SHA256: 724cec8037ad196328560e2dee682aff4e295682d738789468d8123e9d447871
  SHA512: 30d8ca6f0c05b027d1fe1504a5c95efb8b48ab61a8da85fbe49fe5c24cd23266450e95e48cc735244e764019c6065e5b8420d615baaa39d3abc6489479f66b67
- Filesize: 64KB
  MD5: bbb146ff193cdf02fa7428bc4b8b8c27
  SHA1: 973a9f12b7174ef2f58d23838271d5f4263ef8db
  SHA256: cbdf755e9753dd6f6aaff892284ed5528cdf81e41e86d0cca436a8f94207ea8c
  SHA512: 3592aabb47d5d4023a9c15e1d51afeb2e8baa8a7b345e74a1c272c7a15a482df5357e06bccbbc493dd2c560d437f0da3b120180a836928afe9c90747543d699d
- Filesize: 64KB
  MD5: 13684d2547f64dabfe299d1c6553a05f
  SHA1: b000477d2cb51e917f2ebce3a8c53745ba7e0fd0
  SHA256: 3cf935d3101700253aa86e9d233201e587cfdd71b44491414b9d0f8f351febc0
  SHA512: e75a7c2d43b9223cbb58cf21640ed86a1df77fbeab56d9f7904748898feac40aa6a372dfdfd44c93ea8480dad2f9889684bf37b85549d4bf8e2a2c7c79172217