Analysis
- max time kernel: 13s
- max time network: 180s
- platform: android_x64
- resource: android-x64-20240514-en
- resource tags: android, arch:x64, arch:x86, image:android-x64-20240514-en, locale:en-us, os:android-10-x64, system
- submitted: 02-06-2024 08:52
Behavioral task: behavioral1
Sample: 7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2.apk
Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
Sample: 7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2.apk
Resource: android-x64-20240514-en
General
- Target: 7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2.apk
- Size: 20.5MB
- MD5: 95b2280beecef198e0000141611c25f5
- SHA1: 412f94db6e1472f3157a4ff2c3f73a090474a18c
- SHA256: 7e8781523b8f388f6a84fe0a64eda900e90238e2e4abdbf0a713f1fe321fd5b2
- SHA512: 91609c6b985210db45b578e261e13c5de8f070405b7d81a611fc3375e7603fa8e728bfd19fb9003369488ed4e906c3f10554a13b5c50530df4de86a7e12fff18
- SSDEEP: 393216:o5pST5h6sJA35z7A79L+icn1mbgafiubcNZjbZT9i/zVN2I+TXt5kKpPbNiRSKcG:btJA35z7c5k1mbBffcrjTi/zVN2IkdCd
Malware Config
Signatures
- AndrMonitor
  AndrMonitor is an Android stalkerware.
- Checks if the Android device is rooted. 1 TTPs 2 IoCs
  ioc: /system/app/Superuser.apk (process: ultfp.xluluazofns)
  ioc: /sbin/su (process: ultfp.xluluazofns)
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) 1 TTPs
- Removes its main activity from the application launcher (this heading was lost in extraction; it is inferred from the process summary below, which lists the behaviour for this PID)
  pid: 5172 (process: ultfp.xluluazofns)
  pid: 5172 (process: ultfp.xluluazofns)
- Loads dropped Dex/Jar 1 TTPs 2 IoCs
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/ultfp.xluluazofns/[email protected] (pid: 5172, process: ultfp.xluluazofns)
  ioc: /data/user/0/ultfp.xluluazofns/[email protected] (pid: 5172, process: ultfp.xluluazofns)
- Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
  Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call; ioc: android.app.IActivityManager.setServiceForeground (process: ultfp.xluluazofns)
- Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description: Framework service call; ioc: android.net.wifi.IWifiManager.getConnectionInfo (process: ultfp.xluluazofns)
- Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  description: Framework service call; ioc: android.app.IActivityManager.registerReceiver (process: ultfp.xluluazofns)
- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 6 IoCs
  flow 43: anmon.name
  flow 47: andmon.name
  flow 97: prog-money.com
  flow 99: anmon.name
  flow 116: andmon.name
  flow 19: prog-money.com
- Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
- Reads information about phone network operator. 1 TTPs
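An added example, not part of the sandbox report and not code from the sample: a small Python matcher that turns the indicators listed above (the two root-check paths, the three Binder framework calls, the three stalkerware domains, and code written into the app's private data directory and then loaded) into detection logic and runs it over constructed device telemetry. The event layout, the sample events, and the dropped-file name payload.dex are assumptions for illustration; the report itself truncates the real dropped file name, so dropped code is modelled as any file written under /data/user/0/ultfp.xluluazofns/ during the run and loaded afterwards.

```python
"""Added example: match Android device telemetry against the indicators in
this sandbox report.  The event layout and sample events are constructed for
illustration; they are not output of the sandbox."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

SAMPLE_PACKAGE = "ultfp.xluluazofns"

# Indicators copied from the report's Signatures section.
ROOT_CHECK_PATHS = {"/system/app/Superuser.apk", "/sbin/su"}
STALKERWARE_DOMAINS = {"anmon.name", "andmon.name", "prog-money.com"}
FRAMEWORK_CALLS = {
    "android.app.IActivityManager.setServiceForeground":
        "Makes use of the framework's foreground persistence service",
    "android.net.wifi.IWifiManager.getConnectionInfo":
        "Queries information about the current Wi-Fi connection",
    "android.app.IActivityManager.registerReceiver":
        "Registers a broadcast receiver at runtime",
}
# Assumption: the report only shows that code was loaded from the app's
# private data directory (the file name is truncated), so "dropped code"
# is modelled as any file written there during the run and loaded later.
PRIVATE_DATA_DIR = f"/data/user/0/{SAMPLE_PACKAGE}/"


@dataclass(frozen=True)
class Event:
    kind: str       # file_open | file_write | dex_load | binder | dns
    value: str      # path, Binder interface method, or queried host name
    process: str = SAMPLE_PACKAGE


def domain_matches(host: str) -> bool:
    """True for a listed domain or any subdomain of it (case-insensitive,
    trailing dot tolerated); 'notanmon.name' must not match 'anmon.name'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in STALKERWARE_DOMAINS)


def classify(events: Iterable[Event]) -> dict[str, list[str]]:
    """Return {signature name: [matching IoCs]} for the given event stream."""
    hits: dict[str, list[str]] = {}
    dropped: set[str] = set()   # files the sample wrote into its own data dir

    def add(signature: str, ioc: str) -> None:
        hits.setdefault(signature, []).append(ioc)

    for ev in events:
        if ev.kind == "file_open" and ev.value in ROOT_CHECK_PATHS:
            add("Checks if the Android device is rooted", ev.value)
        elif ev.kind == "file_write" and ev.value.startswith(PRIVATE_DATA_DIR):
            dropped.add(ev.value)
        elif ev.kind == "dex_load" and ev.value in dropped:
            # Only code written during the run counts, matching the report's
            # "Runs executable file dropped to the device during analysis".
            add("Loads dropped Dex/Jar", ev.value)
        elif ev.kind == "binder" and ev.value in FRAMEWORK_CALLS:
            add(FRAMEWORK_CALLS[ev.value], ev.value)
        elif ev.kind == "dns" and domain_matches(ev.value):
            add("Domain associated with commercial stalkerware software", ev.value)
    return hits


# Constructed telemetry, not sandbox output.  'payload.dex' is a made-up name.
SAMPLE_EVENTS = [
    Event("file_open", "/sbin/su"),
    Event("file_open", "/system/app/Superuser.apk"),
    Event("file_open", "/system/build.prop"),                       # benign
    Event("file_write", PRIVATE_DATA_DIR + "files/payload.dex"),
    Event("dex_load", PRIVATE_DATA_DIR + "files/payload.dex"),
    Event("dex_load", "/system/framework/framework.jar"),           # not dropped
    Event("binder", "android.app.IActivityManager.setServiceForeground"),
    Event("binder", "android.app.IActivityManager.registerReceiver"),
    Event("dns", "api.anmon.name"),                                 # subdomain
    Event("dns", "www.example.com"),                                # benign
    Event("dns", "prog-money.com."),                                # trailing dot
]


if __name__ == "__main__":
    for signature, iocs in classify(SAMPLE_EVENTS).items():
        print(f"{signature}: {', '.join(iocs)}")
```

The domain check deliberately matches subdomains but not prefix collisions (api.anmon.name hits, notanmon.name does not), and the dropped-code rule fires only for files the sample itself wrote, so loading a platform jar from /system/framework does not produce a false positive.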
Processes
-
ultfp.xluluazofns
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:5172
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
  - Suppress Application Icon (1)
Downloads
- Filesize: 124KB
  MD5: 9cf7e03179a00e0097bb8292c310a7f8
  SHA1: 8046f1a0d32003f672b2da8ba6c7eb8f54ffcd17
  SHA256: b428664066ed6496119d7ef35afee74fe8f5eb834939f9cacbf55804aa592438
  SHA512: 1d046cd7d5a96b0b4f0c5d218f97ebc850ea4a3385658ea4a9d36dc05363659d1dc53660f94d4d7d87794cfd60b94593f304e9011421d35f3f17296d28c28cb6
- Filesize: 512B
  MD5: b930096b5f51085761546a9ca5205e2e
  SHA1: 981e8b10d424176fe8d85eefbb3fd39b9a07ed01
  SHA256: 1a45e440428034ebe285172f4c7a07f44e056097472d906e7a13e7d1b25d0b62
  SHA512: 022006a2df5206f16e8e4538ea9cb32f3fc7709cba45994790cf07d709148496a4c55f23c44553a41594bd9c9203e8f4e74c0fe9a62d0e43857e3fc4c2c05c85
- Filesize: 8KB
  MD5: c287146b428bee74933eb9ddb48f86fd
  SHA1: bd469207f7c1bbba1abb61ecd15b7eeb5eab99cb
  SHA256: bf4e63782359dd27d748a7fb6e32f95d8b32124f3c466f2d4e25c1ca852a4ebd
  SHA512: dcfa0b11f732174b0299c547f9de716b565ebca1a4e41ccef43847f42f187ece39819699b98908199f5e2b3a25a7a60cbfaa3323e0e29ae7b9cf4abba7a63529
- Filesize: 4KB
  MD5: f6b9604bacd5b3109c28a588ed44a5db
  SHA1: 102f76ba6577175670e899c3299b8dfc1e3b4a89
  SHA256: 0f2299e4acdb667696259a2f4ad604ee0cbd9c06686014049b85b2584b82ca66
  SHA512: 58b8966963928374d3e5a51569ad7ca8d5a56a8ef928522bf12114e315627efee5d7472a530eee70103d333ab0356b62141c3f41929e061543c8e05cbc4a15f5
- Filesize: 8KB
  MD5: b1b96b27009846454b3c0dbf6f42eaa6
  SHA1: 4acd10fc97469df2855bb70789cf0d9f9fca812f
  SHA256: 2c0f31fe21e286a2ae7b57087482492bcaccb9cb8c05082372a189f46094e178
  SHA512: 1d696f91df64906e234b3d6bf373aa4126488997cff668290339c10ea429953232e1f1014158c63dcb5233a958c1ba0cf0bd9d97fbdb0b964e4ccc8987e9c403
- Filesize: 12KB
  MD5: b995606b062dd9603ebe995db21b076d
  SHA1: 7412212b22a2aeac1af8d76c73430a264e1beaba
  SHA256: d798c6a0ed47fd6ced4996d3deb8d4235535592e74137781d4c20caa855da6f1
  SHA512: b74f1b89fec4917c68304f52316225e05aa7b18df9044f443cbdae60a6921301bbb47d34f54f10f1ab9407a23ecea0c4386103c68fb856f0082d61a30ecd567d
- Filesize: 20KB
  MD5: 324d3d4a6285ad95d3b0825ebb9b1b97
  SHA1: b9c954ec2b525e050e758d4ef8272ff8f4922fb9
  SHA256: 48a1384ed6560034b1245a305e9798eef70824434f85064e47fa4aaeb6f7e92e
  SHA512: 92efbb2c33e907f7ba5e29a891b811b73babfe5f84103f4e3e9402c21723df4ed1a3f16c0dc325c08725474574a0f159a230007fd09ee46a8990d70cdfc6d3ae
- /data/user/0/ultfp.xluluazofns/[email protected]
  Filesize: 2.6MB
  MD5: a11095265b09ae16734bc3b64a287e71
  SHA1: 880f31b9f8816a40960b0276447e2252194d5f0e
  SHA256: 886111a93011a48dfb6eb6231c42864b42364bd8a71d0efc229188653dbe0a9f
  SHA512: 81963a169cfbe9dbc6a47a5d5c52d3f25ad3b56e82ad24206b24b257f0118d52393174a4219f6b27b4cb3a2ba8eeb832e61ea5bfb2b2160cee63a895a28cddc0
- /data/user/0/ultfp.xluluazofns/[email protected]
  Filesize: 1.2MB
  MD5: cb16f947895faf71d09cb5ad792b0e35
  SHA1: c1dc4f7d5942a9dc0e1f27bad9239a4b4e8f49a7
  SHA256: e884e38eadd126d05e90daacf4250127ea46787315a235296d3c9341c2df3bef
  SHA512: 8ed0d22895c375649c7eee45c2911d816d194ee36c648e8cf84805dfff0889602bb3d17b376d2e4c73fdb0df23002349df0a872d8e18fe219862ad06970aa2ba
- Filesize: 2.6MB
  MD5: b6d3a4cf3c50723d4c2b606550f66078
  SHA1: fe6541e98b3cc04a31d269c3dd51beda11814796
  SHA256: e10b67c58d2778bbcafa71e34353c26a089eaef19021b8a52274708c6c664a8b
  SHA512: 6b482bec5b3bf9f39f09164b67a416f238973e799a88245422a06caeeda73daf0aa0fa4e319384e6ac6c03c99c5808c9cba990ab5028169e820a2d8694eb7c5e
- Filesize: 1.2MB
  MD5: 1e05a2d987a9b8ace6ec423e1de9ae2b
  SHA1: 8ba9fad037667f9a091541ac11cf4e27965d5288
  SHA256: 743e7d3660de8e672bf0d07078d8e540b1cdb17d216e63b8703fa180c97179b6
  SHA512: 1744113900cd787eb4ee34c9fe5b72dbefd4e6c334373f6f32adde0e3de22044a2cdb1ed9a6137e4dfdb7ec53a7b77fd5d059e07976569a30e192e680233d54c
- Filesize: 171B
  MD5: 549f77eb782915d5fda3844057043670
  SHA1: 7e458263f4a6a4583f596c3465385e902b6bcb5f
  SHA256: 69a1f3c7e9b758613aa06d9180792a47e12d46ce7a76eafac6cfe444305864a5
  SHA512: 7fd1caeabbffc4e3a5ee5177cec42fb0e0820dab1499042fcca10c4eb4e9feb052d52a1509d1e2d87dc9c0caba57803b9a0e0ec9dbd6540266b7f9135eda2814
- Filesize: 150B
  MD5: 09dfcf95fda1603e9c2126c22169013b
  SHA1: 23e96986b88e8b9fdfec06e74537b80bff0c27e0
  SHA256: ef7293f1491645c9d9bf4044dcfbaae4da736ce1670387501261fc4ad55f2fcd
  SHA512: 0dfa0f04a01b13da5a8df4ec9868c5f7d18e3bf26714b09e377fe940b72d822637759f8c0f6ad084a192a6287346af7b32725ecdfc6df77da673dfdd4e49d1c7
- Filesize: 4KB
  MD5: 047ac59103dcae0f2ce9cf2df357e928
  SHA1: 53ff8fbb9a8446a5f51a3734e6a360fc4b5a8fea
  SHA256: 4bdc5cc104e6213a4566dc4e6c096895229f4350a87d4af196d2724191e1a5cc
  SHA512: 6949482d097e6d9fd03ca4da06a90b7929ba3c59ca511f51246fe5224fac3f52c4fe249358fa3001d2d74af05f0b2390f69122fce3034250b69b46fad162bb1e
- Filesize: 62B
  MD5: 57942d1245a0e511cbcab1f63c0f6493
  SHA1: f862d2936222816e23411976a16d749bbfab96f7
  SHA256: fcced9c18c7212d1d731bec6a6958e30782e707dee81abbc68017ac24f7b3157
  SHA512: 7325eefadf6cea0c93aee6d8a4bf6c52cfdab80960022b2ebc028ed9110e2436d9a6e5919479cc6e53887dd8f6ddc105234a521110ad8a20127fa1ce9fdb0785
- Filesize: 70B
  MD5: d4cd564602f4ec928ebb74c081becda0
  SHA1: 4ae287bb1548a420d988af9a2022e87eba4c8094
  SHA256: e20467419241349bab497d3a7375cd54d165b38c5b15e684070ac4bdc6ac4d1e
  SHA512: f54deebdb883ee1bb8a851686ca2bb2fe7c08c7448e10de05914a8bbc93aa7c3f323e569217d085ab882ae8404fee00025fd50de6a626954adbe576673906653
- Filesize: 164B
  MD5: 2afc6003d99984088e9e05ff79c6bf0c
  SHA1: 3c0506468267acd0ff7077818313ce917c79f2a5
  SHA256: 81bb96ce5d3adeab1034f87f0bae1bf1a4626ddd30c6384ba10be9700235866b
  SHA512: b914812a43a502974b51d843138a7fdc0146d82a2d0e461ddb55e41f51cc57eefe2260ae555ff82484a6369c6d7c5225498bbf574813f40d529d9f6a38528782
- Filesize: 132B
  MD5: d121cc9ae4233d45e88e13fd35894ddf
  SHA1: 46fd19b6b9ed225393e5f3d5e1b7236bfba26138
  SHA256: 100f4322c2ab96e679347d08de9eebc3a914683f6fa84777f786c2ee093ee2c1
  SHA512: c3403c8c7a2db352078f46af270445b4d392a2eb79a7db4aa4a1f769a32616b3a267bdbb2f3c5d1989d23fa845c714e3b9ffc6de767dbd68d73a2356c0946837
- Filesize: 81B
  MD5: b8b5f3bfc09d894b59b046a334c95afb
  SHA1: 63553f7add999d1f9279baae996086f6da7e5c63
  SHA256: 724cec8037ad196328560e2dee682aff4e295682d738789468d8123e9d447871
  SHA512: 30d8ca6f0c05b027d1fe1504a5c95efb8b48ab61a8da85fbe49fe5c24cd23266450e95e48cc735244e764019c6065e5b8420d615baaa39d3abc6489479f66b67