Analysis
- max time kernel: 137s
- max time network: 150s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 01-09-2024 02:40
Behavioral task: behavioral1
Sample: 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c.apk
Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
Sample: 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c.apk
Resource: android-x64-20240624-en
General
- Target: 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c.apk
- Size: 20.5MB
- MD5: f95cf2c20d492d6647885e8428d808cc
- SHA1: 3ac3b2f7b6ef2adf78e3a35463d38c94bc0615fa
- SHA256: 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c
- SHA512: 3d5033bfa909468d92aad54eb5a308ffea9684471cc15810974a43e5c39e81558173774599b79d1d37fd7478516f8ba922d76035694764adb0f0a053636917c5
- SSDEEP: 393216:Hq0sJA35z7A79L+BCZ1mbgafiubcYZzb/T9i/zVN2I+TX5RUKpPbNiRSKcsIJ6:HqbJA35z7c5JPmbBffcSzti/zVN2IkpQ
Malware Config
Signatures
- AndrMonitor
  AndrMonitor is an Android stalkerware.
- Checks if the Android device is rooted. (1 TTPs, 2 IoCs)
  ioc | Process
  /system/app/Superuser.apk | fka.ugsonrqogw
  /sbin/su | fka.ugsonrqogw
  pid | Process
  4244 | fka.ugsonrqogw
  4244 | fka.ugsonrqogw
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc | pid | Process
  Anonymous-DexFile@0xc892c000-0xc8bbd638 | 4244 | fka.ugsonrqogw
  Anonymous-DexFile@0xc7b94000-0xc7cbf4b8 | 4244 | fka.ugsonrqogw
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect account information stored on the device.
  description | ioc | Process
  Framework service call | android.accounts.IAccountManager.getAccounts | fka.ugsonrqogw
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  description | ioc | Process
  Framework service call | android.os.IPowerManager.acquireWakeLock | fka.ugsonrqogw
- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (3 IoCs)
  flow | ioc
  3 | prog-money.com
  5 | anmon.name
  11 | andmon.name
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.setServiceForeground | fka.ugsonrqogw
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description | ioc | Process
  Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | fka.ugsonrqogw
- Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)
- Reads information about phone network operator. (1 TTPs)
- Requests cell location (1 TTPs, 1 IoCs)
  Uses Android APIs to get current cell information.
  description | ioc | Process
  Framework service call | com.android.internal.telephony.ITelephony.getAllCellInfo | fka.ugsonrqogw
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description | ioc | Process
  Framework service call | android.app.IActivityManager.registerReceiver | fka.ugsonrqogw
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description | ioc | Process
  Framework service call | android.app.job.IJobScheduler.schedule | fka.ugsonrqogw
Processes
- fka.ugsonrqogw (PID: 4244)
  - Checks if the Android device is rooted.
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Queries account information for other applications stored on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about the current Wi-Fi connection
  - Requests cell location
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - su (PID: 4289)
Network
MITRE ATT&CK Mobile v15
- Persistence
  - Event Triggered Execution (1): Broadcast Receivers (1)
  - Foreground Persistence (1)
  - Scheduled Task/Job (1)
- Defense Evasion
  - Download New Code at Runtime (1)
  - Foreground Persistence (1)
  - Hide Artifacts (1): Suppress Application Icon (1)
Downloads
-
Filesize: 124KB
MD5: 4c0ccabb25100a908b9db06434a6af8b
SHA1: 555d9ecfa42e17aec483e1c05be0fc1362db9e66
SHA256: 79aee6f8af24ae6adc8537de3a061bde3778d3d9634265b85b3e8727d4116304
SHA512: b9a4a1227fa927f0ef987a720c5bf16af71f3fba8c1a40d5387ad0d4ba193a1b7b23634b0850af7c25b55c8b2e984e7c84ab8fb3e55c83b3bc2ff859f4dcc5bb
-
Filesize: 96KB
MD5: 3b357b7ea8d86a3e8228c352dcdd4bd8
SHA1: 9579594b500d9362a42d57f83e1f0d4a50b8f91b
SHA256: 73043bce153b3e0c40adea3e6ffdaad0bd38cadcb443ecb4a8ef4da9e3d8ae59
SHA512: e8c9ddcecaadb0f752a436b18371de5ea7fbf7a93df96fba20fe7e91d10c3e79fe16df39e18edc8f85749e054215c8e8abc7d5c43de18bee6b16a30819dbd4a3
-
Filesize: 96KB
MD5: d69f0de2aa993c43d5f12d61a298bfa2
SHA1: 77bd4f455e3c90b45ddacb1f023351ea9d92606d
SHA256: 277cfdfa3180787698ed8e6830f36ce4ecd4dde411766c2e104f21886c9aed37
SHA512: 38ddaf48016f9a0b27facb30bc60844257b955eb9b220db0ce0167dad7256378765f7bdd5faac5c8fd1dc4bdbe6dce87ab73787433e382c008a3074cf499b0e3
-
Filesize: 52KB
MD5: b6815b344f6926d458cea05acd052cdd
SHA1: 88f524aff1d4c5fee979a203dd952427871a7097
SHA256: 028666f28ae0086b18fb740f792e8a80ad05547f0c7cb9d2dc8080e5125db366
SHA512: 0431375f80e9c467d0abb042e43681a973bce455fe8354f5a138f19a3b28d3adc7eac3fe4c20bf44f085810749569b87a393185cd8f8bf2687f0923b8de4dade
-
Filesize: 96KB
MD5: a3d802698e402a270527d4ae5f7ba8cf
SHA1: 4e4c9bfcb9103294a357496cca270ef606c028e6
SHA256: 3b9c8431ff80606130198da094659dc94921304e79c17c7c13ffd5ab9ff1cd7e
SHA512: 5bd54923d322dadcd5fa8514bac4a8808ee054e0bbd91e5f58ae98c3bb5115fedaf2026c1a02d0834e59377561e44c4742d0c294b10f2e1c40d57759ae07d448
-
Filesize: 144KB
MD5: e236d7f4a9a5e7f4a329b3f4dac9ec16
SHA1: af601dbc8264d0cdf8afa8c5f78faee19265d5a7
SHA256: a4f37db082d9da39442066ec11138f1e6cdb100821a339a6d9c2dfd5ff9b5310
SHA512: 0a3a7fff62cd894294645289600fc684aec5856d2508eeb32539b2f5e97eb5aaefa236bc4583c37258a76a7a0a90799790d139b266fb07be12d14e11383982b5
-
Filesize: 512B
MD5: 5a9e4641aea84aa59611c33cec464cfa
SHA1: 868b8185582d349eccabde75c6dac3afdedd149b
SHA256: 6cd993f639c4184bfdda1f738ae3ea0443d569b61e066b4b67a2b0b8ed613b3d
SHA512: e30ae2bc61ba254d3f8e3fee66ac100072fbe3533bfc8b16a3341b3b8059e33134943c3dc10b5c5559dfbc7f13d2764ef43e35838ec7d01f79486cd05463b26f
-
Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize: 414KB
MD5: 215ee5a0c5fc9e8a0e46b2cfb289ab2a
SHA1: 589cae5ff8ade4e43aa475a5781bdfda8238aced
SHA256: 04f384125e88fb92e700b52ae2f6bf944a5af41a8f253d495fd2ea0e72c7621a
SHA512: c10ebd543538eecfa3dbcec1b437fb5805333589de69dbc9faf7b39674f100f14c838a2a7402bcdf1b21be6de3dd97905b33c5cac926f66589b76d690b6681be
-
Filesize: 8KB
MD5: 53d99db9fba62612b50083cdc6ad7038
SHA1: e166cd115a1d2cfe878e894a980277eec7fa6053
SHA256: 0d4b3b137d6e87de165a1b1d02c340174a8e468ab93178a818c972669af1bc07
SHA512: 6918dd49dd84f6f32ec7591196665e5a1641b92a3edebefc60df23c555cf0ceb473149892811ffcb02fbb17ee4436c5a29f1116bf54aed5d5a2a8caa0a23ac82
-
Filesize: 8KB
MD5: 38b542e53d2809ad843877adf0f291ad
SHA1: c9786c16cb19c17816a6adff41df51ff9fb3faaf
SHA256: a74ac9ba9fbe1026060a33b39c49970e8d7d01fd32b54ac9700a6121b3522ba0
SHA512: 46f32691089194d842386e0e2510879dfbe7e8bae6bd96a5fbf5a5087de096c2f6c7baba45897f698275bc10557feffa9391603006d16699259f8f526d8346bd
-
Filesize: 4KB
MD5: 3ce4ddaf71cce1549a715ed200720cb2
SHA1: 72d414c2876f1a0ff748ab8bc92074d952637cf4
SHA256: 3f37412f6f75315fb55fdc6da758a4b82cdd583e64ecbc23f05e780fde32244c
SHA512: 5ebb5bb9e029447139e14d4a4e63ff1b60104c9f1cec299def69492c777f864a7f7080c7bb05755c968224c14756148efd2494aad72574ced432b3edbe7a045e
-
Filesize: 8KB
MD5: 337387194ef35864e248afbb997c63c4
SHA1: 4737d49bc00afe3b8e6c97e2c5c970ab50b19110
SHA256: 42975c039f35f66c8c597a0f66c21f5b30da791dda89100a9298f442b23c9878
SHA512: cbf6a8ae60a3696e079171dbabd73b5573f67639518dd63e9a2ff5b9fc68e6995d632fafb91b0b2c1c44e272411177f4e868a415cbb7608b0bbba76b2ca8f43a
-
Filesize: 418KB
MD5: 537cebbe5823d10f30891e064221afbd
SHA1: f84eeacc9d737fb33a66bd94cfc3c9e376a8e3f8
SHA256: f876d580c5b666612f0b4abf8148b1ed92f01c2a22d2a3a9988df2d989597b3a
SHA512: c7e7b138f1384e91cd885e69568c5000ff2beb260722e24ddb6816c764911821f7cc78ca134ea8f086c7338ffca1970f7ea1f7dd1f6b9bd95b2bf561653b343e
-
Filesize: 2.6MB
MD5: 470586b3a055aed7c22156273f38f69f
SHA1: 39866ece4bc4bcdf2613bd67851ee7ba22df85ab
SHA256: 65daf0c170cda7fde64c441438cf9875248bd33af61af060d943b48bfb405f8d
SHA512: 95ab906e2be05248360a5d2a3a4edd61a128e1d71dedc35245384799ae68b686d37ba9063bb2e86a891d96acfec47c897bfca290ee6251afcb07f140aca9c540
-
Filesize: 1.2MB
MD5: 51112e0a7f7962a8e02bc885025414ef
SHA1: 40622959af4fe349d8881c885b9b30441de8804c
SHA256: 2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0
SHA512: f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402
-
Filesize: 173B
MD5: 4b77078aec4470dbddd8ef7726c0d2b2
SHA1: b6d2524baba99b329ec6115b4f9c564e85a99f87
SHA256: 498ec3428f0b5fdd2050f23c6050b560ec83998b7f6b942e258e24dfc066ae97
SHA512: 2406f6f1d953d4d35690bdc96ed675bd7562c1f94eabaf649bd75c522988fc3aa4165685b57e197acc9524622c64fe05dafc193bc570ac21701e458bb10dc197
-
Filesize: 152B
MD5: eace8c52b40c0c00a6507a960da6e633
SHA1: 2bbfe0e79ae1e80305999e5a5adf925916ed2dc6
SHA256: 2dc8e8be6dcc05c3588d7c667e826fce4218ae0489142c386fc3bbee5b3cf7f6
SHA512: 391bb04eb35f439e01c3c697b19a18df43ada9c36d0bdf952bd407cceac6699765c579bceb56cda10105b9ce936aa370ebf49fb0799e508b95ea12ee438d9b9d
-
Filesize: 3KB
MD5: d7420a29bd689ef015279426b9781713
SHA1: 9f52441113868442d1e3bc7fad24da13cebdfc78
SHA256: b6a2760384dd28226bf7382f54dc03f9ddf1e7a07a7788715ad3df72a4e314be
SHA512: 9acc0edf882f63cce485447ee0446259faaca87ba3824f4097235ad27ce848ce12128a55714f4324868eeaff5b94a24cb5d3d9000885b1e2de363edeb41a7fac
-
Filesize: 64B
MD5: 9da3a83f243a6a6c41e9bbcc9ea8a543
SHA1: c3e2588ef8953924f1fe61f8bf6607b90ea45adf
SHA256: 501b7f60d3fcbfa234571e05af4fecb4fa065b75cf0bb08617b0bf5d2f0b1391
SHA512: be9c7df5e62bc728a39ef83702aea5bc87ab4dd71a2c78b7fe461ce2695da964c5e460e120c1dfe2d1d0b5391d89650e1b6373c6378672fe0637cbe7527c4354
-
Filesize: 72B
MD5: 6c5ccac0e97c76f3974bab623034b04a
SHA1: 141fba27e93499ac4f7866df7a8b7f5c44a1e41c
SHA256: f71af1d75b4a3052db696f401b8c84ee25c34595512ca3a89fe3597f22ad2c72
SHA512: 6f7d82f659def504540e6565919f842127d317512faaafba55a57f0434c427f8bd497463572c02ba5787fca377aa36efb6d4bcef20cdd55e8925501f0d56fa17
-
Filesize: 157B
MD5: c0ddddb5b50d28239ca902646499ce9f
SHA1: 22411f55bda3574e4401530792d4a06b9f50acc9
SHA256: 69c17dbfdcc64e741fe022b648a065d935221e344e5c3bbc3c3bd69406087a50
SHA512: ba5cb56d2491f12224774656a1e275b89f5db021b09e5e656430b7522d6b7391df4717368cb458c012c21f116aca80deaa9b79af08de26c21a6c66372d7b48b7
-
Filesize: 131B
MD5: 0acf397e7f7d14d5506b96065721f719
SHA1: f9450f423bc58e00d85c3fd5e07ad7e84a96ff43
SHA256: bbf1ebc9d1e5f1dd2ea7e8c0a1a62a27347375eaea91393c4ee468f3fa2bf44d
SHA512: fbc4dab497e44cd2a6fb6b930c08ada069d597fe94a8bdc96d41749d8d218695740f07062ef0a0f0c90c66bfa75eb44600524028b20058282734d506a8ab6624
-
Filesize: 25KB
MD5: 70f3958aa9f0f2efd81147e6d32a2cf0
SHA1: 38b5244f07ef7ec65e85ef9a0c0f463ef475f032
SHA256: 39c4506b5bc25ff0c49164d5af7d2599f0426c39f31aeedf274e32762abf91dd
SHA512: c9ee679f4cf5662c1f2c5f2a63a0eb0d5219abe3ed938aa7d24ed3816efd015ef0611be6dc91bd76ba468eaccef94d05c85a146f47a84c83f1b01760a574e1fd
-
Filesize: 6KB
MD5: e2fa6fc9528aa5fbde71293b34531aad
SHA1: c3e3222debb54b2e6bf467aeca27ca3d5270f307
SHA256: 0c76ec318c78595bc739ee59581460ebf1f06f4650bade42bc599325670b3279
SHA512: 71cccfb767fbd08f0df81d55b0f6160774a3572c48498d59f72cd27d186d37276d1b96036b741858293ec4a66bba47e7109ea7d40c50b6dc0b75c10eabc53c75
-
Filesize: 220B
MD5: 2e72b038600efba9d3fd806f6399feb2
SHA1: ff836394d1c017aaa325f6f8d751484eb003fe60
SHA256: a41963007706d02d765f343e357db575b799c518db844c91c04dfb2a83ac1348
SHA512: bc891fd651eabcaa621f07b1338ff133e9cefead10895c49022654d3373da6d7b057e93927a8f5337be3395da5c4934d2dc6eff9d087fa86885ab217583e89ee
-
Filesize: 67B
MD5: d8ad6773b632b7d8066ed57c6c482c6b
SHA1: c07e66a0e8e58e190392896d7b178b7079741967
SHA256: 50eb09209f1670f34baec877f8bc19fd1ce7419e10da063b46fa4025558dc4ae
SHA512: 4bba534c373aa27100f1c5eec84c0a9d77c0dc447dd33de3757c4d656a7c8bb7d602fb214102005e355fb9a22687dff6e141063d086ec4275a9b01c8c8c90fa2
-
Filesize: 1.2MB
MD5: 336921950a9f279733cd787f1203d73d
SHA1: cefc36a7c17909054cf2a507b34f545af96c0e36
SHA256: c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c
SHA512: 6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87
-
Filesize: 2.6MB
MD5: 850905bb253b202528d72a6724d68904
SHA1: ab3ad068ac55cff5a8b4f80f4cab5507968d0ce8
SHA256: abdd3b7a2034ffeba98a4b5192ee6878e5d05e822f8ded07c7cb413e13c944bc
SHA512: a15fb152539326a73ee427fc74760c0e4999708a40b81b5b464a6bba8dc841efbeff2a573418e0754e8d14bd750da7e335f680067a6abc4f7807b6f8a59007a2