Analysis
max time kernel: 25s
max time network: 147s
platform: android_x64
resource: android-x64-20240624-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
submitted: 01-09-2024 02:40
Behavioral task behavioral1
Sample:
7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c.apk
Resource: android-x86-arm-20240624-en
Behavioral task behavioral2
Sample:
7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c.apk
Resource: android-x64-20240624-en
General
Target:
7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c.apk
Size: 20.5MB
MD5:
f95cf2c20d492d6647885e8428d808cc
SHA1:
3ac3b2f7b6ef2adf78e3a35463d38c94bc0615fa
SHA256:
7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c
SHA512:
3d5033bfa909468d92aad54eb5a308ffea9684471cc15810974a43e5c39e81558173774599b79d1d37fd7478516f8ba922d76035694764adb0f0a053636917c5
SSDEEP:
393216:Hq0sJA35z7A79L+BCZ1mbgafiubcYZzb/T9i/zVN2I+TX5RUKpPbNiRSKcsIJ6:HqbJA35z7c5JPmbBffcSzti/zVN2IkpQ
Malware Config
Signatures
- AndrMonitor
  AndrMonitor is an Android stalkerware.
- Checks if the Android device is rooted. (1 TTPs, 2 IoCs)
  ioc: /sbin/su (Process: fka.ugsonrqogw)
  ioc: /system/app/Superuser.apk (Process: fka.ugsonrqogw)
  pid: 5069 (Process: fka.ugsonrqogw)
  pid: 5069 (Process: fka.ugsonrqogw)
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/fka.ugsonrqogw/[email protected] (pid: 5069, Process: fka.ugsonrqogw)
  ioc: /data/user/0/fka.ugsonrqogw/[email protected] (pid: 5069, Process: fka.ugsonrqogw)
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect account information stored on the device.
  description: Framework service call; ioc: android.accounts.IAccountManager.getAccounts; Process: fka.ugsonrqogw
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  description: Framework service call; ioc: android.os.IPowerManager.acquireWakeLock; Process: fka.ugsonrqogw
- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (15 IoCs)
  flow 6: prog-money.com
  flow 116: anmon.name
  flow 9: anmon.name
  flow 136: anmon.name
  flow 7: prog-money.com
  flow 13: prog-money.com
  flow 105: prog-money.com
  flow 104: prog-money.com
  flow 108: anmon.name
  flow 122: prog-money.com
  flow 123: andmon.name
  flow 8: anmon.name
  flow 14: andmon.name
  flow 86: prog-money.com
  flow 87: anmon.name
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call; ioc: android.app.IActivityManager.setServiceForeground; Process: fka.ugsonrqogw
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description: Framework service call; ioc: android.net.wifi.IWifiManager.getConnectionInfo; Process: fka.ugsonrqogw
- Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)
- Reads information about phone network operator. (1 TTPs)
- Requests cell location (1 TTPs, 1 IoCs)
  Uses Android APIs to get current cell information.
  description: Framework service call; ioc: com.android.internal.telephony.ITelephony.getAllCellInfo; Process: fka.ugsonrqogw
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description: Framework service call; ioc: android.app.IActivityManager.registerReceiver; Process: fka.ugsonrqogw
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description: Framework service call; ioc: android.app.job.IJobScheduler.schedule; Process: fka.ugsonrqogw
Processes
fka.ugsonrqogw (PID: 5069)
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests cell location
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1): Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1): Suppress Application Icon (1)
Downloads