Analysis

  • max time kernel
    25s
  • max time network
    147s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
  • submitted
    01-09-2024 02:40

General

  • Target

    7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c.apk

  • Size

    20.5MB

  • MD5

    f95cf2c20d492d6647885e8428d808cc

  • SHA1

    3ac3b2f7b6ef2adf78e3a35463d38c94bc0615fa

  • SHA256

    7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c

  • SHA512

    3d5033bfa909468d92aad54eb5a308ffea9684471cc15810974a43e5c39e81558173774599b79d1d37fd7478516f8ba922d76035694764adb0f0a053636917c5

  • SSDEEP

    393216:Hq0sJA35z7A79L+BCZ1mbgafiubcYZzb/T9i/zVN2I+TX5RUKpPbNiRSKcsIJ6:HqbJA35z7c5JPmbBffcSzti/zVN2IkpQ

Malware Config

Signatures

  • AndrMonitor

    AndrMonitor is Android stalkerware.

  • Checks if the Android device is rooted. 1 TTPs 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs an executable file (Dex/Jar) that was dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 15 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests cell location 1 TTPs 1 IoCs

    Uses Android APIs to get current cell information.

  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • fka.ugsonrqogw
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Requests cell location
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    PID:5069

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/fka.ugsonrqogw/databases/SettingsDB

    Filesize

    124KB

    MD5

    9cf7e03179a00e0097bb8292c310a7f8

    SHA1

    8046f1a0d32003f672b2da8ba6c7eb8f54ffcd17

    SHA256

    b428664066ed6496119d7ef35afee74fe8f5eb834939f9cacbf55804aa592438

    SHA512

    1d046cd7d5a96b0b4f0c5d218f97ebc850ea4a3385658ea4a9d36dc05363659d1dc53660f94d4d7d87794cfd60b94593f304e9011421d35f3f17296d28c28cb6

  • /data/data/fka.ugsonrqogw/databases/SettingsDB

    Filesize

    96KB

    MD5

    50f79c872a10622186faaaa1233ffe66

    SHA1

    e2088609c5f5410799f1fb112130038f7f6a0c8a

    SHA256

    96122bcd690ced71e239c6ab47d4979d7841095c4e46431286eefee8394cf306

    SHA512

    bc0769a91882e832256f59029478e58588fc05dd79ff8a12256500ba9a1280b821e5ef3d8cf67f5d23f4eb52f0964903fe54ec51cdc582f8f8cf502e0c8d2f25

  • /data/data/fka.ugsonrqogw/databases/SettingsDB

    Filesize

    96KB

    MD5

    f227d14edc778c88db08546a89459336

    SHA1

    6d87610796c39f11c3e5ae209a23c4f4ef5b8207

    SHA256

    afeb0c7b1ec809fc34b3309f4df680d365eb3d14f7cddccda0adcfd91bc5d6b3

    SHA512

    ae0f1787fc5ee7440c93889c4c7dbd0f5edf1f585cc4a9a8fdcf1079005be5ca5d9f2cc2562ae55b9a5f4918e080110029c036500cea6aecf6d1e09dd8b01d74

  • /data/data/fka.ugsonrqogw/databases/SettingsDB

    Filesize

    96KB

    MD5

    86f13754d296cce82526c4474719f924

    SHA1

    4898a543a93cd2fa4f10f68579d606bb8f2a3094

    SHA256

    426e90eeb4c137c09aa09f28aecef2e3b8e00d3e7ce536879a6584a31307bb83

    SHA512

    2380adc0bfa36c7bb24452ba6338651f1a9987cb3a35b415ecabddcd3bf8bd91dbd9334fb318a549690a6b287ab8ca7b443a80cc097cb534aa9d88a7fc79c168

  • /data/data/fka.ugsonrqogw/databases/SettingsDB

    Filesize

    96KB

    MD5

    f22527afa2b972a9a72c418c648fe8d5

    SHA1

    ffd63f94c44f17a88d46a78d03cbc707081d009b

    SHA256

    56d1c17e426d11bcf5ed39dcb436af3e8df15f1095aaa02fb36e7ee1a6d4883f

    SHA512

    e4a69c56237ae7d4f23e50035cc1e2419a522a58ff4cfd7421f67c74793bf71c5229304af106795620d6b50655d4d10841f478ab01d9c6edbdfb5bf050f5dd84

  • /data/data/fka.ugsonrqogw/databases/SettingsDB

    Filesize

    96KB

    MD5

    a6a41e277a1a9e5008c1cca1316b2131

    SHA1

    d7431e89e592c5f943f00a53411ef6e757723e5f

    SHA256

    11e1158eccb3b20f996790721115f012d9eeb15b524ef0562eb9fda9d894f282

    SHA512

    9768374067036d7f76c81e77e3db427017cd1db3055475040433bcb5713d667f14383da1301c71de745ff349957fc2479bcb3d9efe79d0e6bda4421a1d80157a

  • /data/data/fka.ugsonrqogw/databases/SettingsDB-journal

    Filesize

    512B

    MD5

    bc53d038bd6211541dd3858a0626f15f

    SHA1

    7146cf0e0e4975d4a68da73424d50aa32ea9ea51

    SHA256

    cc8e736b72b309ef994ab2fa0d4e45117fe537939f5a4f423fa61fa0f5e313d8

    SHA512

    70c3abf9a84563057369bba4f886280c079f64818269e115b1dd2a557e9643cc990ac826181b3d74a5f4f48c10c1cf6aeba6f16925638c7ff9aad7d5781d9454

  • /data/data/fka.ugsonrqogw/databases/SettingsDB-journal

    Filesize

    8KB

    MD5

    98f1cb888ea15020f0e61bf16d3bdc4e

    SHA1

    e6bc2761c94213eb19101bed8b951e70fc2e3095

    SHA256

    9ba37126a5cdf1def080614cc64b277ae050244fdae355f978a73f456817180a

    SHA512

    3a251682e68f64d843319070056656bb0fc9f9ec87b27dbe3adc5bab038f06a537bcc6833880bf774a04341a75efedafb48bfcc12922e82eabf0f1a2840db047

  • /data/data/fka.ugsonrqogw/databases/SettingsDB-journal

    Filesize

    4KB

    MD5

    86c3c19bc2f859a61b7cbd351a7ad5e5

    SHA1

    9856ba994fb1821f6a9028a6567d62d941196e80

    SHA256

    10e295286bb3d36eb96582912a8a98d8181a9ca3de85d46f8923f342d7f75c23

    SHA512

    43929f990a1d829c2c4d52cb3e286c93e5974f2ee72ab145d40bc7a5de9fe2c79b6411d94b249970d03681ebb97e87f0db57fa2cf16e73213a875975d1d17a77

  • /data/data/fka.ugsonrqogw/databases/SettingsDB-journal

    Filesize

    8KB

    MD5

    c6e2f5937a264cbf66a7a1e9cd06947d

    SHA1

    bd7430f8a388d7a470646fb053e9f1c88dd1385b

    SHA256

    d977a9e6a7e71c066d0843f8d357982b3fe596b0cb3f98cb588450f5559ce9ee

    SHA512

    99e3ba8fa99546c3f0e58f481c075b36107c9a5a4fba92a5b4da19a2e27d88dc0bf43eb2600c4fa28bb1f90b18f51e11823efd52b689dcc412f701819966f252

  • /data/data/fka.ugsonrqogw/databases/SettingsDB-journal

    Filesize

    12KB

    MD5

    4becd7b84c664f7425571ff051434a6f

    SHA1

    58f9c7fc563cae4135ad091b893d3eb96e8f1f1e

    SHA256

    423c47b65eed4a4579a891c9b74cfae7165d0fa437e9a27f3c8d07b0682aacc5

    SHA512

    c4419bfc0241433f6e27d3042e8c4a042fc04ebae07006f6dbcb720ed0acddcc7cdb47e0a4d03c443e397407a90599bd142ae0b7a54bf9d35c9904bfa1a7cd2c

  • /data/data/fka.ugsonrqogw/databases/SettingsDB-journal

    Filesize

    20KB

    MD5

    ed8dded5352ad4b9d425364f6952ea0e

    SHA1

    5eb1af40fd50e19d519eb79262abf6a56bdceb84

    SHA256

    4890c12d16ae71999d8deee264a50fccf1ef606b95226d6d58f99d7c2a253052

    SHA512

    ee49fabb0a9a57d3fb670413108aefe9354710dc6c752a4b315ccdfe4c35481c19b685f8937121a60ea4357ae2523fe100a078826db61e028c7a7fa1c0470df6

  • /data/user/0/fka.ugsonrqogw/[email protected]

    Filesize

    1.2MB

    MD5

    336921950a9f279733cd787f1203d73d

    SHA1

    cefc36a7c17909054cf2a507b34f545af96c0e36

    SHA256

    c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c

    SHA512

    6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87

  • /data/user/0/fka.ugsonrqogw/[email protected]

    Filesize

    2.6MB

    MD5

    850905bb253b202528d72a6724d68904

    SHA1

    ab3ad068ac55cff5a8b4f80f4cab5507968d0ce8

    SHA256

    abdd3b7a2034ffeba98a4b5192ee6878e5d05e822f8ded07c7cb413e13c944bc

    SHA512

    a15fb152539326a73ee427fc74760c0e4999708a40b81b5b464a6bba8dc841efbeff2a573418e0754e8d14bd750da7e335f680067a6abc4f7807b6f8a59007a2

  • /storage/emulated/0/.am/dm/md/main.md

    Filesize

    2.6MB

    MD5

    470586b3a055aed7c22156273f38f69f

    SHA1

    39866ece4bc4bcdf2613bd67851ee7ba22df85ab

    SHA256

    65daf0c170cda7fde64c441438cf9875248bd33af61af060d943b48bfb405f8d

    SHA512

    95ab906e2be05248360a5d2a3a4edd61a128e1d71dedc35245384799ae68b686d37ba9063bb2e86a891d96acfec47c897bfca290ee6251afcb07f140aca9c540

  • /storage/emulated/0/.am/dm/md/main_tools.md

    Filesize

    1.2MB

    MD5

    51112e0a7f7962a8e02bc885025414ef

    SHA1

    40622959af4fe349d8881c885b9b30441de8804c

    SHA256

    2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0

    SHA512

    f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402

  • /storage/emulated/0/.am/log.txt

    Filesize

    173B

    MD5

    cad856b2334be7312227562963a3ac7b

    SHA1

    c193db7003e53d1bc4f85c44e1650698cf8dccf7

    SHA256

    62ac88250f674efb263cc9fda95adf848c863cb6a60800003a8f0f8386edf13a

    SHA512

    c9c65ae530ea7bc87a936c12dff7c4f79d606767e1c589aa7bed170caef84cbf7ac38b4a1116f81a8fbad8d7f1df5d774bc912dc7327cc4ca41afc73b0b7a29f

  • /storage/emulated/0/.am/log.txt

    Filesize

    152B

    MD5

    4dd44bb71d92b07840dd1ee4e0fe2937

    SHA1

    86dae05f56fe166e6677baaf8822b7e6dad8b047

    SHA256

    85ed5d67e5d2f059372e3191849ebc6d1c241c229ebcbb26cb49e679a0881794

    SHA512

    a56dc79e4677a4cd335efa7cdaf013205bdb2468dbbfadd1dc3fc76919f9a9efd82bce10808acda493266e830cf5a7fe86d91844b0b8a1027b1a8cdd0aa182d4

  • /storage/emulated/0/.am/log.txt

    Filesize

    4KB

    MD5

    c8692fe7af8ea545be029b2c50a45677

    SHA1

    f134af41474c9ea1aa9c73fb44dbef6627179133

    SHA256

    427cb0f5427bab4ae95eb18d30f1fce4014fde8e05fecb9b9e0cabe24d94d631

    SHA512

    f80e981a56a91b764cd1603381a6785afe1d837eb99dcfff16441434b6b9db182ee91dd6a87dc96bd3fa08b1d4e423b266a9234fafb7c3542897877d73262daf

  • /storage/emulated/0/.am/log.txt

    Filesize

    64B

    MD5

    9f1881db4c5d19dba9eef641519a2b91

    SHA1

    094b9eafe9046826a067cf009733844207eb8c8d

    SHA256

    67c3352f71e663b32ab82e570ba47d1e187affec62771f93f94ce03a0e3c1400

    SHA512

    d68b49b9dbd050e268fb9532c91adbb06418801767208235102b32ef90ba7c7106fb1d89629ef69324c48647e13cdd5810968541b1f9d2f42b33b88e8d05698f

  • /storage/emulated/0/.am/log.txt

    Filesize

    72B

    MD5

    0cbb5c184e9ad843df481b43d718bb52

    SHA1

    b9b0b7fed3ae4757ccf37e850a4f5adcaa4c96a0

    SHA256

    d798c189c50d28b7c54196a8e14ac4c89e3286278d1b1c073b24cf4a8284264b

    SHA512

    baa4533542d64bfce65386b9806d95905d01562dfffc31a0c717b899b256f348d474dd0cdf26b971421d24d71a33c2b863a00ab4d48a220ca8bbd300b06ef79a

  • /storage/emulated/0/.am/log.txt

    Filesize

    160B

    MD5

    1cd5587dbac0ffde5eb3a26714982b08

    SHA1

    2eab1e6ddf089792533b9f8d3c05598561427246

    SHA256

    6dd6d81bee9cf51ab8dcfaaa011157fdc9dae94460f970aec7126e8672210a55

    SHA512

    1126ea564049dbdeff26e3c7582e0aeaeb848e48bcf98c7d5df7e08c810ca182de1af94c3b8782b121dcb1bf210191d057a6c4a73194804e6f1f42d03b33b0bc

  • /storage/emulated/0/.am/log.txt

    Filesize

    131B

    MD5

    8fd01152b29318a7a21284d32e63590c

    SHA1

    c4e003df7da3f1f5574d3a36da66587236ee711a

    SHA256

    bc79429e437b5afc9d6d9115e8e39a33c00d393c0d085729d7afe16a6d52a869

    SHA512

    cc8d06cfc03af7a39767655ac7eb82d9560cc8a0901d902a2ded06ce1abd50d30e106a7c12bd818620a8ff974e9890871646df9d7a9a96db80d97aff86d3d2fa

  • /storage/emulated/0/.am/log_.txt

    Filesize

    25KB

    MD5

    9cb29348ab069ca8d201eaf983d57e34

    SHA1

    55184d1f687edf07f8503e6f85889e8f07d57c81

    SHA256

    421c6d835ae2a04cb6470c72d2f9703765220b5658dbde3a14d03158207b3a7a

    SHA512

    f51a9934b6f50e7ab24ce5009ad8b52e07fe05c50fae0c31a740f565d6eb3f7c60a791ad005c812e48c2330bbc81130e729b790478bf3927207c57b1e7f15e0e

  • /storage/emulated/0/.am/log_.txt.zip

    Filesize

    6KB

    MD5

    48c7133a297f1b28457a3bff7b975119

    SHA1

    cc388b01ee0e961c633e547b3fd892cda5fc8723

    SHA256

    6c4f52071c0fa687b288d0cc965fe94fe8a2995a88a61953db0c8fedac182248

    SHA512

    f3764a569f0d1e40c8e948d6034aeb7e624186d5a63ef845a37efb723483c1e825a9c968a416f9a7ee9d7c5727f1f678d81ac6a838b3d4137c15cb007f9d0a2e

  • /storage/emulated/0/.am/log_1725158422842.txt.zip

    Filesize

    220B

    MD5

    417a136d9c0ee950e5b4ae39cfdd32fb

    SHA1

    4e7ce111054a56c013716b7bacbedb098a0e18b5

    SHA256

    10670809bfc04683d7f9e3d1b4f77282e9a69df52a729d00f5657da70ad0b0ed

    SHA512

    38b095b69e90a6d79d0f410b7ed13f46181c7096aa7321a4dc88c82d2486deedbd96f7b3d0c38f8790e0e876925778df0b093be25bb6d85ee61ded76663a703b

  • /storage/emulated/0/.am/prog_class.name

    Filesize

    67B

    MD5

    d8ad6773b632b7d8066ed57c6c482c6b

    SHA1

    c07e66a0e8e58e190392896d7b178b7079741967

    SHA256

    50eb09209f1670f34baec877f8bc19fd1ce7419e10da063b46fa4025558dc4ae

    SHA512

    4bba534c373aa27100f1c5eec84c0a9d77c0dc447dd33de3757c4d656a7c8bb7d602fb214102005e355fb9a22687dff6e141063d086ec4275a9b01c8c8c90fa2
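The Downloads section above is most useful as a set of host indicators for a device triage: the package name `fka.ugsonrqogw`, the hidden staging directory `/storage/emulated/0/.am/`, the SHA-256 values of the dropped payloads (`main.md`, `main_tools.md`, `prog_class.name`), and the rotated log archives named `log_<digits>.txt.zip`, where the digits are Unix time in milliseconds (`1725158422842` decodes to 2024-09-01 02:40:22 UTC, which matches the submission time listed under Analysis). The helper below is an added example, not part of the sandbox report or the malware: it hashes a directory pulled from a device (for instance with `adb pull /sdcard/.am`), matches SHA-256 values against the report's dropped-file hashes, flags staging-directory paths, and decodes the timestamps embedded in the log archive names. The directory built by `demo()` is constructed for the demonstration and its file contents are stand-ins, not the real payloads.

```python
"""IoC triage helper for the AndrMonitor sample in this report (added example).

Hashes files pulled from a device, matches them against the SHA-256 values
from the Downloads section, flags paths under the sample's staging directory,
and decodes the epoch-millisecond timestamp in log_<ms>.txt.zip names.
"""
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone

PACKAGE = "fka.ugsonrqogw"
STAGING_DIR = "/storage/emulated/0/.am"

# SHA-256 values of dropped files listed in the report's Downloads section.
KNOWN_SHA256 = {
    "65daf0c170cda7fde64c441438cf9875248bd33af61af060d943b48bfb405f8d": ".am/dm/md/main.md",
    "2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0": ".am/dm/md/main_tools.md",
    "50eb09209f1670f34baec877f8bc19fd1ce7419e10da063b46fa4025558dc4ae": ".am/prog_class.name",
}

# log_1725158422842.txt.zip -> the 13 digits are Unix time in milliseconds.
LOG_ARCHIVE_RE = re.compile(r"^log_(\d{13})\.txt\.zip$")


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large pulls do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def log_archive_time(name):
    """Return the UTC datetime encoded in a log_<ms>.txt.zip name, or None."""
    m = LOG_ARCHIVE_RE.match(name)
    if not m:
        return None
    ms = int(m.group(1))
    # Integer split keeps the millisecond exact instead of going through a float.
    base = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return base.replace(microsecond=(ms % 1000) * 1000)


def is_staging_path(path):
    """True for on-device paths under the sample's hidden staging directory."""
    return path.startswith(STAGING_DIR + "/")


def scan(root, known=KNOWN_SHA256):
    """Walk `root` (a pulled copy of /storage/emulated/0/.am) and return hits.

    Each hit is a tuple (kind, relative_path, detail): kind is "hash" when the
    file's SHA-256 is in `known`, or "log-archive" when the file name carries an
    embedded timestamp (detail is then the decoded ISO-8601 time).
    """
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            digest = sha256_file(full)
            if digest in known:
                hits.append(("hash", rel, known[digest]))
            ts = log_archive_time(name)
            if ts is not None:
                hits.append(("log-archive", rel, ts.isoformat()))
    return hits


def demo():
    """Build a constructed copy of the .am layout and scan it.

    The payload bytes are a stand-in (constructed for this example); its hash
    is added to a local copy of the IoC set so the hash match path is exercised.
    """
    root = tempfile.mkdtemp(prefix="am_pull_")
    os.makedirs(os.path.join(root, "dm", "md"))
    payload = b"constructed stand-in for main.md, not the real dropped payload"
    with open(os.path.join(root, "dm", "md", "main.md"), "wb") as f:
        f.write(payload)
    # Empty file named like the rotated log archive from the report.
    open(os.path.join(root, "log_1725158422842.txt.zip"), "wb").close()
    known = dict(KNOWN_SHA256)
    known[hashlib.sha256(payload).hexdigest()] = ".am/dm/md/main.md (constructed)"
    return scan(root, known)


if __name__ == "__main__":
    for kind, rel, detail in demo():
        print(f"{kind:12} {rel:32} {detail}")
```

On a real pull, run `scan("/path/to/pulled/.am")` with the default IoC set; a `hash` hit ties the device to this exact sample, while `log-archive` hits give a timeline of when the stalkerware was rotating its logs, which is usually the question a victim wants answered first. The SettingsDB snapshots in the report have different hashes at each capture, so database hashes are deliberately left out of the IoC set.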