andrmonitor | 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c

Resubmissions

19-10-2024 09:10

241019-k5aveaxhqa 10

05-09-2024 16:10

05-09-2024 16:09

01-09-2024 06:20

01-09-2024 06:13

01-09-2024 02:40

Analysis

max time kernel
140s
max time network
151s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
01-09-2024 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

am.apk
Size

20.5MB
MD5

f95cf2c20d492d6647885e8428d808cc
SHA1

3ac3b2f7b6ef2adf78e3a35463d38c94bc0615fa
SHA256

7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c
SHA512

3d5033bfa909468d92aad54eb5a308ffea9684471cc15810974a43e5c39e81558173774599b79d1d37fd7478516f8ba922d76035694764adb0f0a053636917c5
SSDEEP

393216:Hq0sJA35z7A79L+BCZ1mbgafiubcYZzb/T9i/zVN2I+TX5RUKpPbNiRSKcsIJ6:HqbJA35z7c5JPmbBffcSzti/zVN2IkpQ

Score

10^/10

andrmonitor banker collection discovery evasion execution infostealer persistence spyware stealth trojan

Malware Config

Signatures

AndrMonitor
AndrMonitor is an Android stalkerware.
trojan infostealer spyware andrmonitor

Checks if the Android device is rooted. 1 TTPs 3 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/system/app/Superuser.apk	fka.ugsonrqogw
/sbin/su	fka.ugsonrqogw
/system/bin/su	fka.ugsonrqogw

Removes its main activity from the application launcher 1 TTPs 2 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4625	fka.ugsonrqogw
4625	fka.ugsonrqogw

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/fka.ugsonrqogw/[email protected]	4625	fka.ugsonrqogw
/data/user/0/fka.ugsonrqogw/[email protected]	4625	fka.ugsonrqogw

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Queries account information for other applications stored on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	fka.ugsonrqogw

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	fka.ugsonrqogw

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 10 IoCs

flow	ioc
26	prog-money.com
27	prog-money.com
28	anmon.name
41	anmon.name
44	anmon.name
29	anmon.name
30	prog-money.com
32	andmon.name
45	anmon.name
46	anmon.name

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	fka.ugsonrqogw

Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	fka.ugsonrqogw

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests cell location 1 TTPs 1 IoCs

Uses Android APIs to to get current cell information.

collection discovery

Location Tracking

T1430

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	fka.ugsonrqogw

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	fka.ugsonrqogw

fka.ugsonrqogw
1⤵
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests cell location
- Schedules tasks to execute at a specified time
PID:4625

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Credential Access

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Location Tracking

T1430

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/fka.ugsonrqogw/[email protected]

Filesize
1.2MB

MD5
336921950a9f279733cd787f1203d73d

SHA1
cefc36a7c17909054cf2a507b34f545af96c0e36

SHA256
c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c

SHA512
6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87

Download Submit
/data/user/0/fka.ugsonrqogw/[email protected]

Filesize
2.6MB

MD5
850905bb253b202528d72a6724d68904

SHA1
ab3ad068ac55cff5a8b4f80f4cab5507968d0ce8

SHA256
abdd3b7a2034ffeba98a4b5192ee6878e5d05e822f8ded07c7cb413e13c944bc

SHA512
a15fb152539326a73ee427fc74760c0e4999708a40b81b5b464a6bba8dc841efbeff2a573418e0754e8d14bd750da7e335f680067a6abc4f7807b6f8a59007a2

Download Submit
/data/user/0/fka.ugsonrqogw/databases/SettingsDB

Filesize
124KB

MD5
f15335a640f24813c9b345c99da7e16d

SHA1
a0e7fdc85b3c1420bf342676be577f146f5dce49

SHA256
6baf6ee8c7c503ed9962ff49957fe3c0b707171d1913450d97c84856a6ae31b9

SHA512
5f51ec199de29b23e398d143c4f0faf58ba655a4f455ecafd5b6303c0ef428f3165f5db49daf4697f1dba3033da51113730ee5ad158a9ea9f8f6b9a10b044f19

Download Submit
/data/user/0/fka.ugsonrqogw/databases/SettingsDB

Filesize
96KB

MD5
706f64b61a3ce7f6d6e77671a5d2f18b

SHA1
5a08d51893417676df424ade06404c6d33f875ab

SHA256
3757f76ba2c7b229384320ba2693ead50e5df9f4c07f0cfbb44fd72e60504314

SHA512
bca7a0783e63b82b915d840d8186927b9f9ecb31e9f16574d5b7f5a9f2171172ae73295b1bc0008c8f5f054d0f409a639b1735104df8a9abd7be91d956368cbd

Download Submit
/data/user/0/fka.ugsonrqogw/databases/SettingsDB

Filesize
96KB

MD5
f594a2ee04b39e748f43576563333aef

SHA1
5071da373e7af11d04c69868fa68f0d4deb5d55d

SHA256
c64ff86fd13124490bfc98cfa9c6a472a2b2b4ccc82e62a697e61c7e315cb1eb

SHA512
4d788bf3d76be6b1f22d9fb61b73b5ef00e40cba9ed6450cbef330493a5e085c05c9ca4e6e8a039c30ad7069a50652f3d4783d9f026c6726fa3d9564114167a6

Download Submit
/data/user/0/fka.ugsonrqogw/databases/SettingsDB

Filesize
96KB

MD5
fccdfd14d0b472323cf0fe8ec33d8682

SHA1
2beac700344119cdcab8cab87b8a92830731d967

SHA256
c0a624da22e643c9d520b938f08079b8d2f8c559c77c6e41f06841738f203227

SHA512
4a3de448c341b0cae7f076968909d42db39ea4be396dcc419eb709de54b5f2110d0c86b37b5d30bf9d82e5684ed96b40cecaef59a51f1c9e369db222a1ad2373

Download Submit
/data/user/0/fka.ugsonrqogw/databases/SettingsDB

Filesize
96KB

MD5
dfbe4eae2fc49957afba75fe12b1c4e4

SHA1
676fd60d881e3fd79a4b974c4d89475ee70ea84d

SHA256
32a1ea8dee3eb42dc0ff66845af96ce260a191c45533fdd921cc94aa85b80e0e

SHA512
3d5ca808896a2f55b9c93a22dad3fb93fecd1f7fe6b0d71b32d1c1965ca7e7f2dec0b434a2c23eb3948bc090b366d38b84ae543e61808fe1a662e5287371f141

Download Submit
/data/user/0/fka.ugsonrqogw/databases/SettingsDB

Filesize
172KB

MD5
865bb4d2d084eb2998788c23ae35b9eb

SHA1
c165b3e2fb02188327bc2f39bff7fecdbb25e710

SHA256
f16d3a720330e31ca24aa957bfc3b5d501c05b6adb2880e2aec504ae9fb03673

SHA512
9b57d1b28cc70bda9f7814345d09517cdd0d14535d37b528eaf132d1bace2cf9eb9b4d53d31b3a71792bc87688c0bed7f79d763e5336023b44e2b65b7df0bef8

Download Submit
/data/user/0/fka.ugsonrqogw/databases/SettingsDB-journal

Filesize
512B

MD5
08e144a3e9b34d60c9c08387115c943c

SHA1
fabcb86a5afaa92b6ca8aa38463c8c99306680c7

SHA256
d4cdf9e6cda8caf4148a04f54564fc50fff703ed7a6d3003f5ac0e3d8da89555

SHA512
f0019b79a09cb308f2ecb4e892106446c99fe4a7c881c9f8e74611f21f3c8f8fea1024e0296a0e4c42b02b18ce9db2c1020b18b13f8ec0ed2c28bff24c8c69e7

Download Submit
/data/user/0/fka.ugsonrqogw/databases/SettingsDB-journal

Filesize
8KB

MD5
647c15b9c6d4331639eedebd329b958b

SHA1
d4a114f9ddb1629693bc5243cf876261da3a6d63

SHA256
0b2f5e66476198945a49f749626efb8d43275b9ef6cdd7faffae4cbc87161f7c

SHA512
7e52b4d570da969335313ccdfda0fcaf02697fbfc1a4c1676f0960dfdbda945d1edfb1a81c07d31887377a43c1085b67694aa0fcd43eafa7916afe2cae60564e

Download Submit
/data/user/0/fka.ugsonrqogw/databases/SettingsDB-journal

Filesize
4KB

MD5
5af7959ccdf1ea81d9099218ebb21e8f

SHA1
8c002137910bdc39ef14aeec1483fed7c056bfa7

SHA256
9903fc31f2b35953852f3cf8c00025fa1fd1ee946be9bf0c966f9405426a537f

SHA512
af9bbd417dfffc129e9760ed4f5e2bd55fbe34b2ad4b20c542fd46c6c6da7fdce1887b9081565c0564b994ebaa55e0c5bd155e0e662cfa8c61d48d6285afa5c3

Download Submit
/data/user/0/fka.ugsonrqogw/databases/SettingsDB-journal

Filesize
8KB

MD5
40f3eb5b3d3516c04c87aba8730d499c

SHA1
6ad1869053930f9b35a5068d83ca5d70c96e657f

SHA256
43dc37842a8737f513be6d93eee481dcbc0b189a07efc3273f596fc5867e5f92

SHA512
985450b5de8abf80331db64a0b914827a68b28048e6c80556ab9aa894574c572e21af1aa011ae9a8efd22165a17d9018692cf2a522828c959fae4a9e1b58a06b

Download Submit
/data/user/0/fka.ugsonrqogw/databases/SettingsDB-journal

Filesize
12KB

MD5
7972b59ef8079f4a4a49a8c86d6f5edc

SHA1
69535350299cf9699a6f119685fec536352b54a4

SHA256
0b1b168b4ff863306c6e1aa41fd4d1f7920d40dfd4b41f6a602448fc3c3bed99

SHA512
b3954c82597ce5bff8124a6eabe0a8e88c55c2885cc4bd0ee21e16bd9716efea91d779299ef887260469f6378a8a0c7aea029f85241d6e359232f0ba5428c4b9

Download Submit
/data/user/0/fka.ugsonrqogw/databases/SettingsDB-journal

Filesize
24KB

MD5
60e3ac46773068064515819d77cd386c

SHA1
112ebf96587a26f6a9d6d716f52cfc83268b5afc

SHA256
9813885701f5fc9662cfa8f11a3066c09bab54a44dc25b8a037e6f9a42110ca2

SHA512
ba9226a8c4bd490b470ac25c28f1469d355d953d4f5c752cf5de34652d2ee6930928c29d3646804f60ac05b3e8c7e9ac665d58e4e0bf45f9df18f771610682c7

Download Submit
/storage/emulated/0/.am/dm/md/main.md

Filesize
2.6MB

MD5
470586b3a055aed7c22156273f38f69f

SHA1
39866ece4bc4bcdf2613bd67851ee7ba22df85ab

SHA256
65daf0c170cda7fde64c441438cf9875248bd33af61af060d943b48bfb405f8d

SHA512
95ab906e2be05248360a5d2a3a4edd61a128e1d71dedc35245384799ae68b686d37ba9063bb2e86a891d96acfec47c897bfca290ee6251afcb07f140aca9c540

Download Submit
/storage/emulated/0/.am/dm/md/main_tools.md

Filesize
1.2MB

MD5
51112e0a7f7962a8e02bc885025414ef

SHA1
40622959af4fe349d8881c885b9b30441de8804c

SHA256
2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0

SHA512
f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
173B

MD5
76358ec1669d18ed9e4a9324943d04d1

SHA1
4ece047032a4d7eb21b28858dd3826a06d61c6f3

SHA256
79a621bc1777ce41b82bf075fda7bad09049689b8b3b050e787263377154fb04

SHA512
f98bad0fba80487c33f86edc4daa985a3e36eb71a1b29bd5c15bc772f88d5cbadc3823d0e501460d71b55ba5dcdb98974a36fdf2a73a0db473ac83e99b7e59e9

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
152B

MD5
89d3e023fc7c6262c5da5fad70db669a

SHA1
da2080092919371154bfd5323ff493c620c36fa1

SHA256
f444e7a976a04bb29a481449849f8e559923f03d1670cf961a45cddf4dc25ea2

SHA512
47c9ee12a966124489652f4b1ff8868b3579b0f21fbdcc10d2517f14da6d15f066bab0f25423dd7a2400c7e87825e4938a4294b29e384fad100ad320be0e2673

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
4KB

MD5
6deb67ebcc855456e4844ff1c04b9266

SHA1
bf94e8021275d38bb40c285b965ee3119965ff85

SHA256
093247c279f3836acc7b6689f83f47cb8ee1fb35bcff06c85ae7298f70959882

SHA512
6b5e3a6bbba1c61deac0416400fbb5fee6eb013a402560717e3d5fd80470e849c41f743007a292bcb81fbf747e9e119af56712b5798ededa7ad4836992b42bfa

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
64B

MD5
f112b2d5afe4e99f4e4ad9c8726e3fd2

SHA1
36639c83893166b02b8371072a8dd972293ef3d8

SHA256
bf7433f7cc6ff9e1fc0788ce7599a29e71e04b252907b6c74d2c8789785e928f

SHA512
44b7eb5b9bd92aec64d0f96411e50fd321993e2117d6272fad6af47f55d8c4029866384fdf48d39a2ca9524dffd41df5d27bf675d7ca7bb7b9f6e87f2fbccf84

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
72B

MD5
64ff41afdfaf8eec2a6dacdc256e1ad0

SHA1
338db03133b1c496d79caf6c0484abfa8d4c9f68

SHA256
3a3748c23474d0428f4120a0e909a1c211552b8d4be0e58a8a17a06da31330d4

SHA512
8d0b40e64b1b9c46c710d694c2b49c34b68f13d3dd5bb5ac3439be8e1c2be9351ff38742ea3fd31b4d51175c8e17f81feaf8bf2978e5f4e0df85c0fcff5436e4

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
187B

MD5
2afe72ec6ee32d5167b12b7dbcfa50f2

SHA1
65e669117c22a9e29bd1adcebef70cd409081951

SHA256
fd387d12aebbfa4e1cf266f13691717e00515d807987d632b08da64652585e72

SHA512
26e252c26719f6770608b3599381de649ed4bc2cced8bc75c6a66ec335c3e5579ad8b55b57a940235c522af602dc896a91504daacf49e7753af7d59d0d40431c

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
131B

MD5
8915755fb9c166d5961e20d87529f23c

SHA1
0d2328fe2073d8849d770d2230a1572c6e370ad4

SHA256
dd3a6775b8087b8a398941ff23e39dc18f83460163dede6cd3964dd1c0587f7a

SHA512
ba99d600a8c9ea3cdd7c469dda71a8af6289bb6f8d799e66f22bc785688d90380fe5642634c4fd999007e04fd72f575c4adc63607e6093e83780478f29320fb3

Download Submit
/storage/emulated/0/.am/log_.txt

Filesize
25KB

MD5
c261638bafa4dcf00784fa5ceeac7e77

SHA1
05415c93f0c92909e5fe543314fc8b2b4e5b789b

SHA256
f20a9893aaa5ba4dd10a94df3ef314bed61371f136deca284c2b82eba49b48bd

SHA512
761bd37895baa96034a54c6e61008f9e0566c639bc8eb0f5a8faec0c83cac783759df8dbc0d97120dc1c47eb1cb6fb3503a646946c596317f689c2e9af2fb5f1

Download Submit
/storage/emulated/0/.am/log_.txt.zip

Filesize
6KB

MD5
f69b8e0f2b34405e7c554ba4bc7694b3

SHA1
a98ac299188ae63f4b01cffa48672e3206b2ef25

SHA256
4840ff01fea649c6a3bf313fefe347584aba8d6b1dc16623afbd64d5be5fe369

SHA512
22321d005f63aa17a7826a00c2641cc24a2c135e4418e0274dfd881276eaf38c55f00eb74b164c920cd15d446d0ebb96c0fcf40d06124f0746bcd41dd013cd90

Download Submit
/storage/emulated/0/.am/log_1725158428812.txt.zip

Filesize
220B

MD5
67552406a2efd139fc668a3b3561955a

SHA1
3042153a3ba44a74326a7bae80886522aa3922e4

SHA256
b372f5436653a929fb0a02c726bc60905e5e1503d446c92cdf70deba7556114f

SHA512
3874662d812958631f9dbef90bc501b71d99d799f9447099627232950e26b620641e2baf8a47c51121295a6308a4d0a591f1621f7154d9793b3936534461548b

Download Submit
/storage/emulated/0/.am/prog_class.name

Filesize
67B

MD5
d8ad6773b632b7d8066ed57c6c482c6b

SHA1
c07e66a0e8e58e190392896d7b178b7079741967

SHA256
50eb09209f1670f34baec877f8bc19fd1ce7419e10da063b46fa4025558dc4ae

SHA512
4bba534c373aa27100f1c5eec84c0a9d77c0dc447dd33de3757c4d656a7c8bb7d602fb214102005e355fb9a22687dff6e141063d086ec4275a9b01c8c8c90fa2

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads