andrmonitor | 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c

Resubmissions

19-10-2024 09:10

241019-k5aveaxhqa 10

05-09-2024 16:10

05-09-2024 16:09

01-09-2024 06:20

01-09-2024 06:13

01-09-2024 02:40

Analysis

max time kernel
589s
max time network
603s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
submitted
01-09-2024 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

am.apk
Size

20.5MB
MD5

f95cf2c20d492d6647885e8428d808cc
SHA1

3ac3b2f7b6ef2adf78e3a35463d38c94bc0615fa
SHA256

7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c
SHA512

3d5033bfa909468d92aad54eb5a308ffea9684471cc15810974a43e5c39e81558173774599b79d1d37fd7478516f8ba922d76035694764adb0f0a053636917c5
SSDEEP

393216:Hq0sJA35z7A79L+BCZ1mbgafiubcYZzb/T9i/zVN2I+TX5RUKpPbNiRSKcsIJ6:HqbJA35z7c5JPmbBffcSzti/zVN2IkpQ

Score

10^/10

andrmonitor banker collection discovery evasion execution infostealer persistence spyware trojan

Malware Config

Signatures

AndrMonitor
AndrMonitor is an Android stalkerware.
trojan infostealer spyware andrmonitor

Checks if the Android device is rooted. 1 TTPs 3 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/system/app/Superuser.apk	fka.ugsonrqogw
/sbin/su	fka.ugsonrqogw
/system/bin/su	fka.ugsonrqogw

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/fka.ugsonrqogw/[email protected]	4343	fka.ugsonrqogw
/data/user/0/fka.ugsonrqogw/[email protected]	4343	fka.ugsonrqogw

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Queries account information for other applications stored on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	fka.ugsonrqogw

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 24 IoCs

flow	ioc
84	anmon.name
87	anmon.name
93	anmon.name
20	prog-money.com
21	anmon.name
22	anmon.name
61	anmon.name
94	anmon.name
19	prog-money.com
62	anmon.name
64	anmon.name
89	anmon.name
85	anmon.name
86	anmon.name
88	anmon.name
92	anmon.name
46	anmon.name
58	anmon.name
60	anmon.name
82	anmon.name
24	andmon.name
45	anmon.name
59	anmon.name
99	anmon.name

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	fka.ugsonrqogw

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests cell location 1 TTPs 1 IoCs

Uses Android APIs to to get current cell information.

collection discovery

Location Tracking

T1430

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getAllCellInfo	fka.ugsonrqogw

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	fka.ugsonrqogw

fka.ugsonrqogw
1⤵
- Checks if the Android device is rooted.
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Makes use of the framework's foreground persistence service
- Requests cell location
- Schedules tasks to execute at a specified time
PID:4343

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Credential Access

Discovery

Location Tracking

T1430

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Location Tracking

T1430

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/fka.ugsonrqogw/[email protected]

Filesize
1.2MB

MD5
336921950a9f279733cd787f1203d73d

SHA1
cefc36a7c17909054cf2a507b34f545af96c0e36

SHA256
c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c

SHA512
6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87

Download Submit
/data/user/0/fka.ugsonrqogw/[email protected]

Filesize
2.6MB

MD5
850905bb253b202528d72a6724d68904

SHA1
ab3ad068ac55cff5a8b4f80f4cab5507968d0ce8

SHA256
abdd3b7a2034ffeba98a4b5192ee6878e5d05e822f8ded07c7cb413e13c944bc

SHA512
a15fb152539326a73ee427fc74760c0e4999708a40b81b5b464a6bba8dc841efbeff2a573418e0754e8d14bd750da7e335f680067a6abc4f7807b6f8a59007a2

Download Submit
/data/user/0/fka.ugsonrqogw/databases/SettingsDB

Filesize
124KB

MD5
011cd6a11afb071cc79ef5019e0548e2

SHA1
06456658c8ad8e29492347ea80b83b0cd1dd20f0

SHA256
9b72e53428efa4d1b97f3e59a765390e5116af3b6be16c645a61a8f96c040c97

SHA512
ad7ef191f6be037bdad532e90c4e48c152b6665e720a640f4bd7ba35801d91b5730f131201da223443b0a964b8bb815c719ca7b6344d8d1ae5655aac4ce16d30

Download Submit
/data/user/0/fka.ugsonrqogw/databases/SettingsDB

Filesize
96KB

MD5
429b9c6acb0f02970fee6e83322ad71e

SHA1
857ed6d99332b5b04c3a2d280a3d09f903cfc53b

SHA256
c7df4a206dcf0858f9e5c14e1fb8f850ded2d5682f95b0d8dc86cd2c549a9138

SHA512
e32d81d5793ac2249a7982aa7a235f951cd48613fc273747ad748bac7e5343473634050d1e78c6dbd54154e7f7d2014d875ed57ccd9e182fab21a86757633ca7

Download Submit
/data/user/0/fka.ugsonrqogw/databases/SettingsDB

Filesize
96KB

MD5
f6e9a3cd8fc8c255480664f9198d7c67

SHA1
ed4c65ba990d517044cbb5ba424783ee6c0383c8

SHA256
d155457dfe611cce9215d105589aa1f10dc560794c589c4d094122db57f856a4

SHA512
64ef2e847657175f743b84a4e0f411f84b041d783f515924a901cd1c99d27a867118740dd941870f00267c7d6ea05717b2062c56103bc8d4af2c9318d835a031

Download Submit
/data/user/0/fka.ugsonrqogw/databases/SettingsDB

Filesize
96KB

MD5
ca0dbbd5fe4a0da2a92640b69937e38c

SHA1
a2f9634f0ebaa4cef365f9df0a2e3a8b893188fb

SHA256
b91048698d6a888154e81e898b36af342dd85638cc149f11291633ef405ca2be

SHA512
bca0782115820ebdf8754f383c67feb691d47c512d48dbfb36d73fc1fea5f29f0991d9bbe28046347cf22d35d70087056dd9408c9f1cfd39f7865941f7163982

Download Submit
/data/user/0/fka.ugsonrqogw/databases/SettingsDB

Filesize
96KB

MD5
1207f595963205172ec0b41fa3dbaf36

SHA1
d8e1ac99588efe18ec1e16ce27ff1b052294abcd

SHA256
6fcd0f1618d8a45f85636e9a49af13aad8f1206b6052f0cee57906652b150f1c

SHA512
46b6c8d9b1c65c12c951914f66b065cabc625c2532c400902b41d8e3382745f1233d216de3e9c9300557a7c4d84ee258124ebbfcafbfd9b5746bf5e0f8bb388c

Download Submit
/data/user/0/fka.ugsonrqogw/databases/SettingsDB

Filesize
96KB

MD5
bf01858719247cc8aefbeb2c78cbf3ee

SHA1
5c86b279e84728a8b8014b9bc1190bf4ed82180b

SHA256
577c83f129d7ff3837934e3642cf2246c20a73af5d537b2fe6689d8fce5624ec

SHA512
b6c85d016e8d444a0b528efb2cec7378486d8132ce16b78d9b27bcff6a3da469876888a59241befea80204b80ca3790b8d691295821ae8c61610b462e090ec2a

Download Submit
/data/user/0/fka.ugsonrqogw/databases/SettingsDB-journal

Filesize
512B

MD5
ce6499f1d8097859b429dee8e9375a84

SHA1
cb340e3c30bd0c8896a197397abb26a471bc7232

SHA256
19a9ebc0e8ad7fa545383637b22da6dae8cb5615b9f88eaf89739482d76892a1

SHA512
6596e40826c2f6cd5e194647000c8e558d6748bfaed1f70c802794b507e2004d54ab22ec095c257d834daf6546546d58370ede8295a62a2f6c7eb5f51fb77d01

Download Submit
/data/user/0/fka.ugsonrqogw/databases/SettingsDB-journal

Filesize
8KB

MD5
ddc40c3f3345ad31726f65a7d580586b

SHA1
b4ecf714b943337c5394cc610f7b4ade966a878b

SHA256
f5094be1b5a83e14e52b50d7e8fb945a9dd22670bf943459d6efa65503c7fe4d

SHA512
53aa0ed0b2721b24798d5344278560ce2c2ad40555b434712b4f59df5fb7550e2ef8012d3f081d47cc06e613a67dde7020170d784a0955254434b5857c911af9

Download Submit
/data/user/0/fka.ugsonrqogw/databases/SettingsDB-journal

Filesize
4KB

MD5
2ae49aac2f01f99390a50b941f412b54

SHA1
e067ae3324010c4252f3487b23ae5fa38d0abd17

SHA256
01cf40eb42416eab72b4b8a5855fc07b7993a0e18ea2f25c2f8730239cd8d43e

SHA512
c0d6ee592263995029ffb5c6acf150cb0e43b82fa6e7c3c711e315e8bff62ba74904e625831e26655418189ffc250a19eb6c6c20450187ae87e1c0c8382dbc8a

Download Submit
/data/user/0/fka.ugsonrqogw/databases/SettingsDB-journal

Filesize
8KB

MD5
95ad694a281fc3deebf21018abd9ae94

SHA1
e2f7fd31f1fd919cef23eac46dad29dddb793632

SHA256
991025fbe8a3f4c20b9eba509fdf92b0dfd5b0ffdf102402164e3ae05a7a75c4

SHA512
db8a8793ae1cdfda4ae4911953846478fb3de09aecb55f5a58d84044964320cba2df2e384b991b379b88f97ff55ef65f94e50b2ebfa1d54ad4b01d2195530c68

Download Submit
/data/user/0/fka.ugsonrqogw/databases/SettingsDB-journal

Filesize
12KB

MD5
f124158a98a6e20538f9898f6a0eeb4f

SHA1
5ee91f8bc17b0352ac4eb3c6ae07544fbd802cb3

SHA256
cebb1cfc59d330453b9db87420a2f46e832d6f32cf20e64c01667f4a6daae533

SHA512
5952148d77b7f1cb1437947697712e70b1d09d7a9792b7bc0ed99bd90d3fa26f59b8041b00d99033722a8170e2e771046421b7b213d8a7228f316ea196b4bd08

Download Submit
/data/user/0/fka.ugsonrqogw/databases/SettingsDB-journal

Filesize
20KB

MD5
a29db6a37ae3d91b02c4011d4978e87d

SHA1
f048e19a3419c2f450548fa257550d22000d21cb

SHA256
c32825f118ab47e0c4768c177b893a321970297f474a4444d8f651b07d840e2b

SHA512
56df5d210d4939b67954c280e6fd2d260993a1de47794418ed4459ae67bb609df79b46d0977ba56d19a46edae41822890e97621e6d1ff68264fb15b4014c5a45

Download Submit
/storage/emulated/0/.am/dm/md/main.md

Filesize
2.6MB

MD5
470586b3a055aed7c22156273f38f69f

SHA1
39866ece4bc4bcdf2613bd67851ee7ba22df85ab

SHA256
65daf0c170cda7fde64c441438cf9875248bd33af61af060d943b48bfb405f8d

SHA512
95ab906e2be05248360a5d2a3a4edd61a128e1d71dedc35245384799ae68b686d37ba9063bb2e86a891d96acfec47c897bfca290ee6251afcb07f140aca9c540

Download Submit
/storage/emulated/0/.am/dm/md/main_tools.md

Filesize
1.2MB

MD5
51112e0a7f7962a8e02bc885025414ef

SHA1
40622959af4fe349d8881c885b9b30441de8804c

SHA256
2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0

SHA512
f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
173B

MD5
50c8739256e3fd5dd70325984096dd91

SHA1
89c35d8e123f8d0fdbdadaf132939c317ec482ed

SHA256
ae6ea2599b39f49b67089bb6903fdb13c7dd13494af40694fd93d79a7a9fe262

SHA512
4ce7726766bab4258dd4d7df4c666ebf9ee208c8f145f71d9341deda0dcac9244772dead0c73af0aad1ea68e46c40ad9d8ae7265f9c058920b5b782de12d7b84

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
152B

MD5
3d4ccdf4a1c6a77639aba50f93e2fe51

SHA1
a3f15285a7bf1397f5314b30ed21fbdbc6b8698c

SHA256
972ade97fd9c0001689b9f1833f621f348b1b5ec643577cfbd8cfff04d4a6cc8

SHA512
ae2aefb76f1e6b92913e1fc61a171feea31dae57d0dc512b197b35419a4b9661195c9ef062cc73d62e196eecfc53e31e080613c5b8cc772af044a527b4b2632c

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
4KB

MD5
a81623869d333bbd8265ff83acccb63e

SHA1
69628c2aadd076f0de0d8e77ec29630910d3fcc1

SHA256
9695f1afa0b40ccaed1b498438ce5ec064fe99d91dec61f019402f08f8285569

SHA512
70ac1d65b8f5357d1e39d87505cae91a52a13170c8479078a5a101ac2511ebab5b97d6c260496065e6288140b91134d3ec253498e54f012023e094bbe1217422

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
64B

MD5
d62733fd48023361bf61ea5ae615417c

SHA1
7db66175f4ffdfe6d50d3036b3b5a5726058295b

SHA256
43a9c8f9c9e0dceefb433f38b493e03481d5e3553ae3463baf986d007073b275

SHA512
2f72bf4887ea4d18fafa87ab3761e160c64d7ee0e8fec47faa42d2f91ac06710ee1287eb83203d02b0110a2f7902c97381765aa6f3bd51d022083f30ec6e28c1

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
72B

MD5
83a7c40ac5433137b0c800ea5c3415ea

SHA1
36bb4f0774a6d47084875f298d308908a95667ad

SHA256
38398550b5f35dabcc603640d8436e33affcaa8dcf208d3c4252d95a509ee9a9

SHA512
494731441fb7f4efb66cfc8a1657a18be04630038c457e4e0dac8f36ffb8e4508fe43559589eb8bd7c501176e80d642d70adbf86cd84571daebbb7d8eac2cc75

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
187B

MD5
0e6415e4bc99e9ab68d09b3c673ede02

SHA1
67f83c3e1e25d2fb561f85b98399652f8940d259

SHA256
74106b2e1deda06b6d5c8159638bcba2b2093d68f47402445de95e5a00521cb2

SHA512
968c8df3faf7d29dbfb32be1f1d6241ed4ebd5ef330577a4b7b0a5ceb24276fd7c9f0c5ef121571fb4437cb0b3d82daadb4bebaf0a8506137470aec5dc295036

Download Submit
/storage/emulated/0/.am/log.txt

Filesize
131B

MD5
7ae12942ab7b86e0f36acc0c4a43398b

SHA1
e50029ed1e0b79d6af0a4312c5502ebf2c6eb8f7

SHA256
e98fa9cf2a075abae3fb8a78eb6e318c4aa549ac66e57c51b9d12e542efd5f82

SHA512
f6f0a238b5de0e80387ae781a0a864ac1b8d6916cf502fafdee2a18d053677edbc50bb4605ae1b8503a1cbe024226ff9b0bbebda0b1b9746893656a3925e468d

Download Submit
/storage/emulated/0/.am/log_.txt

Filesize
22KB

MD5
526089f5907e541c27507b9b3442a927

SHA1
a9570c125bbb5e43a31b4791435e6d2244625f57

SHA256
fdc156f2a1898ff13c42ffc3f1797fa24822222a06153c5ad667bdb157c2d118

SHA512
ec93418a734f045962b35d01bdbb495d876340161bc461d8e7e6efed97247a453cab303d2b8f5778498ee2ddbb3ef6873236b0a04895060cedd093a389c4e150

Download Submit
/storage/emulated/0/.am/log_.txt.zip

Filesize
6KB

MD5
0a45b6411cbe8bb26d1ba5610105cc0b

SHA1
3668205659bbed923ada112195a2353961782ff2

SHA256
714817a2940c24a305e2e8408f0a56e8a9ed272654d5d738235b97ffddfa556a

SHA512
06b26b561c413d708788f588aaf9fff4e20374cde8c9e112f9b456cc04314970286e16e99a94508b273953c16c44cf5bf667217a5a8bf37b934664773fd0ee09

Download Submit
/storage/emulated/0/.am/log_1725171892710.txt.zip

Filesize
220B

MD5
91873a3544353420a4e69a1bec0a1845

SHA1
a1c45936e858023d4ab69d3c1b6f3ede6d057bca

SHA256
6ddf59145502d2e9f58e01178a2f7749fbb87f57bdeaa3e74e2dcbc333649dd9

SHA512
ccead4aa2e391cfda0f3da45d27306c49b0949efe8f93cf72235b263359b258c5d3908e8fbeec796dc1424c15d90719591624cdc0e9268687f4a85e0c9420e2d

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads