Analysis

  • max time kernel
    139s
  • max time network
    150s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    01-09-2024 17:10

General

  • Target

    am.apk

  • Size

    20.5MB

  • MD5

    f95cf2c20d492d6647885e8428d808cc

  • SHA1

    3ac3b2f7b6ef2adf78e3a35463d38c94bc0615fa

  • SHA256

    7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c

  • SHA512

    3d5033bfa909468d92aad54eb5a308ffea9684471cc15810974a43e5c39e81558173774599b79d1d37fd7478516f8ba922d76035694764adb0f0a053636917c5

  • SSDEEP

    393216:Hq0sJA35z7A79L+BCZ1mbgafiubcYZzb/T9i/zVN2I+TX5RUKpPbNiRSKcsIJ6:HqbJA35z7c5JPmbBffcSzti/zVN2IkpQ

Malware Config

Signatures

  • AndrMonitor

    AndrMonitor is an Android stalkerware.

  • Checks if the Android device is rooted. 1 TTPs 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 3 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Requests cell location 1 TTPs 1 IoCs

    Uses Android APIs to get current cell information.

  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • fka.ugsonrqogw
    1⤵
    • Checks if the Android device is rooted.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Requests cell location
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    PID:4209
    • su
      2⤵
        PID:4276

Network

MITRE ATT&CK Mobile v15

Downloads

    • /data/data/fka.ugsonrqogw/databases/SettingsDB

      Filesize

      124KB

      MD5

      4c0ccabb25100a908b9db06434a6af8b

      SHA1

      555d9ecfa42e17aec483e1c05be0fc1362db9e66

      SHA256

      79aee6f8af24ae6adc8537de3a061bde3778d3d9634265b85b3e8727d4116304

      SHA512

      b9a4a1227fa927f0ef987a720c5bf16af71f3fba8c1a40d5387ad0d4ba193a1b7b23634b0850af7c25b55c8b2e984e7c84ab8fb3e55c83b3bc2ff859f4dcc5bb

    • /data/data/fka.ugsonrqogw/databases/SettingsDB

      Filesize

      96KB

      MD5

      1a5f8e3e667bad13196487d7e8c03340

      SHA1

      d7a9a0ac208fdca508fad225ff29d6989cb90714

      SHA256

      75dd97bb2b5691ff51774c011bfe397b04db340ca75233352df3166df9eb9217

      SHA512

      0a77bd3ff8ff42d0abd120a5ccc3a4222c25da2ca7fcfb2a6cdd5ca980e37c5b2b5a947dd78c26a74ef35718177aca8ee4cc98f3b1e01f430eff36a4c31c9ed7

    • /data/data/fka.ugsonrqogw/databases/SettingsDB

      Filesize

      96KB

      MD5

      fc17eebd64bbebe2f8ed42c06229a6b7

      SHA1

      9eee3dfcb90bb571c897cea7f8123773623b6dd3

      SHA256

      9a7a2120e981a9a2837077640d8a158392fa23296afd8105d494b76d6084c12a

      SHA512

      a020269742d93453efe66dc6eef9a5d334d9e8fbba9422461b33ec4b264b8e62ab1dfa7d8b2b36825004e5792f2252450bcfc67217bdea14c1524f9e9cd5d1a0

    • /data/data/fka.ugsonrqogw/databases/SettingsDB

      Filesize

      52KB

      MD5

      b6815b344f6926d458cea05acd052cdd

      SHA1

      88f524aff1d4c5fee979a203dd952427871a7097

      SHA256

      028666f28ae0086b18fb740f792e8a80ad05547f0c7cb9d2dc8080e5125db366

      SHA512

      0431375f80e9c467d0abb042e43681a973bce455fe8354f5a138f19a3b28d3adc7eac3fe4c20bf44f085810749569b87a393185cd8f8bf2687f0923b8de4dade

    • /data/data/fka.ugsonrqogw/databases/SettingsDB

      Filesize

      96KB

      MD5

      03fcd53478226adfe4b07ea46daad6cc

      SHA1

      8f303cc7eba481e0cf0c830a71225cd5a4fe84ba

      SHA256

      5d96469c9ec5a528290f4e3d5388099599b252c20d83457dd0826a17e6299a0c

      SHA512

      42c60cfe5bdbd9d2354ffa225c8449bcecce2acac4839e89a994c32f3db3d5008eb271967d7edd1ca798b34dc63cf3a1b27616accf8043ea54b662ca21f88cba

    • /data/data/fka.ugsonrqogw/databases/SettingsDB

      Filesize

      144KB

      MD5

      b3f61accb329a155910f4cd2dae5e662

      SHA1

      4663708fa1654c4508367077b3121ef0447063c6

      SHA256

      96e67f2cd4fb5786181de3d63680fbe472ea308f3bbd8c821bd41b1bac940d90

      SHA512

      de5c7dd7870467d5c30624471bcc15aea837e8fd149590178645b942daa2749b9199c9c2541368a56257233a327b6013be6fa97a64b3817e299ddd8f35378900

    • /data/data/fka.ugsonrqogw/databases/SettingsDB-journal

      Filesize

      512B

      MD5

      ffb04baa0fb835b881524fe3191b8b00

      SHA1

      0bd938cbbe8db4993156756636506196b4aa0f92

      SHA256

      baefdb0fbbc3ba0017595bf31c202d9c9fd7de00570a88120f79cd2488115a66

      SHA512

      5e5b33ff77739c0647aaa5d292cb280b775d836df2b2329738fe00e17dc72c392557fec45ac8ccfae900dcc509bcc46bfb549ac83c8539abf2f00137ce3c33e4

    • /data/data/fka.ugsonrqogw/databases/SettingsDB-shm

      Filesize

      32KB

      MD5

      bb7df04e1b0a2570657527a7e108ae23

      SHA1

      5188431849b4613152fd7bdba6a3ff0a4fd6424b

      SHA256

      c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

      SHA512

      768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    • /data/data/fka.ugsonrqogw/databases/SettingsDB-wal

      Filesize

      414KB

      MD5

      285ec6bd0f64e654ce9bb339feb7fb23

      SHA1

      2c10bfd88cfde82485fbee0cf1c4a01e524dfcb3

      SHA256

      464064dd20f3ad7801fff6ec8f5a35efd79ac8488522f404779a9a5b126fe748

      SHA512

      736010a8a42aa2d09a905f2c13566b475feacb50150d8e33a603c5c82e42ff527979efd952450d1cf2c5d57d846330d99b3cbacd67bee2685e39ed5f62d729a8

    • /data/data/fka.ugsonrqogw/databases/SettingsDB-wal

      Filesize

      8KB

      MD5

      c8d8a4b4204df880a1a01d8cdaa9147b

      SHA1

      c7b88a6ae3270dbb0b84d735420ced955bca4637

      SHA256

      29fa2191d004358720b358e0be7a7f996dc14d67531b79d1e4a87f65842abb4d

      SHA512

      73acb61e84cf2013be532806d212fc090b42aa442892e93ef760ac3aad06d8dd5fa102a959048b505c705e02b4f2813bcf887ba7fa97f96a7497a82a300ecca3

    • /data/data/fka.ugsonrqogw/databases/SettingsDB-wal

      Filesize

      8KB

      MD5

      9bc0b9c0412560c368bf8538a0ede9f0

      SHA1

      99c8914fd008bd4e73ffc81edcb655ae137f2b1b

      SHA256

      10d22eb0ce1687af1bc68d85cf26bc1286b48e7d39fa37f78e318a704996b866

      SHA512

      2598fa928d63f727528d5a4d3020e2635a464f42a86488bf3723824cd44a48b94ea2fdeddf492059ba1e58dc1b0d329d1db65c49be94c19f15df097906f85cdb

    • /data/data/fka.ugsonrqogw/databases/SettingsDB-wal

      Filesize

      4KB

      MD5

      fa75d1fb9d6edd20c8b37817e8abd3e7

      SHA1

      26f01096fbf346d1fe2c1dc5b8e1bbc5a8bc72f2

      SHA256

      2a8a8baf88509fb26d9fb2523481d3e81894cd7680691182453926274b12136e

      SHA512

      74fdc3d8f30f3e57856c97bdf995e89c48f820fef050464f26ec91ae51ad75737eef574234f7a88fb6128d58e4129a2ed693b2b836a33dead995318da2b5ad59

    • /data/data/fka.ugsonrqogw/databases/SettingsDB-wal

      Filesize

      8KB

      MD5

      22a0bd83d4dbd569eb95da577dcb4fe5

      SHA1

      5e476c71a056b58f9706f381e0ae622c7f03a6b4

      SHA256

      211eb69db7d7e901c0d4731df40017f3ee50518642c5f756d16af0a29147cac1

      SHA512

      6e6cafc53ea5be0bb072e08b920527d6ec7bbb6d581754feb3058ef4a1034d8121df7d605b4a5744f158e76bebdcd539e3972e4b32cd78b4f32cbc43525d9dda

    • /data/data/fka.ugsonrqogw/databases/SettingsDB-wal

      Filesize

      418KB

      MD5

      9e71b629b8ae6a87fa84cbcbb227b872

      SHA1

      cd9543857c2c32de94a4723c2c9c8e8ae6c59577

      SHA256

      e09417e18e77e27df956f3ef24886bfdda24eb316f6c094f4e20084f27a79e49

      SHA512

      f5091cb8473d00fa0eeab03fed7a22c5d7869c9f59bc0c70a1a5bd192ee5d96aa20b8870bca36d754cbeb29735a972f57d5b8fe9bcf349e316221b5a2718c2b8

    • /storage/emulated/0/.am/dm/md/main.md

      Filesize

      2.6MB

      MD5

      470586b3a055aed7c22156273f38f69f

      SHA1

      39866ece4bc4bcdf2613bd67851ee7ba22df85ab

      SHA256

      65daf0c170cda7fde64c441438cf9875248bd33af61af060d943b48bfb405f8d

      SHA512

      95ab906e2be05248360a5d2a3a4edd61a128e1d71dedc35245384799ae68b686d37ba9063bb2e86a891d96acfec47c897bfca290ee6251afcb07f140aca9c540

    • /storage/emulated/0/.am/dm/md/main_tools.md

      Filesize

      1.2MB

      MD5

      51112e0a7f7962a8e02bc885025414ef

      SHA1

      40622959af4fe349d8881c885b9b30441de8804c

      SHA256

      2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0

      SHA512

      f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402

    • /storage/emulated/0/.am/log.txt

      Filesize

      173B

      MD5

      e79207be661ce0193863c6c7184f12a4

      SHA1

      a9a069d0ef01a383d289d32d99f729c9fe676507

      SHA256

      98095e2a918a023bb12422642402af14f63c4bd649dcdeae977d8d8170eb8040

      SHA512

      6f74ef4e93e1f92b40bf97cd7fbc98b9063ac4f9af178044608935c7d7d2bd145a96db84dc25350d7dc7f821eb7c9c35185858f23ff4fcce63e53b3be2d19981

    • /storage/emulated/0/.am/log.txt

      Filesize

      152B

      MD5

      70bc9605ad0ab712f5a386d3d175e63b

      SHA1

      70872aa22623b127215d985db14eb191f67c89e5

      SHA256

      5b32c3426a1cc01b4dfbfa31a8ed739c5f9e8aa8d62e85887f69d6ccfc3b4ecc

      SHA512

      2c96cb284ccb355638788f0379b1aa970d73b7622db17671ca4bbc31b104965db08ded5e822a0d08227c655e8409ba7a625698110c86b2743d694c639ebf58d4

    • /storage/emulated/0/.am/log.txt

      Filesize

      3KB

      MD5

      66919065dd0b8c7091d806bd0ca1682e

      SHA1

      a8ae26d415b3c4499b4e0f2ec8a9d7c404172430

      SHA256

      35c11257522a87895d3debc10473ac65e88eed009144dd64ffdeb8400f897472

      SHA512

      054b55be48df1511a5b76afd9b21df83401c188f892e87293ca931c92c78ece48590cd9e81b02358bdd3b1c9a6f5de2ca14f8ee37bfb66091d9406ef8564f8ae

    • /storage/emulated/0/.am/log.txt

      Filesize

      64B

      MD5

      fff57b1ad255a70121a9697eb59a2d1d

      SHA1

      8ee40d8799359af0c2fa091762a23f230f2eca39

      SHA256

      0f3e523b0686639eb21001f21e7cb9ed7877b9d9fbd11483ee1a48304e99118e

      SHA512

      6a44c029dd5ca22ee22385af09f44ab3c8e96bddb732ac1aae24059dc0915816be5dfa833ed613472061f20b7cd8b92e0f49b8ff15ff5b735d9a17027f40004f

    • /storage/emulated/0/.am/log.txt

      Filesize

      72B

      MD5

      92b5ee0513be5154d21e10027bb81d56

      SHA1

      9f389a7fd191b34b3a98eb3d62c66001e9c7d7dc

      SHA256

      942de05240cb61da12c0cba9ea889bbd92377b6c25212ce93c96c16985cfe561

      SHA512

      6ac27537c5170dd58adbd82371fd9fc20438a56eee86f5b7e7ef0515d16b9d2bdf24ee6567647f17adff90d623308409cb6628da858bd7881371e5ecc9d51e53

    • /storage/emulated/0/.am/log.txt

      Filesize

      157B

      MD5

      50e3386e86495eee07dc8968adacd01a

      SHA1

      a8e4da169401ac8a1d05e13d0d2b2187f2e15070

      SHA256

      2a8769f1a02409122d5e78c2e5e157d779236dd2e97da91f600b7acb3ed1be6a

      SHA512

      1500d13ed8b21dc9e7bc00ef0caf936b25c9fafb69d082d8b6fe24e7b18b22798483fbd91ed52b6643113098b541d1b6363a95b01e0e1bcaf6e123da9b6da36d

    • /storage/emulated/0/.am/log.txt

      Filesize

      131B

      MD5

      5d315cd81929fadb2a6393d4ef110aa2

      SHA1

      c076fb8846b7235322594c6d9b257fd76f51f8e7

      SHA256

      01bf3cd61160ca5fe6723910a35f5a3e4822f7f833841127778f96fde04533a7

      SHA512

      867ac1bf7e73845e790b7d2e207e351bf98a18fe988e51e04187322df5a7770acf9e9b4ee9bcd0fe75dbd3694d2b1361246b30b310782d7ea22186e579064263

    • /storage/emulated/0/.am/log_.txt

      Filesize

      25KB

      MD5

      8b10b9f55ec60613c4fee726c1496a6c

      SHA1

      d43d1bd4cacb475f078474c57ddac6b6e40c38cf

      SHA256

      1dc2ca9c651a7da6dd2c42ec1ddad960b31ca7a2e8caf0ec7a9a220aa8503282

      SHA512

      64fedd092f9ca286e019ec635930a50f053c1038b8e315154aa89866f3e7c0b0ce95aad1bb84f672d41df72ca36fc6bbf913c7459d8ac1f78747455109658bed

    • /storage/emulated/0/.am/log_.txt.zip

      Filesize

      6KB

      MD5

      3e2becd1cc52264fcf0254b359850b0d

      SHA1

      cd604a0b911297630df3d4c9a1f08174a086e56e

      SHA256

      5deb25bd7504938daadc5293cdef944217f8ecfe130b2e7d773519aa3b8039ab

      SHA512

      40e61960510991e235d53dc316acda6eed3c188c434f8e1cc31325814ef7ab2f7d3015cc1dee4f8e0093ddfa96627c081f415024ee49295efe1916ff4bbb59c7

    • /storage/emulated/0/.am/log_1725210648458.txt.zip

      Filesize

      220B

      MD5

      23793ef513a75ef6fbbd0f95dceb2409

      SHA1

      52230875e22c91eff80a7b44d721666e561ca51f

      SHA256

      71f40b9e0ebc847ec44a0c72fa5ad9f6b42ac45ff0347071b596362c9ccf5a79

      SHA512

      23d9d94a27d4962e230159b562b5d4b72f4cf3efcd7774a6690e63d1501eb8cd20ebabe582e5cf5df4d35b8ddbcdc118efdd7bfbb121b87e26449376fe6bb56c

    • /storage/emulated/0/.am/prog_class.name

      Filesize

      67B

      MD5

      d8ad6773b632b7d8066ed57c6c482c6b

      SHA1

      c07e66a0e8e58e190392896d7b178b7079741967

      SHA256

      50eb09209f1670f34baec877f8bc19fd1ce7419e10da063b46fa4025558dc4ae

      SHA512

      4bba534c373aa27100f1c5eec84c0a9d77c0dc447dd33de3757c4d656a7c8bb7d602fb214102005e355fb9a22687dff6e141063d086ec4275a9b01c8c8c90fa2

    • Anonymous-DexFile@0xd3454000-0xd357f4b8

      Filesize

      1.2MB

      MD5

      336921950a9f279733cd787f1203d73d

      SHA1

      cefc36a7c17909054cf2a507b34f545af96c0e36

      SHA256

      c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c

      SHA512

      6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87

    • Anonymous-DexFile@0xd362d000-0xd38be638

      Filesize

      2.6MB

      MD5

      850905bb253b202528d72a6724d68904

      SHA1

      ab3ad068ac55cff5a8b4f80f4cab5507968d0ce8

      SHA256

      abdd3b7a2034ffeba98a4b5192ee6878e5d05e822f8ded07c7cb413e13c944bc

      SHA512

      a15fb152539326a73ee427fc74760c0e4999708a40b81b5b464a6bba8dc841efbeff2a573418e0754e8d14bd750da7e335f680067a6abc4f7807b6f8a59007a2