Analysis
- max time kernel: 139s
- max time network: 150s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 01-09-2024 17:10
Behavioral task behavioral1
- Sample: am.apk
- Resource: android-x86-arm-20240624-en
Behavioral task behavioral2
- Sample: am.apk
- Resource: android-x64-20240624-en
General
- Target: am.apk
- Size: 20.5MB
- MD5: f95cf2c20d492d6647885e8428d808cc
- SHA1: 3ac3b2f7b6ef2adf78e3a35463d38c94bc0615fa
- SHA256: 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c
- SHA512: 3d5033bfa909468d92aad54eb5a308ffea9684471cc15810974a43e5c39e81558173774599b79d1d37fd7478516f8ba922d76035694764adb0f0a053636917c5
- SSDEEP: 393216:Hq0sJA35z7A79L+BCZ1mbgafiubcYZzb/T9i/zVN2I+TX5RUKpPbNiRSKcsIJ6:HqbJA35z7c5JPmbBffcSzti/zVN2IkpQ
Malware Config
Signatures
- AndrMonitor
  AndrMonitor is an Android stalkerware.
- Checks if the Android device is rooted. (1 TTPs, 2 IoCs)
  ioc: /system/app/Superuser.apk, process: fka.ugsonrqogw
  ioc: /sbin/su, process: fka.ugsonrqogw
  pid: 4209, process: fka.ugsonrqogw
  pid: 4209, process: fka.ugsonrqogw
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: Anonymous-DexFile@0xd362d000-0xd38be638, pid: 4209, process: fka.ugsonrqogw
  ioc: Anonymous-DexFile@0xd3454000-0xd357f4b8, pid: 4209, process: fka.ugsonrqogw
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect account information stored on the device.
  description: Framework service call, ioc: android.accounts.IAccountManager.getAccounts, process: fka.ugsonrqogw
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  description: Framework service call, ioc: android.os.IPowerManager.acquireWakeLock, process: fka.ugsonrqogw
- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (3 IoCs)
  flow: 4, ioc: prog-money.com
  flow: 6, ioc: anmon.name
  flow: 11, ioc: andmon.name
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call, ioc: android.app.IActivityManager.setServiceForeground, process: fka.ugsonrqogw
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description: Framework service call, ioc: android.net.wifi.IWifiManager.getConnectionInfo, process: fka.ugsonrqogw
- Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)
- Requests cell location (1 TTPs, 1 IoCs)
  Uses Android APIs to get current cell information.
  description: Framework service call, ioc: com.android.internal.telephony.ITelephony.getAllCellInfo, process: fka.ugsonrqogw
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description: Framework service call, ioc: android.app.IActivityManager.registerReceiver, process: fka.ugsonrqogw
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description: Framework service call, ioc: android.app.job.IJobScheduler.schedule, process: fka.ugsonrqogw
Processes
- fka.ugsonrqogw (PID: 4209)
  - Checks if the Android device is rooted.
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Queries account information for other applications stored on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about the current Wi-Fi connection
  - Requests cell location
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - su (PID: 4276), child of fka.ugsonrqogw
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
  - Suppress Application Icon (1)
Downloads