Analysis
max time kernel: 11s
max time network: 155s
platform: android_x64
resource: android-x64-20240624-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
submitted: 01-09-2024 17:10
Behavioral task behavioral1
Sample: am.apk
Resource: android-x86-arm-20240624-en
Behavioral task behavioral2
Sample: am.apk
Resource: android-x64-20240624-en
General
Target: am.apk
Size: 20.5MB
MD5: f95cf2c20d492d6647885e8428d808cc
SHA1: 3ac3b2f7b6ef2adf78e3a35463d38c94bc0615fa
SHA256: 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c
SHA512: 3d5033bfa909468d92aad54eb5a308ffea9684471cc15810974a43e5c39e81558173774599b79d1d37fd7478516f8ba922d76035694764adb0f0a053636917c5
SSDEEP: 393216:Hq0sJA35z7A79L+BCZ1mbgafiubcYZzb/T9i/zVN2I+TX5RUKpPbNiRSKcsIJ6:HqbJA35z7c5JPmbBffcSzti/zVN2IkpQ
Malware Config
Signatures
-
AndrMonitor
AndrMonitor is an Android stalkerware.
-
Checks if the Android device is rooted. (1 TTP, 2 IoCs)
ioc: /sbin/su; process: fka.ugsonrqogw
ioc: /system/app/Superuser.apk; process: fka.ugsonrqogw
pid: 4941; process: fka.ugsonrqogw
-
Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs executable file dropped to the device during analysis.
ioc: /data/user/0/fka.ugsonrqogw/[email protected]; pid: 4941; process: fka.ugsonrqogw
ioc: /data/user/0/fka.ugsonrqogw/[email protected]; pid: 4941; process: fka.ugsonrqogw
-
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps). (1 TTP)
-
Domain associated with commercial stalkerware software; includes indicators from echap.eu.org. (13 IoCs)
flow 32: prog-money.com
flow 83: anmon.name
flow 84: anmon.name
flow 104: andmon.name
flow 111: anmon.name
flow 35: anmon.name
flow 40: andmon.name
flow 77: prog-money.com
flow 78: prog-money.com
flow 33: prog-money.com
flow 34: anmon.name
flow 58: anmon.name
flow 110: anmon.name
-
Makes use of the framework's foreground persistence service. (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
description: Framework service call; ioc: android.app.IActivityManager.setServiceForeground; process: fka.ugsonrqogw
-
Queries information about the current Wi-Fi connection. (1 TTP, 1 IoC)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description: Framework service call; ioc: android.net.wifi.IWifiManager.getConnectionInfo; process: fka.ugsonrqogw
-
Queries the unique device ID (IMEI, MEID, IMSI). (1 TTP)
-
Registers a broadcast receiver at runtime (usually for listening for system events). (1 TTP, 1 IoC)
description: Framework service call; ioc: android.app.IActivityManager.registerReceiver; process: fka.ugsonrqogw
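The three domains in the flow list above (anmon.name, andmon.name, prog-money.com) are the most reusable indicators on this page for hunting on a corporate or home network. The script below is an added example, not part of the sandbox report: it matches resolver log lines against those domains, treating them as parent domains so that subdomains such as api.anmon.name match while look-alikes such as notanmon.name do not. The log line format ("timestamp client query") and the log lines themselves are constructed for the example.

```python
"""Match DNS resolver log lines against the stalkerware domains listed in the report."""
from typing import Iterable, List, Optional, Tuple

# Domains observed in the sample's network flows (taken from the report's IoC list).
STALKERWARE_DOMAINS = frozenset({"anmon.name", "andmon.name", "prog-money.com"})

# Constructed sample log (not from the report). Assumed format: "<ts> <client> <query>".
SAMPLE_DNS_LOG = """\
2024-09-01T17:10:03Z 10.0.2.16 api.anmon.name
2024-09-01T17:10:04Z 10.0.2.16 notanmon.name
2024-09-01T17:10:05Z 10.0.2.16 PROG-MONEY.COM.
2024-09-01T17:10:06Z 10.0.2.17 play.googleapis.com
2024-09-01T17:10:07Z 10.0.2.16 cdn.andmon.name
"""


def normalize(name: str) -> str:
    """Lower-case the name and drop the trailing root dot some resolvers log."""
    return name.strip().rstrip(".").lower()


def matches_indicator(query: str, indicators=STALKERWARE_DOMAINS) -> Optional[str]:
    """Return the indicator that covers `query` (exact match or parent domain), else None.

    The suffix test is anchored on a label boundary ("." + indicator), so
    'notanmon.name' is not reported as a hit for 'anmon.name'.
    """
    q = normalize(query)
    for ind in indicators:
        if q == ind or q.endswith("." + ind):
            return ind
    return None


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, queried_name, indicator) for every line that hits an indicator."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed or blank line; skip rather than crash a hunt
        client, query = parts[1], parts[2]
        ind = matches_indicator(query)
        if ind is not None:
            hits.append((client, normalize(query), ind))
    return hits


if __name__ == "__main__":
    for client, name, ind in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(f"{client} queried {name} (matches indicator {ind})")
```

Feed it real resolver output by replacing SAMPLE_DNS_LOG with the log file's lines; the client column identifies the device to triage. A hit on any of these domains from a phone is a strong signal on its own, since none of them has a legitimate reason to appear in ordinary traffic.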
Processes
-
fka.ugsonrqogw (PID 4941)
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution: Broadcast Receivers (1)
- Foreground Persistence (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts: Suppress Application Icon (1)
Downloads
-
Filesize: 124KB
MD5: 9cf7e03179a00e0097bb8292c310a7f8
SHA1: 8046f1a0d32003f672b2da8ba6c7eb8f54ffcd17
SHA256: b428664066ed6496119d7ef35afee74fe8f5eb834939f9cacbf55804aa592438
SHA512: 1d046cd7d5a96b0b4f0c5d218f97ebc850ea4a3385658ea4a9d36dc05363659d1dc53660f94d4d7d87794cfd60b94593f304e9011421d35f3f17296d28c28cb6
-
Filesize: 512B
MD5: f3cd08c866cda53ed80ef37c3b3e15f8
SHA1: 4d2753be418a131af7d4491f551c72f63e5fb8a0
SHA256: 98b49b895091c6e14b8f81d5e33873e12ee7c9b862998352bccae6681363da0c
SHA512: b6aae52c9242ccc4c6ef4736f7110537802ce27cff1489c26559214f6d48ab0140749d2e335978e67f8242959b3fe656648dcfaec4edad738fc931cdce546df2
-
Filesize: 8KB
MD5: d5d27f5e757fc66ccec3decc7b0c1ff7
SHA1: 0fdc1e682a411aa934b358a0f08a892f25c4d864
SHA256: a8fc274f850f578c2704453fb3562e53e3f9d65c00cc9e8e8de14f85b6635ffd
SHA512: d70faf2a6c1f4703a7c3236e623fc9572745f3989715b9248c3359eec60794673d56710ab71056a0fdb91954925025e6c862f41059f4088392e4c13399544dff
-
Filesize: 4KB
MD5: aa01ac4eaf290f4e80dc9b04e03ec118
SHA1: c202e14f7910d86eee7fbd722c921e97cb373121
SHA256: a9bd82b7922ce5d3778025315e2cf8a4c3ce63b2b7f91a033416e44401141bfa
SHA512: ead2ec7bc50df48dd91c3fe7756c146b0ebd59e78ffa38ae75dfbaa97810df062d6c8daff6b92aa2c885fb1c03d5207fdec1f0537fa1916d92e0654912c31047
-
Filesize: 8KB
MD5: 2f6331c6ad4b4c56bc8eca986d66a8e5
SHA1: 303eb36ca273a65c59aa0f09c08fe42e91dfeffe
SHA256: 4102f2fce60c4da9bfc83a7fed5236de72509f4a5004e85f155e3727ff366191
SHA512: 9f6f142158519c9b978568f0406a4ac76231df8e7049eb62a21225a186078e6036e98ce013944a23323a05cee78c0e3ce000b45e2d0216f86f8da13135f2b2e0
-
Filesize: 12KB
MD5: 89e8c8a4733284fa914b9b72aad323d8
SHA1: 4664cb8e20857bda7ac4a4263212fc0d37dd16f4
SHA256: 4e023559f895220e22021108ebb89b51198d2d065cebb2b42d3fc80834c8c981
SHA512: f3035c04fc06e1e020e3e9c741deaf4c0027d295fa78a2ddf488e7ab8679791071db66e4836b98a00bd3face9bfd69c54aa61d4655daf8d408797f134f019f26
-
Filesize: 20KB
MD5: ea2559c81002e38bf1b1138ce0a639f0
SHA1: 372160f9a304af89f7c695951cfa8e830b0c744b
SHA256: 0d38f8cd2b6c8d59d9d3621af6b234a210f031d1c30b5eff8ba78ff67ebe9a13
SHA512: e44b478fe99c4c7794bfd884885750b12acb327cc79aa01dc3628c6eef85469855d845c6e2e7c5f09766f8f613e6fd554e0b7ee2b89571a6fe9d95f79d74fd0a
-
/data/user/0/fka.ugsonrqogw/[email protected]
Filesize: 1.2MB
MD5: 336921950a9f279733cd787f1203d73d
SHA1: cefc36a7c17909054cf2a507b34f545af96c0e36
SHA256: c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c
SHA512: 6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87
-
/data/user/0/fka.ugsonrqogw/[email protected]
Filesize: 2.6MB
MD5: 850905bb253b202528d72a6724d68904
SHA1: ab3ad068ac55cff5a8b4f80f4cab5507968d0ce8
SHA256: abdd3b7a2034ffeba98a4b5192ee6878e5d05e822f8ded07c7cb413e13c944bc
SHA512: a15fb152539326a73ee427fc74760c0e4999708a40b81b5b464a6bba8dc841efbeff2a573418e0754e8d14bd750da7e335f680067a6abc4f7807b6f8a59007a2
-
Filesize: 2.6MB
MD5: 470586b3a055aed7c22156273f38f69f
SHA1: 39866ece4bc4bcdf2613bd67851ee7ba22df85ab
SHA256: 65daf0c170cda7fde64c441438cf9875248bd33af61af060d943b48bfb405f8d
SHA512: 95ab906e2be05248360a5d2a3a4edd61a128e1d71dedc35245384799ae68b686d37ba9063bb2e86a891d96acfec47c897bfca290ee6251afcb07f140aca9c540
-
Filesize: 1.2MB
MD5: 51112e0a7f7962a8e02bc885025414ef
SHA1: 40622959af4fe349d8881c885b9b30441de8804c
SHA256: 2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0
SHA512: f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402
-
Filesize: 173B
MD5: fe5d3af97545d5a79b4e0dc4d9971454
SHA1: e7a15c72f8f166edd9df0780edc4a4ce9afe07d2
SHA256: ce20ec4538d5d0e6da5d54ffb8f8d150faca610119daa7516eb05eb40f21659d
SHA512: 85f8c78a3e4a3d8fa94e5a3d64c82140676ebc86b63056b7b72845ae58b0f7514942099dca976d16c52fb473a0ef895437e0281842051806337b3473607e29b4
-
Filesize: 152B
MD5: f83fd2140185dcdbd1e717290f0c2c01
SHA1: e812fdb36df6de53ef8f4a68f0e7a9c9b5d83186
SHA256: 9aa271c94d0e29473235ac2326f2fe5b3dc21f190456e80b7d6cf9c422112ddf
SHA512: 56436689b4b06466afde9e6b7a23b02a18b92a75f865288ece2616c56edbd0970200e71fca615fff0cbb49de9a1e5ab198bb7cfdf3a7543ce365776fb8d48769
-
Filesize: 4KB
MD5: 59228b810bc53c3dacef7b8bd96831d7
SHA1: ab1ba0688defc06e5ceaa1a719187edebc5477e4
SHA256: ddd41fe060642f6f1e08bec0395e48ad14a422e2f2ee6d1b2f862bf4e4f1682a
SHA512: c451880c409b2a8b88b27f4f4d8a29a3bc1031af2348da4ba51155ecd5a2be7391803ff7f094c0fa60218d0db9966a9156f0c7f8aa4103f358de5710652d0539
-
Filesize: 64B
MD5: 0c33377643095442ead4e1fda3767e2b
SHA1: 6236d0b51e55f8435d3c86560939c47c6c83cbe1
SHA256: df44fb3e48a958d8615ad3a7d8a920da7392668c300e95496e3425a94b4e69e8
SHA512: f030cbc75a5f9e7b160f1d34eb20c3a533f9728542da569e877da57f1e116d6311c401286304ae1dc0f6cca8c945698b565140b66a9cfa42003a600650c9c16b
-
Filesize: 72B
MD5: afd352c36edfad92a05618c8632e0a95
SHA1: f2dedf136e6cbe6b36e9423101c15e6ba4a5ac68
SHA256: f2fd0dc90e170bf1e214fcd6d4577823242d7c1fc0c6532fe5b3b8b50e9ca0b4
SHA512: c9fbf4a5b1bbf306c59cbf6086bb5208cccb5fcb63e75cc03aca93a7dbb8c5dbb3a3711f35b65d83541a4346e636797488a36605ee479f01e3573cb33d02adec
-
Filesize: 160B
MD5: 8996976477e9e730bb0ba618d2a902e6
SHA1: 61f73c57786a99164d394e0b4e314e48e893f4c2
SHA256: bb85129211f49ee0d5310e9dfc6ba17b943a84b4b7d9175619efedad0eb3c644
SHA512: 42287c42bc3726d54719c5365a5e2cce71c0c059143ce576cfd7d4a359245e8c72ea6eec9ee45d19b85505732c25c327c65e733b4b46864a7450d4c336fa9ace
-
Filesize: 131B
MD5: a80ef52b84da6fcec4e989ba6e06fdc9
SHA1: 7713c3953ab4486adf0b8898316cba119b106231
SHA256: 4ad94fd01a3a67dcf3fb3e0b7a312b10461a41a23eaf85dd7a0db5e89fdd7dfd
SHA512: ebd3fa3b48d6c756b6f8f12e50d7edfdc67c1a3be5fc7066d64c36c710177741082890871f02b2ea370aeee6bd1e1f0771fd28d77857d6100c8e1cb2276be58e
-
Filesize: 67B
MD5: d8ad6773b632b7d8066ed57c6c482c6b
SHA1: c07e66a0e8e58e190392896d7b178b7079741967
SHA256: 50eb09209f1670f34baec877f8bc19fd1ce7419e10da063b46fa4025558dc4ae
SHA512: 4bba534c373aa27100f1c5eec84c0a9d77c0dc447dd33de3757c4d656a7c8bb7d602fb214102005e355fb9a22687dff6e141063d086ec4275a9b01c8c8c90fa2