Analysis
max time kernel: 12s
max time network: 155s
platform: android_x64
resource: android-x64-20240624-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
submitted: 02-09-2024 01:09
Behavioral task: behavioral1
Sample: 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c.apk
Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
Sample: 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c.apk
Resource: android-x64-20240624-en
General
Target: 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c.apk
Size: 20.5MB
MD5: f95cf2c20d492d6647885e8428d808cc
SHA1: 3ac3b2f7b6ef2adf78e3a35463d38c94bc0615fa
SHA256: 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c
SHA512: 3d5033bfa909468d92aad54eb5a308ffea9684471cc15810974a43e5c39e81558173774599b79d1d37fd7478516f8ba922d76035694764adb0f0a053636917c5
SSDEEP: 393216:Hq0sJA35z7A79L+BCZ1mbgafiubcYZzb/T9i/zVN2I+TX5RUKpPbNiRSKcsIJ6:HqbJA35z7c5JPmbBffcSzti/zVN2IkpQ
Malware Config
Signatures
AndrMonitor
AndrMonitor is an Android stalkerware.

Checks if the Android device is rooted. (1 TTPs, 2 IoCs)
ioc: /system/app/Superuser.apk    Process: fka.ugsonrqogw
ioc: /sbin/su    Process: fka.ugsonrqogw

pid: 4968    Process: fka.ugsonrqogw

Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
ioc: /data/user/0/fka.ugsonrqogw/[email protected]    pid: 4968    Process: fka.ugsonrqogw
ioc: /data/user/0/fka.ugsonrqogw/[email protected]    pid: 4968    Process: fka.ugsonrqogw

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (13 IoCs)
flow    ioc
34      anmon.name
42      andmon.name
46      anmon.name
47      anmon.name
104     anmon.name
118     andmon.name
33      prog-money.com
35      anmon.name
101     prog-money.com
32      prog-money.com
126     anmon.name
99      prog-money.com
103     anmon.name

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
description: Framework service call    ioc: android.app.IActivityManager.setServiceForeground    Process: fka.ugsonrqogw

Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description: Framework service call    ioc: android.net.wifi.IWifiManager.getConnectionInfo    Process: fka.ugsonrqogw

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)

Reads information about phone network operator. (1 TTPs)

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
description: Framework service call    ioc: android.app.IActivityManager.registerReceiver    Process: fka.ugsonrqogw
Processes
fka.ugsonrqogw
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID: 4968
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
  - Suppress Application Icon (1)
Downloads
/data/user/0/fka.ugsonrqogw/[email protected]
Filesize: 1.2MB

/data/user/0/fka.ugsonrqogw/[email protected]
Filesize: 2.6MB