Analysis
-
max time kernel
54s -
max time network
153s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system -
submitted
03-09-2024 02:00
Behavioral task
behavioral1
Sample
7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c.apk
Resource
android-x64-20240624-en
General
-
Target
7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c.apk
-
Size
20.5MB
-
MD5
f95cf2c20d492d6647885e8428d808cc
-
SHA1
3ac3b2f7b6ef2adf78e3a35463d38c94bc0615fa
-
SHA256
7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c
-
SHA512
3d5033bfa909468d92aad54eb5a308ffea9684471cc15810974a43e5c39e81558173774599b79d1d37fd7478516f8ba922d76035694764adb0f0a053636917c5
-
SSDEEP
393216:Hq0sJA35z7A79L+BCZ1mbgafiubcYZzb/T9i/zVN2I+TX5RUKpPbNiRSKcsIJ6:HqbJA35z7c5JPmbBffcSzti/zVN2IkpQ
Malware Config
Signatures
-
AndrMonitor
AndrMonitor is an Android stalkerware family.
-
Checks if the Android device is rooted. 1 TTPs 2 IoCs
ioc                        Process
/system/app/Superuser.apk  fka.ugsonrqogw
/sbin/su                   fka.ugsonrqogw
pid   Process
4931  fka.ugsonrqogw
4931  fka.ugsonrqogw
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc                                                pid   Process
/data/user/0/fka.ugsonrqogw/[email protected]  4931  fka.ugsonrqogw
/data/user/0/fka.ugsonrqogw/[email protected]  4931  fka.ugsonrqogw
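The two paths above are the files behind the "Loads dropped Dex/Jar" signature. The Python below is an added triage helper, not part of this report or of the sandbox's own code: given the bytes of a file recovered from the app's data directory, it tells a raw DEX from a JAR/zip carrying classes.dex and, for DEX, recomputes the header's adler32 checksum and SHA-1 signature so a truncated or patched dump is not mistaken for something the runtime would actually load. The header layout used (8-byte magic, checksum at offset 8 covering offset 12 onward, 20-byte signature at offset 12 covering offset 32 onward, then file_size, header_size and endian_tag) is the documented DEX format; the sample inputs are constructed inside the block.

```python
"""Triage a file a sample dropped on the device (added example, not the
sandbox's own code). Tells raw DEX from a JAR/zip carrying classes.dex and,
for DEX, verifies the header's adler32 checksum and SHA-1 signature so a
truncated or patched dump is not mistaken for something ART would load."""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70            # fixed header length for all DEX versions
DEX_ENDIAN_CONSTANT = 0x12345678  # endian_tag value for little-endian files


def parse_dex_header(data: bytes) -> dict:
    """Parse the fixed DEX header and recompute its integrity fields."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("shorter than a DEX header")
    magic = data[:8]                          # b"dex\n" + 3-digit version + NUL
    if not (magic.startswith(b"dex\n") and magic.endswith(b"\0")):
        raise ValueError("bad DEX magic")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    # checksum covers everything after itself; signature covers everything after itself
    calc_checksum = zlib.adler32(data[12:]) & 0xFFFFFFFF
    calc_signature = hashlib.sha1(data[32:]).digest()
    return {
        "version": magic[4:7].decode("ascii"),
        "file_size": file_size,
        "size_matches": file_size == len(data),
        "header_size": header_size,
        "endian_ok": endian_tag == DEX_ENDIAN_CONSTANT,
        "checksum_ok": checksum == calc_checksum,
        "signature_ok": signature == calc_signature,
    }


def classify_dropped_file(data: bytes) -> dict:
    """Label bytes as 'dex', 'jar' (zip with classes*.dex), 'zip' or 'other'."""
    if data.startswith(b"dex\n"):
        try:
            info = parse_dex_header(data)
        except ValueError as exc:
            return {"kind": "dex", "loadable": False, "error": str(exc)}
        info["kind"] = "dex"
        info["loadable"] = (info["size_matches"] and info["endian_ok"]
                            and info["checksum_ok"] and info["signature_ok"])
        return info
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return {"kind": "zip", "loadable": False, "error": "corrupt zip"}
        dex_entries = sorted(n for n in names
                             if n.startswith("classes") and n.endswith(".dex"))
        return {"kind": "jar" if dex_entries else "zip",
                "dex_entries": dex_entries, "loadable": bool(dex_entries)}
    return {"kind": "other", "loadable": False}


def build_minimal_dex(payload: bytes = b"") -> bytes:
    """Constructed test input: a header-only DEX with valid checksum and signature."""
    body = bytearray(DEX_HEADER_SIZE) + payload
    struct.pack_into("<III", body, 32, len(body), DEX_HEADER_SIZE, DEX_ENDIAN_CONSTANT)
    body[12:32] = hashlib.sha1(bytes(body[32:])).digest()
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    body[:8] = b"dex\n035\0"
    return bytes(body)


def build_jar_with_dex(dex: bytes) -> bytes:
    """Constructed test input: a zip carrying classes.dex, as a dropped JAR would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", dex)
    return buf.getvalue()
```

Run classify_dropped_file() over each recovered file; a DEX whose checksum or signature does not verify is usually a partial dump or a file the sample rewrites in place, and is worth re-acquiring before static analysis.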
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
description             ioc                                           Process
Framework service call  android.accounts.IAccountManager.getAccounts  fka.ugsonrqogw
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description             ioc                                      Process
Framework service call  android.os.IPowerManager.acquireWakeLock  fka.ugsonrqogw
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org 11 IoCs
flow  ioc
8     anmon.name
13    prog-money.com
54    anmon.name
57    anmon.name
6     prog-money.com
7     prog-money.com
9     anmon.name
14    andmon.name
53    prog-money.com
55    anmon.name
58    anmon.name
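As an added example (not the sandbox's own matching logic), the Python below runs the flow table above against a small indicator list. The list and the two extra flows (99 and 100) are constructed for the example and stand in for the echap.eu.org feed, whose real format is not reproduced here. Matching is done on DNS label boundaries, so a subdomain of an indicator matches but a look-alike such as xanmon.name does not match by substring. Hosts that miss the list but sit within one edit of an indicator, such as andmon.name next to anmon.name, are reported separately for analyst review rather than auto-flagged.

```python
"""Match sandbox network flows against a stalkerware domain list (added example,
not the report's own logic). Matching is on DNS label boundaries: a host matches
when it equals an indicator or is a subdomain of one. Look-alikes within one
edit of an indicator are surfaced separately for review, never auto-matched."""

# Constructed indicator list standing in for the echap.eu.org feed (assumption).
STALKERWARE_DOMAINS = {
    "anmon.name": "AndrMonitor",
    "prog-money.com": "AndrMonitor",
}

# Flow table from the report (flow id, hostname) plus two constructed rows.
FLOWS = [
    (8, "anmon.name"), (13, "prog-money.com"), (54, "anmon.name"),
    (57, "anmon.name"), (6, "prog-money.com"), (7, "prog-money.com"),
    (9, "anmon.name"), (14, "andmon.name"), (53, "prog-money.com"),
    (55, "anmon.name"), (58, "anmon.name"),
    (99, "API.anmon.name."),   # constructed: subdomain, mixed case, trailing dot
    (100, "xanmon.name"),      # constructed: must not match by substring
]


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and any :port so comparisons are stable."""
    host = host.strip().lower().rstrip(".")
    if host.count(":") == 1:          # host:port (not an IPv6 literal)
        host = host.split(":", 1)[0]
    return host


def match_indicator(host: str, indicators: dict):
    """Return (indicator, family) if host is an indicator or a subdomain of one."""
    labels = normalize_host(host).split(".")
    # Walk from the full host up to its parent domains; never test the bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate, indicators[candidate]
    return None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used only to surface look-alike hosts for review."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_flows(flows, indicators: dict) -> dict:
    """Split flows into indicator hits and unmatched hosts (deduplicated, sorted)."""
    hits, unmatched = [], set()
    for flow_id, host in flows:
        m = match_indicator(host, indicators)
        if m:
            hits.append((flow_id, normalize_host(host), m[0], m[1]))
        else:
            unmatched.add(normalize_host(host))
    return {"hits": hits, "unmatched": sorted(unmatched)}


def near_misses(hosts, indicators: dict, max_distance: int = 1):
    """Unmatched hosts within max_distance edits of an indicator, for analyst review."""
    out = []
    for host in hosts:
        for ind in indicators:
            d = edit_distance(host, ind)
            if 0 < d <= max_distance:
                out.append((host, ind, d))
    return out


if __name__ == "__main__":
    result = triage_flows(FLOWS, STALKERWARE_DOMAINS)
    for flow_id, host, ind, family in result["hits"]:
        print(f"flow {flow_id:>3} {host:<20} -> {ind} ({family})")
    for host, ind, d in near_misses(result["unmatched"], STALKERWARE_DOMAINS):
        print(f"review: {host} is {d} edit from indicator {ind}")
```

The label-boundary walk is the part worth keeping: a plain substring test would tag xanmon.name as a hit and would also fire on any host that merely contains "name". Flow 14 to andmon.name falls out of the constructed list on purpose; in the report it is counted among the 11 IoCs, so a production list must carry each such domain explicitly rather than rely on fuzzy matching.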
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description             ioc                                                Process
Framework service call  android.app.IActivityManager.setServiceForeground  fka.ugsonrqogw
Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
description             ioc                                             Process
Framework service call  android.net.wifi.IWifiManager.getConnectionInfo  fka.ugsonrqogw
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests cell location 1 TTPs 1 IoCs
Uses Android APIs to get current cell information.
description             ioc                                                       Process
Framework service call  com.android.internal.telephony.ITelephony.getAllCellInfo  fka.ugsonrqogw
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
description             ioc                                           Process
Framework service call  android.app.IActivityManager.registerReceiver  fka.ugsonrqogw
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description             ioc                                    Process
Framework service call  android.app.job.IJobScheduler.schedule  fka.ugsonrqogw
Processes
-
fka.ugsonrqogw
- Checks if the Android device is rooted.
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about the current Wi-Fi connection
- Requests cell location
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
PID:4931
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution 1
Broadcast Receivers 1
Foreground Persistence 1
Scheduled Task/Job 1
Defense Evasion
Download New Code at Runtime 1
Foreground Persistence 1
Hide Artifacts 1
Suppress Application Icon 1
Downloads
-
Filesize
124KB
MD5
9cf7e03179a00e0097bb8292c310a7f8
SHA1
8046f1a0d32003f672b2da8ba6c7eb8f54ffcd17
SHA256
b428664066ed6496119d7ef35afee74fe8f5eb834939f9cacbf55804aa592438
SHA512
1d046cd7d5a96b0b4f0c5d218f97ebc850ea4a3385658ea4a9d36dc05363659d1dc53660f94d4d7d87794cfd60b94593f304e9011421d35f3f17296d28c28cb6
-
Filesize
96KB
MD5
17f63c37caada1ab28321d8fd87c9192
SHA1
b8db806a61d7f1d1a8f540ef846c99f97a465504
SHA256
68fe7e9b45aa68a873f713ab0dc18f3f70e2499d251329b3bf61283f3e8177cf
SHA512
f1dd36b811190c9e55aa511e93cca280981e95f4561081ea20757867335ff7f6dc14f1bf60f8708afbff7fc9143d0730bcf32b844dbaeea1bbde2ddef7c4126f
-
Filesize
96KB
MD5
c1c28a7c1f9903d6eb1e48ec8062c491
SHA1
b08cf0c7ebed81bc2bafa76c9fb12594d17c76b0
SHA256
cdd0ec55286574e25e7e0e4eaae7cdc9fd39b61a1af74491e043f32451db27c3
SHA512
9314fc1bece08f62ae1b97055f588c30a9e7773458c83a6037d1859716d5594374fcf30ba14dbb6d11da36c3023f84f3050bd8456a41c42eebcba46a58e05a70
-
Filesize
96KB
MD5
c7df8b12ae08918473391ec9963a82ac
SHA1
a8d88701230102bd0657d582d2f83faade3c6462
SHA256
b1a5909a9e9b827d8c2440425b4a0d181db704ee5346e3475a9592da93cfdcd4
SHA512
05163ee4880420c26b29e7f161fb21dbd91ce17fb101319199a53c41d646afa4c7be3129e5b2220428f9b0468c10230ff95c3c24fa6a7678e690ec3a07b8af6c
-
Filesize
96KB
MD5
5a89e59c8c08d5ff41762245e1180eb4
SHA1
830ae9909dcc89ccdfaab70e96e18304e0a1cc1a
SHA256
ee63158511acbcd24db231f0c7f0365be8d6edcd3d70455c63bf02c157ade363
SHA512
90609f1418af247c2db74dc6cee18b2c8fb11e7fa0e9d2d3542abcbcd632a9ed8a82fd288675fae782a182c71d1563379a5b79dc373740965d4e76f5fbf3452a
-
Filesize
160KB
MD5
8cdcd14c72e86eb88f975c085ff24d79
SHA1
4be623c06ec4b8d4450fdd2a0c930aa048053cf5
SHA256
598bb73fa0f335dc4b34133d3d7cfe680b20ebff2534bf6e3aebbc0bd746a33c
SHA512
c9f237f72fe3b74934b275f852b1fd289585310023cc3be56b6f5685990c0c0e62ecb60ac250e9383bb3f8ad9724bf095b59846cecf78dba2c5afe53686ba5ef
-
Filesize
512B
MD5
d6c6a8806fd78a952f52aadd583421ff
SHA1
6eb5a371715b7503a7227d704d775256ed672f46
SHA256
4e5fe487e25b44a734bd29812d9bb0783d5d44c367fdab03b1672b692273556e
SHA512
a8389ad59897df6b9d8995444ada8cc4eec644ac2606d10d5300391a19df98e21879b16d4741056303ac0e11c6d7c798ed9c3cc72754ace4039b63e00f7fee50
-
Filesize
8KB
MD5
c129bec333ffbda50fe30b4d4bea3577
SHA1
405f84908f26eae7c3399972ddffde2b06abe7cb
SHA256
627cbe45c3fb1727294d87f0de7a950eae62d0892262c2b0fcc79c0499cfd8f8
SHA512
adf1d63ec1a23e61f1d218b18f3ba522674b45d4d7b1599d40ae2eca7e2119163ee4694a131f0cb738ffaea65e9c342ecdb385ddbf6e20d02800de8c04fdde0b
-
Filesize
4KB
MD5
f7b02dae6a01d73f65c6910c7cdea9e3
SHA1
3165c963d0fd4c752a04a8d1d5dd73adf1b56ac6
SHA256
0d7a6c7a1dbeb9eedf27ccb2144d3caf1ace954f6eded4cb05510b00be3d9520
SHA512
a6b9a1f82d8bcf318d00a6076469353f2cd274ec7a031647b7092bca9cbcf7b969fca29749e8e5812e453cc68be308a048df2e750597c60b4698e7d049d715b9
-
Filesize
8KB
MD5
2c18d9b616def06257aba2847764a344
SHA1
e2995c32c437d9c71552ddcf2ae20239d1cf8cd0
SHA256
2409290e54bb8f1c9d3de60403b3a33ab905943028c6c8912e5911a5a4a33d90
SHA512
fddc919676a881782ab56c57839b434a6c31b819a2c6e02f3ee530370b6630e6987a4db35f6cc241c05948ba4c50c35debd0cebf531a5d40fedbda9b5a3825c8
-
Filesize
12KB
MD5
9c1a272f8674115ee85f8f6215ecfd90
SHA1
57a38a1044d1d15f2d5d6d45db6e423d09e8459c
SHA256
9149989d28569fb91fd9342c59b90343968d333f96c4c8cf697445ff17c04ed0
SHA512
844ff6af7806a81f8e5d285c57bd60f9ef1076a4d08188ba2ec9447fd8c64928caab79b1acfdb291a55158465c46bd2f1429ae811f7bbb123ba5a1a617e34f67
-
Filesize
20KB
MD5
b83c2510db41d61840626ca3bc91e60a
SHA1
672cd5823836c2f74bf4ef2bc8f1e030e733ae8b
SHA256
6f2f66f4dddc59e1dc2349e7e3da9d0de2dd38d6b67c4f56557a5b5d396c92f2
SHA512
e85f559f4b20d641e6ca552967351428787bd07267662b4dcda58f28cae9d2cdcddb8ac4bbca9899995ba9df7963361a1f1c6561d4af3cddda621fd5199f0ec7
-
/data/user/0/fka.ugsonrqogw/[email protected]
Filesize
1.2MB
MD5
336921950a9f279733cd787f1203d73d
SHA1
cefc36a7c17909054cf2a507b34f545af96c0e36
SHA256
c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c
SHA512
6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87
-
/data/user/0/fka.ugsonrqogw/[email protected]
Filesize
2.6MB
MD5
850905bb253b202528d72a6724d68904
SHA1
ab3ad068ac55cff5a8b4f80f4cab5507968d0ce8
SHA256
abdd3b7a2034ffeba98a4b5192ee6878e5d05e822f8ded07c7cb413e13c944bc
SHA512
a15fb152539326a73ee427fc74760c0e4999708a40b81b5b464a6bba8dc841efbeff2a573418e0754e8d14bd750da7e335f680067a6abc4f7807b6f8a59007a2
-
Filesize
2.6MB
MD5
470586b3a055aed7c22156273f38f69f
SHA1
39866ece4bc4bcdf2613bd67851ee7ba22df85ab
SHA256
65daf0c170cda7fde64c441438cf9875248bd33af61af060d943b48bfb405f8d
SHA512
95ab906e2be05248360a5d2a3a4edd61a128e1d71dedc35245384799ae68b686d37ba9063bb2e86a891d96acfec47c897bfca290ee6251afcb07f140aca9c540
-
Filesize
1.2MB
MD5
51112e0a7f7962a8e02bc885025414ef
SHA1
40622959af4fe349d8881c885b9b30441de8804c
SHA256
2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0
SHA512
f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402
-
Filesize
172B
MD5
96e00de5723f6a316c15095a6a7b730f
SHA1
3ac37ad06dd3a6f3d96592b3ef72141b318dac4c
SHA256
1263a3a2978a46664e28d379fa2400f33489e6682aa29c4aefff6dee3c4ccb5b
SHA512
896737caea1816a309e0161c17b7f2cec6996508fdf8bf603a6a42346f8fc345145113a3efba1377aec8500fc27f24da26e9442c296076dd5467a2c8180401bc
-
Filesize
151B
MD5
c2d4f2390cd0b7d948626dcca7a51d31
SHA1
8c513ffed38f35655b3a22c4d8adcebaa2526eea
SHA256
200fdfb87ea810df0880ee498be5c3d2088ab6039df966ca6996d2aabc1c84d6
SHA512
326f0179b16e48933f97a9029384975143e2a53f92a381c5f1179f8df8191329eafd3522ae2f589dc94e549b3b47f0e83b719226245a14b5f936ed4139f5fc23
-
Filesize
4KB
MD5
36a7e89d7d650f370e4af30a525994a6
SHA1
cd01b2ecb5490de2ee4506955868ae254f2d5c65
SHA256
6edfefad7113511cb59a68169376ed2e8842d2aba922450a7bf82301eac02228
SHA512
6c0968fed301cf7813d056ad8fcfb1365d6ea722f4b3e7ca2b3b6d6a1c179afd2ac456e4be595a547abbe20b0c57daf63415d574ebcbcfc088d60a720b6bd439
-
Filesize
63B
MD5
b19726128836b3897160f8f9e560a01f
SHA1
aaf4b341bb10de7cff634f33167a82bcf69fa15e
SHA256
96c926f0289cea9a324500825b244cb7fb188fb365779355d79749e138254c60
SHA512
f5a9704c23d980793fa68e4a7573b5db712caf9101230084069f96a9d3f3d5da889df207e82f6932d54c4281fc06217a308fe34e77fe17ba71d6bd00cab83c3c
-
Filesize
71B
MD5
e5f009aed5da8e204c4ec425202c4d76
SHA1
94d3baadfa21b18082d3a5381ce131be42f51ba2
SHA256
85497b7a6bd32340a60baedefe39ae33c4470331c7d7a752d932f61728d98999
SHA512
02caead8ed691d9e7042c7fc7e23b8afa9f140cad1844182575fc28d9278a7b8b1ed1e2a5942502a889baa54c88f4f643aa24c81ff55853793ad0cce2a060db8
-
Filesize
159B
MD5
4fd0cb732c7978a6ad5bbf142d727ad5
SHA1
8fad9bf728911b169aac5713b1f50c59125c0b72
SHA256
a94fbd7fe27646b8d233dda1d2bdda30a877e7efd8a99d1877d2a4bf7bf8f708
SHA512
d1747c7330f027ec42d45fd1ef4b80d25dd968c42751ab03d7c7d349a32bd8433fce3224d904b51a72136ccb88267361bede6802502e1cca22c982cb435483c9
-
Filesize
130B
MD5
366c4ea72e16b78369c90581ee219d6e
SHA1
353479ae20ef23dace7fabeb2acd07a23738b56e
SHA256
ae75ab5b6976c300a257fef3bbf4606ecbcb7ac7b2adf4bdaa969ee4cf786c39
SHA512
f324f9d7a959b591330954734b6eab3498bd8ada72b3e391569f8612797c8d8086be5efe072434588f32a7d63c63c4eb71114f86ea4b7ccf5ee76e10ca8a583e
-
Filesize
25KB
MD5
7bc809b318888306586eb94c911f4e1e
SHA1
3d429ec3ee3c124a6535264188e8df19cc3bf8de
SHA256
fe2f6bb8eabba2b716cdfb010373adbcfeaaa6a41a637a9168dced28dcb1f4c8
SHA512
9087af9ea91ebf160bf2bdb88126de870ebfefbc107ba2f6ee023fb2eb6cd8d65a93a2c701141cdea4210c893ab572767b215c3661629ca8a761c011aed3c664
-
Filesize
6KB
MD5
e9afeb11aa9e4cfce20740d51c2ee887
SHA1
479088a8f3f198f9205d56e4ed12a62a7abe5ac9
SHA256
c268b7f9c523c3666d902eeef7bd72ad020af55c584cb77ec7c92dc4a5fc1868
SHA512
efd69ee2d83e66ce7d390631ba3f783ffcfa7b7d109387275d2595bea48b894cde1a9f3a1c942564a95809f29faeae2df984e772bc4641ed7d759055d5bca1ef
-
Filesize
219B
MD5
1ece6ca0e0d2fc15e369dc946ee64a64
SHA1
36ffc2657cc0770b9976e43fef2db974972997ca
SHA256
71f1f7d0f1dcf2f0581be7b7abc5f746063befe61bd6d934c056de40a808acdb
SHA512
d8af88440050a6ea0b05b4061c3e7990c0318a4168ce7e0d71e3a2ae55d61d78545e7ddcaf8a194c343727bd15dcdfecf54c0e126ee1b74142ed376af90842b0
-
Filesize
67B
MD5
d8ad6773b632b7d8066ed57c6c482c6b
SHA1
c07e66a0e8e58e190392896d7b178b7079741967
SHA256
50eb09209f1670f34baec877f8bc19fd1ce7419e10da063b46fa4025558dc4ae
SHA512
4bba534c373aa27100f1c5eec84c0a9d77c0dc447dd33de3757c4d656a7c8bb7d602fb214102005e355fb9a22687dff6e141063d086ec4275a9b01c8c8c90fa2