Analysis
- max time kernel: 140s
- max time network: 152s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 10-09-2024 17:17
Behavioral task: behavioral1
- Sample: 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c.apk
- Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
- Sample: 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c.apk
- Resource: android-x64-arm64-20240624-en
General
- Target: 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c.apk
- Size: 20.5MB
- MD5: f95cf2c20d492d6647885e8428d808cc
- SHA1: 3ac3b2f7b6ef2adf78e3a35463d38c94bc0615fa
- SHA256: 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c
- SHA512: 3d5033bfa909468d92aad54eb5a308ffea9684471cc15810974a43e5c39e81558173774599b79d1d37fd7478516f8ba922d76035694764adb0f0a053636917c5
- SSDEEP: 393216:Hq0sJA35z7A79L+BCZ1mbgafiubcYZzb/T9i/zVN2I+TX5RUKpPbNiRSKcsIJ6:HqbJA35z7c5JPmbBffcSzti/zVN2IkpQ
Malware Config
Signatures
- AndrMonitor
  AndrMonitor is an Android stalkerware.
- Checks if the Android device is rooted. (1 TTPs, 2 IoCs)
  ioc: /system/app/Superuser.apk, process: fka.ugsonrqogw
  ioc: /sbin/su, process: fka.ugsonrqogw
  pid: 4253, process: fka.ugsonrqogw
  pid: 4253, process: fka.ugsonrqogw
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: Anonymous-DexFile@0xca9f2000-0xcac83638, pid: 4253, process: fka.ugsonrqogw
  ioc: Anonymous-DexFile@0xca886000-0xca9b14b8, pid: 4253, process: fka.ugsonrqogw
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect account information stored on the device.
  description: Framework service call, ioc: android.accounts.IAccountManager.getAccounts, process: fka.ugsonrqogw
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  description: Framework service call, ioc: android.os.IPowerManager.acquireWakeLock, process: fka.ugsonrqogw
- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (5 IoCs)
  flow 9, ioc: anmon.name
  flow 10, ioc: anmon.name
  flow 11, ioc: anmon.name
  flow 17, ioc: andmon.name
  flow 4, ioc: prog-money.com
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call, ioc: android.app.IActivityManager.setServiceForeground, process: fka.ugsonrqogw
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description: Framework service call, ioc: android.net.wifi.IWifiManager.getConnectionInfo, process: fka.ugsonrqogw
- Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)
- Reads information about phone network operator. (1 TTPs)
- Requests cell location (1 TTPs, 1 IoCs)
  Uses Android APIs to get current cell information.
  description: Framework service call, ioc: com.android.internal.telephony.ITelephony.getAllCellInfo, process: fka.ugsonrqogw
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description: Framework service call, ioc: android.app.IActivityManager.registerReceiver, process: fka.ugsonrqogw
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description: Framework service call, ioc: android.app.job.IJobScheduler.schedule, process: fka.ugsonrqogw
Processes
- fka.ugsonrqogw (PID: 4253)
  - Checks if the Android device is rooted.
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Queries account information for other applications stored on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about the current Wi-Fi connection
  - Requests cell location
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - child process: su (PID: 4297)
Network
MITRE ATT&CK Mobile v15
- Persistence
  - Event Triggered Execution (1): Broadcast Receivers (1)
  - Foreground Persistence (1)
  - Scheduled Task/Job (1)
- Defense Evasion
  - Download New Code at Runtime (1)
  - Foreground Persistence (1)
  - Hide Artifacts (1): Suppress Application Icon (1)
Downloads