Analysis

  • max time kernel: 140s
  • max time network: 152s
  • platform: android_x86
  • resource: android-x86-arm-20240624-en
  • resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted: 10-09-2024 17:17

General

  • Target: 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c.apk
  • Size: 20.5MB
  • MD5: f95cf2c20d492d6647885e8428d808cc
  • SHA1: 3ac3b2f7b6ef2adf78e3a35463d38c94bc0615fa
  • SHA256: 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c
  • SHA512: 3d5033bfa909468d92aad54eb5a308ffea9684471cc15810974a43e5c39e81558173774599b79d1d37fd7478516f8ba922d76035694764adb0f0a053636917c5
  • SSDEEP: 393216:Hq0sJA35z7A79L+BCZ1mbgafiubcYZzb/T9i/zVN2I+TX5RUKpPbNiRSKcsIJ6:HqbJA35z7c5JPmbBffcSzti/zVN2IkpQ

Malware Config

Signatures

  • AndrMonitor
    AndrMonitor is an Android stalkerware.
  • Checks if the Android device is rooted (1 TTPs, 2 IoCs)
  • Removes its main activity from the application launcher (1 TTPs, 2 IoCs)
  • Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
    Runs an executable file dropped to the device during analysis.
  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
  • Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
    Application may abuse the framework's APIs to collect account information stored on the device.
  • Queries the phone number (MSISDN for GSM devices) (1 TTPs)
  • Acquires the wake lock (1 IoCs)
  • Domain associated with commercial stalkerware software; includes indicators from echap.eu.org (5 IoCs)
  • Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
    Application may abuse the framework's foreground service to continue running in the foreground.
  • Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  • Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)
  • Reads information about the phone network operator (1 TTPs)
  • Requests cell location (1 TTPs, 1 IoCs)
    Uses Android APIs to get current cell information.
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  • Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • fka.ugsonrqogw (PID 4253)
    • Checks if the Android device is rooted
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Queries account information for other applications stored on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about the current Wi-Fi connection
    • Requests cell location
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • su (PID 4297, child of fka.ugsonrqogw)

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/fka.ugsonrqogw/databases/SettingsDB
    Filesize 124KB
    MD5      4c0ccabb25100a908b9db06434a6af8b
    SHA1     555d9ecfa42e17aec483e1c05be0fc1362db9e66
    SHA256   79aee6f8af24ae6adc8537de3a061bde3778d3d9634265b85b3e8727d4116304
    SHA512   b9a4a1227fa927f0ef987a720c5bf16af71f3fba8c1a40d5387ad0d4ba193a1b7b23634b0850af7c25b55c8b2e984e7c84ab8fb3e55c83b3bc2ff859f4dcc5bb

  • /data/data/fka.ugsonrqogw/databases/SettingsDB
    Filesize 96KB
    MD5      105f30c1c4f9399693836a48753ef637
    SHA1     1b8fc507df5400acbb6e6051a3d9618b8a4d1a90
    SHA256   fa81de7c427cf0c863ce3880306d8e0c950807b6c37ba1af7ec23e3a46ebf6e5
    SHA512   25d25a0df61f08c32d24a3350c51be5fd6196044b044619b48831e023ab9cdc255d8be97434ad8deb4a87c550a40e50154604dd3e60239c42c593844c3ff67a4

  • /data/data/fka.ugsonrqogw/databases/SettingsDB
    Filesize 96KB
    MD5      7d360a09e41846830b7706894ef4066a
    SHA1     7b5d32967fa5ffb5d751f0805cf0f357ac5e2a40
    SHA256   ff52306d15cf66485374a584239b8dd997b8bf13bdd0d614d9ae9f785a339547
    SHA512   40d99227143452154dc8fcf956745ba78bc9c0e019d9f005ac6f5d57bbfea7d188e94a1951fdbf33ecabeb12b4246925d4ec0818bc091c251efc5e4dcc11a0dd

  • /data/data/fka.ugsonrqogw/databases/SettingsDB
    Filesize 52KB
    MD5      b6815b344f6926d458cea05acd052cdd
    SHA1     88f524aff1d4c5fee979a203dd952427871a7097
    SHA256   028666f28ae0086b18fb740f792e8a80ad05547f0c7cb9d2dc8080e5125db366
    SHA512   0431375f80e9c467d0abb042e43681a973bce455fe8354f5a138f19a3b28d3adc7eac3fe4c20bf44f085810749569b87a393185cd8f8bf2687f0923b8de4dade

  • /data/data/fka.ugsonrqogw/databases/SettingsDB
    Filesize 96KB
    MD5      7531fb538c530ed2219e4bbd70969808
    SHA1     1de0f0573d53efa24ff0d38fa3c6111fd1a01b40
    SHA256   0ec61fb90d71602494c62ea4f12e1f9504f46cf0474daef43f93bb46be32e4f8
    SHA512   083c171adaa41182aea49f5d6fd56a3294c44c570da9fc1a52f6c867ef715ac2fd47ee38b7b88ef883d81300e138096955b8a8bd2d1cae0beb015642d8ecb063

  • /data/data/fka.ugsonrqogw/databases/SettingsDB
    Filesize 144KB
    MD5      073ca3e14215372c460b0dea17b751ae
    SHA1     e5d0f828cc23825f8bee21a92f85aa2468a066a1
    SHA256   fae96199d43db001fecade8872fbb6ca6ee4f337a41eba1be72a24a22bbcec7c
    SHA512   6204023ec6acf5ccac246b0f0b97f540820a167330c9ab390bd9db99ecf9d7826ac5801fad08ee9931aaf6cae27a2e27e37df4c6b06ecfe54096ae2020b8d06c

  • /data/data/fka.ugsonrqogw/databases/SettingsDB-journal
    Filesize 512B
    MD5      ec835237aed3f38284ad715d9f5e4453
    SHA1     950194ab55a0d9b1ed37fa68b2db270d6a5526e1
    SHA256   3328da64ef8093198735956948116f485fa2e72af91a57cbb1c0f85f52ff10b3
    SHA512   3cf3dba0c65655a5cb713cfad753ba5a635c24958d457c338b429e98fda318b51bfc5ee12097d65fd7011a51cce5604478e21299560dda252851bc3848575b65

  • /data/data/fka.ugsonrqogw/databases/SettingsDB-shm
    Filesize 32KB
    MD5      bb7df04e1b0a2570657527a7e108ae23
    SHA1     5188431849b4613152fd7bdba6a3ff0a4fd6424b
    SHA256   c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
    SHA512   768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/fka.ugsonrqogw/databases/SettingsDB-wal
    Filesize 414KB
    MD5      2e2a5e911d7487e7283dc4f33b77c036
    SHA1     760e3168aec927317e7e428aa84e64ed7f2cf920
    SHA256   c55c3d2a2db9bad17d8ba3b0100b2db13c60b40e2ca71a4af239bafa08623204
    SHA512   d012b520a6832a329e01a8b94d03d5d8781862b2eb9be123e5c8df3aa6d8963e972b9019f413b0f1e5b37d02d99a547063350a881ac838621aac3e636e192df5

  • /data/data/fka.ugsonrqogw/databases/SettingsDB-wal
    Filesize 8KB
    MD5      b5b067507e65a9db3f4feecae03bd260
    SHA1     4e7271fdf7cd0183ffde205dadbde536ac40aff8
    SHA256   c1ff695eab6ed6d29e45d443c9166bb0f4d33eb670685d659069de1744e0054c
    SHA512   2bb65216013c1167fa1f08e2b0f03d98872abb82f98b2c844ff990c3842f7e566aa2dfbbac85c9bb532369beefe48940e8f5fcfb1419450c2d13487fa528c55d

  • /data/data/fka.ugsonrqogw/databases/SettingsDB-wal
    Filesize 8KB
    MD5      7965801d937e0e230ea39f5180c70baa
    SHA1     7e17144746032ced5ac38093156664655797b7c8
    SHA256   fcba8c772f1e845e215d06530e8b657d00657ea442f74dd92a5958f5789b4338
    SHA512   927c2cf75dccbe6b3b772c94f86a6d27524b2007ff291d28e67ea269279443869e741284b492302f8ec8a31d863422eaf8c0c4220c8d604d7b929037f2a36393

  • /data/data/fka.ugsonrqogw/databases/SettingsDB-wal
    Filesize 4KB
    MD5      95651fa10dfdb470b92e0b4563fa0c38
    SHA1     7ae07c7a6a5943d55edc908a13cb5e7d695f987c
    SHA256   f89aa9cfbce3638a8d47cfe477f8d8a031b3468b707934d89f8ebbb57c195cc8
    SHA512   5423034c2a183f9dd6861586d6a69f0fc05b4585eab0f274e4c8cb00eb734b25b21508e8e414d8dc6d444b09f39a786bf22378e7654fed8ec1b74c14bbec9be7

  • /data/data/fka.ugsonrqogw/databases/SettingsDB-wal
    Filesize 8KB
    MD5      1549efc3a776cb9aa029ed523b5c1e65
    SHA1     113d5d398d74251b688c323a196f738842e72b01
    SHA256   bbf0df466c259782fc94dd4a559cb13bf04c18b65796212711be4de426a2babc
    SHA512   24cd80653204fe119f1f5f1b4f9a57f8a55fc0dfff48c71005bea435ff6599efd939348e0e5e4e99d6b5ee95e1086e671ebf78639dcd443fce6d192ff2e658c7

  • /data/data/fka.ugsonrqogw/databases/SettingsDB-wal
    Filesize 418KB
    MD5      47234e0e64685083770a73014d0fab0d
    SHA1     fed5a98e2640a99be8d75fec63d4fa2e7fe12003
    SHA256   f5437b5519d776afecc5656e2258f65639d390f72467cf8e3b7200243330610f
    SHA512   e0b12abac06abbfc18fde8b9784d5f7fe7d019159f358555257910bebe33863a4c46f07dd6c4ab49db0173a0a5653633c179666ad6a9e0ce9eef6e3fd46086dd

  • /storage/emulated/0/.am/dm/md/main.md
    Filesize 2.6MB
    MD5      470586b3a055aed7c22156273f38f69f
    SHA1     39866ece4bc4bcdf2613bd67851ee7ba22df85ab
    SHA256   65daf0c170cda7fde64c441438cf9875248bd33af61af060d943b48bfb405f8d
    SHA512   95ab906e2be05248360a5d2a3a4edd61a128e1d71dedc35245384799ae68b686d37ba9063bb2e86a891d96acfec47c897bfca290ee6251afcb07f140aca9c540

  • /storage/emulated/0/.am/dm/md/main_tools.md
    Filesize 1.2MB
    MD5      51112e0a7f7962a8e02bc885025414ef
    SHA1     40622959af4fe349d8881c885b9b30441de8804c
    SHA256   2b089f76930214706716aceba0bc6cefe6e132d14dd7d0a7c59eaa4f90f126f0
    SHA512   f02971a0f493fb72539381c3d1503d8573e8bc67f147014f443df8c01e71bb28437f832c5702d25a8bef2c34c64fb1f46d0000523eed04ea7981186ada22e402

  • /storage/emulated/0/.am/log.txt
    Filesize 173B
    MD5      a6d7e7260be1f20fc1479120ef56cfca
    SHA1     c15b78aa1acf441e5e93369e769f2a62d973708b
    SHA256   6c62d2525db840a47b5470f463d9c7ac904e599d2ca2b78e6a1839bd6faa548a
    SHA512   8a7c891a347a7a828bef369ce69d96005caedaf511dc6a0d2947074b86d967e984a4baf1c30226b5b9e32d7b1f88d2d612fc558ffa07fe8176871982a002fb19

  • /storage/emulated/0/.am/log.txt
    Filesize 152B
    MD5      8e60044e0d4baf93e3e29ac81ba6b359
    SHA1     391882191c5e253287b89e9355496bd43a537439
    SHA256   7ab550dad7bc0dd1b1142ac475dd9201b659b1c3e6dbdbe5d2d8bbae3894f2f8
    SHA512   079a66ccf7e6518e1ece1bac5665e22ee16cedce20ce1daeb7357a8cb07993ce27e1f782c16e28bc8599520a7def9a6d0e7ed1894932418cd3e6e0f295faa698

  • /storage/emulated/0/.am/log.txt
    Filesize 3KB
    MD5      b6a6a0fc90ef49d0da9a5d4d7bf884da
    SHA1     3615f693b1d6fcb301f16d87ead8727c92a5e7b0
    SHA256   315722cdb8255e0457bc2507432e7ccc5debfeb16ed4f2446cca629ace0795f3
    SHA512   742d43124a38d3c5e97b0e8bf3f9c8e6d64a2b1feefe783438f5f19db45e996bb70831b9b5d1d79a45b3b90613270e6801c167472605456488289059c5de9c11

  • /storage/emulated/0/.am/log.txt
    Filesize 64B
    MD5      4682740f8b80e2bd7257eb1ae2b8c9cf
    SHA1     dc2a9db55949f5c02a08bd1e9ecc8dd3d0012a53
    SHA256   725ad3426bf20cc7fd30e98dcec45c38abda854be2c0267def78c50ce843c405
    SHA512   6793627e6045c8af1a55be326953f749d7433fd3597aa40b8af39669fbcd53045572ff48b7babc873e76a85d4add3c6387ce76c5a724971e994cd5a39c58c340

  • /storage/emulated/0/.am/log.txt
    Filesize 72B
    MD5      0b370cc79dc0efcd5fcff132c97722c5
    SHA1     1e2ce1890b38a89322ae0fae8eeec7b89f7bd682
    SHA256   c4cc9e26c1f980d8bb139fc6297d319b36fcc3e3c16e271b04d762040a609f91
    SHA512   b79453eb66be4060d5d0e494ce0d642c568011962687472d8bd000193d75a70fa3ac9b4684b4e1df2e59064fbaada249792df06562d55883221ce764ba05883e

  • /storage/emulated/0/.am/log.txt
    Filesize 157B
    MD5      5ac936a9614df76ecc171ede606601d7
    SHA1     c2b0e823c56ab16c1eec9f2be79f6b03351f237c
    SHA256   cc69dd163abd3cc29b7378933c394ff92dce8f23e9f279f2e2bba2aae8520b36
    SHA512   be42684c8eb59ca80a2cef94f5404df7f46b597a38c9bee61fb50533a8d6dd161d690472e775db452123daf680267fff930f273ed5d43f07feb1693362283747

  • /storage/emulated/0/.am/log.txt
    Filesize 131B
    MD5      add13ee0ad5f9a6833e5f86b33eaae74
    SHA1     b7a42c27773f711b1ef216f535f22ec9a1d7ecf2
    SHA256   65446898c0fd17f5ad5118f3d72c174239d14539949506385e0efb7df9e95ede
    SHA512   7205a6f9b4032fe91def6842d71c751feb21dc0df49ec20ad2492cf0ce96836cc0b46e7d5d9284c28ec19fb845fe7ce48f5cc65cd7043cf2640a68c5772a67ff

  • /storage/emulated/0/.am/log_.txt
    Filesize 25KB
    MD5      456cc0d6e552edffbbc7865ac39d53fb
    SHA1     ae57217a406d9d4fc1b470b8ede600d6314cf57d
    SHA256   e801031fbcb4f64686a8cc9ae41df614c22bd279f2331dac28b0ed4d914f90c7
    SHA512   e0ecb151712e45474f73afba21bc0a6ce2104acb8e6c8a018d901e162368c366789539ddc5f61610fbcc4b822fe33b6ad3eec8f1ad60eab7c957aaceb051a745

  • /storage/emulated/0/.am/log_.txt.zip
    Filesize 6KB
    MD5      8896a302f09a3c4db2f9b466fcefe724
    SHA1     d6bbdc38ef1368c6f21f62f314eeb33f32a122ac
    SHA256   d60771f227a7b4fd6d8d0f0fb03f06d149414eac10b648e40eb22a2cd9689c6f
    SHA512   386ed4c90d0aab1282bb7c9816893974891f19980425fb8030b1ef54a23a7ab9d92bf8ba6d994a472183351ce7c95af67e73c1f023917f47a794e7b7c4d8a684

  • /storage/emulated/0/.am/log_1725988663309.txt.zip
    Filesize 219B
    MD5      7f892722b1c7911fbfb9360fd417a8f6
    SHA1     795362f0c86b3084987d866af48b1dfa955df1a8
    SHA256   0d1308b8495cc94f32687760f1c8b5d6b00560bc525a9018f7c8f829fe22992a
    SHA512   a2cf166a05bda95950cc234840f4e11030b679d9d239595cff3f53ba955418aab367d5718da89dd1a948b880eecd91e587eb7344d1ba16b4ba6f83116f55e0a7

  • /storage/emulated/0/.am/prog_class.name
    Filesize 67B
    MD5      d8ad6773b632b7d8066ed57c6c482c6b
    SHA1     c07e66a0e8e58e190392896d7b178b7079741967
    SHA256   50eb09209f1670f34baec877f8bc19fd1ce7419e10da063b46fa4025558dc4ae
    SHA512   4bba534c373aa27100f1c5eec84c0a9d77c0dc447dd33de3757c4d656a7c8bb7d602fb214102005e355fb9a22687dff6e141063d086ec4275a9b01c8c8c90fa2

  • Anonymous-DexFile@0xca886000-0xca9b14b8
    Filesize 1.2MB
    MD5      336921950a9f279733cd787f1203d73d
    SHA1     cefc36a7c17909054cf2a507b34f545af96c0e36
    SHA256   c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c
    SHA512   6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87

  • Anonymous-DexFile@0xca9f2000-0xcac83638
    Filesize 2.6MB
    MD5      850905bb253b202528d72a6724d68904
    SHA1     ab3ad068ac55cff5a8b4f80f4cab5507968d0ce8
    SHA256   abdd3b7a2034ffeba98a4b5192ee6878e5d05e822f8ded07c7cb413e13c944bc
    SHA512   a15fb152539326a73ee427fc74760c0e4999708a40b81b5b464a6bba8dc841efbeff2a573418e0754e8d14bd750da7e335f680067a6abc4f7807b6f8a59007a2