Analysis
- max time kernel: 74s
- max time network: 158s
- platform: android_x64
- resource: android-x64-20240624-en
- resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
- submitted: 30-09-2024 12:11
Behavioral tasks
- behavioral1: sample 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c.apk, resource android-x64-20240624-en
- behavioral2: sample 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c.apk, resource android-x64-arm64-20240624-en
- behavioral3: sample 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c.apk, resource android-33-x64-arm64-20240624-en
General
- Target: 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c.apk
- Size: 20.5MB
- MD5: f95cf2c20d492d6647885e8428d808cc
- SHA1: 3ac3b2f7b6ef2adf78e3a35463d38c94bc0615fa
- SHA256: 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c
- SHA512: 3d5033bfa909468d92aad54eb5a308ffea9684471cc15810974a43e5c39e81558173774599b79d1d37fd7478516f8ba922d76035694764adb0f0a053636917c5
- SSDEEP: 393216:Hq0sJA35z7A79L+BCZ1mbgafiubcYZzb/T9i/zVN2I+TX5RUKpPbNiRSKcsIJ6:HqbJA35z7c5JPmbBffcSzti/zVN2IkpQ
Malware Config
Signatures
- AndrMonitor
  AndrMonitor is an Android stalkerware.
- Checks if the Android device is rooted. (1 TTPs, 2 IoCs)
  ioc: /system/app/Superuser.apk | Process: fka.ugsonrqogw
  ioc: /sbin/su | Process: fka.ugsonrqogw
  pid: 4923 | Process: fka.ugsonrqogw
  pid: 4923 | Process: fka.ugsonrqogw
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/fka.ugsonrqogw/[email protected] | pid: 4923 | Process: fka.ugsonrqogw
  ioc: /data/user/0/fka.ugsonrqogw/[email protected] | pid: 4923 | Process: fka.ugsonrqogw
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect account information stored on the device.
  description: Framework service call | ioc: android.accounts.IAccountManager.getAccounts | Process: fka.ugsonrqogw
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  description: Framework service call | ioc: android.os.IPowerManager.acquireWakeLock | Process: fka.ugsonrqogw
- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (7 IoCs)
  flow 46: anmon.name
  flow 51: andmon.name
  flow 9: prog-money.com
  flow 10: prog-money.com
  flow 11: anmon.name
  flow 12: anmon.name
  flow 45: prog-money.com
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call | ioc: android.app.IActivityManager.setServiceForeground | Process: fka.ugsonrqogw
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description: Framework service call | ioc: android.net.wifi.IWifiManager.getConnectionInfo | Process: fka.ugsonrqogw
- Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)
- Reads information about phone network operator. (1 TTPs)
- Requests cell location (1 TTPs, 1 IoCs)
  Uses Android APIs to get current cell information.
  description: Framework service call | ioc: com.android.internal.telephony.ITelephony.getAllCellInfo | Process: fka.ugsonrqogw
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  description: Framework service call | ioc: android.app.IActivityManager.registerReceiver | Process: fka.ugsonrqogw
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description: Framework service call | ioc: android.app.job.IJobScheduler.schedule | Process: fka.ugsonrqogw
Processes
- fka.ugsonrqogw (PID: 4923)
  - Checks if the Android device is rooted.
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Queries account information for other applications stored on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about the current Wi-Fi connection
  - Requests cell location
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
  - Suppress Application Icon (1)
Downloads