Analysis
- max time kernel: 140s
- max time network: 150s
- platform: android_x64
- resource: android-x64-arm64-20240624-en
- resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
- submitted: 30-09-2024 12:11
Behavioral task: behavioral1
- Sample: 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c.apk
- Resource: android-x64-20240624-en
Behavioral task: behavioral2
- Sample: 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c.apk
- Resource: android-x64-arm64-20240624-en
Behavioral task: behavioral3
- Sample: 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c.apk
- Resource: android-33-x64-arm64-20240624-en
General
- Target: 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c.apk
- Size: 20.5MB
- MD5: f95cf2c20d492d6647885e8428d808cc
- SHA1: 3ac3b2f7b6ef2adf78e3a35463d38c94bc0615fa
- SHA256: 7b9ce40a5db59d489387d2f0cf3ef0a058b5a7cccb1dfeca54e4d1f30e46dd1c
- SHA512: 3d5033bfa909468d92aad54eb5a308ffea9684471cc15810974a43e5c39e81558173774599b79d1d37fd7478516f8ba922d76035694764adb0f0a053636917c5
- SSDEEP: 393216:Hq0sJA35z7A79L+BCZ1mbgafiubcYZzb/T9i/zVN2I+TX5RUKpPbNiRSKcsIJ6:HqbJA35z7c5JPmbBffcSzti/zVN2IkpQ
Malware Config
Signatures
- AndrMonitor
  AndrMonitor is an Android stalkerware.
- Checks if the Android device is rooted. (1 TTPs, 3 IoCs)
  ioc | Process
  /system/app/Superuser.apk | fka.ugsonrqogw
  /sbin/su | fka.ugsonrqogw
  /system/bin/su | fka.ugsonrqogw
  pid | Process
  4631 | fka.ugsonrqogw
  4631 | fka.ugsonrqogw
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc | pid | Process
  /data/user/0/fka.ugsonrqogw/[email protected] | 4631 | fka.ugsonrqogw
  /data/user/0/fka.ugsonrqogw/[email protected] | 4631 | fka.ugsonrqogw
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Queries account information for other applications stored on the device (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect account information stored on the device.
  description | ioc | Process
  Framework service call | android.accounts.IAccountManager.getAccountsAsUser | fka.ugsonrqogw
- Queries the phone number (MSISDN for GSM devices) (1 TTPs)
- Acquires the wake lock (1 IoCs)
  description | ioc | Process
  Framework service call | android.os.IPowerManager.acquireWakeLock | fka.ugsonrqogw
- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org (5 IoCs)
  flow | ioc
  31 | anmon.name
  32 | anmon.name
  33 | andmon.name
  29 | prog-money.com
  30 | prog-money.com
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description | ioc | Process
  Framework service call | android.app.IActivityManager.setServiceForeground | fka.ugsonrqogw
- Queries information about the current Wi-Fi connection (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  description | ioc | Process
  Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | fka.ugsonrqogw
- Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)
- Reads information about phone network operator. (1 TTPs)
- Requests cell location (1 TTPs, 1 IoCs)
  Uses Android APIs to get current cell information.
  description | ioc | Process
  Framework service call | com.android.internal.telephony.ITelephony.getAllCellInfo | fka.ugsonrqogw
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  description | ioc | Process
  Framework service call | android.app.job.IJobScheduler.schedule | fka.ugsonrqogw
Processes
- fka.ugsonrqogw (PID: 4631)
  - Checks if the Android device is rooted.
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Queries account information for other applications stored on the device
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about the current Wi-Fi connection
  - Requests cell location
  - Schedules tasks to execute at a specified time
Network
MITRE ATT&CK Mobile v15
- Defense Evasion
  - Download New Code at Runtime (1)
  - Foreground Persistence (1)
  - Hide Artifacts (1)
  - Suppress Application Icon (1)
Downloads
- /data/user/0/fka.ugsonrqogw/[email protected]
  Filesize: 1.2MB
  MD5: 336921950a9f279733cd787f1203d73d
  SHA1: cefc36a7c17909054cf2a507b34f545af96c0e36
  SHA256: c6f157d3401cf969f57b4d102e14fc097676f11cd4911a68a3e08cafaf2aa94c
  SHA512: 6fa4f733298e00a8495648b623c04a5a7912a6a5af26089749e9ad26f30e20ba8295dfb901084bbf7e6976acb65ac78d7ce7a0037b1a4044ec5ddecd29801f87
- /data/user/0/fka.ugsonrqogw/[email protected]
  Filesize: 2.6MB
  MD5: 850905bb253b202528d72a6724d68904
  SHA1: ab3ad068ac55cff5a8b4f80f4cab5507968d0ce8
  SHA256: abdd3b7a2034ffeba98a4b5192ee6878e5d05e822f8ded07c7cb413e13c944bc
  SHA512: a15fb152539326a73ee427fc74760c0e4999708a40b81b5b464a6bba8dc841efbeff2a573418e0754e8d14bd750da7e335f680067a6abc4f7807b6f8a59007a2