Malware Analysis Report

2025-01-19 05:34

Sample ID: 240313-1x1zmaad4s
Target: 1656386b8a6b263ed97eee3026ffcbdaa8c5765dde9d9b705860ae8b663c7816.bin
SHA256: 1656386b8a6b263ed97eee3026ffcbdaa8c5765dde9d9b705860ae8b663c7816
Tags: collection evasion stealth trojan
Score: 8/10

Analysis Overview

Score: 8/10

SHA256: 1656386b8a6b263ed97eee3026ffcbdaa8c5765dde9d9b705860ae8b663c7816

Threat Level: Likely malicious

The file 1656386b8a6b263ed97eee3026ffcbdaa8c5765dde9d9b705860ae8b663c7816.bin was found to be: Likely malicious.

Malicious Activity Summary

collection evasion stealth trojan

Makes use of the framework's Accessibility service

Removes its main activity from the application launcher

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Requests dangerous framework permissions

Acquires the wake lock

Looks up external IP address via web service

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-13 22:02

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
----------- | --------- | ------- | ------
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
----------- | --------- | ------- | ------
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-13 22:02
Reported: 2024-03-13 22:12
Platform: android-x86-arm-20240221-en
Max time kernel: 140s
Max time network: 149s

Command Line

com.spacex.gplayer

Signatures

Makes use of the framework's Accessibility service

Tags: collection evasion

Description | Indicator | Process | Target
----------- | --------- | ------- | ------
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Removes its main activity from the application launcher

Tags: stealth trojan evasion

Description | Indicator | Process | Target
----------- | --------- | ------- | ------
N/A | N/A | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
----------- | --------- | ------- | ------
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
----------- | --------- | ------- | ------
N/A | api64.ipify.org | N/A | N/A
N/A | api64.ipify.org | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

Tags: evasion

Description | Indicator | Process | Target
----------- | --------- | ------- | ------
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Processes

com.spacex.gplayer

Network

Country | Destination | Domain | Proto
------- | ----------- | ------ | -----
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.179.234:443 | semanticlocation-pa.googleapis.com | tcp
DE | 213.199.39.73:8001 | 213.199.39.73 | tcp
US | 1.1.1.1:53 | api64.ipify.org | udp
US | 173.231.16.77:443 | api64.ipify.org | tcp
DE | 213.199.39.73:80 | 213.199.39.73 | tcp
US | 1.1.1.1:53 | ws-eu.pusher.com | udp
IE | 54.170.134.228:443 | ws-eu.pusher.com | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/misc/profiles/cur/0/com.spacex.gplayer/primary.prof

MD5 ca0e058b828a6f408bdca44715831739
SHA1 cd3362b130fe9670e9f2e184ab479d269ea4ccdb
SHA256 53591a2400fbdac436dd1ff3f597967e32c550def9bbbe1f3943622723e23e96
SHA512 01b622b6cbd38f0dae05582c9a9dca5b7bc704e3972b4b72d0139c4a7a42ba603bcc660942264ef0b41dbdad83c41a3560e95ea16635e3c892a2240533d29088

/data/data/com.spacex.gplayer/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 6b2aa5128446f39216278f047328b6e1
SHA1 ca7221e993f498e5212cef2530f6252c5288d27f
SHA256 5335a072db08fb23b3116179797d058eba0918cfc244c697bf6d67bd5e530644
SHA512 8fa298352bdd4eb7e3e4c14d49f2dbf15fd15ad98dc4def45f7a474be137fef2393ecd726a94813ba3d5e7bb389f6da2fc2475ce66f94a2013a29278baa1f8f6

/data/data/com.spacex.gplayer/files/profileInstalled

MD5 e72202357ccaf4e6acc16dad967a1aac
SHA1 8bf02d289d6133030496de96568eaca6ebad255b
SHA256 96969eca66d4257710de34ec9534174cd641f49f716ac0c800f978bf925b3bec
SHA512 c2f95eaa15bbb3ffdc9ed763e4978be6d00c2f943c867935bc2b617837a95f2ea96a7a344d506a57798135a95ffb2f56f8aa5e772f0eee0feab785f20ef028ce

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-13 22:02
Reported: 2024-03-13 22:12
Platform: android-x64-20240221-en
Max time kernel: 87s
Max time network: 152s

Command Line

com.spacex.gplayer

Signatures

Makes use of the framework's Accessibility service

Tags: collection evasion

Description | Indicator | Process | Target
----------- | --------- | ------- | ------
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Removes its main activity from the application launcher

Tags: stealth trojan evasion

Description | Indicator | Process | Target
----------- | --------- | ------- | ------
N/A | N/A | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
----------- | --------- | ------- | ------
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
----------- | --------- | ------- | ------
N/A | api64.ipify.org | N/A | N/A
N/A | api64.ipify.org | N/A | N/A

Processes

com.spacex.gplayer

Network

Country | Destination | Domain | Proto
------- | ----------- | ------ | -----
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
DE | 213.199.39.73:8001 | 213.199.39.73 | tcp
US | 1.1.1.1:53 | api64.ipify.org | udp
US | 173.231.16.77:443 | api64.ipify.org | tcp
DE | 213.199.39.73:80 | 213.199.39.73 | tcp
US | 1.1.1.1:53 | ws-eu.pusher.com | udp
IE | 34.251.246.31:443 | ws-eu.pusher.com | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 216.58.212.228:443 | | tcp
GB | 216.58.212.228:443 | | tcp

Files

/data/misc/profiles/cur/0/com.spacex.gplayer/primary.prof

MD5 ca0e058b828a6f408bdca44715831739
SHA1 cd3362b130fe9670e9f2e184ab479d269ea4ccdb
SHA256 53591a2400fbdac436dd1ff3f597967e32c550def9bbbe1f3943622723e23e96
SHA512 01b622b6cbd38f0dae05582c9a9dca5b7bc704e3972b4b72d0139c4a7a42ba603bcc660942264ef0b41dbdad83c41a3560e95ea16635e3c892a2240533d29088

Analysis: behavioral3

Detonation Overview

Submitted: 2024-03-13 22:02
Reported: 2024-03-13 22:12
Platform: android-x64-arm64-20240221-en
Max time kernel: 47s
Max time network: 155s

Command Line

com.spacex.gplayer

Signatures

Makes use of the framework's Accessibility service

Tags: collection evasion

Description | Indicator | Process | Target
----------- | --------- | ------- | ------
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Removes its main activity from the application launcher

Tags: stealth trojan evasion

Description | Indicator | Process | Target
----------- | --------- | ------- | ------
N/A | N/A | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
----------- | --------- | ------- | ------
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
----------- | --------- | ------- | ------
N/A | api64.ipify.org | N/A | N/A
N/A | api64.ipify.org | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

Tags: evasion

Description | Indicator | Process | Target
----------- | --------- | ------- | ------
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Processes

com.spacex.gplayer

Network

Country | Destination | Domain | Proto
------- | ----------- | ------ | -----
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | udp
GB | 142.250.178.14:443 | | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
DE | 213.199.39.73:8001 | 213.199.39.73 | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | api64.ipify.org | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 104.237.62.213:443 | api64.ipify.org | tcp
DE | 213.199.39.73:80 | 213.199.39.73 | tcp
DE | 213.199.39.73:80 | 213.199.39.73 | tcp
US | 1.1.1.1:53 | ws-eu.pusher.com | udp
IE | 34.242.116.175:443 | ws-eu.pusher.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/data/misc/profiles/cur/0/com.spacex.gplayer/primary.prof

MD5 ca0e058b828a6f408bdca44715831739
SHA1 cd3362b130fe9670e9f2e184ab479d269ea4ccdb
SHA256 53591a2400fbdac436dd1ff3f597967e32c550def9bbbe1f3943622723e23e96
SHA512 01b622b6cbd38f0dae05582c9a9dca5b7bc704e3972b4b72d0139c4a7a42ba603bcc660942264ef0b41dbdad83c41a3560e95ea16635e3c892a2240533d29088

/data/data/com.spacex.gplayer/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 f85b1eaea2e74308a8b8ba4fa736aa78
SHA1 2c2fa2570aae46c4bbd420847b31dd419f4bf348
SHA256 f78f479f6962971c7ed82d7125fa8ffc6a032235bc437562bb9401c240e2af3e
SHA512 64e55f4399e88fe70ee86a0f1d21b9d1554e1eeaf9ba3cd7f25033181c7642d5badfddfebec3033cd192cd34841e806b45e1ad2064c6d9813dd6dac15807dd76