Malware Analysis Report

2025-01-02 07:47

Sample ID: 240509-zrrnbsec6s
Target: MullvadVPN-2024.2-beta2.apk
SHA256: 0e15252eaa8583762ae8a88fe3f62c1fb1479a3c600e3d2a54ac353b3d7fb7a8
Tags: privateloader
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10
SHA256: 0e15252eaa8583762ae8a88fe3f62c1fb1479a3c600e3d2a54ac353b3d7fb7a8
Threat Level: Known bad

The file MullvadVPN-2024.2-beta2.apk was found to be: Known bad.

Malicious Activity Summary

privateloader

Privateloader family

Declares services with permission to bind to the system

Requests dangerous framework permissions

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-09 20:57

Signatures

Privateloader family

privateloader

Declares services with permission to bind to the system

Indicator: android.permission.BIND_VPN_SERVICE
Description: Set as android:permission on the app's VpnService so that only the system can bind to it. Every app that provisions a VPN must declare it, so for a VPN client it is expected rather than suspicious on its own.
Process: N/A
Target: N/A

Indicator: android.permission.BIND_QUICK_SETTINGS_TILE
Description: Set as android:permission on a TileService so that only the system (the quick settings panel) can bind to it. Needed by any app that adds a custom tile to the quick settings menu.
Process: N/A
Target: N/A

Requests dangerous framework permissions

Indicator: android.permission.POST_NOTIFICATIONS
Description: Allows the app to post notifications. A runtime ("dangerous") permission since Android 13 (API 33), so the user is prompted before it is granted; it is requested by most apps that show notifications.
Process: N/A
Target: N/A
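
Both static signatures are permission checks on the manifest, and they rest on a distinction worth keeping explicit: a `<uses-permission>` entry is something the app asks to do, while `android:permission` on one of the app's own `<service>` elements shields that component so that only the system can bind to it. The script below is an added example, not the sandbox's tooling or Mullvad's code. The manifest it parses is constructed from the indicators listed above (the service class names are hypothetical, not Mullvad's), and the permission tables are deliberately short subsets.

```python
"""Triage AndroidManifest permissions the way the two static signatures do.

Added example, not the sandbox's tooling or Mullvad's code. SAMPLE_MANIFEST is
CONSTRUCTED from the indicators listed in the report; the service class names
are hypothetical and the permission tables are deliberately short subsets.
"""
import xml.etree.ElementTree as ET

# ElementTree spells the android: attribute namespace out in full.
A = "{http://schemas.android.com/apk/res/android}"

# Runtime ("dangerous") permissions: the user is prompted before they are
# granted. Subset only; POST_NOTIFICATIONS joined this group on API 33.
DANGEROUS = {
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
}

# Signature-level permissions that an app sets on one of its OWN <service>
# elements so that only the system can bind to it. Each one is mandatory for
# the component type named, so it is expected for that category of app.
SYSTEM_BIND = {
    "android.permission.BIND_VPN_SERVICE": "VpnService (VPN client)",
    "android.permission.BIND_QUICK_SETTINGS_TILE": "TileService (quick settings tile)",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "AccessibilityService",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "NotificationListenerService",
}

# Constructed manifest; ".ExampleVpnService" and ".ExampleTileService" are
# hypothetical class names, not Mullvad's.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="net.mullvad.mullvadvpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <application>
    <service android:name=".ExampleVpnService"
             android:permission="android.permission.BIND_VPN_SERVICE"
             android:exported="true">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
    <service android:name=".ExampleTileService"
             android:permission="android.permission.BIND_QUICK_SETTINGS_TILE"
             android:exported="true"/>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml):
    """Return what the two signatures are built from, kept apart.

    'requested' and 'dangerous' come from <uses-permission>: what the app asks
    to do. 'bind_protected' comes from android:permission on <service>: what
    the app shields its own components with, and which component types that
    implies.
    """
    root = ET.fromstring(manifest_xml)
    requested = sorted(up.get(A + "name") for up in root.iter("uses-permission"))
    bind_protected = {}
    for svc in root.iter("service"):
        perm = svc.get(A + "permission")
        if perm in SYSTEM_BIND:
            bind_protected[svc.get(A + "name")] = perm
    return {
        "package": root.get("package"),
        "requested": requested,
        "dangerous": sorted(p for p in requested if p in DANGEROUS),
        "bind_protected": bind_protected,
        "implied_components": sorted(SYSTEM_BIND[p] for p in bind_protected.values()),
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run against a real APK, the manifest would first be decoded from binary XML (for example with apktool or androguard); the triage logic stays the same. The useful output is `implied_components` read next to the app's stated purpose: a VPN client declaring a VpnService is consistent, whereas the same bind permission on, say, a flashlight app would be the finding.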

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-09 20:57
Reported: 2024-05-09 20:59
Platform: android-33-x64-arm64-20240508.1-en
Max time kernel: 47s
Max time network: 54s

Command Line

net.mullvad.mullvadvpn

Signatures

N/A

Processes

net.mullvad.mullvadvpn

net.mullvad.mullvadvpn:mullvadvpn_daemon

Network

Country  Destination           Domain                        Proto
GB       216.58.201.100:443                                  udp
BE       108.177.15.188:5228                                 tcp
GB       142.250.200.4:443                                   tcp
GB       216.58.201.100:443                                  udp
N/A      224.0.0.251:5353                                    udp
US       1.1.1.1:53            ipv4.am.i.mullvad.net         udp
US       1.1.1.1:53            ipv4.am.i.mullvad.net         udp
SE       45.83.223.196:443                                   tcp
SE       45.83.223.233:443     ipv4.am.i.mullvad.net         tcp
GB       216.58.212.195:443                                  tcp
SE       45.83.223.196:443                                   tcp
SE       45.83.223.196:443                                   tcp
US       162.159.61.3:443                                    tcp
US       162.159.61.3:443                                    tcp
GB       172.217.169.67:443                                  tcp
US       162.159.61.3:443                                    udp
GB       172.217.169.67:443                                  udp
US       1.1.1.1:53            mullvad.net                   udp
GB       216.58.201.100:443                                  udp
US       162.159.61.3:443                                    tcp
US       162.159.61.3:443                                    tcp
SE       45.83.223.209:443     mullvad.net                   tcp
BE       108.177.15.84:443                                   tcp
SE       45.83.223.209:443     mullvad.net                   tcp
US       162.159.61.3:443                                    udp
GB       142.250.200.36:443                                  tcp
US       1.1.1.1:53            safebrowsing.googleapis.com   udp
GB       172.217.16.234:443    safebrowsing.googleapis.com   tcp
SE       45.83.223.209:443     mullvad.net                   tcp
SE       45.83.223.233:443     ipv4.am.i.mullvad.net         tcp
US       1.1.1.1:53            update.googleapis.com         udp
GB       142.250.187.227:443   update.googleapis.com         tcp
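
A sandbox network table is easier to reason about once it is parsed rather than read row by row. The script below is an added example, not part of the report's tooling or of Mullvad's code. It takes the rows of the Network section as the sandbox emitted them (four fields where a domain was attributed, three where none was), separates the DNS lookups from the connections they explain, groups the attributed names by their last two labels, and lists the endpoints that no lookup in the capture accounts for, which is the set an analyst has to cross-reference with the pcap. The port notes in the comments are general networking facts, not findings from this detonation.

```python
"""Parse and summarise the Network table of a sandbox detonation report.

Added example, not part of the sandbox's tooling or of Mullvad's code.
NETWORK_ROWS holds the rows of the report's Network section copied as plain
text: four fields where the sandbox attributed a domain, three where it did
not. TCP/5228 is the port Google's push-messaging (FCM) connection uses;
UDP/5353 to 224.0.0.251 is link-local mDNS, not a remote contact.
"""
import json
from collections import Counter, defaultdict

NETWORK_ROWS = """\
GB 216.58.201.100:443 udp
BE 108.177.15.188:5228 tcp
GB 142.250.200.4:443 tcp
GB 216.58.201.100:443 udp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ipv4.am.i.mullvad.net udp
US 1.1.1.1:53 ipv4.am.i.mullvad.net udp
SE 45.83.223.196:443 tcp
SE 45.83.223.233:443 ipv4.am.i.mullvad.net tcp
GB 216.58.212.195:443 tcp
SE 45.83.223.196:443 tcp
SE 45.83.223.196:443 tcp
US 162.159.61.3:443 tcp
US 162.159.61.3:443 tcp
GB 172.217.169.67:443 tcp
US 162.159.61.3:443 udp
GB 172.217.169.67:443 udp
US 1.1.1.1:53 mullvad.net udp
GB 216.58.201.100:443 udp
US 162.159.61.3:443 tcp
US 162.159.61.3:443 tcp
SE 45.83.223.209:443 mullvad.net tcp
BE 108.177.15.84:443 tcp
SE 45.83.223.209:443 mullvad.net tcp
US 162.159.61.3:443 udp
GB 142.250.200.36:443 tcp
US 1.1.1.1:53 safebrowsing.googleapis.com udp
GB 172.217.16.234:443 safebrowsing.googleapis.com tcp
SE 45.83.223.209:443 mullvad.net tcp
SE 45.83.223.233:443 ipv4.am.i.mullvad.net tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.187.227:443 update.googleapis.com tcp
"""

MDNS_MULTICAST = ("224.0.0.251", 5353)


def parse_rows(text):
    """Turn 'Country Destination [Domain] Proto' lines into dicts.

    The Domain column is optional; a row with three fields has none.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        records.append({"country": country, "ip": ip, "port": int(port),
                        "domain": domain, "proto": proto})
    return records


def summarise(records):
    """Separate DNS lookups, the connections they explain, and the rest."""
    dns_queries = Counter()      # domain -> number of lookups
    resolved = defaultdict(set)  # domain -> IPs contacted under that name
    unattributed = set()         # remote endpoints with no domain in the capture
    by_port = Counter()          # (proto, port) -> rows
    for r in records:
        by_port[(r["proto"], r["port"])] += 1
        if r["port"] == 53 and r["domain"]:
            dns_queries[r["domain"]] += 1
        elif r["domain"]:
            resolved[r["domain"]].add(r["ip"])
        elif (r["ip"], r["port"]) != MDNS_MULTICAST:
            unattributed.add(f'{r["ip"]}:{r["port"]}/{r["proto"]}')
    # Group attributed names by their last two labels: a cheap way to see
    # whose infrastructure the sample talked to under a name.
    by_suffix = Counter(".".join(d.split(".")[-2:]) for d in resolved)
    return {
        "rows": len(records),
        "unique_destinations": len({(r["ip"], r["port"], r["proto"]) for r in records}),
        "dns_queries": dict(dns_queries),
        "resolved": {d: sorted(ips) for d, ips in resolved.items()},
        "by_suffix": dict(by_suffix),
        "unattributed": sorted(unattributed),
        "by_port": {f"{proto}/{port}": n for (proto, port), n in by_port.items()},
    }


if __name__ == "__main__":
    print(json.dumps(summarise(parse_rows(NETWORK_ROWS)), indent=2))
```

The `unattributed` list is the part worth the analyst's time: endpoints reached over 443 without a matching lookup in the table may have been resolved before the capture window, reached by QUIC after an earlier name resolution, or be pre-resolved addresses, and only the packet capture can tell which.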

Files

/data/misc/profiles/cur/0/net.mullvad.mullvadvpn/primary.prof

MD5 5041ec42b953e4de1e34aef026c055f7
SHA1 68492c2d855f469bf965b33b5bf792431be25da1
SHA256 2997be1e4959d5092753e54d18f901346c7b0a43e3c047b1b563ce2e7c783604
SHA512 e6c50af2cb9ae8b0d026242047340c095419e11b20e467a1bc59462e604983b3f25663187eb0b47bbf1abcf46fed1c0b652eace07af90c31a60ccaaf1c537c31

/data/data/net.mullvad.mullvadvpn/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 5b3441009325c3cd3fd862e2c42c5a04
SHA1 2b45737a5752b75aea3602175852bcae300793e6
SHA256 d49714610cda97bbaba9110cc680b2286b9f3867477b91116406f86a115ed5b1
SHA512 cd6ded639a75365cafbdf12153182e3061f778f88f6aae1e5a68b7fa882fa831f788258c049ff7ba192710436cd4b2b73956163be2413057e5a696e562eb7a0e

/data/data/net.mullvad.mullvadvpn/files/profileInstalled

MD5 dd7d4498c95513f917e8aeeb1f194095
SHA1 1ca6122cf166b0148939e6b78db34db05b65bd67
SHA256 1af5529905b48229078c86924e150017cff123befe113a51c554d40f6acfe108
SHA512 fb784b948a05f7bc081a2a630563b3367496ae5815d9ca1bbb9e9eefb2695b5ffd76c644e2e4b13bba2db870cc065701bce4130999e58eec0004a834c4e2553b

/data/data/net.mullvad.mullvadvpn/files/d7b0fa10-d67a-4ea5-a12b-df940c24fac1

MD5 c98475795afd3fe6317e7fc626b74d09
SHA1 069515f955d16e6e7f16de5f31928437efd4cfdb
SHA256 bea80220686dee71177b3497bd3ae762699a589e0dc063f669f9ddfbf12a6852
SHA512 127938298437c3c99680f5658b54fad42478ceb549233d3a6c955ce33a8b2983887208eee30f67613ac0642403591cf6bcb082b726997123f72f3153ef3b4c13

/data/data/net.mullvad.mullvadvpn/files/device.json

MD5 b4e513da6cca918c1b3523f5dbef3c99
SHA1 1756be85c3f495edf72047ba613e6adc013d34d7
SHA256 c4c3dce12cdfa879f35f5415b76421d80ae0bbfa415380ab04b0cccd12f7647d
SHA512 4bf9f6effd89c2ab5a7542884b490f524c48d9b3421b2ff77f1ebcaba73f54aa323447a670b6a88d6d330bcb649542ae0a47852ac22afc2b1cc6ec4319be980a

/data/data/net.mullvad.mullvadvpn/files/account-history.json

MD5 75451f661356a919e3b8fcb50c32df8e
SHA1 15f1da9cacdc3baeb5c8615caae7aa0537fe44b5
SHA256 74008a8a79b7b3c10175be1fb31778b0157fb622533b7ea321390c55a83b703e
SHA512 d816f32242f9b3009616ca4ed0ad76c2c2e590d52440ae57b783b2f414256dcdc8ef21059f9b37816d6f43b6d5e2638a111cda1473d7df3b9e91f33dce95cd8a