Analysis Overview
SHA256
0e15252eaa8583762ae8a88fe3f62c1fb1479a3c600e3d2a54ac353b3d7fb7a8
Threat Level: Known bad
The file MullvadVPN-2024.2-beta2.apk was found to be: Known bad.
Malicious Activity Summary
Privateloader family
Declares services with permission to bind to the system
Requests dangerous framework permissions
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-09 20:57
Signatures
Privateloader family
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A |
| Required by quick settings tile services to bind with the system. Allows apps to add custom tiles to the quick settings menu. | android.permission.BIND_QUICK_SETTINGS_TILE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 20:57
Reported
2024-05-09 20:59
Platform
android-33-x64-arm64-20240508.1-en
Max time kernel
47s
Max time network
54s
Command Line
Signatures
Processes
net.mullvad.mullvadvpn
net.mullvad.mullvadvpn:mullvadvpn_daemon
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 216.58.201.100:443 | | udp |
| BE | 108.177.15.188:5228 | | tcp |
| GB | 142.250.200.4:443 | | tcp |
| GB | 216.58.201.100:443 | | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ipv4.am.i.mullvad.net | udp |
| US | 1.1.1.1:53 | ipv4.am.i.mullvad.net | udp |
| SE | 45.83.223.196:443 | | tcp |
| SE | 45.83.223.233:443 | ipv4.am.i.mullvad.net | tcp |
| GB | 216.58.212.195:443 | | tcp |
| SE | 45.83.223.196:443 | | tcp |
| SE | 45.83.223.196:443 | | tcp |
| US | 162.159.61.3:443 | | tcp |
| US | 162.159.61.3:443 | | tcp |
| GB | 172.217.169.67:443 | | tcp |
| US | 162.159.61.3:443 | | udp |
| GB | 172.217.169.67:443 | | udp |
| US | 1.1.1.1:53 | mullvad.net | udp |
| GB | 216.58.201.100:443 | | udp |
| US | 162.159.61.3:443 | | tcp |
| US | 162.159.61.3:443 | | tcp |
| SE | 45.83.223.209:443 | mullvad.net | tcp |
| BE | 108.177.15.84:443 | | tcp |
| SE | 45.83.223.209:443 | mullvad.net | tcp |
| US | 162.159.61.3:443 | | udp |
| GB | 142.250.200.36:443 | | tcp |
| US | 1.1.1.1:53 | safebrowsing.googleapis.com | udp |
| GB | 172.217.16.234:443 | safebrowsing.googleapis.com | tcp |
| SE | 45.83.223.209:443 | mullvad.net | tcp |
| SE | 45.83.223.233:443 | ipv4.am.i.mullvad.net | tcp |
| US | 1.1.1.1:53 | update.googleapis.com | udp |
| GB | 142.250.187.227:443 | update.googleapis.com | tcp |
Files
/data/misc/profiles/cur/0/net.mullvad.mullvadvpn/primary.prof
| MD5 | 5041ec42b953e4de1e34aef026c055f7 |
| SHA1 | 68492c2d855f469bf965b33b5bf792431be25da1 |
| SHA256 | 2997be1e4959d5092753e54d18f901346c7b0a43e3c047b1b563ce2e7c783604 |
| SHA512 | e6c50af2cb9ae8b0d026242047340c095419e11b20e467a1bc59462e604983b3f25663187eb0b47bbf1abcf46fed1c0b652eace07af90c31a60ccaaf1c537c31 |
/data/data/net.mullvad.mullvadvpn/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | 5b3441009325c3cd3fd862e2c42c5a04 |
| SHA1 | 2b45737a5752b75aea3602175852bcae300793e6 |
| SHA256 | d49714610cda97bbaba9110cc680b2286b9f3867477b91116406f86a115ed5b1 |
| SHA512 | cd6ded639a75365cafbdf12153182e3061f778f88f6aae1e5a68b7fa882fa831f788258c049ff7ba192710436cd4b2b73956163be2413057e5a696e562eb7a0e |
/data/data/net.mullvad.mullvadvpn/files/profileInstalled
| MD5 | dd7d4498c95513f917e8aeeb1f194095 |
| SHA1 | 1ca6122cf166b0148939e6b78db34db05b65bd67 |
| SHA256 | 1af5529905b48229078c86924e150017cff123befe113a51c554d40f6acfe108 |
| SHA512 | fb784b948a05f7bc081a2a630563b3367496ae5815d9ca1bbb9e9eefb2695b5ffd76c644e2e4b13bba2db870cc065701bce4130999e58eec0004a834c4e2553b |
/data/data/net.mullvad.mullvadvpn/files/d7b0fa10-d67a-4ea5-a12b-df940c24fac1
| MD5 | c98475795afd3fe6317e7fc626b74d09 |
| SHA1 | 069515f955d16e6e7f16de5f31928437efd4cfdb |
| SHA256 | bea80220686dee71177b3497bd3ae762699a589e0dc063f669f9ddfbf12a6852 |
| SHA512 | 127938298437c3c99680f5658b54fad42478ceb549233d3a6c955ce33a8b2983887208eee30f67613ac0642403591cf6bcb082b726997123f72f3153ef3b4c13 |
/data/data/net.mullvad.mullvadvpn/files/device.json
| MD5 | b4e513da6cca918c1b3523f5dbef3c99 |
| SHA1 | 1756be85c3f495edf72047ba613e6adc013d34d7 |
| SHA256 | c4c3dce12cdfa879f35f5415b76421d80ae0bbfa415380ab04b0cccd12f7647d |
| SHA512 | 4bf9f6effd89c2ab5a7542884b490f524c48d9b3421b2ff77f1ebcaba73f54aa323447a670b6a88d6d330bcb649542ae0a47852ac22afc2b1cc6ec4319be980a |
/data/data/net.mullvad.mullvadvpn/files/account-history.json
| MD5 | 75451f661356a919e3b8fcb50c32df8e |
| SHA1 | 15f1da9cacdc3baeb5c8615caae7aa0537fe44b5 |
| SHA256 | 74008a8a79b7b3c10175be1fb31778b0157fb622533b7ea321390c55a83b703e |
| SHA512 | d816f32242f9b3009616ca4ed0ad76c2c2e590d52440ae57b783b2f414256dcdc8ef21059f9b37816d6f43b6d5e2638a111cda1473d7df3b9e91f33dce95cd8a |