Malware Analysis Report

2024-10-19 12:07

Sample ID 240519-1yv5rscc26
Target fed0187aa63449ada11787b55d4993ab65e22676cb512117ac0b69276c2b7711.bin
SHA256 fed0187aa63449ada11787b55d4993ab65e22676cb512117ac0b69276c2b7711
Tags
collection credential_access discovery evasion persistence stealth trojan impact
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

fed0187aa63449ada11787b55d4993ab65e22676cb512117ac0b69276c2b7711

Threat Level: Likely malicious

The file fed0187aa63449ada11787b55d4993ab65e22676cb512117ac0b69276c2b7711.bin was found to be: Likely malicious.

Malicious Activity Summary

collection credential_access discovery evasion persistence stealth trojan impact

Makes use of the framework's Accessibility service

Prevents application removal

Removes its main activity from the application launcher

Registers a broadcast receiver at runtime (usually for listening for system events)

Obtains sensitive information copied to the device clipboard

Checks memory information

Queries the phone number (MSISDN for GSM devices)

Requests enabling of the accessibility settings.

Checks CPU information

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Declares services with permission to bind to the system

Acquires the wake lock

Looks up external IP address via web service

Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-19 22:04

Signatures

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
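The static1 section lists permissions one at a time; what makes this sample worth a second look is the combination (SMS read/send, an overlay window, phone identity, plus a service guarded by BIND_ACCESSIBILITY_SERVICE). The script below is an added example, not output of the sandbox that produced this report, showing how to pull those facts out of a decoded AndroidManifest.xml (e.g. after `apktool d`) and turn them into a triage verdict. The manifest text is constructed for the example: its permissions and accessibility-service declaration mirror what static1 reports, while the component names (.MainActivity, .AccService), the label and the INTERNET permission are assumptions.

```python
"""Static triage of a decoded AndroidManifest.xml (added example, not sandbox output)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: permissions and the BIND_ACCESSIBILITY_SERVICE service
# follow the static1 section of the report; component names are assumptions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.spacex.mmobile">
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_NUMBERS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Update">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <service android:name=".AccService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed contrast case: a plain app with no high-risk capabilities.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application>
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""

# Capability buckets; a single permission rarely proves intent, the combination does.
BUCKETS = {
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "identity": {"android.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS"},
}
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    # Services that the system binds to as accessibility services.
    a11y_services = [attr(s, "name") for s in root.iter("service")
                     if attr(s, "permission") == A11Y_BIND]
    # Activities shown in the launcher; malware often disables these at runtime.
    launcher = [attr(act, "name") for act in root.iter("activity")
                if any(attr(c, "name") == "android.intent.category.LAUNCHER"
                       for c in act.iter("category"))]
    caps = {name for name, members in BUCKETS.items() if perms & members}
    if a11y_services:
        caps.add("accessibility")
    if {"accessibility", "overlay", "sms"} <= caps:
        verdict = "overlay-banker profile"      # all three: classic banking-trojan shape
    elif caps & {"accessibility", "sms"}:
        verdict = "suspicious"
    else:
        verdict = "no high-risk capabilities"
    return {"package": root.get("package"), "permissions": sorted(perms),
            "accessibility_services": a11y_services, "launcher_activities": launcher,
            "capabilities": sorted(caps), "verdict": verdict}


if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

The launcher-activity list matters because the behavioral runs report the sample removing its main activity from the launcher: that happens at runtime (the manifest still declares it), so a manifest that declares a launcher activity the device no longer shows is itself a signal worth checking on a live device.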

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 22:03

Reported

2024-05-19 22:24

Platform

android-x86-arm-20240514-en

Max time kernel

134s

Max time network

182s

Command Line

com.spacex.mmobile

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api64.ipify.org N/A N/A
N/A api64.ipify.org N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Processes

com.spacex.mmobile

Network

Country Destination Domain Proto
GB 142.250.187.195:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 xyz.spacextraffic.com udp
DE 213.199.39.73:443 xyz.spacextraffic.com tcp
DE 213.199.39.73:443 xyz.spacextraffic.com tcp
DE 213.199.39.73:443 xyz.spacextraffic.com tcp
DE 213.199.39.73:443 xyz.spacextraffic.com tcp
US 1.1.1.1:53 spacextraffic.com udp
DE 213.199.39.73:443 spacextraffic.com tcp
DE 213.199.39.73:443 spacextraffic.com tcp
DE 213.199.39.73:443 spacextraffic.com tcp
DE 213.199.39.73:443 spacextraffic.com tcp
DE 213.199.39.73:443 spacextraffic.com tcp
DE 213.199.39.73:443 spacextraffic.com tcp
DE 213.199.39.73:443 spacextraffic.com tcp
US 1.1.1.1:53 ws-eu.pusher.com udp
US 1.1.1.1:53 api64.ipify.org udp
US 64.185.227.155:443 api64.ipify.org tcp
DE 213.199.39.73:443 spacextraffic.com tcp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
IE 52.51.106.160:443 ws-eu.pusher.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
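Most rows in the network table are sandbox plumbing (the 1.1.1.1 resolver, mDNS to 224.0.0.251, Google platform traffic from the emulator image), and a handful are legitimate services the sample leans on (api64.ipify.org for its external-IP lookup, ws-eu.pusher.com as a push channel). What is left is the infrastructure worth blocking and hunting for: spacextraffic.com, xyz.spacextraffic.com and 213.199.39.73:443. The script below is an added example, not part of the sandbox report, that applies that split to rows in the table's own format. The input is a subset of the behavioral1 rows copied in as a constructed string; the resolver and suffix allowlists are assumptions you would tune for your own sandbox image.

```python
"""Split a sandbox network table into C2 candidates, third-party services and noise.
Added example; the allowlists are assumptions for this sandbox image."""
import ipaddress

# Subset of the behavioral1 network table, embedded here as constructed input.
NETWORK_TABLE = """\
GB 142.250.187.195:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 xyz.spacextraffic.com udp
DE 213.199.39.73:443 xyz.spacextraffic.com tcp
DE 213.199.39.73:443 spacextraffic.com tcp
US 1.1.1.1:53 ws-eu.pusher.com udp
US 1.1.1.1:53 api64.ipify.org udp
US 64.185.227.155:443 api64.ipify.org tcp
IE 52.51.106.160:443 ws-eu.pusher.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
"""

RESOLVERS = {"1.1.1.1"}  # sandbox DNS; on these rows the domain column is the query name
PLATFORM_SUFFIXES = (".google.com", ".googleapis.com", ".google-analytics.com")
# Legitimate services malware commonly borrows: external-IP lookup, hosted push/websocket.
SERVICE_SUFFIXES = (".ipify.org", ".pusher.com")


def classify_domain(domain):
    if domain.endswith(PLATFORM_SUFFIXES):
        return "platform"
    if domain.endswith(SERVICE_SUFFIXES):
        return "service"
    return "c2_candidate"


def parse_row(line):
    """'Country Destination [Domain] Proto' -> dict, or None for a malformed row."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        return None
    ip, _, port = dest.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def extract_iocs(table):
    out = {"c2_domains": set(), "c2_endpoints": set(), "services": set(),
           "unattributed": set(), "noise": set()}
    for line in table.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        addr = ipaddress.ip_address(row["ip"])
        endpoint = f'{row["ip"]}:{row["port"]}'
        # mDNS / link-local chatter and resolver rows without a query name.
        if addr.is_multicast or addr.is_private or (row["ip"] in RESOLVERS and row["domain"] is None):
            out["noise"].add(endpoint)
            continue
        if row["domain"] is None:
            # TLS to a bare IP: keep it visible rather than guessing the owner.
            out["unattributed"].add(endpoint)
            continue
        kind = classify_domain(row["domain"])
        if kind == "platform":
            out["noise"].add(row["domain"])
        elif kind == "service":
            out["services"].add(row["domain"])
        else:
            out["c2_domains"].add(row["domain"])
            if row["ip"] not in RESOLVERS:      # DNS rows give the name, not the server
                out["c2_endpoints"].add(endpoint)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for key, values in extract_iocs(NETWORK_TABLE).items():
        print(f"{key}: {values}")
```

Bare-IP connections (the 142.250.x.x:443 rows) are deliberately kept as "unattributed" rather than dropped: they are very likely Google front-ends from the emulator image, but that is exactly the infrastructure an operator would hide behind, so the triager, not the allowlist, should make that call.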

Files

/data/misc/profiles/cur/0/com.spacex.mmobile/primary.prof

MD5 5032d05f9208570676ba8f0a7fd00e18
SHA1 8e7863eb1aaa553943c12b93562c270963a06705
SHA256 2271f2c773e476d229b58b0c0ee7e38198ab0038886e3695c9943f18d102bac5
SHA512 9701f80aad5f3ddacef0186b187ccad100fee7231cc7110dc944b378c6d6597f6dfcbd2c3b3cc086e9ac50c89e8c148370f83d5f71c6c1ae1cbe864ce5a78fab

/data/data/com.spacex.mmobile/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 1c6aa22fb10115716d1c98a6a8baae28
SHA1 de6d049b8e5fc56280669dc6badcec26a9093d20
SHA256 08f839aa269af34d3a34e09acc54946a3401638a6e09eab161c05337c9845b59
SHA512 56853e7ec29568891f0a39e8c9571e9b0e02cd0ff64b24159c8223d0ea46fe2940d1fb898181782dee3cf2ecf3c0b26c75caa9a8f9db9f9ae19532ec336cb887

/data/data/com.spacex.mmobile/files/profileInstalled

MD5 ce1f063fb9f2005e1b6f04c21829d92f
SHA1 158d6857acb9a1066c8e865002c05df53b4e0a77
SHA256 6570c0b671b3cd30dd1c44bfa459c76daac0acad64e207231d56239a9d0b702e
SHA512 b7a28247757c97799c33fec2115af8123b329fae807b1f8c456be5c0f97b5cc50d1406726a367d944f2cf8b402ac084bace2b0d70706f231625277b5d672bea2

/data/misc/profiles/cur/0/com.spacex.mmobile/primary.prof

MD5 50be10a6f66c43873afbced293cfcbee
SHA1 d267936e9d81461962ea93f76d55593c431e13fa
SHA256 e9147d3dfbc2b37026a9670e32d1622772b5a3b8786b20236a106ce92e91c63f
SHA512 0acaa3bfd33793a70f4f131825ed070b98b38f64bc7ac057dff08e7d49aa21d50dfc0ef832131411b9719a999aeea718766d78affbce7294415fbdafcc0cb015

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 22:03

Reported

2024-05-19 22:24

Platform

android-x64-20240514-en

Max time kernel

49s

Max time network

183s

Command Line

com.spacex.mmobile

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api64.ipify.org N/A N/A
N/A api64.ipify.org N/A N/A

Processes

com.spacex.mmobile

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 xyz.spacextraffic.com udp
DE 213.199.39.73:443 xyz.spacextraffic.com tcp
DE 213.199.39.73:443 xyz.spacextraffic.com tcp
DE 213.199.39.73:443 xyz.spacextraffic.com tcp
DE 213.199.39.73:443 xyz.spacextraffic.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 spacextraffic.com udp
DE 213.199.39.73:443 spacextraffic.com tcp
GB 216.58.204.74:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
DE 213.199.39.73:443 spacextraffic.com tcp
DE 213.199.39.73:443 spacextraffic.com tcp
DE 213.199.39.73:443 spacextraffic.com tcp
DE 213.199.39.73:443 spacextraffic.com tcp
DE 213.199.39.73:443 spacextraffic.com tcp
GB 172.217.169.14:443 tcp
DE 213.199.39.73:443 spacextraffic.com tcp
US 1.1.1.1:53 ws-eu.pusher.com udp
IE 52.51.106.160:443 ws-eu.pusher.com tcp
US 1.1.1.1:53 api64.ipify.org udp
US 64.185.227.155:443 api64.ipify.org tcp
DE 213.199.39.73:443 spacextraffic.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.204.74:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.187.238:443 tcp
GB 142.250.200.2:443 tcp
GB 172.217.169.10:443 semanticlocation-pa.googleapis.com tcp
GB 172.217.16.228:443 tcp
GB 172.217.16.228:443 tcp

Files

/data/misc/profiles/cur/0/com.spacex.mmobile/primary.prof

MD5 5032d05f9208570676ba8f0a7fd00e18
SHA1 8e7863eb1aaa553943c12b93562c270963a06705
SHA256 2271f2c773e476d229b58b0c0ee7e38198ab0038886e3695c9943f18d102bac5
SHA512 9701f80aad5f3ddacef0186b187ccad100fee7231cc7110dc944b378c6d6597f6dfcbd2c3b3cc086e9ac50c89e8c148370f83d5f71c6c1ae1cbe864ce5a78fab

/data/data/com.spacex.mmobile/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 1c37e1108a49c7d9f570f902cf5567d2
SHA1 2838a6cb531d4ae2a1e2cde4ad432bd225b72051
SHA256 2619a739017b15d438b688a3d4dd73e23f8f26b182c41160591ea1d246c01b6f
SHA512 5b75cf2d68f1eb67f3a1e82bff3fb569698cd0044cb22d9fab439ac4e85c4c8938047450e97af8bd0e57271475f96cf7b85ad2218d5eeeaf6b01455077e4b384

/data/data/com.spacex.mmobile/files/profileInstalled

MD5 f9eb470c405be2ca997bcb57e120929c
SHA1 ab703d38af0a42a40fda4c4865a8cbaadc1a0cf9
SHA256 8aff2f34588ba5cc78ae8cc375f5834e8bb3250e51c7a555fcf0c3d6e5726c54
SHA512 7705a5f49f3c3e24bfa7ad145002fdc684bd54c9c2b8f8bc88ad5595025294543e95e3355715db65c5653ea18285f87a69f6ba39e3945f78b9a0283f6f030044

/data/misc/profiles/cur/0/com.spacex.mmobile/primary.prof

MD5 0cecfa3abb73fad1389ed8f52a861a13
SHA1 23709a4d24d2622b79e77a900033d7c1bd704caf
SHA256 52053ca08bfe0d091324fe4de4e55ffd1817e714d3a1e098dad136c6f38ca955
SHA512 97b5fb94a5f82e2e30ed279d87e632ed3867f26118befb21c7398ef25313fcc37e797baf110fc2d96d8c83f8c15103a92245ec157eb3defd6fa72cf2e62718c4

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-19 22:03

Reported

2024-05-19 22:25

Platform

android-x64-arm64-20240514-en

Max time kernel

51s

Max time network

182s

Command Line

com.spacex.mmobile

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api64.ipify.org N/A N/A
N/A api64.ipify.org N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A
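Both intents in this run (ACCESSIBILITY_SETTINGS and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS) only work if the user grants what the sample asks for, so on a device suspected of running it the useful question is whether those grants happened. The script below is an added example, not part of the sandbox report, that parses the two `adb shell` outputs a responder would pull (`settings get secure enabled_accessibility_services` and `dumpsys deviceidle whitelist`) and flags packages that hold an enabled accessibility service outside a known-good list, noting whether the same package is also user-exempted from Doze. The command outputs embedded here are constructed; the output formats (colon-separated component list, `user,<pkg>,<uid>` lines) follow AOSP and are an assumption for the target device's Android version.

```python
"""Check a device for the two persistence footholds this sample requests.
Added example; embedded adb outputs are constructed, formats assumed from AOSP."""
import subprocess

# Stand-in for: adb shell settings get secure enabled_accessibility_services
ACCESSIBILITY_SETTING = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.spacex.mmobile/.AccService"
)
# Stand-in for: adb shell dumpsys deviceidle whitelist
DEVICEIDLE_WHITELIST = """\
system,com.android.vending,10042
system,com.google.android.gms,10025
user,com.spacex.mmobile,10198
"""
# Accessibility services you expect on the fleet; everything else gets flagged.
KNOWN_A11Y_PACKAGES = {"com.google.android.marvin.talkback", "com.android.switchaccess"}


def adb_shell(*args):
    """Run an adb shell command on the attached device (live mode only)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


def parse_accessibility_services(setting):
    """'pkg/cls:pkg/cls' -> {pkg: component}; 'null' or empty means none enabled."""
    enabled = {}
    value = setting.strip()
    if value in ("", "null"):
        return enabled
    for component in value.split(":"):
        pkg, _, _cls = component.partition("/")
        enabled[pkg] = component
    return enabled


def parse_deviceidle_whitelist(text):
    """Packages the user exempted from Doze, i.e. the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS path.
    System-exempted entries are ignored; the sample cannot have added itself there."""
    user_pkgs = set()
    for line in text.splitlines():
        kind, _, rest = line.partition(",")
        if kind == "user":
            user_pkgs.add(rest.split(",")[0])
    return user_pkgs


def suspicious_packages(setting, whitelist):
    a11y = parse_accessibility_services(setting)
    exempt = parse_deviceidle_whitelist(whitelist)
    findings = {}
    for pkg, component in a11y.items():
        if pkg in KNOWN_A11Y_PACKAGES:
            continue
        findings[pkg] = {"accessibility_service": component,
                         "doze_exempt": pkg in exempt}
    return findings


def check_live_device():
    """Same check against a real device; requires adb and an authorised connection."""
    setting = adb_shell("settings", "get", "secure", "enabled_accessibility_services")
    whitelist = adb_shell("dumpsys", "deviceidle", "whitelist")
    return suspicious_packages(setting, whitelist)


if __name__ == "__main__":
    print(suspicious_packages(ACCESSIBILITY_SETTING, DEVICEIDLE_WHITELIST))
```

An unknown package with an enabled accessibility service and a user Doze exemption is the combination this report's signatures describe (accessibility abuse plus hiding in the background); the accessibility grant alone is the stronger indicator, since it is what lets the sample read screen content and block its own uninstall.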

Processes

com.spacex.mmobile

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 xyz.spacextraffic.com udp
DE 213.199.39.73:443 xyz.spacextraffic.com tcp
DE 213.199.39.73:443 xyz.spacextraffic.com tcp
DE 213.199.39.73:443 xyz.spacextraffic.com tcp
DE 213.199.39.73:443 xyz.spacextraffic.com tcp
US 1.1.1.1:53 spacextraffic.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.232:443 ssl.google-analytics.com tcp
DE 213.199.39.73:443 spacextraffic.com tcp
DE 213.199.39.73:443 spacextraffic.com tcp
DE 213.199.39.73:443 spacextraffic.com tcp
DE 213.199.39.73:443 spacextraffic.com tcp
DE 213.199.39.73:443 spacextraffic.com tcp
DE 213.199.39.73:443 spacextraffic.com tcp
DE 213.199.39.73:443 spacextraffic.com tcp
US 1.1.1.1:53 ws-eu.pusher.com udp
IE 52.48.0.15:443 ws-eu.pusher.com tcp
US 1.1.1.1:53 api64.ipify.org udp
US 104.237.62.213:443 api64.ipify.org tcp
DE 213.199.39.73:443 spacextraffic.com tcp
GB 142.250.178.14:443 tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp

Files

/data/misc/profiles/cur/0/com.spacex.mmobile/primary.prof

MD5 5032d05f9208570676ba8f0a7fd00e18
SHA1 8e7863eb1aaa553943c12b93562c270963a06705
SHA256 2271f2c773e476d229b58b0c0ee7e38198ab0038886e3695c9943f18d102bac5
SHA512 9701f80aad5f3ddacef0186b187ccad100fee7231cc7110dc944b378c6d6597f6dfcbd2c3b3cc086e9ac50c89e8c148370f83d5f71c6c1ae1cbe864ce5a78fab

/data/data/com.spacex.mmobile/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 745e3394ce581c846bb766e73216bf81
SHA1 43e37b50dd6efed1dbe322c1737e6a38a8266599
SHA256 17de5958986349bf83562a655e020db65e16651b1e5677201aaaa7c885611327
SHA512 ae171efb02cbbbdbcb9e66212b49e9080d6c8cbbe517bd4667392cc76bc7604c1709eeae5e336592820ee1a8475263749592e5f151c16467fe437d077780fe5e

/data/misc/profiles/cur/0/com.spacex.mmobile/primary.prof

MD5 6f773512ba04d04a691ef662d8d6c803
SHA1 93dd62bcf501feb481c2ed5fb468b9f38970442a
SHA256 2aadd765390f998a7a5d86e17799c556de8dbaab0fbf847c3df1eabdfdc5b941
SHA512 34dbb8cdea1d059fd4ca986e1389381992faa43d09a6fd6bbf8075c92fec18e81fa743f1f6ba92a6c9d805e06bd15023d9e3a7c9dbb1d1b29606b2470733cbe9