Analysis Overview
SHA256
402099e936e9ce58a39e8c5b7f288711f8c03d39bfba4f10323477f7f697a777
Threat Level: Likely malicious
The file 402099e936e9ce58a39e8c5b7f288711f8c03d39bfba4f10323477f7f697a777.bin was found to be: Likely malicious.
Malicious Activity Summary
Removes its main activity from the application launcher
Makes use of the framework's Accessibility service
Prevents application removal
Queries the phone number (MSISDN for GSM devices)
Registers a broadcast receiver at runtime (usually for listening for system events)
Requests enabling of the accessibility settings.
Makes use of the framework's foreground persistence service
Requests disabling of battery optimizations (often used to enable hiding in the background).
Declares services with permission to bind to the system
Requests dangerous framework permissions
Acquires the wake lock
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-19 22:04
Signatures
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-19 22:04
Reported
2024-05-19 22:27
Platform
android-x86-arm-20240514-en
Max time kernel
169s
Max time network
181s
Command Line
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
Prevents application removal
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Makes use of the framework's foreground persistence service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |
Queries the phone number (MSISDN for GSM devices)
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Requests enabling of the accessibility settings.
| Description | Indicator | Process | Target |
|---|---|---|---|
| Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A |
Acquires the wake lock
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
|---|---|---|---|
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Processes
com.spacex.mmobile
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.169.10:443 | | tcp |
| US | 1.1.1.1:53 | api.spacexmmobile.com | udp |
| DE | 84.247.157.24:443 | api.spacexmmobile.com | tcp |
| DE | 84.247.157.24:443 | api.spacexmmobile.com | tcp |
| DE | 84.247.157.24:443 | api.spacexmmobile.com | tcp |
| DE | 84.247.157.24:443 | api.spacexmmobile.com | tcp |
| GB | 142.250.200.3:443 | | tcp |
| DE | 84.247.157.24:443 | api.spacexmmobile.com | tcp |
| US | 1.1.1.1:53 | ws-eu.pusher.com | udp |
| IE | 52.48.0.15:443 | ws-eu.pusher.com | tcp |
| DE | 84.247.157.24:443 | api.spacexmmobile.com | tcp |
| GB | 142.250.180.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| GB | 172.217.169.10:443 | | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 216.58.201.106:443 | semanticlocation-pa.googleapis.com | tcp |
| GB | 142.250.187.206:443 | | tcp |
| GB | 172.217.169.10:443 | | tcp |
Files
/data/misc/profiles/cur/0/com.spacex.mmobile/primary.prof
| MD5 | 02dfdda9302874d7e041994fe11ba307 |
| SHA1 | 8348c24f5edf9f0193f362c483c83a7807fa3c40 |
| SHA256 | a85cf46a39a20dc04557f47f5084a517b87cfad4599d28a7c59518e6c1c23857 |
| SHA512 | df51c5a819ed9689ba866d5add070f116b90910af95a0921297dbf132d75da877d1a327685c614ff59af46fb1d523fa6f609669a3f5690f775dd8fdea91e8364 |
/data/data/com.spacex.mmobile/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | 8f1505402158af487c864c20d084a33d |
| SHA1 | 182737449d0c2299bf0d1706d47bc1c52aeb6420 |
| SHA256 | e9b6b79802538f23c951808c945b323e2ca1e92129d854111fac675598a61d2a |
| SHA512 | 99d239b26387f5ce6874582db9655fbb966bc8e3c3ce552fbd2ac5f9dfd9705b96eeff03a15266cc4f4126f0e92c2eda4ba841fa7b4ed599a2dff54d421cd9d6 |
/data/data/com.spacex.mmobile/files/profileInstalled
| MD5 | 4d5a48292f29cc6a75c6d2751c5235b1 |
| SHA1 | 0f0a956c2eae1fe88ffa0c1e453249c5248bda2f |
| SHA256 | 03d692172837703b224e166184df3c2f38d1d380750de95043bd4511b618fbdb |
| SHA512 | 596ddf6ec2a43fa2967208093cee51b91567a430a45ec7f987f69729e4149ff84be15f92f69bc7ae5bd1de59550e442928f248f6161664cacf81676cf101f550 |
/data/misc/profiles/cur/0/com.spacex.mmobile/primary.prof
| MD5 | 006b1dc43d7569af6c3c2bcc293757f9 |
| SHA1 | 7fb046e881d8f47cdb9a04394e0ad937964fd7e4 |
| SHA256 | fe2ae33aca4b7b53bcbf2d03fe9290a94ed5ec637dbfa7ebdb9cd5c3a5141069 |
| SHA512 | c13bf4568b0c14d3dd76ee5875bd10b294de7de3e26914753033f605eddebfc1762e2137a0590e4f9eaddbc499ec732b6c5955152029f11c0967aa722111a7db |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-19 22:04
Reported
2024-05-19 22:27
Platform
android-x64-20240514-en
Max time kernel
48s
Max time network
184s
Command Line
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
Prevents application removal
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Makes use of the framework's foreground persistence service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |
Queries the phone number (MSISDN for GSM devices)
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Acquires the wake lock
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Processes
com.spacex.mmobile
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.227:443 | | tcp |
| GB | 142.250.178.10:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | api.spacexmmobile.com | udp |
| DE | 84.247.157.24:443 | api.spacexmmobile.com | tcp |
| DE | 84.247.157.24:443 | api.spacexmmobile.com | tcp |
| GB | 172.217.169.14:443 | | tcp |
| DE | 84.247.157.24:443 | api.spacexmmobile.com | tcp |
| DE | 84.247.157.24:443 | api.spacexmmobile.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp |
| DE | 84.247.157.24:443 | api.spacexmmobile.com | tcp |
| US | 1.1.1.1:53 | ws-eu.pusher.com | udp |
| IE | 54.78.212.88:443 | ws-eu.pusher.com | tcp |
| DE | 84.247.157.24:443 | api.spacexmmobile.com | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 172.217.16.228:443 | | tcp |
| GB | 172.217.16.228:443 | | tcp |
| GB | 142.250.200.46:443 | | tcp |
| GB | 142.250.187.194:443 | | tcp |
Files
/data/misc/profiles/cur/0/com.spacex.mmobile/primary.prof
| MD5 | 02dfdda9302874d7e041994fe11ba307 |
| SHA1 | 8348c24f5edf9f0193f362c483c83a7807fa3c40 |
| SHA256 | a85cf46a39a20dc04557f47f5084a517b87cfad4599d28a7c59518e6c1c23857 |
| SHA512 | df51c5a819ed9689ba866d5add070f116b90910af95a0921297dbf132d75da877d1a327685c614ff59af46fb1d523fa6f609669a3f5690f775dd8fdea91e8364 |
/data/data/com.spacex.mmobile/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | 03eebd020cafef17fb00db73abb8f035 |
| SHA1 | ae33808dceb2ccc9caa0abd5981f9fe0f5e79a66 |
| SHA256 | 3f93b7e142d0e2ca91b65b2c6d6d38c301be1c175325b16201029e04ec683ec4 |
| SHA512 | a4faf999814bc8d0e5af1b28d311317e1f634aaef405aa6ff270a436c5c928c1145465ef462d65a506639f1a78c9570d82d9aa063ead1caf3f2300daddef5efc |
/data/data/com.spacex.mmobile/files/profileInstalled
| MD5 | ef0d6faaf9e6691639b4f5b8bde383ed |
| SHA1 | 3f4f262957f0ef6dc4a6d5fe450c7f8b47e6a2a8 |
| SHA256 | 02f9b6e8868dfbe5ae56664e3c27fc4c00c89a306225c8fd99b919a20c48670b |
| SHA512 | c6bb288d33325cd376c47143dcb6fe349b2db2beaaa266deb9412e1923d046ac765aee392007388acb08631a4bb5e4c1eb5039916deff4fdbf9a6c560b227eac |
/data/misc/profiles/cur/0/com.spacex.mmobile/primary.prof
| MD5 | 47b45599bbea5c6d2170d26ac82d4c08 |
| SHA1 | 1de4633edd26eff1dbb7b72749a5f0551c7cf588 |
| SHA256 | 978218ae72ee70094280f6733375e296a41cf450ed8bfb9bd69f8f6ce289e85d |
| SHA512 | 5eb2d23895e9b668426ba6b8e4348b1d537efd76e27745ad917d99ea88cae4a714f13b6774f2b51332fe5acd5a31bc12c56ad54e7c393000fbff1f11493404fc |
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-19 22:04
Reported
2024-05-19 22:27
Platform
android-x64-arm64-20240514-en
Max time kernel
48s
Max time network
184s
Command Line
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
Prevents application removal
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Makes use of the framework's foreground persistence service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |
Queries the phone number (MSISDN for GSM devices)
Requests enabling of the accessibility settings.
| Description | Indicator | Process | Target |
|---|---|---|---|
| Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A |
Acquires the wake lock
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
|---|---|---|---|
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Processes
com.spacex.mmobile
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.200.46:443 | | tcp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | api.spacexmmobile.com | udp |
| DE | 84.247.157.24:443 | api.spacexmmobile.com | tcp |
| DE | 84.247.157.24:443 | api.spacexmmobile.com | tcp |
| DE | 84.247.157.24:443 | api.spacexmmobile.com | tcp |
| DE | 84.247.157.24:443 | api.spacexmmobile.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp |
| DE | 84.247.157.24:443 | api.spacexmmobile.com | tcp |
| US | 1.1.1.1:53 | ws-eu.pusher.com | udp |
| IE | 54.220.109.231:443 | ws-eu.pusher.com | tcp |
| DE | 84.247.157.24:443 | api.spacexmmobile.com | tcp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 216.58.201.100:443 | | tcp |
Files
/data/misc/profiles/cur/0/com.spacex.mmobile/primary.prof
| MD5 | 02dfdda9302874d7e041994fe11ba307 |
| SHA1 | 8348c24f5edf9f0193f362c483c83a7807fa3c40 |
| SHA256 | a85cf46a39a20dc04557f47f5084a517b87cfad4599d28a7c59518e6c1c23857 |
| SHA512 | df51c5a819ed9689ba866d5add070f116b90910af95a0921297dbf132d75da877d1a327685c614ff59af46fb1d523fa6f609669a3f5690f775dd8fdea91e8364 |
/data/data/com.spacex.mmobile/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | 6fe4b941d6d110c7d4f3029561e5cf6a |
| SHA1 | 42491f9ca5a1a72d125fbd2d5a1f20e394ede923 |
| SHA256 | 922c0dd92792dfd75488b27de620e2b1ad66a5e4bb38892671ec2421100f7945 |
| SHA512 | 35d80b058c851facf658a80835e6e0264999c12ee2eb0471b65049458d8eabf3270258e2821de210324d27787ee3e2ad7a4773fc48d0135d7b7d7a3f7f2d1285 |
/data/misc/profiles/cur/0/com.spacex.mmobile/primary.prof
| MD5 | 1a432b2d71f14a8a4e315998cc4dc57f |
| SHA1 | 639e426e34ea33bb573589cc6539abeef86cedde |
| SHA256 | d140d359138329c9a613a19f6552efa9182b63a87e7ec1d5e814cc7bf1b7e98c |
| SHA512 | 4c8b22fdcd85c46a0087aa40e49b8a4ebc0f8195a7bfcf31049db315c495406b9d557c67c80e364df6031c2a6106a636e2a1f47af1f58d1ffed25fb6405f3387 |