Malware Analysis Report

2024-10-19 12:06

Sample ID 240519-1yzsyscc35
Target 402099e936e9ce58a39e8c5b7f288711f8c03d39bfba4f10323477f7f697a777.bin
SHA256 402099e936e9ce58a39e8c5b7f288711f8c03d39bfba4f10323477f7f697a777
Tags
collection credential_access discovery evasion persistence stealth trojan
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
8/10

SHA256

402099e936e9ce58a39e8c5b7f288711f8c03d39bfba4f10323477f7f697a777

Threat Level: Likely malicious

The file 402099e936e9ce58a39e8c5b7f288711f8c03d39bfba4f10323477f7f697a777.bin was found to be: Likely malicious.

Malicious Activity Summary

collection credential_access discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Prevents application removal

Queries the phone number (MSISDN for GSM devices)

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests enabling of the accessibility settings.

Makes use of the framework's foreground persistence service

Requests disabling of battery optimizations (used to keep running in the background without being killed by Doze).

Declares services with permission to bind to the system

Requests dangerous framework permissions

Acquires the wake lock

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-19 22:04

Signatures

Declares services with permission to bind to the system

Description Indicator Process Target
Must be declared by an AccessibilityService so that only the system can bind to it; an app that ships such a service gets the accessibility framework's view of other apps' UI once the user enables it. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
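
The static1 signatures above are all things a manifest declares, so they can be checked before detonation. The following script is an added example, not code from the report or from the analysed sample: it reads a decoded AndroidManifest.xml (text XML as written by apktool, not the binary XML inside the APK) and reports services that require BIND_ACCESSIBILITY_SERVICE, the watched permissions, and which components are exposed in the launcher. SAMPLE_MANIFEST, the package com.example.sample and its class names are constructed placeholders; the additive score is an analyst's choice, not the sandbox's.

```python
"""Static triage of a decoded AndroidManifest.xml for the static1 indicators.

Added example, not part of the sandbox report. Expects text XML (e.g. apktool
output). SAMPLE_MANIFEST and com.example.sample are constructed placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the static1 section flags, plus two that accompany the
# foreground-service and battery-optimisation behaviours seen at runtime.
WATCHED_PERMISSIONS = {
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_PHONE_NUMBERS",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    "android.permission.FOREGROUND_SERVICE",
}
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed sample manifest (not the analysed app's manifest).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_NUMBERS"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Sample">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".SyncService" android:foregroundServiceType="dataSync"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _fqcn(package, name):
    """Expand the shorthand '.Class' form to a fully qualified class name."""
    if name is None:
        return None
    return package + name if name.startswith(".") else name


def triage_manifest(xml_text):
    """Return the watched permissions, accessibility services, launcher
    components and a simple additive score for one manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    result = {
        "package": package,
        "permissions": [],
        "accessibility_services": [],
        "launcher_components": [],
    }
    for perm in root.iter("uses-permission"):
        name = _attr(perm, "name")
        if name in WATCHED_PERMISSIONS:
            result["permissions"].append(name)
    # A service that requires BIND_ACCESSIBILITY_SERVICE is an accessibility
    # service: once enabled it can read and act on other apps' UI.
    for svc in root.iter("service"):
        if _attr(svc, "permission") == BIND_A11Y:
            result["accessibility_services"].append(_fqcn(package, _attr(svc, "name")))
    # Launcher entries may sit on an activity-alias, so check both.
    for tag in ("activity", "activity-alias"):
        for comp in root.iter(tag):
            cats = {_attr(c, "name") for c in comp.iter("category")}
            if LAUNCHER in cats:
                result["launcher_components"].append(_fqcn(package, _attr(comp, "name")))
    # Analyst-chosen weighting: the accessibility service is what turns overlay
    # and phone-state access into credential theft, so it weighs most.
    result["score"] = 3 * len(result["accessibility_services"]) + len(result["permissions"])
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

Run it on the apktool output of a sample to get the same picture the static1 section gives, before spending sandbox time; a manifest with an accessibility service plus SYSTEM_ALERT_WINDOW and the phone-number permissions is the combination worth detonating first.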

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 22:04

Reported

2024-05-19 22:27

Platform

android-x86-arm-20240514-en

Max time kernel

169s

Max time network

181s

Command Line

com.spacex.mmobile

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Requests disabling of battery optimizations (used to keep running in the background without being killed by Doze).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Processes

com.spacex.mmobile

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
GB 172.217.169.10:443 N/A tcp
US 1.1.1.1:53 api.spacexmmobile.com udp
DE 84.247.157.24:443 api.spacexmmobile.com tcp
DE 84.247.157.24:443 api.spacexmmobile.com tcp
DE 84.247.157.24:443 api.spacexmmobile.com tcp
DE 84.247.157.24:443 api.spacexmmobile.com tcp
GB 142.250.200.3:443 N/A tcp
DE 84.247.157.24:443 api.spacexmmobile.com tcp
US 1.1.1.1:53 ws-eu.pusher.com udp
IE 52.48.0.15:443 ws-eu.pusher.com tcp
DE 84.247.157.24:443 api.spacexmmobile.com tcp
GB 142.250.180.14:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 172.217.169.10:443 N/A tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.201.106:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.187.206:443 N/A tcp
GB 172.217.169.10:443 N/A tcp

Files

The entries below are ART runtime profile files (primary.prof under /data/misc/profiles) and the two marker files the androidx.profileinstaller library writes into the app's files directory. They are generated on the device at first run rather than dropped by the sample, which is why most of their hashes differ between the three detonations.

/data/misc/profiles/cur/0/com.spacex.mmobile/primary.prof

MD5 02dfdda9302874d7e041994fe11ba307
SHA1 8348c24f5edf9f0193f362c483c83a7807fa3c40
SHA256 a85cf46a39a20dc04557f47f5084a517b87cfad4599d28a7c59518e6c1c23857
SHA512 df51c5a819ed9689ba866d5add070f116b90910af95a0921297dbf132d75da877d1a327685c614ff59af46fb1d523fa6f609669a3f5690f775dd8fdea91e8364

/data/data/com.spacex.mmobile/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 8f1505402158af487c864c20d084a33d
SHA1 182737449d0c2299bf0d1706d47bc1c52aeb6420
SHA256 e9b6b79802538f23c951808c945b323e2ca1e92129d854111fac675598a61d2a
SHA512 99d239b26387f5ce6874582db9655fbb966bc8e3c3ce552fbd2ac5f9dfd9705b96eeff03a15266cc4f4126f0e92c2eda4ba841fa7b4ed599a2dff54d421cd9d6

/data/data/com.spacex.mmobile/files/profileInstalled

MD5 4d5a48292f29cc6a75c6d2751c5235b1
SHA1 0f0a956c2eae1fe88ffa0c1e453249c5248bda2f
SHA256 03d692172837703b224e166184df3c2f38d1d380750de95043bd4511b618fbdb
SHA512 596ddf6ec2a43fa2967208093cee51b91567a430a45ec7f987f69729e4149ff84be15f92f69bc7ae5bd1de59550e442928f248f6161664cacf81676cf101f550

/data/misc/profiles/cur/0/com.spacex.mmobile/primary.prof

MD5 006b1dc43d7569af6c3c2bcc293757f9
SHA1 7fb046e881d8f47cdb9a04394e0ad937964fd7e4
SHA256 fe2ae33aca4b7b53bcbf2d03fe9290a94ed5ec637dbfa7ebdb9cd5c3a5141069
SHA512 c13bf4568b0c14d3dd76ee5875bd10b294de7de3e26914753033f605eddebfc1762e2137a0590e4f9eaddbc499ec732b6c5955152029f11c0967aa722111a7db

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 22:04

Reported

2024-05-19 22:27

Platform

android-x64-20240514-en

Max time kernel

48s

Max time network

184s

Command Line

com.spacex.mmobile

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Processes

com.spacex.mmobile

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
GB 142.250.187.227:443 N/A tcp
GB 142.250.178.10:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
US 1.1.1.1:53 api.spacexmmobile.com udp
DE 84.247.157.24:443 api.spacexmmobile.com tcp
DE 84.247.157.24:443 api.spacexmmobile.com tcp
GB 172.217.169.14:443 N/A tcp
DE 84.247.157.24:443 api.spacexmmobile.com tcp
DE 84.247.157.24:443 api.spacexmmobile.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
DE 84.247.157.24:443 api.spacexmmobile.com tcp
US 1.1.1.1:53 ws-eu.pusher.com udp
IE 54.78.212.88:443 ws-eu.pusher.com tcp
DE 84.247.157.24:443 api.spacexmmobile.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 172.217.16.228:443 N/A tcp
GB 172.217.16.228:443 N/A tcp
GB 142.250.200.46:443 N/A tcp
GB 142.250.187.194:443 N/A tcp

Files

/data/misc/profiles/cur/0/com.spacex.mmobile/primary.prof

MD5 02dfdda9302874d7e041994fe11ba307
SHA1 8348c24f5edf9f0193f362c483c83a7807fa3c40
SHA256 a85cf46a39a20dc04557f47f5084a517b87cfad4599d28a7c59518e6c1c23857
SHA512 df51c5a819ed9689ba866d5add070f116b90910af95a0921297dbf132d75da877d1a327685c614ff59af46fb1d523fa6f609669a3f5690f775dd8fdea91e8364

/data/data/com.spacex.mmobile/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 03eebd020cafef17fb00db73abb8f035
SHA1 ae33808dceb2ccc9caa0abd5981f9fe0f5e79a66
SHA256 3f93b7e142d0e2ca91b65b2c6d6d38c301be1c175325b16201029e04ec683ec4
SHA512 a4faf999814bc8d0e5af1b28d311317e1f634aaef405aa6ff270a436c5c928c1145465ef462d65a506639f1a78c9570d82d9aa063ead1caf3f2300daddef5efc

/data/data/com.spacex.mmobile/files/profileInstalled

MD5 ef0d6faaf9e6691639b4f5b8bde383ed
SHA1 3f4f262957f0ef6dc4a6d5fe450c7f8b47e6a2a8
SHA256 02f9b6e8868dfbe5ae56664e3c27fc4c00c89a306225c8fd99b919a20c48670b
SHA512 c6bb288d33325cd376c47143dcb6fe349b2db2beaaa266deb9412e1923d046ac765aee392007388acb08631a4bb5e4c1eb5039916deff4fdbf9a6c560b227eac

/data/misc/profiles/cur/0/com.spacex.mmobile/primary.prof

MD5 47b45599bbea5c6d2170d26ac82d4c08
SHA1 1de4633edd26eff1dbb7b72749a5f0551c7cf588
SHA256 978218ae72ee70094280f6733375e296a41cf450ed8bfb9bd69f8f6ce289e85d
SHA512 5eb2d23895e9b668426ba6b8e4348b1d537efd76e27745ad917d99ea88cae4a714f13b6774f2b51332fe5acd5a31bc12c56ad54e7c393000fbff1f11493404fc

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-19 22:04

Reported

2024-05-19 22:27

Platform

android-x64-arm64-20240514-en

Max time kernel

48s

Max time network

184s

Command Line

com.spacex.mmobile

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Requests disabling of battery optimizations (used to keep running in the background without being killed by Doze).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Processes

com.spacex.mmobile

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
GB 142.250.200.46:443 N/A tcp
GB 142.250.200.46:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
US 1.1.1.1:53 api.spacexmmobile.com udp
DE 84.247.157.24:443 api.spacexmmobile.com tcp
DE 84.247.157.24:443 api.spacexmmobile.com tcp
DE 84.247.157.24:443 api.spacexmmobile.com tcp
DE 84.247.157.24:443 api.spacexmmobile.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
DE 84.247.157.24:443 api.spacexmmobile.com tcp
US 1.1.1.1:53 ws-eu.pusher.com udp
IE 54.220.109.231:443 ws-eu.pusher.com tcp
DE 84.247.157.24:443 api.spacexmmobile.com tcp
GB 216.58.201.100:443 N/A tcp
GB 216.58.201.100:443 N/A tcp
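
The three Network tables (behavioral1, behavioral2, behavioral3) mix the sample's own traffic with emulator and Google Play services noise, and each destination appears once per connection. The script below is an added example, not part of the sandbox report: it parses rows in the tables' format and reduces them to a de-duplicated list of names and IPs, with the resolver and multicast noise separated out. ROWS is copied from the behavioral1 table; the same functions work on the other two. Which suffixes count as platform noise (PLATFORM_SUFFIXES) is an analyst assumption, not something the sandbox asserts, and third-party services such as ws-eu.pusher.com are deliberately left in the review bucket, since a legitimate SaaS can still carry an operator's channel.

```python
"""Reduce the flattened Network tables to a de-duplicated IOC list.

Added example, not part of the sandbox report. ROWS is copied from the
behavioral1 table; PLATFORM_SUFFIXES is an analyst assumption.
"""
import ipaddress
from collections import defaultdict

# Rows as they appear in the report (Country Destination [Domain] Proto).
ROWS = """\
N/A 224.0.0.251:5353 udp
GB 172.217.169.10:443 tcp
US 1.1.1.1:53 api.spacexmmobile.com udp
DE 84.247.157.24:443 api.spacexmmobile.com tcp
DE 84.247.157.24:443 api.spacexmmobile.com tcp
DE 84.247.157.24:443 api.spacexmmobile.com tcp
DE 84.247.157.24:443 api.spacexmmobile.com tcp
GB 142.250.200.3:443 tcp
DE 84.247.157.24:443 api.spacexmmobile.com tcp
US 1.1.1.1:53 ws-eu.pusher.com udp
IE 52.48.0.15:443 ws-eu.pusher.com tcp
DE 84.247.157.24:443 api.spacexmmobile.com tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 172.217.169.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.201.106:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.187.206:443 tcp
GB 172.217.169.10:443 tcp
"""

# Analyst assumption: names under these suffixes are platform background
# traffic on an Android sandbox. Everything else is surfaced for review.
PLATFORM_SUFFIXES = ("google.com", "googleapis.com")


def parse_row(line):
    """Rows carry 3 fields (no domain) or 4; 'N/A' in the domain slot also means none."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError("unexpected row: %r" % line)
    if domain == "N/A":
        domain = None
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def classify(domain, ip):
    """Bucket a destination; only 'review' entries need an analyst's eyes."""
    if ipaddress.ip_address(ip).is_multicast:
        return "local"        # 224.0.0.251:5353 is mDNS on the emulator's LAN
    if domain is None:
        return "unresolved"   # TLS to an IP the sandbox did not tie to a name
    if any(domain == s or domain.endswith("." + s) for s in PLATFORM_SUFFIXES):
        return "platform"
    return "review"


def summarize(text):
    """Group rows by domain (or bare IP), keeping resolved IPs and counts."""
    out = defaultdict(lambda: {"class": None, "ips": set(), "connections": 0, "dns_lookups": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        row = parse_row(line)
        key = row["domain"] or row["ip"]
        entry = out[key]
        entry["class"] = classify(row["domain"], row["ip"])
        if row["port"] == 53:
            entry["dns_lookups"] += 1  # the resolver's IP is not an IOC for the name
        else:
            entry["ips"].add(row["ip"])
            entry["connections"] += 1
    return dict(out)


def review_list(text):
    """(name, connections, sorted IPs) for entries still to be looked at, most-contacted first."""
    summary = summarize(text)
    return sorted(
        ((k, v["connections"], sorted(v["ips"])) for k, v in summary.items() if v["class"] == "review"),
        key=lambda t: (-t[1], t[0]),
    )


if __name__ == "__main__":
    for name, count, ips in review_list(ROWS):
        print("%-40s %2d connection(s) -> %s" % (name, count, ", ".join(ips)))
```

Feeding the behavioral2 and behavioral3 rows through the same functions gives the same two review entries, which is the useful signal in these tables: api.spacexmmobile.com on 84.247.157.24 is contacted repeatedly in every run, while the Google IPs without a domain are TLS sessions the sandbox could not name and are typically Play services traffic.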

Files

/data/misc/profiles/cur/0/com.spacex.mmobile/primary.prof

MD5 02dfdda9302874d7e041994fe11ba307
SHA1 8348c24f5edf9f0193f362c483c83a7807fa3c40
SHA256 a85cf46a39a20dc04557f47f5084a517b87cfad4599d28a7c59518e6c1c23857
SHA512 df51c5a819ed9689ba866d5add070f116b90910af95a0921297dbf132d75da877d1a327685c614ff59af46fb1d523fa6f609669a3f5690f775dd8fdea91e8364

/data/data/com.spacex.mmobile/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 6fe4b941d6d110c7d4f3029561e5cf6a
SHA1 42491f9ca5a1a72d125fbd2d5a1f20e394ede923
SHA256 922c0dd92792dfd75488b27de620e2b1ad66a5e4bb38892671ec2421100f7945
SHA512 35d80b058c851facf658a80835e6e0264999c12ee2eb0471b65049458d8eabf3270258e2821de210324d27787ee3e2ad7a4773fc48d0135d7b7d7a3f7f2d1285

/data/misc/profiles/cur/0/com.spacex.mmobile/primary.prof

MD5 1a432b2d71f14a8a4e315998cc4dc57f
SHA1 639e426e34ea33bb573589cc6539abeef86cedde
SHA256 d140d359138329c9a613a19f6552efa9182b63a87e7ec1d5e814cc7bf1b7e98c
SHA512 4c8b22fdcd85c46a0087aa40e49b8a4ebc0f8195a7bfcf31049db315c495406b9d557c67c80e364df6031c2a6106a636e2a1f47af1f58d1ffed25fb6405f3387