Malware Analysis Report

2025-01-23 12:30

Sample ID 241105-vcxhtatqdt
Target VPN Service Pro .apk
SHA256 d492cf0729e9e846be934ba081dec52c6136141e31dc50a533731f62522d1f9a
Tags: spynote collection credential_access evasion execution persistence
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

d492cf0729e9e846be934ba081dec52c6136141e31dc50a533731f62522d1f9a

Threat Level: Known bad

The file VPN Service Pro .apk was found to be: Known bad.

Malicious Activity Summary

spynote collection credential_access evasion execution persistence

Spynote family

Spynote payload

Makes use of the framework's Accessibility service

Declares services with permission to bind to the system

Makes use of the framework's foreground persistence service

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Acquires the wake lock

Requests enabling of the accessibility settings

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 16:51

Signatures

Spynote family

spynote

Spynote payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A
Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards). | android.permission.BIND_INPUT_METHOD | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 16:51

Reported

2024-11-05 16:52

Platform

android-x64-20240624-en

Max time kernel

70s

Max time network

77s

Command Line

european.tubes.agreement

Signatures

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

Tags: execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

european.tubes.agreement

Network

Consecutive identical connections are collapsed; the Count column gives the number of rows the sandbox recorded for each run.

Country | Destination | Domain | Proto | Count
N/A | 224.0.0.251:5353 | | udp | 1
US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1
GB | 172.217.169.40:443 | ssl.google-analytics.com | tcp | 1
US | 1.1.1.1:53 | craxs007-53582.portmap.host | udp | 1
DE | 193.161.193.99:53582 | craxs007-53582.portmap.host | tcp | 7
GB | 142.250.180.14:443 | | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 142.250.187.238:443 | android.apis.google.com | tcp | 1
DE | 193.161.193.99:53582 | craxs007-53582.portmap.host | tcp | 31
GB | 172.217.16.228:443 | | tcp | 2
DE | 193.161.193.99:53582 | craxs007-53582.portmap.host | tcp | 19

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-11-05.txt

MD5 de2c41a51ee9246eb1708f65b511add0
SHA1 2f442d634c8a18760a232c8829d4b5d74a52f074
SHA256 ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab
SHA512 7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

/storage/emulated/0/Config/sys/apps/log/log-2024-11-05.txt

MD5 bcda3ea991660c7e05d39a1e0ed3beb6
SHA1 024450a5e41e4e4e7ab1678a1fa2fdd1b41d4f65
SHA256 403c898ed4d2df3c2eadea3b24d657d3aa53316a85873f55b349066ac3860153
SHA512 d85e96987e190cc4ff851c29548f4484af444104da6ecf68160a561227beeb1f7343679b677b513d4a8fd85b2f3b96e265a239d8ff5793686e533dd8c7c64f17

/storage/emulated/0/Config/sys/apps/log/log-2024-11-05.txt

MD5 99fe1c139a4a82bb13535f02cd9f8d9a
SHA1 e5fed6c55c884b8f938a04918b5922c91681f795
SHA256 b65340f5f9513c06f3e02065d259cd9a3de109fdf0563300c163b06e77704348
SHA512 edfa69c0fcc4da64eaed539e4748886694e31a031b8822d85b993c067597bb12231d0af973e2ee7aff56ceca73c09ff1a8a96613193ec60d7097011434206509

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-05 16:51

Reported

2024-11-05 16:52

Platform

android-x64-arm64-20240624-en

Max time kernel

66s

Max time network

75s

Command Line

european.tubes.agreement

Signatures

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Schedules tasks to execute at a specified time

Tags: execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

european.tubes.agreement

Network

Consecutive identical connections are collapsed; the Count column gives the number of rows the sandbox recorded for each run.

Country | Destination | Domain | Proto | Count
N/A | 224.0.0.251:5353 | | udp | 1
GB | 172.217.16.238:443 | | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 142.250.200.14:443 | android.apis.google.com | tcp | 2
US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1
GB | 216.58.213.8:443 | ssl.google-analytics.com | tcp | 1
US | 1.1.1.1:53 | craxs007-53582.portmap.host | udp | 1
DE | 193.161.193.99:53582 | craxs007-53582.portmap.host | tcp | 25
GB | 142.250.187.196:443 | | tcp | 2
DE | 193.161.193.99:53582 | craxs007-53582.portmap.host | tcp | 29

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-11-05.txt

MD5 de2c41a51ee9246eb1708f65b511add0
SHA1 2f442d634c8a18760a232c8829d4b5d74a52f074
SHA256 ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab
SHA512 7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

/storage/emulated/0/Config/sys/apps/log/log-2024-11-05.txt

MD5 bcda3ea991660c7e05d39a1e0ed3beb6
SHA1 024450a5e41e4e4e7ab1678a1fa2fdd1b41d4f65
SHA256 403c898ed4d2df3c2eadea3b24d657d3aa53316a85873f55b349066ac3860153
SHA512 d85e96987e190cc4ff851c29548f4484af444104da6ecf68160a561227beeb1f7343679b677b513d4a8fd85b2f3b96e265a239d8ff5793686e533dd8c7c64f17

/storage/emulated/0/Config/sys/apps/log/log-2024-11-05.txt

MD5 b1a2d7543616b6b5b7f4b33485273c0b
SHA1 b070b6e862be837c96ab4efd162ee9ca32ad14cd
SHA256 e35b61a77b5a582676646c7dde9a2bfeb752ff73a4af250dc1c181dc542765c6
SHA512 dc60a807c944a3e5ac6f095009200c511caa742400280aae29fc0749adcf0551b2252f90e46f20b80c1368f65a2f6fea91d0307c641eefff8f9ec9eee434f64e

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-05 16:51

Reported

2024-11-05 16:52

Platform

android-33-x64-arm64-20240910-en

Max time kernel

68s

Max time network

70s

Command Line

european.tubes.agreement

Signatures

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Schedules tasks to execute at a specified time

Tags: execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

european.tubes.agreement

Network

Consecutive identical connections are collapsed; the Count column gives the number of rows the sandbox recorded for each run.

Country | Destination | Domain | Proto | Count
N/A | 224.0.0.251:5353 | | udp | 1
US | 1.1.1.1:53 | craxs007-53582.portmap.host | udp | 1
DE | 193.161.193.99:53582 | craxs007-53582.portmap.host | tcp | 17
US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp | 1
US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 216.58.213.14:443 | android.apis.google.com | tcp | 1
DE | 193.161.193.99:53582 | craxs007-53582.portmap.host | tcp | 31
GB | 216.58.213.14:443 | android.apis.google.com | udp | 1
DE | 193.161.193.99:53582 | craxs007-53582.portmap.host | tcp | 6
US | 172.64.41.3:443 | | tcp | 1
US | 1.1.1.1:53 | chrome.cloudflare-dns.com | udp | 1
US | 172.64.41.3:443 | chrome.cloudflare-dns.com | tcp | 3
BE | 66.102.1.84:443 | | tcp | 1
GB | 216.58.201.100:443 | | tcp | 2
GB | 216.58.201.100:443 | | udp | 1
DE | 193.161.193.99:53582 | craxs007-53582.portmap.host | tcp | 4
US | 1.1.1.1:53 | update.googleapis.com | udp | 1
DE | 193.161.193.99:53582 | craxs007-53582.portmap.host | tcp | 1
GB | 172.217.16.227:443 | update.googleapis.com | tcp | 1

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-11-05.txt

MD5 de2c41a51ee9246eb1708f65b511add0
SHA1 2f442d634c8a18760a232c8829d4b5d74a52f074
SHA256 ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab
SHA512 7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

/storage/emulated/0/Config/sys/apps/log/log-2024-11-05.txt

MD5 ba30336bf53d54ed3c0ea69dd545de8c
SHA1 ce99c6724c75b93b7448e2d9fac16ca702a5711f
SHA256 2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af
SHA512 eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

/storage/emulated/0/Config/sys/apps/log/log-2024-11-05.txt

MD5 01c31a64fbc7d202c1b12c96291b3483
SHA1 874f08cbe6d1056437a2e7b347a6eab9c899c1fe
SHA256 435a58e2fae46db3716f9f7b512442308cffed4a79a43196064e29704fafa99b
SHA512 0f726db8f3f15e24247d49711f178219d33b375cb0ba6d27818e63bf18feafe281ec6b28dbc1cb55ca2c72bda672869ee6c5e79678bf7acdacdcdd42c06cb8bb

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-05 16:51

Reported

2024-11-05 16:52

Platform

android-x86-arm-20240910-en

Max time kernel

70s

Max time network

72s

Command Line

european.tubes.agreement

Signatures

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

Tags: execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

european.tubes.agreement

Network

Consecutive identical connections are collapsed; the Count column gives the number of rows the sandbox recorded for each run.

Country | Destination | Domain | Proto | Count
GB | 216.58.201.110:443 | | tcp | 2
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 142.250.178.14:443 | android.apis.google.com | tcp | 1
GB | 172.217.169.42:443 | | tcp | 1
N/A | 224.0.0.251:5353 | | udp | 1
US | 1.1.1.1:53 | craxs007-53582.portmap.host | udp | 1
DE | 193.161.193.99:53582 | craxs007-53582.portmap.host | tcp | 38
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp | 1
DE | 193.161.193.99:53582 | craxs007-53582.portmap.host | tcp | 10
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 142.250.200.46:443 | android.apis.google.com | tcp | 1
DE | 193.161.193.99:53582 | craxs007-53582.portmap.host | tcp | 11

Files

/storage/emulated/0/Config/sys/apps/log/log-2024-11-05.txt

MD5 de2c41a51ee9246eb1708f65b511add0
SHA1 2f442d634c8a18760a232c8829d4b5d74a52f074
SHA256 ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab
SHA512 7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

/storage/emulated/0/Config/sys/apps/log/log-2024-11-05.txt

MD5 404d9e3fcb4c932ac8cac5a08b4ff39c
SHA1 5077728ad31a2af6d40ddf7b08cae46fb2cdd7a2
SHA256 a736bddaf45aeb0d1b06e713f454adaa6fb1df85a1880b7c62631c249986e5cf
SHA512 577a673d98539d09d3eff0996f1065734bda941e10d12c9654e3cb1af7dd71a7ba039c32f62ff2871ca2a63377bb8e4bbaec032cb8a844608817b49a9c2bf218

/storage/emulated/0/Config/sys/apps/log/log-2024-11-05.txt

MD5 3459beb9240952accb5584a707edf07e
SHA1 b7c08897fa4ff2e0b3e1a4c74856574704ae7f12
SHA256 e6c72a733a6cd51add901d50335db5e1601fbc505785f6a2740ab4c61f60f844
SHA512 c2fcedef69792e15a53c584864c588867fa668e63c2ff424da4f4ea208cfe1b31cd4c27fe6ec0da20084dd373c6dabe74bccc384eaf828d46d673918536fe993