Malware Analysis Report

2024-09-09 17:17

Sample ID 240613-3ml4tszapj
Target PokeMMO-Client.apk
SHA256 37ff7fcdd8c2ae0103888ddf2cf64f6fe8bfcf49f1f8c31e2cbf49943dd95dad
Tags evasion
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256 37ff7fcdd8c2ae0103888ddf2cf64f6fe8bfcf49f1f8c31e2cbf49943dd95dad

Threat Level: Likely malicious

The file PokeMMO-Client.apk was found to be: Likely malicious.

Malicious Activity Summary

evasion

Checks if the Android device is rooted.

Requests dangerous framework permissions

Checks the presence of a debugger

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-13 23:38

Signatures

Requests dangerous framework permissions

Description                                              Indicator                                    Process  Target
Allows an application to read from external storage.    android.permission.READ_EXTERNAL_STORAGE     N/A      N/A
Allows an application to write to external storage.     android.permission.WRITE_EXTERNAL_STORAGE    N/A      N/A
Allows an application to request installing packages.   android.permission.REQUEST_INSTALL_PACKAGES  N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-13 23:37

Reported 2024-06-13 23:42

Platform android-33-x64-arm64-20240611.1-en

Max time kernel 179s

Max time network 172s

Command Line

eu.pokemmo.client

Signatures

Checks if the Android device is rooted.

Tags evasion

Description  Indicator                  Process  Target
N/A          /system/app/Superuser.apk  N/A      N/A
N/A          /system/xbin/su            N/A      N/A
N/A          /system/bin/su             N/A      N/A

Checks the presence of a debugger

Tags evasion

Checks CPU information

Description           Indicator      Process  Target
File opened for read  /proc/cpuinfo  N/A      N/A

Checks memory information

Description           Indicator      Process  Target
File opened for read  /proc/meminfo  N/A      N/A

Processes

eu.pokemmo.client

Network

Country  Destination          Domain          Proto
GB       172.217.169.68:443   N/A             udp
GB       172.217.169.68:443   N/A             tcp
GB       172.217.16.228:443   N/A             tcp
N/A      224.0.0.251:5353     N/A             udp
US       1.1.1.1:53           dl.pokemmo.com  udp
US       104.26.6.220:443     dl.pokemmo.com  tcp
GB       172.217.169.68:443   N/A             udp
US       172.64.41.3:443      N/A             tcp
US       172.64.41.3:443      N/A             tcp
GB       142.250.180.3:443    N/A             tcp
US       172.64.41.3:443      N/A             udp
GB       142.250.180.3:443    N/A             udp
GB       216.58.212.227:443   N/A             tcp
GB       142.250.179.228:443  N/A             tcp
GB       142.250.179.228:443  N/A             tcp

Files

/data/data/eu.pokemmo.client/files/console.log

MD5 8828485b721d8de4f0b822d8e474c6bf
SHA1 3ad398d57560a65f671cda53650c24fb8cc653cc
SHA256 411a6a517b92830f3682962520df1a87d08dcbd68b5449d196b9a6c0d9d3c753
SHA512 7d66c8e017186d79ccb9de3b39eb8ea0bb2d20dfdce652eae9558842eb4cfafe5fc6d729d95b35f5702057ad735b42a09aabf7e8447cb620e9e60b5f2da6497a

/data/data/eu.pokemmo.client/databases/com.google.android.datatransport.events-journal

MD5 f117913ad83056009439b07332d860d4
SHA1 b16412587a7e034899723e2460bf8af8d92b6608
SHA256 87ab3f61b2cd269b2e9538144d8da434b73a3b80d722c26881aa34c828cfd924
SHA512 6193ba938d840a7d4add2c79cd6e4ae88d10422193a22d3e37514fe4f20508240bb2f01f3a24860b85a58a3046de553678360e4da4736940cd1bb0a11d646aa2

/data/data/eu.pokemmo.client/databases/com.google.android.datatransport.events

MD5 32a3559cd8adfaa31d9f8a184945268c
SHA1 33e3a2582078a1dcda6df5699f182b960e1a5d0e
SHA256 17daf7982d6ff628e363603547d54af3a2d0384053bedf0093dc8bc11049a0e0
SHA512 cc65c7e4905d1f18e61183d54ed59ccc91ec6ac24c011317d3044f228a4cc3c1a6981f8caa17c4356d8758441f3f781bfdba071590907501f0c84f6946a24c0f

/data/data/eu.pokemmo.client/databases/com.google.android.datatransport.events-journal

MD5 4a9df35d8a9ba7f63327567e2fbb32d7
SHA1 b84af79929cc352f98f8f5f8abc60cf8b2dd7b7f
SHA256 a79f903f2daba91f7d2af9e659ebec74fa9a54aa5136e6a727aea4f12ff73302
SHA512 2e41285399ec6bfa7523d1e2bcfafb08c4c4da9fdc32e8d9230653828293aef38192739bb10f67a9f92ce017e0ea463a19393746cfd6c08a1f17256ec5d6d1e1

/data/data/eu.pokemmo.client/databases/com.google.android.datatransport.events-journal

MD5 4b29fcf8f18d0f212e24bb8749416d8f
SHA1 95b71891ece35106403a686a6370a21adda45902
SHA256 842da3fa154feca30e6a8d75e0d3a1125f89276d1b46910961d9ff624b2e7ae2
SHA512 42f1cdb648b4404aac92ece385e415e0434d203beaf999e7a07ba1e75dd3471b78054a80c5b4c64f998730a2aca542febe1581b740069a9c474e82494c629902

/data/data/eu.pokemmo.client/files/.com.google.firebase.crashlytics.files.v2:eu.pokemmo.client/open-sessions/666B831A02BD00011112AB7323859CA2/native/session.json

MD5 6bfbb0a1d0b0315654169453fb25c4bd
SHA1 ad2d0d0a580277f5e03fb1c5ced1765b3174644c
SHA256 7dd8169f934a8f0e6465a41422caaac828f8de87d4bfd3fec6784eeec74c2283
SHA512 497ac23d7f9bf72bfa3d5f4e8cf3dd75c49e17261f0bb9345c5945055b91dca1a73c7f6d7f236a985ee69156cdc22aac4f34a2b7d79760a0b3d0a92fcedbb610

/data/data/eu.pokemmo.client/files/.com.google.firebase.crashlytics.files.v2:eu.pokemmo.client/open-sessions/666B831A02BD00011112AB7323859CA2/native/app.json

MD5 07c99bdcfcdf4a7dc2c9a319c2235c0a
SHA1 9b81ff120d97e6e475d451ac27b573113ab0a9ab
SHA256 12ece26b82a10e1f36fff9e02bd81d9051bc398a20b80b7f8628c2b6e6b77684
SHA512 a0ccf7e249de95feb4dfc56a1dd8066bdd26ff6e772be5ec8aaf4c7a73762a8b27486b81b97c45c504717ec23df180cab26c0f573d5a9b4c59d785862c19878d

/data/data/eu.pokemmo.client/files/.com.google.firebase.crashlytics.files.v2:eu.pokemmo.client/open-sessions/666B831A02BD00011112AB7323859CA2/native/os.json

MD5 87e2b9d6edc06545b88235933e703881
SHA1 b29448a47c87bfe3a59286e3cf4e02eb72581a7e
SHA256 77b886b74dd48e22effd172c38ee914ced97247f4516c319f09cb8c9ebce4c7a
SHA512 ccccd682e14a485c8c8d13ca0105d196d00fe02bed941d939154a199c14e741eac6522f378f509ed14a52efd38e479930ae223f6f317a35b0787d82e553db3a6

/data/data/eu.pokemmo.client/files/.com.google.firebase.crashlytics.files.v2:eu.pokemmo.client/open-sessions/666B831A02BD00011112AB7323859CA2/native/device.json

MD5 1cd7dac218f14887d69c38d27173c805
SHA1 c688688fd0836da0010b8177bbd27520b9e25f0f
SHA256 ba39dc14a7e15d58fe090a1ac5f1c2d745290b293a28ea958fcdfa63400244a4
SHA512 85d11c9073425e343e587f1f265f04366037dff4ffd600dac3b9c7b74a0ce623607cc0631c6802ca27e6ac2d62e9f93846358bff6b6a506c89747721ed7daf6e

/data/data/eu.pokemmo.client/files/.com.google.firebase.crashlytics.files.v2:eu.pokemmo.client/open-sessions/666B831A02BD00011112AB7323859CA2/report

MD5 ef574ec7c00950a4641b5e841636d4a4
SHA1 82740280c92818959c61b317256b6404d75e0472
SHA256 f6a63e704475fa2fea13017a41b1bbbb78645128669834461ad381cde54c5cb4
SHA512 164eded6f3540f1dd942635fcdc7a5ca788524f01c494680d606824bec05bbc9091ac429c1f6f8f1556caca84533c8ff65413f0a207e025c73097774b671bffa

/data/data/eu.pokemmo.client/files/.com.google.firebase.crashlytics.files.v2:eu.pokemmo.client/open-sessions/666B831A02BD00011112AB7323859CA2/user-data

MD5 4a32cd326c70c95f1d799b8c541ad410
SHA1 d8f5e6fcb097eed1abe03a65089909a4a656b2fe
SHA256 51704c03dd0bc014334c32b1d5273861896d551c9cf3e284e961b6159e3afaa2
SHA512 84aca4e6a3bc300101951481af20eb2b8d981d03708f9a9fd873a7a15cdae039accb63baa2f5d6052c077121636b52c8714603743f53de9dfd2a46fd22756fdd

/data/data/eu.pokemmo.client/files/.com.google.firebase.crashlytics.files.v2:eu.pokemmo.client/open-sessions/666B831A02BD00011112AB7323859CA2/userlog.tmp

MD5 c33583fae4e0b61cde1c5b9227963237
SHA1 fe2ebe4d27469af1460f7e852031a04208ef629b
SHA256 35c6d6e5b93657e4a741a1cec71c21813fe05aab219909ebbb0f62fb0ae648dc
SHA512 fa09047004bec791b23f0dade0b64f8ab9bbd67555505e0d0818f6e89dfe56f474df80db0786d081d36adf23a5bacea40275ba043444a3a85d3d9612575bdd1e

/data/data/eu.pokemmo.client/files/.com.google.firebase.crashlytics.files.v2:eu.pokemmo.client/open-sessions/666B831A02BD00011112AB7323859CA2/userlog

MD5 e0b1127ec08ea620aa260a33ecd61284
SHA1 7f6cb9ab4a24130f2b6308a3a500e964c781e38d
SHA256 8b69cbd07a19681fc14858061c91ee0fcfbd493ec3f4fb882e10ffa3b129bd49
SHA512 a94269d213886c9cd9c3a3c6500e09a7de89f016357d55a474dbf3ae09e4b9b54ef603df55eb3ef639437e574cb2b1244f6bd8ff5458f15a1e5213731148b080

/data/data/eu.pokemmo.client/files/.com.google.firebase.crashlytics.files.v2:eu.pokemmo.client/open-sessions/666B831A02BD00011112AB7323859CA2/keys

MD5 e85fb2ae231cbec5d831ac137e3276db
SHA1 31f4eb5083db5144726c4058063a812036e02f39
SHA256 e676e15cfb6df9aba1677290fd6b49afca445422e704a1c8d462811de4282015
SHA512 33d71b4c319450508de0edb3c2d4429e90f6c93e31ef69fa677616db29313d25500652958e21b9fbb32a0d75344d1c6f1afcc67bc430a8695bdd15653713781d