Malware Analysis Report

2024-11-13 17:15

Sample ID 241107-waze3awlds
Target com.whatsapp2plus-39.00.apk
SHA256 087988a6259e8fd826f8cd54ea22f12c74037eb00b1ffcfe9e8473def4fd06d9
Tags
upx triada discovery evasion
score
10/10

Analysis Overview

score
10/10

SHA256

087988a6259e8fd826f8cd54ea22f12c74037eb00b1ffcfe9e8473def4fd06d9

Threat Level: Known bad

The file com.whatsapp2plus-39.00.apk was found to be: Known bad.

Malicious Activity Summary

upx triada discovery evasion

Android Triada payload

Triada family

Patched UPX-packed file

Loads dropped Dex/Jar

Requests dangerous framework permissions

Acquires the wake lock

Queries information about active data network

Declares services with permission to bind to the system

UPX packed file

Checks memory information

MITRE ATT&CK (Mobile Matrix v15)

No technique mappings are recorded in this report.

Analysis: static1

Detonation Overview

Reported

2024-11-07 17:44

Signatures

Android Triada payload

No indicator details recorded (Description, Indicator, Process and Target all N/A).

Triada family

Tags: triada

Patched UPX-packed file

Two matches, no indicator details recorded (all fields N/A).

Declares services with permission to bind to the system

Process and Target were not recorded for this static signature. Indicator and description:

android.permission.BIND_CHOOSER_TARGET_SERVICE: Required by chooser target services to bind with the system. Allows apps to modify targets that handle user actions.
android.permission.BIND_REMOTEVIEWS: Required by remote views services to bind with the system. Allows apps to share and display views across different processes.
android.permission.BIND_TELECOM_CONNECTION_SERVICE: Required by telecom connection services to bind with the system. Allows apps to manage phone call aspects such as call setup and notifications.

Requests dangerous framework permissions

Process and Target were not recorded for this static signature. Indicator and description:

android.permission.POST_NOTIFICATIONS: Allows an app to post notifications.
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.READ_PHONE_NUMBERS: Allows read access to the device's phone number(s).
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.BLUETOOTH_CONNECT: Required to be able to connect to paired Bluetooth devices.
android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
android.permission.ACCESS_FINE_LOCATION: Allows an app to access precise location.
android.permission.ACCESS_MEDIA_LOCATION: Allows an application to access any geographic locations persisted in the user's shared collection.
android.permission.MANAGE_EXTERNAL_STORAGE: Allows an application broad access to external storage under scoped storage.
android.permission.CAMERA: Required to be able to access the camera device.
android.permission.READ_CONTACTS: Allows an application to read the user's contacts data.
android.permission.RECORD_AUDIO: Allows an application to record audio.
android.permission.SCHEDULE_EXACT_ALARM: Allows applications to use exact alarm APIs.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.WRITE_CONTACTS: Allows an application to write the user's contacts data.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.READ_MEDIA_AUDIO: Allows an application to read audio files from external storage.
android.permission.READ_MEDIA_IMAGES: Allows an application to read image files from external storage.
android.permission.READ_MEDIA_VIDEO: Allows an application to read video files from external storage.
android.permission.READ_MEDIA_VISUAL_USER_SELECTED: Allows an application to read image or video files from external storage that the user has selected via the permission prompt photo picker.
android.permission.REQUEST_INSTALL_PACKAGES: Allows an application to request installing packages.
android.permission.GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
android.permission.NEARBY_WIFI_DEVICES: Required to be able to advertise and connect to nearby devices via Wi-Fi.
android.permission.BLUETOOTH_SCAN: Required to be able to discover and pair nearby Bluetooth devices.
android.permission.BLUETOOTH_ADVERTISE: Required to be able to advertise to nearby Bluetooth devices.

Note that MANAGE_EXTERNAL_STORAGE, REQUEST_INSTALL_PACKAGES and SCHEDULE_EXACT_ALARM are not runtime "dangerous" permissions but special app access grants controlled from the system settings pages; the signature name groups them with the runtime permissions. REQUEST_INSTALL_PACKAGES is the one to follow up: it lets the app hand an APK to the package installer, and the behavioral run below contacts uptade.watsap.app, so any update flow served from that host should be checked.

UPX packed file

Tags: upx

Two matches, no indicator details recorded (all fields N/A).
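
The static pass flags both a UPX-packed file and a patched UPX-packed file without saying which file was hit or what was patched. Stock UPX leaves recognisable markers in a packed ELF, and a "patched" sample usually has the 4-byte magic overwritten so that stock `upx -d` refuses to unpack it. The following is an added example, not part of this report or the sandbox's own detection logic: a marker-counting heuristic over raw bytes. The marker layout it assumes (the magic in the l_info header and again in the trailing PackHeader, plus the $Info/$Id strings in the stub) is labelled as an assumption in the code, and the three inputs are constructed stand-ins, not real binaries.

```python
import re

# Markers stock UPX leaves in a packed ELF (assumption, see classify_upx):
# the 4-byte magic in the l_info header that follows the program headers
# and again in the PackHeader trailer, plus identification strings in the
# decompression stub.
UPX_MAGIC = b"UPX!"
UPX_STUB_STRINGS = (
    rb"\$Info: This file is packed with the UPX executable packer",
    rb"\$Id: UPX [\d.]+ Copyright",
)


def upx_markers(data: bytes) -> dict:
    """Collect UPX-related markers from a raw file image."""
    return {
        "is_elf": data[:4] == b"\x7fELF",
        "magic_offsets": [m.start() for m in re.finditer(re.escape(UPX_MAGIC), data)],
        "stub_strings": [s for s in UPX_STUB_STRINGS if re.search(s, data)],
    }


def classify_upx(data: bytes) -> str:
    """Heuristic verdict: 'upx', 'upx-patched' or 'none'.

    Assumption (not from the report): a stock UPX ELF carries the magic at
    least twice. A file that still shows the stub strings, or only one magic,
    has had its header tampered with; stock `upx -d` will refuse such a file.
    """
    m = upx_markers(data)
    if len(m["magic_offsets"]) >= 2:
        return "upx"
    if m["stub_strings"] or m["magic_offsets"]:
        return "upx-patched"
    return "none"


def _constructed_packed_elf(magic: bytes) -> bytes:
    """Constructed stand-in for a packed ELF (not a real binary): ELF ident,
    a padded region where l_info would sit, the stub strings, and a trailing
    32-byte PackHeader-shaped record that starts with the magic."""
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    l_info = b"\x00" * 4 + magic + b"\x00" * 4  # l_checksum, l_magic, size/version/format
    stub = (
        b"\x00" * 64
        + b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $\x00"
        + b"$Id: UPX 4.2.4 Copyright (C) 1996-2024 the UPX Team. All Rights Reserved. $\x00"
        + b"\x00" * 64
    )
    pack_header = magic + b"\x00" * 28
    return ident + b"\x00" * 48 + l_info + stub + pack_header


STOCK = _constructed_packed_elf(UPX_MAGIC)
PATCHED = _constructed_packed_elf(b"FUP!")  # magic overwritten, stub strings left intact
PLAIN = b"\x7fELF" + b"\x00" * 200          # nothing UPX-like at all

if __name__ == "__main__":
    for name, blob in (("stock", STOCK), ("patched", PATCHED), ("plain", PLAIN)):
        print(f"{name:8s} {classify_upx(blob):12s} magics at {upx_markers(blob)['magic_offsets']}")
```

Run it over each native library extracted from the APK's lib/ directory. When the verdict is upx-patched, restoring the overwritten magic at both positions is often enough for stock `upx -d` to proceed; if that fails, dump the library from process memory after the stub has run instead.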

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 17:43

Reported

2024-11-07 17:46

Platform

android-33-x64-arm64-20240624-en

Max time kernel

8s

Max time network

134s

Command Line

com.WhatsApp2Plus

Signatures

Loads dropped Dex/Jar

Tags: evasion

Indicators (each recorded twice; Description, Process and Target not recorded):

/system_ext/framework/androidx.window.extensions.jar
/system_ext/framework/androidx.window.sidecar.jar

Caveat: both paths are on the read-only system_ext partition and are the AOSP WindowManager extension jars that the platform loads on behalf of apps using the androidx.window library; they are not files the sample could have written without root. Treat this signature as a false positive unless a Dex/Jar load from the app's own data directory turns up.

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock

Queries information about active data network

Tags: discovery

Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Checks memory information

File opened for read: /proc/meminfo

Processes

com.WhatsApp2Plus

Network

Rows to 1.1.1.1:53 are DNS queries; on the other rows the Domain column is the name the sandbox associated with the destination, with a dash where none was recorded.

Country  Destination            Domain                              Proto
N/A      224.0.0.251:5353       -                                   udp
GB       142.250.187.196:443    -                                   udp
GB       142.250.187.196:443    -                                   tcp
GB       216.58.212.238:443     -                                   tcp
GB       216.58.212.238:443     -                                   tcp
GB       216.58.212.238:443     -                                   udp
US       1.1.1.1:53             digitalassetlinks.googleapis.com    udp
GB       216.58.212.234:443     digitalassetlinks.googleapis.com    tcp
US       1.1.1.1:53             rcs-acs-tmo-us.jibe.google.com      udp
US       216.239.36.155:443     rcs-acs-tmo-us.jibe.google.com      tcp
US       1.1.1.1:53             remoteprovisioning.googleapis.com   udp
GB       142.250.187.202:443    remoteprovisioning.googleapis.com   tcp
US       1.1.1.1:53             static.whatsapp.net                 udp
GB       163.70.151.60:443      static.whatsapp.net                 tcp
GB       163.70.151.60:443      static.whatsapp.net                 tcp
GB       163.70.151.60:443      static.whatsapp.net                 tcp
GB       163.70.151.60:443      static.whatsapp.net                 tcp
GB       163.70.151.60:443      static.whatsapp.net                 tcp
US       172.64.41.3:443        -                                   tcp
US       172.64.41.3:443        -                                   tcp
GB       216.58.201.99:443      -                                   tcp
US       172.64.41.3:443        -                                   udp
GB       216.58.201.99:443      -                                   udp
GB       142.250.187.196:443    -                                   tcp
GB       172.217.169.68:443     -                                   tcp
GB       172.217.169.68:443     -                                   tcp
US       1.1.1.1:53             uptade.watsap.app                   udp
US       1.1.1.1:53             announcement.fouadmods.com          udp
US       104.21.41.32:443       announcement.fouadmods.com          tcp
LT       84.32.84.48:443        uptade.watsap.app                   tcp
LT       84.32.84.48:443        uptade.watsap.app                   tcp
GB       142.250.187.196:443    -                                   udp
US       1.1.1.1:53             v.whatsapp.net                      udp
GB       163.70.147.60:443      v.whatsapp.net                      tcp
GB       163.70.147.60:443      v.whatsapp.net                      tcp
GB       163.70.147.60:443      v.whatsapp.net                      tcp
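
The table above mixes DNS lookups with the connections that followed them, and most rows carry no domain. A short parser that re-joins the rows, filters out the hosts one would expect from a WhatsApp build running on a Google-flavoured Android image, and tests the remaining registrable labels for look-alike spelling isolates the hosts worth pivoting on. This is an added example, not part of the report or the sandbox's tooling; the expected-suffix list and the brand label are analyst assumptions, and the embedded rows are copied from the table above with repeats dropped.

```python
import re
from collections import defaultdict

# Rows copied from the report's Network table, repeats dropped. Layout is
# country, ip:port, optional domain, protocol; the optional column is what
# makes the original hard to eyeball.
REPORT_ROWS = """
N/A 224.0.0.251:5353 udp
GB 142.250.187.196:443 udp
GB 142.250.187.196:443 tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 digitalassetlinks.googleapis.com udp
GB 216.58.212.234:443 digitalassetlinks.googleapis.com tcp
US 1.1.1.1:53 rcs-acs-tmo-us.jibe.google.com udp
US 216.239.36.155:443 rcs-acs-tmo-us.jibe.google.com tcp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
GB 142.250.187.202:443 remoteprovisioning.googleapis.com tcp
US 1.1.1.1:53 static.whatsapp.net udp
GB 163.70.151.60:443 static.whatsapp.net tcp
US 172.64.41.3:443 tcp
GB 216.58.201.99:443 tcp
US 1.1.1.1:53 uptade.watsap.app udp
US 1.1.1.1:53 announcement.fouadmods.com udp
US 104.21.41.32:443 announcement.fouadmods.com tcp
LT 84.32.84.48:443 uptade.watsap.app tcp
LT 84.32.84.48:443 uptade.watsap.app tcp
US 1.1.1.1:53 v.whatsapp.net udp
GB 163.70.147.60:443 v.whatsapp.net tcp
""".strip().splitlines()

ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)

# Analyst assumptions, not from the report: name suffixes expected from a
# WhatsApp build on a Google Android image, and the brand label that
# look-alike names are measured against.
EXPECTED_SUFFIXES = ("whatsapp.net", "google.com", "googleapis.com")
BRAND_LABELS = ("whatsapp",)


def parse_rows(rows):
    """Turn table rows into dicts; tolerates any column spacing."""
    conns = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        c = m.groupdict()
        c["port"] = int(c["port"])
        if c["domain"] == "-":  # placeholder some renderings use for "no domain"
            c["domain"] = None
        conns.append(c)
    return conns


def levenshtein(a, b):
    """Plain edit distance, small enough to inline for label comparison."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label, good enough for .com/.net/.app style names."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def triage(rows, max_distance=2):
    conns = parse_rows(rows)
    names = {c["domain"] for c in conns if c["domain"]}
    unexpected = sorted(n for n in names if not n.endswith(EXPECTED_SUFFIXES))
    lookalike = sorted(
        n for n in names
        if any(0 < levenshtein(registrable_label(n), b) <= max_distance for b in BRAND_LABELS)
    )
    endpoints = defaultdict(set)
    for c in conns:
        if c["domain"] and c["port"] != 53:  # skip the DNS lookups themselves
            endpoints[c["domain"]].add((c["cc"], c["ip"], c["port"], c["proto"]))
    return {
        "unexpected": unexpected,
        "lookalike": lookalike,
        "endpoints": {n: sorted(endpoints[n]) for n in unexpected},
    }


if __name__ == "__main__":
    result = triage(REPORT_ROWS)
    for name in result["unexpected"]:
        flag = " (look-alike)" if name in result["lookalike"] else ""
        print(name + flag, result["endpoints"][name])
```

On these rows the unexpected set is announcement.fouadmods.com and uptade.watsap.app, and the look-alike test singles out uptade.watsap.app (watsap is two edits from whatsapp). The report does not show what was exchanged with either host, so the output is a pivot list for further work, not evidence of command and control.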

Files

The same path is listed more than once where the sandbox captured it with different content.

/system_ext/framework/androidx.window.extensions.jar

MD5 3056e1bdb7d4e19789d0319eff484bd0
SHA1 6791ae47aa9466fe0bca27ad6643f846853bbee4
SHA256 8e6331a07c9f2ac139214c527dcaff2c82d126bbe7bd3420cdc36d6a8c9204b0
SHA512 c790980fd68d9f89e32743bc28846807d5e5947c555f494de47714dec5cbd0c08d81c3260fa463759d1b17a953af3c44ec30b14fb08bf6b29db3837346c9f658

/system_ext/framework/androidx.window.sidecar.jar

MD5 29469324e59dfcc052f24b5af4e7b2c4
SHA1 10c1e17ac6f598037bb51baa07945663645de4eb
SHA256 9195dc6a1c75a841384050240dfc972e48178964993fba6619788625f4b40d1a
SHA512 5e27c2b1431369a248298f2f749136a575005584f9999f2a4c204a0c47adce2e33c8df9f058bdafa1bde1c99e46d175560cedfcddcd8581718ed1d9973c37cc2

/data/data/com.WhatsApp2Plus/files/Logs/whatsapp.log

MD5 eb0faca3770c76ad4eb6d6f501e09a98
SHA1 555f49a3f0a2ae1cf134a6e72a9a6f473125c442
SHA256 04445e3b90c746194fbd04c0ee39934fa9a7d894967d840c745a19214a4133f9
SHA512 416c4ed355af686d904aaef04fe3baa74c2c38582630473ca305d39ca33cd09ab9fb52811ece5b309946156afcaebde599f1e5a4e6197c9360744619a5294e91

/data/data/com.WhatsApp2Plus/databases/com.google.android.datatransport.events-journal

MD5 8f0f8de38af4931dfb8baa15e988003c
SHA1 eb70de009b0e0b406fbed7fadb9db79df9be3707
SHA256 1ead98ac94087f0157893eca7cf3bbe00b31070c763fe96df094e5f9fa4e3af9
SHA512 4bbf5157637db086aab86410b8729448a28662a4d38e416b0f7925970bc37eef4dec9e91095c7aa6d47befb48341be2aff2305dfead733771df8ca824c8f4cae

/data/data/com.WhatsApp2Plus/databases/com.google.android.datatransport.events

MD5 bf587536bb0750f66c7718c8204c9fb3
SHA1 b9fc9635a7a009ca0c06b35b86b020dd6743a3c7
SHA256 7e49cd11d75e9adae6d9dee0819d8968336a3a6905f4b310753085a6d348dc08
SHA512 02392665aea20cb222953868342f295b06867c866ba65f1f59945eb66de52412c0b25367832a92f7d5870d56e587d129a1fe265689f53fac203b0b406b54b730

/data/data/com.WhatsApp2Plus/databases/com.google.android.datatransport.events-journal

MD5 a0d0cf368c33653958b18368d03d890d
SHA1 0fd3314a5c4284a14bd528aadcd3f8752c705a69
SHA256 158105996db7066499d7698558521f74ef94d5f211bf9742d76bd0d9974e37d0
SHA512 b2ab117e0c626c3f03c9c518340a09b1e397bc206adf3bc32a9a53317be6096fe4f7becd8148c558babf0a40ba2e6aba6eb9b941adc3e12eb05b97908701a89c

/data/data/com.WhatsApp2Plus/databases/com.google.android.datatransport.events-journal

MD5 c6d220f799c65cef66e1a4bedaebdafc
SHA1 205324a03254e77a1b45b3a484cc4b3629afde71
SHA256 63e4e0e8c3af0ce1fa5a3b056262fea5a48c4bddbf201cb4ccc9855e6c21cdbb
SHA512 28ae34b37c600690e213aa4bd053caa09a13019bce5a27e5b7f42745c19a14415736834c44a22f134181a60812a2e4cbb0fc5d09112210c66170f43167c4b0c2

/data/data/com.WhatsApp2Plus/files/PersistedInstallation5449512080563613740tmp

MD5 df2317851c25911d264e63102a8299bb
SHA1 1af6b2c83ccf594538f4ecb4c392e2b0eea40120
SHA256 7b9571d420a6c37565f610dee07ff8c3c933261de595a4b8017a29f4e4e5a242
SHA512 bee8ba7f91237cd13af721e6ec20da3324b933dd3fa2c3d707f39b8caae86ca724c8da0851a8db4b4ba3e4e7d614c10d440b46469c2371ad98213609d3d925c2

/data/data/com.WhatsApp2Plus/databases/BTOR.DB-journal

MD5 48e716e896b32b7eaa7723f0bfc81d26
SHA1 58d97c1997791a23fe20a85b2a1c17de3ace19b4
SHA256 e51da9f6b0c1dc3569bcbd9abd22ec0d6f9d011b5b754d9cc6c6f6afc9daa368
SHA512 3d2c18a77e28a95c12283cb9e41b2f09147f6155f2ffd0f891dc85c90d7b77a3a745a5f51ffa278e4fd98f804b898b63f433876a905d5e14f9405f5224f0e510

/data/data/com.WhatsApp2Plus/databases/BTOR.DB

MD5 6365b8be8792f9d6cdf02b86aac88673
SHA1 e9ea1b6b1db7bb348cfb63357c451215e2c016af
SHA256 63ccde4cb62894420110307fb114801ed6ea591182334a2c564187d7987648cd
SHA512 d53f6cc31df48c5ec099d7ee96465071aeffe2f1d06d0e31d9f326ebf846f72a5d4d7d1833999c5c7cbc36410a6422e0a7ea4411aaea9c75c7e55ef3eeee373c

/data/data/com.WhatsApp2Plus/databases/BTOR.DB-journal

MD5 108e044e4b025bdb87aa0e11a7281621
SHA1 e6f389d7620cbee065f6f9ecc170dd0afb5dcbe9
SHA256 975beb184b013676b48c1937bbaef47d2094bd24683d2a6cb7a60e03779132cd
SHA512 c69f88a067d5013feb271c31c45a60cd4a1c6768b32e4ba9f85d1de5e65c4f87bb99bae522d92398b30419b4bfa9b093a40977ca2e15a69eef5ba66dc30e2b97

/data/data/com.WhatsApp2Plus/databases/BTOR.DB-journal

MD5 09b61a0e0c1ecb0cafdcf670f75b7b67
SHA1 ea3a5116925e6a6e8626a33c626a1c1bf3661c18
SHA256 cee8d44e6dde0b5bc44ba4b06a835b322c302bf1c6ccbc54a7cdf5404e0285aa
SHA512 a314dc1c4ee5c9d9f072ec5fd7ec0a3ba601a0e0dda72b849a72c0a11b7997bcc9c2b7823f75f914d8a5204f0571cf0b2df0e800dcbe4fbb19cc049d418a9fb9

/data/data/com.WhatsApp2Plus/databases/EHS.DB-journal

MD5 d0ce2d6772a8a79a316a5aef5658040e
SHA1 c17416a3cc72971298b1da832ff6a82c41132e2c
SHA256 aba3b75ae6f516779265a5b71ffe0b0b4e91028b4e5119299150331c5a218695
SHA512 7b7a4a01579c30cab25f2671e9b497ed23b80aa9c13b6e338bf2fb75efcc1421317e0719f945841546fc1b8a7d5f508918c651ae674215436991a7d553bd98be

/data/data/com.WhatsApp2Plus/databases/EHS.DB

MD5 b48f7ffd789fab6a4600554e8c474935
SHA1 6c6896fd3437878a91b014c74bfe2b2c83c2b4ee
SHA256 fdb4a80bb6a82170b194773754f858b74915ae61cf6995ccf149f55b167c7b28
SHA512 43802b7b7adafaba9231d0aac2fc659461c2f3f71cd0e89f5bf1ed54535866f6700364b9a42a269dba0346987cc8a47c031edf8709ee5543ff17aeab82148403

/data/data/com.WhatsApp2Plus/databases/EHS.DB-journal

MD5 5e4a68717a0aebba6fb6b6cd43ceadcf
SHA1 6dc0b1b3abaa5ba794e4e5593f6b2e7a19d6e665
SHA256 03c31a51e48264bd96c0bc1b8162d13e791122a96d2cd75a7372457029fb11b7
SHA512 d52de2a4cb8c1a89d2542f63ee7d3b9b79e63e89be347013639b188c70ab465f9154104afafa66cab68e992eadc2a8a9b3ffb6fa33f133b8b5f0103e12472994

/data/data/com.WhatsApp2Plus/databases/EHS.DB-journal

MD5 f53924776f1ffcf13272e0dbd015073f
SHA1 cf67983c4117774c1f323ea1c2e468c1ff4d77a3
SHA256 0023a79238ce076d3904133c515ed848ff27e49635175e655badc550436a2d82
SHA512 d9d3cb7bd1fa914188d132338ff10e4fc1a3711c1ba206228d36374ceb740023a2ff485c6bd2ba96b1114d56a77b2fd89b59d1f0c35df1e0038fbf970aa16d2c

/data/data/com.WhatsApp2Plus/files/PersistedInstallation1852966154554028856tmp

MD5 717086e64ec0c74c3e3f4c507f99fba5
SHA1 7cdec9a96c63658d6bc7469a98bf35b82e2fcca7
SHA256 b361a0f5aa28b0b5f7fa087cf34275761ab26ed22f6bfcacdb1cfb4cb59bfd41
SHA512 af5b957b24d516bdb8c8c811214fe9b9aa873ee264306d69b1633953bc1413475d88d6c035b81769c683883a5624c976763b56084f24cbd3345b1a8b0739f19f

/data/data/com.WhatsApp2Plus/lib-main/dso_state

MD5 93b885adfe0da089cdf634904fd59f71
SHA1 5ba93c9db0cff93f52b521d7420e43f6eda2784f
SHA256 6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d
SHA512 b8244d028981d693af7b456af8efa4cad63d282e19ff14942c246e50d9351d22704a802a71c3580b6370de4ceb293c324a8423342557d4e5c38438f0e36910ee

/data/data/com.WhatsApp2Plus/files/decompressed/libs.spo/.superpack_version

MD5 964ce4ab1927221e9402b23f0e7bf923
SHA1 d743a9d98c74dcd318f92fd17362edaedbbc5e86
SHA256 27cc937e06e2c3c35efe7bde50e5a57ff9cf9068b9fdb6526c40b12dd6085e87
SHA512 5e59aa6be8ee2d8d55ecc7f2ad6414721618eb3c7292eb0bf92b92af8706962c4129e4002d09c165734ecd4db283e2d7f554d6c760ea7b8aab20e870dcaf68cc

/data/data/com.WhatsApp2Plus/lib-main/dso_deps

MD5 7e08f3e619cface95d1c368657a8f875
SHA1 bd788f67ef6bdf740999389facf8e12f691bcd81
SHA256 aa95d14d2f96dae15b817c5815b118b0f15f16de7a37e8ecc10c9d837d96faef
SHA512 6aeaff661536da57147c28a4a7b959bb7de9507df47b91d823865e809b7e556ca268bdbfdd0fb957a7953369343b5d18b3365ba7856218a0df02ec17ca2e8044

/data/data/com.WhatsApp2Plus/lib-main/dso_manifest

MD5 c06857e9ea338f3f3a24bb78f8fbdf6f
SHA1 c5a0a2529d2deb60fec041b4fbd722a2ebe31702
SHA256 957b88b12730e646e0f33d3618b77dfa579e8231e3c59c7104be7165611c8027
SHA512 29f61516876c25379a7bf4faa2b3ca6f6b53eac90e7de47671fec4a818d51441b4025cd7909f7c0a0d113ab6c5ff00cb3700c286bac7319185b77905feec4fb1

/data/data/com.WhatsApp2Plus/lib-main/dso_state

MD5 55a54008ad1ba589aa210d2629c1df41
SHA1 bf8b4530d8d246dd74ac53a13471bba17941dff7
SHA256 4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a
SHA512 7b54b66836c1fbdd13d2441d9e1434dc62ca677fb68f5fe66a464baadecdbd00576f8d6b5ac3bcc80844b7d50b1cc6603444bbe7cfcf8fc0aa1ee3c636d9e339
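
The two dso_state captures above have different hashes for the same path. Small marker files can often be identified outright by hashing a few candidate contents and comparing against the reported digests, which is faster than pulling the bytes out of the sandbox. This is an added example, not part of the report; the candidate list is constructed here, and the reported hashes are copied from the two entries above.

```python
import hashlib

# Digests the report lists for the two captures of
# /data/data/com.WhatsApp2Plus/lib-main/dso_state (MD5, SHA1, SHA256).
REPORTED_DSO_STATE = {
    "first capture": {
        "md5": "93b885adfe0da089cdf634904fd59f71",
        "sha1": "5ba93c9db0cff93f52b521d7420e43f6eda2784f",
        "sha256": "6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d",
    },
    "second capture": {
        "md5": "55a54008ad1ba589aa210d2629c1df41",
        "sha1": "bf8b4530d8d246dd74ac53a13471bba17941dff7",
        "sha256": "4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a",
    },
}

# Constructed candidate contents for tiny state or marker files.
CANDIDATES = {
    "empty file": b"",
    "single 0x00 byte": b"\x00",
    "single 0x01 byte": b"\x01",
    "ASCII '0'": b"0",
    "ASCII '1'": b"1",
    "ASCII '1' + newline": b"1\n",
}


def digests(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 of the bytes, keyed like the report."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def identify(reported: dict, candidates=CANDIDATES):
    """Return the label of the candidate whose digests all match, or None.

    All three digests must agree; a single-algorithm match is not enough
    for a lookup like this.
    """
    for label, data in candidates.items():
        if digests(data) == reported:
            return label
    return None


if __name__ == "__main__":
    for capture, hashes in REPORTED_DSO_STATE.items():
        print(f"{capture}: {identify(hashes)}")
```

Both captures resolve to a single byte, 0x00 first and 0x01 later. That matches the dirty/clean marker that Facebook's SoLoader library writes to dso_state, alongside the dso_manifest and dso_deps files listed here, while it unpacks bundled native libraries, so on its own this file is not an indicator.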

/data/data/com.WhatsApp2Plus/databases/wa.db-journal

MD5 b63c4f4a8738bd58194ecd5331ecd8c9
SHA1 2f3f92f494fde8cf4887bade6ac62eda18e68dc7
SHA256 53e95eec4de55e478ad881b18ca4bf8827d674417bc841f4110ad683f7bb8582
SHA512 31538bd21d7b1edeba0973dfe1a20a6ffd087eed550903d6bbcadc08071156df880b9f0e628adfd835eda4c60915ca1a7dc9c598367823024f14f4bb606d668f

/data/data/com.WhatsApp2Plus/databases/wa.db

MD5 0eb157e1a86d4d00aa601dd2f6ff3ee3
SHA1 fee434f784e73cc7916322e949f727caf8363102
SHA256 b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4
SHA512 b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

/data/data/com.WhatsApp2Plus/databases/wa.db-wal

MD5 892d02b39612601698f5d2fa50085733
SHA1 a3ce0d5f23dfe6ee1e391c0d204a524f1d8f12b7
SHA256 d63fa42848bfa521b53167cbaeb2ea754be79da42fb848f189d2b81063f8f1b0
SHA512 e492db24e2e6d92c8d7e17d2c6bfbf89d71ab2d594356084d81868dffcab58a4e544899e06424a757f86051861d85aeb1ae37c2b1df86a7f2392dbaac5285be4