Malware Analysis Report

2025-01-19 05:50

Sample ID 241212-rg8vvsylfm
Target smartpayzone.apk
SHA256 714f140717663febb87371031c7a102166c96a6e8e22a7ee6836907f01e53261
Tags
flytrap discovery evasion impact
score
10/10

Analysis Overview

score
10/10

SHA256

714f140717663febb87371031c7a102166c96a6e8e22a7ee6836907f01e53261

Threat Level: Known bad

The file smartpayzone.apk was found to be: Known bad.

Malicious Activity Summary

flytrap discovery evasion impact

Flytrap family

Checks if the Android device is rooted.

Requests dangerous framework permissions

Acquires the wake lock

Queries information about active data network

Checks the presence of a debugger

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-12 14:11

Signatures

Flytrap family

flytrap

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Required to be able to discover and pair nearby Bluetooth devices. | android.permission.BLUETOOTH_SCAN | N/A | N/A
Required to be able to connect to paired Bluetooth devices. | android.permission.BLUETOOTH_CONNECT | N/A | N/A
Required to be able to advertise to nearby Bluetooth devices. | android.permission.BLUETOOTH_ADVERTISE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-12 14:11

Reported

2024-12-12 14:17

Platform

android-x86-arm-20240624-en

Max time kernel

6s

Max time network

303s

Command Line

com.ri.smartpayzone

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A
N/A | /system/xbin/su | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Checks the presence of a debugger

evasion

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ri.smartpayzone

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.213.10:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | digitalassetlinks.googleapis.com | udp
US | 1.1.1.1:53 | firebase-settings.crashlytics.com | udp
GB | 216.58.201.99:443 | firebase-settings.crashlytics.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | digitalassetlinks.googleapis.com | udp
GB | 142.250.187.227:80 | | tcp
GB | 216.58.204.68:443 | | tcp
GB | 216.58.213.10:443 | digitalassetlinks.googleapis.com | tcp
GB | 172.217.169.34:443 | | tcp
GB | 216.58.213.10:443 | digitalassetlinks.googleapis.com | tcp
GB | 216.58.213.10:443 | digitalassetlinks.googleapis.com | tcp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.178.3:443 | | tcp
GB | 142.250.178.3:443 | | tcp
GB | 142.250.200.46:443 | | tcp
GB | 216.58.213.10:443 | digitalassetlinks.googleapis.com | tcp
GB | 142.250.178.3:443 | | tcp
GB | 142.250.178.3:443 | | tcp

Files

/data/data/com.ri.smartpayzone/files/PersistedInstallation635835258527596189tmp

MD5 355b3992b0400d002f900aa48a18ac0a
SHA1 e0f1277f2691487fe960f939674d202883612283
SHA256 d11fb38654d0fabdf9b1702f57c71b48b31cbc86cf521117590f04a95454f974
SHA512 054dece3bd2ca0392d991df60cba40f3d534c1102d5de68714d4763c27261e8e33494e2896b208a35f1993997eac0e6bbd05389f7a1eb8d631e3a165bdcda8b5

/data/data/com.ri.smartpayzone/databases/com.google.android.datatransport.events-journal

MD5 aa5c80a0554c92986fa3dc89d36d8a3e
SHA1 8f304c79218150e47fb067ff5abe1b8084606d47
SHA256 b2a61062190d7f3970c30ff284e0c6c483cd3d0dda23aa1f8a7d9f92470ca3d6
SHA512 6031676b3b547a2d1ce01d695051bd46e6423db9f861ed8782097225889f9a5b3658a870fc559014f424320b9fdbdaa6c9e0e4b04d8e349ebf0f2f837440de8b

/data/data/com.ri.smartpayzone/files/.com.google.firebase.crashlytics.files.v2:com.ri.smartpayzone/open-sessions/675AEF570173000110BCE7B7EA396D12/report

MD5 d758a480d5ab5ebb4f9e77291300820f
SHA1 846d90ebd2a5531c2d4f3eb162c91f2cf80c3352
SHA256 a723e7ca0ffab93d82ae3421d8884444fd57699b7b7558d5e09696289095e436
SHA512 8d9c633756fce5fc8f637e299601026dba4adf7de755a8a5995d763829a19df1f38a30f258489ec33e1bfab01029e9dbbd8a822d7322f0386623097aeff4d648

/data/data/com.ri.smartpayzone/databases/com.google.android.datatransport.events

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.ri.smartpayzone/databases/com.google.android.datatransport.events-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.ri.smartpayzone/databases/com.google.android.datatransport.events-wal

MD5 90649e2595337b713c26741052618b10
SHA1 54a9ef579e9ed5f14d95897ff9c94a9ffb3f1ece
SHA256 b3561ade2a5da8415e0ab5888717b93f23dae37cf9930d70bda5781844ec7b48
SHA512 3ec3fada3d70ca61912ce622eb481145f0db35da2a11a67cf1c0dac4d1e1e20340e6211068aabc0fbc9546706e02d9b5197c7b2e218e6bcc30c33d74dbb8e704

/data/data/com.ri.smartpayzone/files/.com.google.firebase.crashlytics.files.v2:com.ri.smartpayzone/com.crashlytics.settings.json

MD5 ec5c7386e5c0844abe8fa7cf66d4cfab
SHA1 70498213de5f26783b6a38b4bd7a7f4fd3f3619f
SHA256 3d41b898656c7bd8948b2af8101308a7dffdaec5254f643ef81b284cfbb42a74
SHA512 d2779428a35552f4c7f604b5c6c198b33894ac4ec08ede653c44931ffd9e7c56aa9d9875e947fd1f29f5c4e6643e82397557bc660569771e9f78e083dc888599

/data/data/com.ri.smartpayzone/files/PersistedInstallation8346944253738214002tmp

MD5 91781b7e8441a7b54b08232ebbc26263
SHA1 9415948c7398e06fd0d6d8ccb3a76b4df9a6f984
SHA256 11cef634564297c0da8ae424e5d335e6d0fa9c40aae161066be2d258ea3419d0
SHA512 2f30ff3abcd7a4fea6e522e6f0dbd5e006d9c768d4fe3ffb588e036f01a613284cc1f545c0fbfa0a9627c902f8cd691bce06de3a571efd72a1e96184d2a31535

/data/data/com.ri.smartpayzone/databases/CFPGCore-journal

MD5 c8894a4fef1795ef7afcf85ee6abaea7
SHA1 9d2b4a7d201329fe79812ff087f1021e4214f0e6
SHA256 10f2c0d92cb0be194b10ab4dd6eee2116b2e1760aecc1f47f03da8cf98286e57
SHA512 727a2c10898e5f63f0a2940e60f7dac53cc3e049469a8b306d676eb88e2e0f786ee681e32f298822536a349425665282ebf91fa434d32e34f0067905246c96a6

/data/data/com.ri.smartpayzone/databases/CFPGCore

MD5 7948e5ae3bc5ee76b396700182475ba4
SHA1 2dc89f04b85e6897bfc870924ba0019dd79da491
SHA256 cb84f5e4bcebdb379ac202eef16ef8a3bb933dee8bd5d7f69f391484e7d83a05
SHA512 dbd4cea1045f06b98bef50c0a3f0a645945c78455367d9659962c466e93d9bb132d6f29c061aaf51767b5e99638d4ae0cdc84c8eefbbffe73f2c3e392e7e7995

/data/data/com.ri.smartpayzone/databases/CFPGCore-wal

MD5 1af0f66fb82e22dbdde41d44c9ad0727
SHA1 9a287a311d32bbbd680cdba0a08896e2472438bc
SHA256 67638e0444c71060c78fff90ec6bffcffa605e19cb3f1106266cc42a4684d7a6
SHA512 4868de7674f14220648eaf8d7e96946f3499912b9ab7d60fc7fce8d85453a95bd6b35b3eb810619f34420ec23136ec88197374375c5c560ba877d08150a7aeb1

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-12 14:11

Reported

2024-12-12 14:17

Platform

android-x64-20240624-en

Max time kernel

7s

Max time network

311s

Command Line

com.ri.smartpayzone

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A
N/A | /system/xbin/su | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Checks the presence of a debugger

evasion

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ri.smartpayzone

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | digitalassetlinks.googleapis.com | udp
US | 1.1.1.1:53 | firebase-settings.crashlytics.com | udp
GB | 172.217.169.67:443 | firebase-settings.crashlytics.com | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp
US | 1.1.1.1:53 | digitalassetlinks.googleapis.com | udp
GB | 216.58.201.106:443 | digitalassetlinks.googleapis.com | tcp
GB | 172.217.169.42:443 | digitalassetlinks.googleapis.com | tcp
GB | 142.250.200.34:443 | | tcp
GB | 172.217.169.42:443 | digitalassetlinks.googleapis.com | tcp
GB | 216.58.213.10:443 | digitalassetlinks.googleapis.com | tcp
GB | 216.58.213.10:443 | digitalassetlinks.googleapis.com | tcp
GB | 216.58.201.99:443 | | tcp
GB | 216.58.201.99:443 | | tcp
GB | 216.58.201.99:443 | | tcp

Files

/data/data/com.ri.smartpayzone/databases/com.google.android.datatransport.events-journal

MD5 dc5c63839e720b97dc406988cef2d3b9
SHA1 350522c457ba928f18b85ff1d3d55488f0d9c753
SHA256 17479d6a1e5d0884360fff4d9f1469bfa884a82e2384a97162c1e34ffaa9d190
SHA512 f01eceb071988d324eaeb12368727ab083a047d4c439f6aa03dd47749751bb624d5becd09774168f9db6056fa3103306df1aca745114c0764a354b83e5b87f8d

/data/data/com.ri.smartpayzone/databases/com.google.android.datatransport.events

MD5 c14f5ba1d82a43547d06efa1a716d84f
SHA1 044d90681d9fe7cf1d3896d4b9ffccbb9b6b1064
SHA256 f5e05f85e5cf6cc8f55e3afc686c2f3ac95f6cf2178f8c1b2edf97a7ae11befc
SHA512 99c967f281b9230cf7724d3fedf377da33ab6070dba3080f5db03548899a6426d65990da82df77c9e9054d6d6a23352066dff26350881aee7646fda76d4022eb

/data/data/com.ri.smartpayzone/databases/com.google.android.datatransport.events-journal

MD5 c8c3ebb4ccf7e6bc1e16f6a7b4ed14c7
SHA1 d9d1ee8a05e1c86c18c7f5f2eebbfed35a5a4717
SHA256 26ce40cf43118750317fac221fa3705aad0b981bdd950c8e3f0e2720cd2c8cd7
SHA512 9d24fd84ee68f3aa06af349152fe5e385df9c575497b021e450a498486fffde3336eb09588aa99e2ac02930d7c948b9cfffba71729e3ec7bbfeadf826797a27e

/data/data/com.ri.smartpayzone/files/PersistedInstallation2813809100189951251tmp

MD5 e54f007af854dd41841f8063ea460307
SHA1 d4f8195185a0385559d908cee9dbe2dad6e309b5
SHA256 65193e0ee72513a16fa601c4cac8ee272fb4ca4a29c274044b949506fa04787e
SHA512 a2062b036c168755382d7b4e38fc6dbb3df3da02d1e1786313b80ea8b0f3b4489433703aa95b2e6c3c8e3567d25c66ef51a0afefcff00b8f988d4a9950bd1c71

/data/data/com.ri.smartpayzone/databases/com.google.android.datatransport.events-journal

MD5 5510bc278085ca4bffad18656157c040
SHA1 d6965e389471f1f924ed1e371ae9c697a6f08cf0
SHA256 1ff63f02c2a2ceb774a71d5589316b4afab9d053b1afdd9dab1d7eac76b1082d
SHA512 dd8a698134dc217f7aef9953ae0565f05e8a4a3d6fbf5600ad2acab91dbf3a74afc46eedf681b5dcd28c68c126e7f3f16ea3f15fd1c31072f44417e7d6f9ce25

/data/data/com.ri.smartpayzone/files/.com.google.firebase.crashlytics.files.v2:com.ri.smartpayzone/open-sessions/675AEF5A03760001134FE087B33CF49B/report

MD5 3f23f668e66d8d14d49e37b989f1541f
SHA1 f4d7aabc4e1d34a6a808e8841678b9dd42410e88
SHA256 6e1d7d158d8b94445ff2a5866740544cab3af4fe14ee965cd1cead45dc7ea73b
SHA512 eb381c91ebe787a42b1c31427bdd6868d5a7a2ed6851d301a36a6688af3cad99bedd47e1a2182cbe2275486525a156275671104f59d743914d5eddeba1e88bdf

/data/data/com.ri.smartpayzone/files/.com.google.firebase.crashlytics.files.v2:com.ri.smartpayzone/com.crashlytics.settings.json

MD5 7a963b24707734b0819f2ae7a53e407a
SHA1 d127ba3d351e8a31baa3b526cd4a9d3dcec3e9d8
SHA256 3690239a346d8184c55d03b5fb5a3d6098acaf941d79b5b0f607602115d895ae
SHA512 f0ab3fccc3e869f85eb11db25766f209010e444e013ae41cc2c4ba24515f2ceeb47b664efabdf3750d208b8b9c17aee0103103a841dae6832a67c9dd865d49db

/data/data/com.ri.smartpayzone/files/PersistedInstallation129598317593792285tmp

MD5 8ba7735b1dd746a1f06c63a75c2dc9f0
SHA1 cd1caba8b2d299dfba7813493cf5d297c467becc
SHA256 976571aa921546b110e126a717bdf7eeaa92cd114b89ac1474e6a185d85c26e8
SHA512 9cae624dba6a8189c79580af098dd60e570bd3f5a45d4c86d93b2c0cf9bdc668a2dda72f536ca90d0c0e9ef17e039b0c3f7c8a1783f14a6ca744307c9940327f

/data/data/com.ri.smartpayzone/databases/CFPGCore-journal

MD5 795b4fe115b0c02a0c4c763b374dbca0
SHA1 8d023ee657990c2b8ac9bbea5748fdf2a40e3274
SHA256 7622779eb595795944f1cd7f8d5e5f340b7fcc3abdf02f8172a7b9de87d64764
SHA512 a110a1ab0a978cd3a0b6832e7e29bb540bd51b99f4d5cac14d11ac6213e243f1624e82f6fd736ec21aecbc495bbe3cc5edb3c5b513eb943fc6a1d3ddc6da7632

/data/data/com.ri.smartpayzone/databases/CFPGCore

MD5 ef9650627a35f169c276082cd6c9ae61
SHA1 c8a9cec5ae5e3b2a0026d225bb1cfa63dfe5820b
SHA256 a4feccd5666316055adf7c7612df476c210b78e0f65225a87edc5dbeb04aa673
SHA512 1edcbfba742311ddff823b98be6eb263d68da584038875aa3fde86224f1af2b84cbe08d4f0dad3f8552a541743a2ff1b8ef1ecf8d87a3eba53a9a7802ebc0248

/data/data/com.ri.smartpayzone/databases/CFPGCore-journal

MD5 214377dd5d37ca288d20787501cfaf11
SHA1 371904f395ce1638f4bf66c3262c6ae74ecfc1a3
SHA256 4a7d6592e73d07995893128fd7aa852791920b456736af24c82379bb581bbe34
SHA512 fbc5233458b77b8eb413ea2305c3f7e13e2ca2e0f477bb4072d7fdaf11a62b80960ff3297c661176f6372f42a7ecb585cc5d8d8bb01316a7e270d25b2eed7b09

/data/data/com.ri.smartpayzone/databases/CFPGCore-journal

MD5 99cd204fb00ed51025ca3b965a030b23
SHA1 dbb43f66872fd0c135a1d6455dee9bd27110e3ac
SHA256 f1a2b532cffb25644720608240afe882b8f7e82e5d47d681b214e9a6d0b48ef3
SHA512 96bf116269b2cee613cc48cd5aad55ceb35ceb29d95cbbd7279239e23011a661209667dd15fad2025a5247d145a29fce0c1689e954044d77aea475e8791f43b8

/data/data/com.ri.smartpayzone/databases/CFPGCore-journal

MD5 a8530071ffa74de355dd167901bcc37d
SHA1 0da1eb4c0a2ddcfd1cc59f214d879477fb1e822b
SHA256 02b523b1815fbe4c7c16bef8110152ac35e8cee77baa32657c93992fa8f63534
SHA512 840eab50d5117cd8d2ff9018e0e12d43ab6d75fd2716664d812e21a5c70cb40c104d0d529b989ab2bd9288a0183f42caa056391453c26c2348b79411a72b8518

/data/data/com.ri.smartpayzone/databases/CFPGCore-journal

MD5 9b2c279e84cb862a7dbe03820755aa23
SHA1 072070e3872bdc72c84eef0c7f9e8c965f5b4eab
SHA256 c2a4b2278d49f3da7d2685bb77186ac1cb5bdfb7455a7ae8b44cde11f4800b1c
SHA512 077dfebb15083f6809288e9463a05190bb56fa8e3b4dcdef70fc430738c6e89155ef0ffb099067cf321651fd62babd8a04313373c50278809042f3d0654a6f3e

/data/data/com.ri.smartpayzone/databases/CFPGCore-journal

MD5 f9a74283959ddcfc4ac074988f078739
SHA1 7480a343f54638ec6de8ca0ae901f5d42ca51530
SHA256 edb789383325c751d0ddf7d99ec0f3e1c889922c34bc142d498baac84a519266
SHA512 fbeadf95bad2db716db81206f4047e550daae3266f23004960e6f194da3de247bd57303f1773ec90f71bc52e1917313d6637d691756e9339ce97ad0c4c1199cf