Malware Analysis Report

2025-04-03 09:09

Sample ID 250302-1bjs8av1et
Target WhatsApp Business.apk
SHA256 e732ac95aac2dd92fea28abf70f113aca63995327048b78b3a3afd10366ec5d3
Tags
triada discovery evasion
score
10/10

Analysis Overview

score
10/10

SHA256

e732ac95aac2dd92fea28abf70f113aca63995327048b78b3a3afd10366ec5d3

Threat Level: Known bad

The file WhatsApp Business.apk was found to be: Known bad.

Malicious Activity Summary

triada discovery evasion

Android Triada payload

Triada family

Loads dropped Dex/Jar

Queries information about active data network

Declares services with permission to bind to the system

Requests dangerous framework permissions

Acquires the wake lock

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-02 21:28

Signatures

Android Triada payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Triada family

triada

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by chooser target services to bind with the system. Allows apps to modify targets that handle user actions. | android.permission.BIND_CHOOSER_TARGET_SERVICE | N/A | N/A
Required by remote views services to bind with the system. Allows apps to share and display views across different processes. | android.permission.BIND_REMOTEVIEWS | N/A | N/A
Required by telecom connection services to bind with the system. Allows apps to manage phone call aspects such as call setup and notifications. | android.permission.BIND_TELECOM_CONNECTION_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows applications to use exact alarm APIs. | android.permission.SCHEDULE_EXACT_ALARM | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to access any geographic locations persisted in the user's shared collection. | android.permission.ACCESS_MEDIA_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read audio files from external storage. | android.permission.READ_MEDIA_AUDIO | N/A | N/A
Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A
Allows an application to read video files from external storage. | android.permission.READ_MEDIA_VIDEO | N/A | N/A
Allows an application to read image or video files from external storage that a user has selected via the permission prompt photo picker. | android.permission.READ_MEDIA_VISUAL_USER_SELECTED | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Required to be able to advertise and connect to nearby devices via Wi-Fi. | android.permission.NEARBY_WIFI_DEVICES | N/A | N/A
Required to be able to discover and pair nearby Bluetooth devices. | android.permission.BLUETOOTH_SCAN | N/A | N/A
Required to be able to advertise to nearby Bluetooth devices. | android.permission.BLUETOOTH_ADVERTISE | N/A | N/A
Required to be able to connect to paired Bluetooth devices. | android.permission.BLUETOOTH_CONNECT | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-02 21:28

Reported

2025-03-02 21:29

Platform

android-x86-arm-20240910-en

Max time kernel

1s

Max time network

19s

Command Line

com.whatsapp.w4b

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.whatsapp.w4b

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
AU | 1.1.1.1:53 | digitalassetlinks.googleapis.com | udp
GB | 142.250.179.234:443 | digitalassetlinks.googleapis.com | tcp

Files

/data/data/com.whatsapp.w4b/files/Logs/whatsapp.log

MD5 49472313559d3aa52ce377b594980d27
SHA1 124ebb3df156209fc7d81ffa34778c7ada30c5be
SHA256 63891b84fcb0c9a87352df3f27699be6b09a42e5d291eec0d4469c0aaaf9047d
SHA512 df638e34c8b917b23e8ea91b228ee4433c5c7f8413f27f91d9bf51c21d5f05dc001f5b4e46fdc5338c509eb3e1b7f7b7732a24f492b0a6efab2bc27fdc41ccf5

/data/data/com.whatsapp.w4b/databases/com.google.android.datatransport.events-journal

MD5 56683d77eb6c188e0cc00b4ff845d045
SHA1 22e103e3feeb7f2eb7d004d23c3a311ea5fa8ead
SHA256 849b0f8c0bca07eee9d52d70500577f0b8d285826adbb7b4ead9adad268654b6
SHA512 f46ed629200e27af90d3db64ed052d85787aa0fc2d32c0345fc86d993eddd8c83903c587422b31ab74c1e42b7a6b4a45ad8247d05dcf3c5ba4956ad7424aebc5

/data/data/com.whatsapp.w4b/databases/com.google.android.datatransport.events

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.whatsapp.w4b/databases/com.google.android.datatransport.events-wal

MD5 4059df4a81026d87f6b06e6798bb69dd
SHA1 1bb7758cd83f2673700d017fb9653fab8d9eacb0
SHA256 13323235daf78e6485334dcbe9291004858e776418a78f615be316848f760f68
SHA512 17f6d526bae55c4f6b1a6286f27a9b1b3b6c0ea9ba67abe60f926dcdd16aa917da1033995e3947f541dd2ca18f6a5e209ef71bb6a520c04d4e09c99be0c9f65a

/data/data/com.whatsapp.w4b/files/crash_sentinel

MD5 02df83b6a47fa70f0912572a6ee89bc5
SHA1 6a278eed093c687b02f4127a6f8f6b4c4afef286
SHA256 07af999053dfa5ae7f406f30cf9f5fab57d370d2ac6641cf7a1ae1187943f54b
SHA512 d3a5ea0201419e82269280b971fdfd9773cba865511142d77ce32f9414390dea4f79acf385e0d681e08c4a0ea39c6322dd02fd9031767ab79dbbb1689a19c795

/data/data/com.whatsapp.w4b/files/PersistedInstallation2065137773045395897tmp

MD5 06dc164df12e35c4938cb5e7226c33b9
SHA1 766b6536ebd023acec1aa1f3242366a49073ba61
SHA256 a88b1b95e566d99440f7c303c8171df872f95fe020d15e23642aba7e6b6e0783
SHA512 cf61cde58a6f4d858c1104248a843f2b2167c144cc63cd0d5fa82877a8db355c75a430ce8d3b454f86d61c67338408e34d5ad52bdfdbeef31033a8f6bd084c80

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-02 21:28

Reported

2025-03-02 21:31

Platform

android-x64-20240910-en

Max time kernel

1s

Max time network

156s

Command Line

com.whatsapp.w4b

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.whatsapp.w4b

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.180.10:443 | | tcp
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
AU | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.14:443 | android.apis.google.com | tcp
AU | 1.1.1.1:53 | digitalassetlinks.googleapis.com | udp
GB | 142.250.187.202:443 | digitalassetlinks.googleapis.com | tcp
AU | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
GB | 216.58.213.2:443 | | tcp

Files

/data/data/com.whatsapp.w4b/files/Logs/whatsapp.log

MD5 8eb0db825307a1fdaf9403047f2db501
SHA1 7fbde4a0c8768f6ce559f5069603d08199db7694
SHA256 b8ec9666f0c260047601ed28f4b4bb9ee7b3db308321dd5bd65fa610a6755d20
SHA512 1c6d21bee0ca33ffbd9b3ef060b5aba0d95a98ddb12717ab04e5b76f159fd3269f3d9cb3b29efb6b94fbfac9bba35f275f2335864c018bef610fad0c02671ce8

/data/data/com.whatsapp.w4b/databases/com.google.android.datatransport.events-journal

MD5 6de7890e1be50c9648bbafcb2d43a12d
SHA1 7d6b7cc94839a928a45ae569e7d8f72df44f0bb7
SHA256 c30ca41c2f1ef07b35213e59a21b576461447d668871bb5555c44eef1787d373
SHA512 0378f3cc37f441a6fd159288da1b230785874de27c39b59bc503406d891556cacc627068308aba66d34383e23ee37ed301bc57115a10eea804c16d39d4e5d432

/data/data/com.whatsapp.w4b/databases/com.google.android.datatransport.events

MD5 ea628e04765adaf4238a5dcdff4bbd51
SHA1 a801947619ea8c368efe9c006a324dc6339ac60b
SHA256 885e337c2156e4dbf2176a9677ade50418740532d222ccae5ad4aa371b54c6a4
SHA512 c0287b0e7b690a7231a37d1745c49f3d861b22aa65dd769ba6a8b5ab9da55443f749957781ee05a405019c39e1be45d37a971b821bffd62a1d5620bc39119abe

/data/data/com.whatsapp.w4b/databases/com.google.android.datatransport.events-journal

MD5 6a04e05ab47564881c93b2d26ee58d17
SHA1 425c4598e31976801240387a4f129fa430e96165
SHA256 ee5668d3b27dde2a8f78e9ff54562d0a5c6dd7122a17368f7db402aa68cf941b
SHA512 e3564c088668b9895678fe2f5713c20e8e54689ff950453c619f1f0ce1bd7978f71aaeb11d7131fe870965c7dfc12db1624bee43783a40bbb5e05257468fe52b

/data/data/com.whatsapp.w4b/databases/com.google.android.datatransport.events-journal

MD5 2ef72c5495f37ba311cf46bc73968a11
SHA1 b5d2c442a7102d90793e54dc15bfd0c94f7203ab
SHA256 c893769b8c3423ad2a4a486b84a6e0c27f97c78101225a9acf481cec3d3f1a43
SHA512 bd84e28abddaa52989bba28af4b9622e541aa2ce20ac34c9e9a0f2f629845ee415e624a8a0ea7c4bc4e4aad994c6124be2eef510363041fdbdf0710bd4dc60f6

/data/data/com.whatsapp.w4b/files/PersistedInstallation6343418706531246338tmp

MD5 0c40c00ae5efc1f26aaa182f0a85bd51
SHA1 9606570389767451a716d8b6d798b3ff731a8cbf
SHA256 7bb05fd0cd233cedd07885c36aea5619bbddc2b3f4c86afb11bb4b7080f31876
SHA512 73dbae09b91f3adeff9af2c314634c62e5cca5b485b38e8c583ff2ff8e29fe24bcf02b21bdc2bea3080d87d1e397c18e866b56df8a255510671d4b45d697ffa9

/data/data/com.whatsapp.w4b/files/crash_sentinel

MD5 ca6ff421e87273a0a669431ca4e50b15
SHA1 084515c11df37301a07d62dbf556c3e0e8b3e3a4
SHA256 f5c52efcbf4a2fea45bccf487ac16e30b08ddfdb6b8452ce3cc24f92e8461966
SHA512 31bc338ace678efaf53292d2962d7f4123f52a0b52064b0dfc7480e3f0970eb8896806c3f1636d3f19d2bb2e98e46429d9b6d1774f84252dd35b7f8e39170e9f

Analysis: behavioral3

Detonation Overview

Submitted

2025-03-02 21:28

Reported

2025-03-02 21:31

Platform

android-x64-arm64-20240910-en

Max time kernel

1s

Max time network

151s

Command Line

com.whatsapp.w4b

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A
N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.whatsapp.w4b

Network

Country | Destination | Domain | Proto
US | 216.239.34.223:443 | | tcp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
AU | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.14:443 | android.apis.google.com | tcp
AU | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.179.238:443 | www.youtube.com | tcp
GB | 172.217.169.14:443 | www.youtube.com | tcp
AU | 1.1.1.1:53 | digitalassetlinks.googleapis.com | udp
GB | 172.217.169.10:443 | digitalassetlinks.googleapis.com | tcp
US | 216.239.32.223:443 | | tcp
GB | 142.250.200.46:443 | www.youtube.com | tcp
GB | 142.250.179.225:443 | | tcp
GB | 142.250.200.33:443 | | tcp
US | 216.239.32.223:443 | | tcp
US | 216.239.32.223:443 | | tcp

Files

/system_ext/framework/androidx.window.sidecar.jar

MD5 bdf3529e80318eb14e53a5bf3720c10d
SHA1 25c9ace4b1af6e80ebb2572345972c56505969ba
SHA256 bbc8300dd1e9cd08de8f66560c1ac2c928615b72b51cef9649f88974f586d64b
SHA512 48b9c2d01171bb651b9b54826baa51f4add48431a3efd8ceb5f7cc3bcd6f8f37edf47fabb24349dd15b3a02329cd450f90a8d164bf4f8dfae554bf3b35a8a55b

/data/data/com.whatsapp.w4b/files/Logs/whatsapp.log

MD5 b7444c3f16325bf045f57e098aa1d305
SHA1 4e2dbf41cb2fd93c8698779894f1f49421290058
SHA256 23e8fcf27249d4a3ad24ab29e32359d016191fe62190b1523d85f0291cd1e362
SHA512 951c046b41fcf723001958d90a5c7d1d569da0e99325ba7cf75b7019084699cda8eae04ea42b99ddc354faa568581d310277b012d34b9075b1a624f2bad63952

/data/data/com.whatsapp.w4b/databases/com.google.android.datatransport.events-journal

MD5 34279d0d4d0959f3eb00754d47348c68
SHA1 328cb75845fd59f608467307aa0f84c334441952
SHA256 a9160e8ccb139bb23c6542215eb998f6f2c7e77691afe02e85608420a77ecb53
SHA512 d7b5d00d2a8171d7aed4977927ce8ed868579353dd5c6c87b6f55b7d6bdc65ed92e6182106d2b9a61c616f84d52ed5d8e7823f6b4cd325398099e6f80f72e46d

/data/data/com.whatsapp.w4b/databases/com.google.android.datatransport.events

MD5 171aedf968e17a2744d2585715606cb9
SHA1 bbeddeb3b89fcf809619c35b4a318a80e7d5b029
SHA256 d2ab452d9360848f46af866b870b5c6fc98230b09c72b89cb1a4b2778586678e
SHA512 78a0f517ee3d21c153dda6dbfec4187ebaee9d520d7b1b63f358bcb125d08aea53f26943907a56fdeba40161d9fc7e4fd63f9ae3154dd2ad887ba0162738285b

/data/data/com.whatsapp.w4b/databases/com.google.android.datatransport.events-journal

MD5 3a9df43cce4b86632aed432ec207152d
SHA1 84d91987bb43177b4b1a65baeb23ffb22ad39ae0
SHA256 7c27b8c9d253ae290d99bc75d5a00beb238f7d81a1cc3ff7e088781a85cdadb7
SHA512 4c8b08b336328f031af3d890144a7bed47e378378e9a92101a26d990035439217f60bfc50927f3c9e29343515e0a726fed0a259804ba5baee6f5991d36e32271

/data/data/com.whatsapp.w4b/databases/com.google.android.datatransport.events-journal

MD5 1c0196aebd35f334d9b040a11b0564bd
SHA1 91cbb3dfa85ad186626b4c6d42c11fe204cb87cd
SHA256 f7befc9661f43715c36cbdca316ec76e2bb20898637aa341187ac5e21bd1b6e7
SHA512 88ae4d2fc9de4fcd663395f92372e408c65958c2124236805d0171ae48d96f7fcde4df09e39d2b4914e7ddfee81dd2f78714fab46c95450d04f0525b10c5d4a0

/data/data/com.whatsapp.w4b/files/crash_sentinel

MD5 444f4b5cb3a664a4a47d9c57c60bca0b
SHA1 635a7b0a32ccb2d4a2dee296cc04447d18836e9e
SHA256 61ec74dec9062e0390ab3c41b26f573e0498a6b0350a895233147348c1990b76
SHA512 ea03fe79bb60a4fcd2bcc5e6168024780d7b0c3a523a74199e5438b4451e780174e05c6b97b4faf2b7107518221bf6ca4e8dffc8a566f1c7d074d3a870964e17

/data/data/com.whatsapp.w4b/files/PersistedInstallation6601206200003120009tmp

MD5 cb32abcc74db6a55a88546a458c353c2
SHA1 8ea528369d2620e37eaf7ed14333ca7a41408fc7
SHA256 a429d6cd245b2605fe57cc82720cfe301b68e1f6d79b4c778a1a1ec8e725ed4b
SHA512 f216e6b24b7e05a366807d9d2f73cded2748008ba8dadba777571de0669afdbdc197267b91a5795e3b74d24d3180827f8f20736a41ef25e880bbcc1ded359cd9