Analysis Overview
SHA256
92dc910b5df989defcf8733985776f35797681ea11bc9da2432b6dfb589b9778
Threat Level: Known bad
The file NEAS.92dc910b5df989defcf8733985776f35797681ea11bc9da2432b6dfb589b9778apk.zip was found to be: Known bad.
Malicious Activity Summary
Irata family
Irata payload
Requests dangerous framework permissions
Acquires the wake lock
Analysis: static1
Detonation Overview
Reported
2023-12-10 02:31
Signatures
Irata family
Irata payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
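The permission list above is the most useful static signal on this page: RECEIVE_SMS together with READ_SMS lets an app intercept one-time codes, and READ_CONTACTS together with SEND_SMS lets it spread or exfiltrate over SMS. The following is an added example, not code from the sandbox or from the report, that extracts `uses-permission` entries from a decoded AndroidManifest.xml and flags these combinations. The combination names and the manifest fragment (which reproduces exactly the seven permissions listed above for `com.lyufo.play`) are constructed for the example.

```python
"""Flag high-risk Android permission combinations from a decoded manifest.

Added example for the static analysis above; the combo names below are the
editor's own labels, not Android or sandbox terminology.
"""
import xml.etree.ElementTree as ET

# Android's manifest namespace; attribute keys are "{namespace}name" in ElementTree.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission sets whose co-occurrence is far more telling than any single one.
COMBOS = {
    # Intercept incoming messages (OTP / 2FA theft).
    "sms_interception": {
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
    },
    # Harvest the address book and message it (exfil or worm-style spreading).
    "sms_exfil_or_spread": {
        "android.permission.READ_CONTACTS",
        "android.permission.SEND_SMS",
    },
    # Device identifiers / carrier info, typical for victim fingerprinting.
    "device_fingerprinting": {"android.permission.READ_PHONE_STATE"},
}


def permissions_from_manifest(manifest_xml: str) -> set[str]:
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def flag_combos(perms: set[str]) -> dict[str, set[str]]:
    """Return every combo whose permissions are all requested."""
    return {name: needed for name, needed in COMBOS.items() if needed <= perms}


def triage(manifest_xml: str) -> dict:
    """Summarise a manifest: sorted permissions, matched combos, review flag."""
    perms = permissions_from_manifest(manifest_xml)
    hits = flag_combos(perms)
    return {
        "permissions": sorted(perms),
        "combos": sorted(hits),
        # Any SMS-related combo alone is enough to send the sample for review.
        "review": bool(hits.keys() & {"sms_interception", "sms_exfil_or_spread"}),
    }


# Constructed manifest fragment: the same seven permissions the static1 run lists.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.lyufo.play">
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
</manifest>
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Feed it the manifest produced by `apktool d` or `aapt2 dump xmltree`; a manifest that requests only INTERNET and POST_NOTIFICATIONS yields no combos, so the check separates a notification-heavy app from one staged to read and send SMS.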
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-10 02:31
Reported
2023-12-10 02:34
Platform
android-x64-20231023.1-en
Max time kernel
1368440s
Max time network
150s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Processes
com.lyufo.play
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | www.youtube.com | udp |
| NL | 142.251.36.10:443 | | tcp |
| US | 1.1.1.1:53 | www.youtube.com | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.250.179.168:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| DE | 172.217.23.206:443 | android.apis.google.com | tcp |
| DE | 172.217.23.206:443 | android.apis.google.com | tcp |
| NL | 142.250.179.206:443 | | tcp |
| NL | 142.250.179.132:443 | | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| US | 1.1.1.1:53 | www.google.com | udp |
| DE | 172.217.23.196:443 | www.google.com | tcp |
| NL | 142.250.179.142:443 | | tcp |
| NL | 172.217.168.226:443 | | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| US | 1.1.1.1:53 | g.tenor.com | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | www.google.com | udp |
| NL | 142.251.36.36:443 | www.google.com | tcp |
| NL | 142.251.36.36:443 | www.google.com | tcp |
| US | 1.1.1.1:53 | www.youtube.com | udp |
| DE | 172.217.23.206:443 | www.youtube.com | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| US | 1.1.1.1:53 | g.tenor.com | udp |
| US | 1.1.1.1:53 | www.google.com | udp |
| NL | 142.251.36.4:443 | www.google.com | tcp |
| NL | 142.251.36.4:443 | www.google.com | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 216.58.214.14:443 | android.apis.google.com | tcp |
| NL | 216.58.214.14:443 | android.apis.google.com | tcp |
| NL | 216.58.214.14:443 | android.apis.google.com | tcp |
| NL | 216.58.214.14:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp |
| NL | 216.58.214.14:443 | android.apis.google.com | tcp |
Files
/data/data/com.lyufo.play/files/PersistedInstallation4021899304945042850tmp
| MD5 | 407f863692aa4e89db654510bcb9b5c2 |
| SHA1 | 0765de067cf0ded54a19847c57c8962667749881 |
| SHA256 | 79ab2ccd7ad6d98718f551fa0ae38ce4505609270f6ac46ac742f3eeb8d98d4d |
| SHA512 | c194eedcb66b995723b8d359ca29338848646cc4655c5e7e1f402e89314f5501936348b8a3ded3cbe66c291922cefcab713cb9b6de1e1904adc7ff87cebe29c3 |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| MD5 | 76a8bf8f83220d7846098de542324cd5 |
| SHA1 | 64b9f97c764de5d9dd0d8dd8b118416ea699c6ea |
| SHA256 | 21579649954eb306229cc1615ebb1f1fb9b6066198bf1ccb14df0ed0bf1fdebb |
| SHA512 | 4c5a419ec9ca5ed234d409f097e5d95926901b614469638403f9a7673d8d3bf4377d78b10fd1d1216cb287f5c94f9c3d89a4cd8e0afc6450a9213fc6e462527b |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db
| MD5 | 188c0542bc062e48b614e5ca8c1081af |
| SHA1 | 0eb9b89a5c92957cd1fe748cc063b32853339774 |
| SHA256 | c1ccc325c2699ed7f556cf171566317f706a911c4d02b1644a2a7908b93da58b |
| SHA512 | 62a67f2c56bc3b40d49c80094f160d355a8f67130e1924109426e0481008bc2cd11a9e2675a901abd03cad1e7fe0028031e20d826437edcf35b6f86e2499c2b4 |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| MD5 | 095e99c1eaffabadb8d31ab1783fcad1 |
| SHA1 | cea10c201dee943f47d815e253bab47298b5cda8 |
| SHA256 | d334c92a5ed225b73fc9fb190c29279878605f7b9f999f6560dd52df287d9aff |
| SHA512 | 662891187702eb0f0bf18af7177ea524b9162d238231f38d1f6fa88a3dfb1b4cca204c7e4a7b7812688d6878f13b9b3083f5f88cd9532dc45d1f88d3f895c478 |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| MD5 | 83500aede409f25fc978d2e8d0c51cf3 |
| SHA1 | 3f9ea6493ab450e5bf1f86f5a78a850cf149230a |
| SHA256 | 81e046a1f36cf0bcbd383e390fc23ad08459d67b753d836238cf550513cc3ad2 |
| SHA512 | d99ae9e06acb80a00157714a5d1f15b15ebc29637472b257b44aefdbe4c7f5d0f641b53885947cda3056466f347c71eec41ad631c9a0dd29c09d14980c91e217 |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| MD5 | c6829a4fe36ff5bd5fe66c3df9a4ce0b |
| SHA1 | 1421fb53ed49ffae3aadd6038b5c0328accc0b47 |
| SHA256 | 2e32934136fa0cb469e5d2e16d586860c12de6386540d1c8683339ed9b760af0 |
| SHA512 | 6dea50ba4b999fb76f06fa3226f0565fd9b26f8752c8e130633d4f107b67018923f330423b733e927c9bbb5b9d2fc5aa7bdb04a73c8fa5dac60bd8a4d27e572e |
/data/data/com.lyufo.play/files/PersistedInstallation5286543172415686612tmp
| MD5 | 8295aa9aa2aefc01cd1aec17c3e120e3 |
| SHA1 | 2c0c92a6161b839313c0612bad618a445995479a |
| SHA256 | 173c729ce6415ad03e8975debd6a71d06261e80825fac037668215d817d662a3 |
| SHA512 | 69aeeb6990a8cd37783305f72d95fb9654d6a470fe09c9d0934fbc09358b3d5918feb31690bdb5932de1f369845869f04f5a1dfaded0698765ff87b85dd3a23c |
Analysis: behavioral3
Detonation Overview
Submitted
2023-12-10 02:31
Reported
2023-12-10 02:34
Platform
android-x64-arm64-20231023-en
Max time kernel
1368442s
Max time network
134s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Processes
com.lyufo.play
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 142.250.179.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 216.58.214.10:443 | | tcp |
| NL | 216.58.214.10:443 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.251.36.40:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.251.36.4:443 | | tcp |
| NL | 142.251.36.4:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.206:443 | android.apis.google.com | tcp |
Files
/data/data/com.lyufo.play/files/PersistedInstallation824770282926908060tmp
| MD5 | 9645fc8431583af48b5395193cc49e5d |
| SHA1 | d59c664f0a9e1a4ceae7756b215d7da5bab43898 |
| SHA256 | a50023a9e41a7863d1aa1f76da06589b382f3124b92a1ab7db17390ee2c497ad |
| SHA512 | d45d372978883ca988fb83e316dd339ed62aa54a51979e52540c07c059045e9d206480eff4cf1696df8471542c636382cd7af00ec0aaa4960c866447eaaa182d |
/data/data/com.lyufo.play/files/PersistedInstallation3401469043499633825tmp
| MD5 | 9a9f2967a92129adb29533caf8dae625 |
| SHA1 | b56cf6d9e495420dca30cc257276dafd302d005b |
| SHA256 | 7656d7eafcac869268c90ae03c1c3a274fbebd0793437e6fa9807394c5d84e31 |
| SHA512 | e23fbde95359f479848a05c2946b8e437c683732282be3496bd80778af57430abad3a746f4d0ff9daec8f44f2577b6ee09fc69d94082c968246c2f4150e04487 |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| MD5 | c7458381577d2f097053dcc3a0c51b81 |
| SHA1 | ba32021e1e2cf9b01bb6eca380e1918f9107dbd5 |
| SHA256 | 436cb201458e8bad094c3941a706cb40339f8f1fa15075d7d8d89a2678dfcfd9 |
| SHA512 | 1341a3b624d4026cfc1540f6f61ab67edd31b684190a9cd9ae983896aa08917fdd9e658cd0f45190b4fc2cf7764ecfe4eabbc25c8c382203c62f0064e602ed25 |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db
| MD5 | d9cf75fdd1c2292d986f6c3d5d60f2c8 |
| SHA1 | 07ecb1d3a26d952ae5fecf54f36699ab498510b1 |
| SHA256 | 2d227e9b7a044c8e10294f6a831fb92d81ea9582381796d87f35bd268e37538a |
| SHA512 | 442c96e4b4c79b8d1c64dd3a6d6088ae1dace441e78d830dfb3190ee1c0fafebc606fb432071b4a1ad1a4ba9b68c7877b0bce520ccc88708feaf82bbc474e0cb |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| MD5 | 1149ac8dddab014393a94321d0a00a43 |
| SHA1 | 4261bfa7fa26e5f59ef013f3d7c9d1f59ad19a11 |
| SHA256 | 250a05b8df079e9f0042bb66d1a5e7e619dcdb4e43a74b75640f471797e48115 |
| SHA512 | f5193e7a865882ffd5be4c62c1e73185fe9ac2c014754100e1a50f350b7b08f34b1111b9226da68bb86c71fe0828ba6abd8f6e89b69b4159bab49f52441b5eac |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| MD5 | 162aee773bb3e78155b2014e4dcacdb6 |
| SHA1 | 17cd05aaee404891bbae042eb343275996c30c15 |
| SHA256 | 2188a011437d3029c4d98d6105c47a635e77c8cf1c0a7ae7d5bb9a14d8906928 |
| SHA512 | 7aaa7d7f97edc8820d36aea47a47ed0f491f14710ffbc555a45ad318ef50e65a2649399a3c892a5f6148fc7af1bf8b23cbcf48f23e295c99a4c00585147250f8 |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| MD5 | 602517a37c5de2a3e8a8481632041fa0 |
| SHA1 | 64201da6411d20871bdf6ee9bef9f8f5c977204f |
| SHA256 | 6bb51fade4734f07339104784df980cd3085354af6414864da49bbd065e29521 |
| SHA512 | c130bf2669193cc493344dc0505bc4b404f3f5a25c0715bdf82eebbe8bfe39ac9314cbb92c702c6e7cbc7b11385d62302860bc725e33cb4048a8ce9d385b861a |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| MD5 | 3f5421cc78f3735f2dae64e35be4196a |
| SHA1 | 8813a3224167361a068e82befdea2403450b6e87 |
| SHA256 | fed7ca7ccaca697ec43f954f773f4fb82d92e55fe4312c3164c906c162175b92 |
| SHA512 | e898ec4fa802831095c3c909c8b2940963960dfbc69d69b5158c5f3da8da7f80e0cfe983afc3e0f1e98d68d4cf3fe82dd1ff31bdd906c9b36d23583640c451d3 |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-10 02:31
Reported
2023-12-10 02:34
Platform
android-x86-arm-20231023-en
Max time kernel
1368440s
Max time network
131s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Processes
com.lyufo.play
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| NL | 142.250.179.202:443 | semanticlocation-pa.googleapis.com | tcp |
| NL | 142.250.179.170:443 | semanticlocation-pa.googleapis.com | tcp |
| NL | 142.251.36.14:443 | | tcp |
| NL | 142.251.36.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| DE | 172.217.23.206:443 | android.apis.google.com | tcp |
Files
/data/data/com.lyufo.play/files/PersistedInstallation4342481186420717161tmp
| MD5 | 8184e32f88f7e2c609e2cd90f7789dc4 |
| SHA1 | f27f0a5b88c1909b45723a2406cf3fc98fb44f2e |
| SHA256 | 082caf6b8388e088b8af78c02fae39a8aff937424cbf80597867ca03daaddaf6 |
| SHA512 | 0e89ee876bc55bd65a0fbd1bab1bab80f1853ad00abd800b411e563af6560848767b15b04763f75bf11a7613be72a289202a3eda45d8a0f9c0052a2adaef0a59 |