Malware Analysis Report

2025-01-19 06:04

Sample ID 231210-czt24adbe5
Target NEAS.92dc910b5df989defcf8733985776f35797681ea11bc9da2432b6dfb589b9778apk.zip
SHA256 92dc910b5df989defcf8733985776f35797681ea11bc9da2432b6dfb589b9778
Tags
irata
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

92dc910b5df989defcf8733985776f35797681ea11bc9da2432b6dfb589b9778

Threat Level: Known bad

The file NEAS.92dc910b5df989defcf8733985776f35797681ea11bc9da2432b6dfb589b9778apk.zip was found to be: Known bad.

Malicious Activity Summary

irata

Irata family

Irata payload

Requests dangerous framework permissions

Acquires the wake lock

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-10 02:31

Signatures

Irata family

irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
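The permission set above (receive, read and send SMS, read and write contacts, read phone state) is the cluster that distinguishes an SMS-stealing Android app from an ordinary one, and it is the static evidence behind the Irata verdict; POST_NOTIFICATIONS on its own is not meaningful. The following Python is an added triage example, not code from the sandbox or from the sample: it parses a decoded AndroidManifest.xml, groups the declared permissions into the clusters an analyst cares about, and checks for a broadcast receiver registered on SMS_RECEIVED, which is how such apps get the message before the default SMS app does. The manifest embedded here is constructed: its permissions are exactly those in the table above, while the package name is taken from the behavioral sections, and the SmsReceiver component and its priority are hypothetical, since the report lists no components. The cluster definitions are the analyst's choice, not a platform list. A real APK's manifest is binary XML and must first be decoded (apktool, androguard), which this example does not do.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANAME = f"{{{ANDROID_NS}}}name"          # attribute key ET uses for android:name
APRIO = f"{{{ANDROID_NS}}}priority"      # attribute key ET uses for android:priority
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Analyst-defined clusters (assumption, not an Android platform grouping).
CLUSTERS = {
    "sms_interception": {"android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "contacts_harvest": {"android.permission.READ_CONTACTS",
                         "android.permission.WRITE_CONTACTS"},
    "device_fingerprint": {"android.permission.READ_PHONE_STATE"},
}

# Constructed manifest: permissions copied from the report's static1 table,
# package name from the behavioral sections, receiver component hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.lyufo.play">
    <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="play">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def declared_permissions(manifest_xml):
    """All android:name values of <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANAME, "") for el in root.iter("uses-permission")}


def sms_receivers(manifest_xml):
    """(receiver class, intent-filter priority) for every receiver that listens
    for SMS_RECEIVED. A high priority puts the app ahead of the messaging app in
    the ordered broadcast, which is what an SMS stealer needs."""
    root = ET.fromstring(manifest_xml)
    found = []
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {a.get(ANAME) for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                found.append((recv.get(ANAME), int(flt.get(APRIO, "0"))))
    return found


def triage_manifest(manifest_xml):
    """Group declared permissions into clusters and combine with receiver
    evidence into a coarse verdict for the analyst to act on."""
    perms = declared_permissions(manifest_xml)
    hits = {name: sorted(perms & members) for name, members in CLUSTERS.items()}
    hits = {name: found for name, found in hits.items() if found}
    receivers = sms_receivers(manifest_xml)
    # Both interception permissions plus a receiver on SMS_RECEIVED is the
    # complete read path; a partial cluster still deserves a manual look.
    full_interception = hits.get("sms_interception") == sorted(CLUSTERS["sms_interception"])
    if full_interception and receivers:
        verdict = "sms_stealer_profile"
    elif hits:
        verdict = "review"
    else:
        verdict = "no_dangerous_cluster"
    return {"clusters": hits, "sms_receivers": receivers, "verdict": verdict}


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage_manifest(SAMPLE_MANIFEST))
```

The verdict is deliberately coarse: the permission cluster and the receiver together say what the app is able to do, not what it does, and the sandbox's own family detection remains the stronger signal. The point of the check is to reach "sms_stealer_profile" from the manifest alone, before detonation, and to keep POST_NOTIFICATIONS and INTERNET out of the scoring.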

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-10 02:31

Reported

2023-12-10 02:34

Platform

android-x64-20231023.1-en

Max time kernel

1368440s

Max time network

150s

Command Line

com.lyufo.play

Signatures

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Processes

com.lyufo.play

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.youtube.com udp
NL 142.251.36.10:443 tcp
US 1.1.1.1:53 www.youtube.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.250.179.168:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
DE 172.217.23.206:443 android.apis.google.com tcp
DE 172.217.23.206:443 android.apis.google.com tcp
NL 142.250.179.206:443 tcp
NL 142.250.179.132:443 tcp
US 1.1.1.1:53 www.google.com udp
US 1.1.1.1:53 www.google.com udp
DE 172.217.23.196:443 www.google.com tcp
NL 142.250.179.142:443 tcp
NL 172.217.168.226:443 tcp
US 1.1.1.1:53 www.google.com udp
US 1.1.1.1:53 g.tenor.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 www.google.com udp
NL 142.251.36.36:443 www.google.com tcp
NL 142.251.36.36:443 www.google.com tcp
US 1.1.1.1:53 www.youtube.com udp
DE 172.217.23.206:443 www.youtube.com tcp
US 1.1.1.1:53 www.google.com udp
US 1.1.1.1:53 g.tenor.com udp
US 1.1.1.1:53 www.google.com udp
NL 142.251.36.4:443 www.google.com tcp
NL 142.251.36.4:443 www.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 android.apis.google.com udp
NL 216.58.214.14:443 android.apis.google.com tcp
NL 216.58.214.14:443 android.apis.google.com tcp
NL 216.58.214.14:443 android.apis.google.com tcp
NL 216.58.214.14:443 android.apis.google.com tcp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
NL 216.58.214.14:443 android.apis.google.com tcp
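Two things about this detonation matter when reading the table above. First, the only behavioral signature that fired is the wake lock, and android.os.IPowerManager.acquireWakeLock is a generic framework call that countless benign apps make; the Irata verdict rests on the static family detection, not on runtime behavior. Second, every named destination is Google infrastructure (Play services, Google Analytics, googleapis), the DNS resolver is 1.1.1.1 and 224.0.0.251:5353 is local mDNS, which is consistent with the files written below: the PersistedInstallation*tmp files are Firebase Installations SDK state and google_app_measurement_local.db is the Google Analytics for Firebase database. Nothing in the three detonations shows a command-and-control contact, so none of these rows should be lifted into a blocklist. The Python below is an added example, not code from the sandbox: it parses rows in this table's format, separates DNS lookups from TCP connections, attaches names to connected IPs where the report gives one, and surfaces the bare-IP connections and any non-platform domain as the candidates worth pivoting on. The embedded rows are a subset copied from the behavioral2 table; the platform-suffix allowlist is the analyst's assumption. The same function applies to the behavioral1 and behavioral3 tables.

```python
from collections import defaultdict

# Subset of rows copied from the report's behavioral2 Network table
# (format: Country Destination [Domain] Proto; Domain is absent on some rows).
REPORT_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.youtube.com udp
NL 142.251.36.10:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.250.179.168:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
DE 172.217.23.206:443 android.apis.google.com tcp
NL 142.250.179.206:443 tcp
US 1.1.1.1:53 www.google.com udp
DE 172.217.23.196:443 www.google.com tcp
US 1.1.1.1:53 g.tenor.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 216.58.214.14:443 android.apis.google.com tcp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
"""

# Analyst's allowlist of platform/SDK background traffic (assumption, not
# something the sandbox provides). Anything outside it is worth a look.
PLATFORM_SUFFIXES = (".google.com", ".googleapis.com", ".google-analytics.com",
                     ".youtube.com", ".tenor.com")


def parse_rows(text):
    """Split report rows into dicts; rows may or may not carry a Domain column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue  # header or blank line
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_platform(domain):
    return domain is not None and domain.endswith(PLATFORM_SUFFIXES)


def triage_network(text):
    rows = parse_rows(text)
    # Names the app resolved (UDP/53 rows carrying a Domain).
    queried = {r["domain"] for r in rows
               if r["proto"] == "udp" and r["port"] == 53 and r["domain"]}
    # TCP destinations and whatever name the report attached to them.
    tcp_names = defaultdict(set)
    for r in rows:
        if r["proto"] != "tcp":
            continue
        names = tcp_names[r["ip"]]      # creates an empty set on first sight
        if r["domain"]:
            names.add(r["domain"])
    unnamed = sorted(ip for ip, names in tcp_names.items() if not names)
    all_names = queried | {d for names in tcp_names.values() for d in names}
    non_platform = sorted(d for d in all_names if not is_platform(d))
    return {
        "dns_queries": sorted(queried),
        "tcp_named": {ip: sorted(n) for ip, n in tcp_names.items() if n},
        "tcp_unnamed": unnamed,
        "non_platform_domains": non_platform,
        "mdns_seen": any(r["ip"] == "224.0.0.251" for r in rows),
        # Pivot list: connections the report cannot explain by name, plus any
        # domain outside the platform allowlist. Not a verdict on its own.
        "pivot_candidates": unnamed + non_platform,
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage_network(REPORT_ROWS))
```

On these rows the pivot list contains only the two 443 connections the report left unnamed (142.250.179.206 and 142.251.36.10); both sit in Google's address space, so the next step is reverse or passive DNS to confirm they are the same Play services endpoints, not a blocklist entry. An empty non_platform_domains list is the expected outcome for SDK-only traffic; a populated one would be the first real C2 lead.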

Files

/data/data/com.lyufo.play/files/PersistedInstallation4021899304945042850tmp

MD5 407f863692aa4e89db654510bcb9b5c2
SHA1 0765de067cf0ded54a19847c57c8962667749881
SHA256 79ab2ccd7ad6d98718f551fa0ae38ce4505609270f6ac46ac742f3eeb8d98d4d
SHA512 c194eedcb66b995723b8d359ca29338848646cc4655c5e7e1f402e89314f5501936348b8a3ded3cbe66c291922cefcab713cb9b6de1e1904adc7ff87cebe29c3

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 76a8bf8f83220d7846098de542324cd5
SHA1 64b9f97c764de5d9dd0d8dd8b118416ea699c6ea
SHA256 21579649954eb306229cc1615ebb1f1fb9b6066198bf1ccb14df0ed0bf1fdebb
SHA512 4c5a419ec9ca5ed234d409f097e5d95926901b614469638403f9a7673d8d3bf4377d78b10fd1d1216cb287f5c94f9c3d89a4cd8e0afc6450a9213fc6e462527b

/data/data/com.lyufo.play/databases/google_app_measurement_local.db

MD5 188c0542bc062e48b614e5ca8c1081af
SHA1 0eb9b89a5c92957cd1fe748cc063b32853339774
SHA256 c1ccc325c2699ed7f556cf171566317f706a911c4d02b1644a2a7908b93da58b
SHA512 62a67f2c56bc3b40d49c80094f160d355a8f67130e1924109426e0481008bc2cd11a9e2675a901abd03cad1e7fe0028031e20d826437edcf35b6f86e2499c2b4

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 095e99c1eaffabadb8d31ab1783fcad1
SHA1 cea10c201dee943f47d815e253bab47298b5cda8
SHA256 d334c92a5ed225b73fc9fb190c29279878605f7b9f999f6560dd52df287d9aff
SHA512 662891187702eb0f0bf18af7177ea524b9162d238231f38d1f6fa88a3dfb1b4cca204c7e4a7b7812688d6878f13b9b3083f5f88cd9532dc45d1f88d3f895c478

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 83500aede409f25fc978d2e8d0c51cf3
SHA1 3f9ea6493ab450e5bf1f86f5a78a850cf149230a
SHA256 81e046a1f36cf0bcbd383e390fc23ad08459d67b753d836238cf550513cc3ad2
SHA512 d99ae9e06acb80a00157714a5d1f15b15ebc29637472b257b44aefdbe4c7f5d0f641b53885947cda3056466f347c71eec41ad631c9a0dd29c09d14980c91e217

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 c6829a4fe36ff5bd5fe66c3df9a4ce0b
SHA1 1421fb53ed49ffae3aadd6038b5c0328accc0b47
SHA256 2e32934136fa0cb469e5d2e16d586860c12de6386540d1c8683339ed9b760af0
SHA512 6dea50ba4b999fb76f06fa3226f0565fd9b26f8752c8e130633d4f107b67018923f330423b733e927c9bbb5b9d2fc5aa7bdb04a73c8fa5dac60bd8a4d27e572e

/data/data/com.lyufo.play/files/PersistedInstallation5286543172415686612tmp

MD5 8295aa9aa2aefc01cd1aec17c3e120e3
SHA1 2c0c92a6161b839313c0612bad618a445995479a
SHA256 173c729ce6415ad03e8975debd6a71d06261e80825fac037668215d817d662a3
SHA512 69aeeb6990a8cd37783305f72d95fb9654d6a470fe09c9d0934fbc09358b3d5918feb31690bdb5932de1f369845869f04f5a1dfaded0698765ff87b85dd3a23c

Analysis: behavioral3

Detonation Overview

Submitted

2023-12-10 02:31

Reported

2023-12-10 02:34

Platform

android-x64-arm64-20231023-en

Max time kernel

1368442s

Max time network

134s

Command Line

com.lyufo.play

Signatures

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Processes

com.lyufo.play

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 142.250.179.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 216.58.214.10:443 tcp
NL 216.58.214.10:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.251.36.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.36.4:443 tcp
NL 142.251.36.4:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.206:443 android.apis.google.com tcp

Files

/data/data/com.lyufo.play/files/PersistedInstallation824770282926908060tmp

MD5 9645fc8431583af48b5395193cc49e5d
SHA1 d59c664f0a9e1a4ceae7756b215d7da5bab43898
SHA256 a50023a9e41a7863d1aa1f76da06589b382f3124b92a1ab7db17390ee2c497ad
SHA512 d45d372978883ca988fb83e316dd339ed62aa54a51979e52540c07c059045e9d206480eff4cf1696df8471542c636382cd7af00ec0aaa4960c866447eaaa182d

/data/data/com.lyufo.play/files/PersistedInstallation3401469043499633825tmp

MD5 9a9f2967a92129adb29533caf8dae625
SHA1 b56cf6d9e495420dca30cc257276dafd302d005b
SHA256 7656d7eafcac869268c90ae03c1c3a274fbebd0793437e6fa9807394c5d84e31
SHA512 e23fbde95359f479848a05c2946b8e437c683732282be3496bd80778af57430abad3a746f4d0ff9daec8f44f2577b6ee09fc69d94082c968246c2f4150e04487

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 c7458381577d2f097053dcc3a0c51b81
SHA1 ba32021e1e2cf9b01bb6eca380e1918f9107dbd5
SHA256 436cb201458e8bad094c3941a706cb40339f8f1fa15075d7d8d89a2678dfcfd9
SHA512 1341a3b624d4026cfc1540f6f61ab67edd31b684190a9cd9ae983896aa08917fdd9e658cd0f45190b4fc2cf7764ecfe4eabbc25c8c382203c62f0064e602ed25

/data/data/com.lyufo.play/databases/google_app_measurement_local.db

MD5 d9cf75fdd1c2292d986f6c3d5d60f2c8
SHA1 07ecb1d3a26d952ae5fecf54f36699ab498510b1
SHA256 2d227e9b7a044c8e10294f6a831fb92d81ea9582381796d87f35bd268e37538a
SHA512 442c96e4b4c79b8d1c64dd3a6d6088ae1dace441e78d830dfb3190ee1c0fafebc606fb432071b4a1ad1a4ba9b68c7877b0bce520ccc88708feaf82bbc474e0cb

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 1149ac8dddab014393a94321d0a00a43
SHA1 4261bfa7fa26e5f59ef013f3d7c9d1f59ad19a11
SHA256 250a05b8df079e9f0042bb66d1a5e7e619dcdb4e43a74b75640f471797e48115
SHA512 f5193e7a865882ffd5be4c62c1e73185fe9ac2c014754100e1a50f350b7b08f34b1111b9226da68bb86c71fe0828ba6abd8f6e89b69b4159bab49f52441b5eac

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 162aee773bb3e78155b2014e4dcacdb6
SHA1 17cd05aaee404891bbae042eb343275996c30c15
SHA256 2188a011437d3029c4d98d6105c47a635e77c8cf1c0a7ae7d5bb9a14d8906928
SHA512 7aaa7d7f97edc8820d36aea47a47ed0f491f14710ffbc555a45ad318ef50e65a2649399a3c892a5f6148fc7af1bf8b23cbcf48f23e295c99a4c00585147250f8

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 602517a37c5de2a3e8a8481632041fa0
SHA1 64201da6411d20871bdf6ee9bef9f8f5c977204f
SHA256 6bb51fade4734f07339104784df980cd3085354af6414864da49bbd065e29521
SHA512 c130bf2669193cc493344dc0505bc4b404f3f5a25c0715bdf82eebbe8bfe39ac9314cbb92c702c6e7cbc7b11385d62302860bc725e33cb4048a8ce9d385b861a

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 3f5421cc78f3735f2dae64e35be4196a
SHA1 8813a3224167361a068e82befdea2403450b6e87
SHA256 fed7ca7ccaca697ec43f954f773f4fb82d92e55fe4312c3164c906c162175b92
SHA512 e898ec4fa802831095c3c909c8b2940963960dfbc69d69b5158c5f3da8da7f80e0cfe983afc3e0f1e98d68d4cf3fe82dd1ff31bdd906c9b36d23583640c451d3

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-10 02:31

Reported

2023-12-10 02:34

Platform

android-x86-arm-20231023-en

Max time kernel

1368440s

Max time network

131s

Command Line

com.lyufo.play

Signatures

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Processes

com.lyufo.play

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 142.250.179.202:443 semanticlocation-pa.googleapis.com tcp
NL 142.250.179.170:443 semanticlocation-pa.googleapis.com tcp
NL 142.251.36.14:443 tcp
NL 142.251.36.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
DE 172.217.23.206:443 android.apis.google.com tcp

Files

/data/data/com.lyufo.play/files/PersistedInstallation4342481186420717161tmp

MD5 8184e32f88f7e2c609e2cd90f7789dc4
SHA1 f27f0a5b88c1909b45723a2406cf3fc98fb44f2e
SHA256 082caf6b8388e088b8af78c02fae39a8aff937424cbf80597867ca03daaddaf6
SHA512 0e89ee876bc55bd65a0fbd1bab1bab80f1853ad00abd800b411e563af6560848767b15b04763f75bf11a7613be72a289202a3eda45d8a0f9c0052a2adaef0a59