Malware Analysis Report

2025-01-19 06:00

Sample ID: 231219-3qjg4shcdq
Target: 6e2f1ac9cd516a3f3d967c2f853279afbca37e44b347b4b6924b7e66e1bb054c
SHA256: 6e2f1ac9cd516a3f3d967c2f853279afbca37e44b347b4b6924b7e66e1bb054c
Tags: irata
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 6e2f1ac9cd516a3f3d967c2f853279afbca37e44b347b4b6924b7e66e1bb054c

Threat Level: Known bad

The file 6e2f1ac9cd516a3f3d967c2f853279afbca37e44b347b4b6924b7e66e1bb054c was found to be: Known bad.

Malicious Activity Summary

irata

Irata family

Irata payload

Loads dropped Dex/Jar

Requests dangerous framework permissions

Acquires the wake lock

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2023-12-19 23:43

Signatures

Irata family

irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-19 23:43
Reported: 2023-12-20 09:42
Platform: android-x86-arm-20231215-en
Max time kernel: 2258128s
Max time network: 136s

Command Line

com.firedl.aidymatic.gp

Signatures

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.firedl.aidymatic.gp/cache/1582435991586.jar | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

com.firedl.aidymatic.gp

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | googleads.g.doubleclick.net | udp
GB | 216.58.212.226:443 | googleads.g.doubleclick.net | tcp
US | 1.1.1.1:53 | aidymatic.co.uk | udp
GB | 188.74.70.101:80 | aidymatic.co.uk | tcp
GB | 188.74.70.101:80 | aidymatic.co.uk | tcp
GB | 188.74.70.101:443 | aidymatic.co.uk | tcp
GB | 188.74.70.101:443 | aidymatic.co.uk | tcp
GB | 216.58.212.226:443 | googleads.g.doubleclick.net | tcp
GB | 216.58.212.226:443 | googleads.g.doubleclick.net | tcp
GB | 216.58.212.226:443 | googleads.g.doubleclick.net | tcp
GB | 172.217.16.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

/data/data/com.firedl.aidymatic.gp/cache/1582435991586.jar

MD5 e8e0527a01aefdb89afd2c508f131da1
SHA1 f1103e6b260c657ceb3d95f1b023af3fda8b133a
SHA256 f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce
SHA512 fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34

/data/user/0/com.firedl.aidymatic.gp/cache/1582435991586.jar

MD5 fde2ee00cbd121cfab5290b078aa3ceb
SHA1 e2b77d5320e155e413d040a8c20020962065b2f8
SHA256 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685
SHA512 a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-19 23:43
Reported: 2023-12-20 08:53
Platform: android-x64-20231215-en
Max time kernel: 2255223s
Max time network: 155s

Command Line

com.firedl.aidymatic.gp

Signatures

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.firedl.aidymatic.gp/cache/1582435991586.jar | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

com.firedl.aidymatic.gp

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | googleads.g.doubleclick.net | udp
GB | 172.217.169.34:443 | googleads.g.doubleclick.net | tcp
GB | 142.250.187.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | aidymatic.co.uk | udp
GB | 188.74.70.101:80 | aidymatic.co.uk | tcp
GB | 188.74.70.101:80 | aidymatic.co.uk | tcp
GB | 188.74.70.101:443 | aidymatic.co.uk | tcp
GB | 188.74.70.101:443 | aidymatic.co.uk | tcp
GB | 172.217.169.34:443 | googleads.g.doubleclick.net | tcp
GB | 172.217.169.34:443 | googleads.g.doubleclick.net | tcp
GB | 172.217.169.34:443 | googleads.g.doubleclick.net | tcp
GB | 216.58.213.4:443 | N/A | tcp
GB | 216.58.213.4:443 | N/A | tcp
FR | 216.58.204.78:443 | N/A | tcp
FR | 216.58.201.98:443 | N/A | tcp

Files

/data/data/com.firedl.aidymatic.gp/cache/1582435991586.jar

MD5 e8e0527a01aefdb89afd2c508f131da1
SHA1 f1103e6b260c657ceb3d95f1b023af3fda8b133a
SHA256 f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce
SHA512 fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34

/data/user/0/com.firedl.aidymatic.gp/cache/1582435991586.jar

MD5 fde2ee00cbd121cfab5290b078aa3ceb
SHA1 e2b77d5320e155e413d040a8c20020962065b2f8
SHA256 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685
SHA512 a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56

Analysis: behavioral3

Detonation Overview

Submitted: 2023-12-19 23:43
Reported: 2023-12-20 08:53
Platform: android-x64-arm64-20231215-en
Max time kernel: 2255223s
Max time network: 148s

Command Line

com.firedl.aidymatic.gp

Signatures

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.firedl.aidymatic.gp/cache/1582435991586.jar | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

com.firedl.aidymatic.gp

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 172.217.169.10:443 | N/A | udp
GB | 142.250.178.14:443 | N/A | udp
GB | 172.217.169.14:443 | N/A | tcp
GB | 172.217.169.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
FR | 216.58.204.74:443 | N/A | tcp
FR | 216.58.204.74:443 | N/A | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | googleads.g.doubleclick.net | udp
GB | 142.250.187.226:443 | googleads.g.doubleclick.net | tcp
GB | 142.250.187.226:443 | googleads.g.doubleclick.net | tcp
US | 1.1.1.1:53 | aidymatic.co.uk | udp
GB | 188.74.70.101:80 | aidymatic.co.uk | tcp
GB | 188.74.70.101:80 | aidymatic.co.uk | tcp
GB | 188.74.70.101:443 | aidymatic.co.uk | tcp
GB | 188.74.70.101:443 | aidymatic.co.uk | tcp
GB | 142.250.187.226:443 | googleads.g.doubleclick.net | tcp
GB | 142.250.187.226:443 | googleads.g.doubleclick.net | tcp
GB | 142.250.180.4:443 | N/A | tcp
GB | 142.250.180.4:443 | N/A | tcp
GB | 142.250.180.4:443 | N/A | tcp

Files

/data/user/0/com.firedl.aidymatic.gp/cache/1582435991586.jar

MD5 e8e0527a01aefdb89afd2c508f131da1
SHA1 f1103e6b260c657ceb3d95f1b023af3fda8b133a
SHA256 f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce
SHA512 fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34

/data/user/0/com.firedl.aidymatic.gp/cache/1582435991586.jar

MD5 fde2ee00cbd121cfab5290b078aa3ceb
SHA1 e2b77d5320e155e413d040a8c20020962065b2f8
SHA256 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685
SHA512 a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56