Malware Analysis Report

2025-01-19 06:25

Sample ID: 231219-3qv6xaccc4
Target: 6e3804cb0f2e6dfbbd98e95bb210a5f5e42c87df69427af466fcab370eeffed3
SHA256: 6e3804cb0f2e6dfbbd98e95bb210a5f5e42c87df69427af466fcab370eeffed3
Tags: irata
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: 6e3804cb0f2e6dfbbd98e95bb210a5f5e42c87df69427af466fcab370eeffed3
Threat Level: Known bad

The file 6e3804cb0f2e6dfbbd98e95bb210a5f5e42c87df69427af466fcab370eeffed3 was found to be: Known bad.

Malicious Activity Summary

irata

Irata family

Irata payload

Acquires the wake lock

Reads information about phone network operator.

Requests dangerous framework permissions

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2023-12-19 23:43

Signatures

Irata family

irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-19 23:43
Reported: 2023-12-20 22:45
Platform: android-x86-arm-20231215-en
Max time kernel: 2305170s
Max time network: 136s

Command Line

ir.robic.daryaei

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

Processes

ir.robic.daryaei

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | 738bf5d3186648a2bd76d8a65582207a.s.adad.ir | udp
US | 1.1.1.1:53 | 738bf5d3186648a2bd76d8a65582207a.s.adad.ir | udp
US | 1.1.1.1:53 | 738bf5d3186648a2bd76d8a65582207a.s.adad.ir | udp
US | 1.1.1.1:53 | 738bf5d3186648a2bd76d8a65582207a.s.adad.ir | udp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
GB | 216.58.212.202:443 | | tcp

Files

/data/data/ir.robic.daryaei/databases/__pushe_base_lib_db-journal

MD5 ed358e5086b1fc7cf86ddbfef9d7e248
SHA1 3e1653d1be6e6ed97c6fde7837b1849ee32e355a
SHA256 37f28bb27795e89af2bc9d5afa96a00a33e6c2d1b68e79aad514374debb607ea
SHA512 537b741e9df5a264d008bfee48af99c8f4da421a0c9bb02133a6b0e5e1d9a637456fef09761848e381fbe7adffbe81b1856e40d6af8ecff4a6564dddf9d33a1e

/data/data/ir.robic.daryaei/databases/__pushe_base_lib_db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/ir.robic.daryaei/databases/__pushe_base_lib_db-wal

MD5 a79a2fee060ccc59313d1c82b087bf19
SHA1 d9bfe6468468153643471b29f742e86c519f19d5
SHA256 722dfc32eeffaf851978102fcc778fbaddeea4ca129b837d128ad6fad0ac7ef8
SHA512 dd2e90a23cf315dcf4ec38d309153b76e7fe59206137fac9e5e089c1f13dd590b6e12f33eff6075ee5bbef8eaebf29e0c0ea2bd75f341f2781a97004be39a309

/data/data/ir.robic.daryaei/files/daryai.db

MD5 06fe7dc230e9deb9a5ccd10511d8bf60
SHA1 4088be49b5310b656115c48a5bcfec759a3f97bd
SHA256 4164f2bdd2ff5b8509b04b24d78ed8e072c06f63dbb8183290ff1a1ee87bb781
SHA512 5d11c5e79dedeb89b2c24d7da697d83dd171de387f158ef293d908c3ec7063ba59137998cc6394c52fc553d289b02906aa9cfa9bc13057b426dabda1fde90f72

/data/data/ir.robic.daryaei/files/daryai.db-journal

MD5 88ce42ce83aa3c4e58aaf92d3c0dbdfa
SHA1 eca6d9ebc091d73d57f7e5fc7b6bf37873f1d32c
SHA256 a6da01c325eccf650c439545cc9ff39335fc9fe3dc598ef1ec720edbe0b2a111
SHA512 78b0b1b4953a4e99dd802c39424e90602ee70907ae182e1742afe7ddc61d84a6cdaf1f2161a5d44f0dcea9d37e5c3d901951be3481b4f0d5b613b610ca7d73e8

/data/data/ir.robic.daryaei/files/daryai.db

MD5 96134b9869fdbfb6491584a296f45ef9
SHA1 3089cc30719070b354614b87160e4b946ccecfe9
SHA256 b812f2f316cb78784b424c8586c244810ef3fe44bbe870fedc8811d611fcde51
SHA512 bb9c4c0af35f2a2c641d21d13d3ba715e16621c90069c75463339620174881631f347aa4ea5cf9a75c1d3d92e9aa3befec50f75f448e4e33e8d4a97d11fc29c6

/data/data/ir.robic.daryaei/databases/evernote_jobs.db-journal

MD5 f42a7b39fbf430773f9f5dbdfe9c07b1
SHA1 c18fee2fc91e72c75978ef15990118c6d48e9f33
SHA256 3fca15ca87dd0a31df65df7e869cf3d2523ea10d3ed32a5bac97b2fa23509763
SHA512 8af0910ec0f1b613656ec8dabb8d29b9f23834cb6441acd04ea1589918341579a53d447a10001e79108e1a3ca62b074e641374f131b619190555ea1a0094d1bf

/data/data/ir.robic.daryaei/databases/evernote_jobs.db-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/ir.robic.daryaei/databases/evernote_jobs.db-wal

MD5 ce63147f33c1272fb83bb6e2c89fd9f7
SHA1 cd58cddd9e75ff3608b7c16e28bf21458c3ef934
SHA256 58994a35950f6f77e25e74f80b53c7cd306f4ab920dcc918a7a65afdd3e037f7
SHA512 32b0899931d8b24ab53bbfef2a31ef7b867906b2cc450117b3d86c84ce1c3f4fbe200005f4d12656e3709c2ff296cb7e6da9f9c530d101395e68ab6bd7b9d467

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-19 23:43
Reported: 2023-12-20 21:26
Platform: android-x64-20231215-en
Max time kernel: 2300410s
Max time network: 164s

Command Line

ir.robic.daryaei

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

Processes

ir.robic.daryaei

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | 738bf5d3186648a2bd76d8a65582207a.s.adad.ir | udp
US | 1.1.1.1:53 | 738bf5d3186648a2bd76d8a65582207a.s.adad.ir | udp
US | 1.1.1.1:53 | 738bf5d3186648a2bd76d8a65582207a.s.adad.ir | udp
US | 1.1.1.1:53 | 738bf5d3186648a2bd76d8a65582207a.s.adad.ir | udp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
FR | 216.58.201.100:443 | | tcp
FR | 216.58.201.100:443 | | tcp
GB | 172.217.169.46:443 | | tcp
GB | 142.250.200.2:443 | | tcp

Files

/data/data/ir.robic.daryaei/databases/__pushe_base_lib_db-journal

MD5 a49a6bb559cc9a2d8a3f24d5a78196bb
SHA1 7f18df679116c43618f200ef57a6ee6e4bf191aa
SHA256 e943e26ffa2cbbf23f9c6e1e1e8574683f8bee281b0e225fdd251fcca6edce28
SHA512 214d308ddd3775766d43234aa9f6144d739f7f7c456ea6d042578519101eff156ca73548c56c1c54845e7ab8262810444c5608ad1a643bed43b611cc662fa185

/data/data/ir.robic.daryaei/databases/__pushe_base_lib_db

MD5 ea628e04765adaf4238a5dcdff4bbd51
SHA1 a801947619ea8c368efe9c006a324dc6339ac60b
SHA256 885e337c2156e4dbf2176a9677ade50418740532d222ccae5ad4aa371b54c6a4
SHA512 c0287b0e7b690a7231a37d1745c49f3d861b22aa65dd769ba6a8b5ab9da55443f749957781ee05a405019c39e1be45d37a971b821bffd62a1d5620bc39119abe

/data/data/ir.robic.daryaei/databases/__pushe_base_lib_db-journal

MD5 19bd918a3128341ab042a205b70d7322
SHA1 b63c70b6e9fb35eb60463aef192ef58cf2f74319
SHA256 81ff0c8403c0427048436a2880e7abb46dfc827a039fc7eab9dd1920ee48b49b
SHA512 732f7cd08e152a9b8ebaadde95dccfac170f0f95e7573a3bfbdfeded43b0a3508d086015e88f989f882e4c8c0eb9d65b130ebc3ef707dfb1caf14278be25dc55

/data/data/ir.robic.daryaei/databases/__pushe_base_lib_db-journal

MD5 0571b6d4541937f4fec7cf368c768bbf
SHA1 dba67a599d9aeecbcc0c3d49d8a82cd2fdbda8f4
SHA256 51d099a9ccd830fa38fc352ffb4d0d6fe4c241fa4b1d44db52a8debc92538a66
SHA512 e83053a6c7919f5fd28759bb18563027808e74fadf730be81b0d89cb022e8cea9e55920be9f504f7dc19d9db270263556fd4609a88afedd35ebb3bab8001bbbb

/data/data/ir.robic.daryaei/files/daryai.db

MD5 06fe7dc230e9deb9a5ccd10511d8bf60
SHA1 4088be49b5310b656115c48a5bcfec759a3f97bd
SHA256 4164f2bdd2ff5b8509b04b24d78ed8e072c06f63dbb8183290ff1a1ee87bb781
SHA512 5d11c5e79dedeb89b2c24d7da697d83dd171de387f158ef293d908c3ec7063ba59137998cc6394c52fc553d289b02906aa9cfa9bc13057b426dabda1fde90f72

/data/data/ir.robic.daryaei/databases/evernote_jobs.db-journal

MD5 613a026f942cb4831338547a1a0ae8c2
SHA1 8cbc46b46fb97b203441d9fe66ba7de6634a6d3b
SHA256 ac43598e81d3b2df43498cd808811e37b75bc832be1c4ebec6bd444a1c7fd574
SHA512 916ad7ada59b83dd6b132e30cba5d957229d8269cb4a03a6adfa41d16c57c175750a75dff168efaad1639f2e2d767e02423d20e68318267b6d6a7395995dc26c

/data/data/ir.robic.daryaei/databases/evernote_jobs.db

MD5 12627a2ec645c4a4bc50dba5903afd59
SHA1 504005c938517e61bcf68b65a055c2faba635c2e
SHA256 f177ffae9650eb4f407c2d9a510bb5a5abe1ece2fdfe24effc62478a1bfa5903
SHA512 7ff69589296e02383a217373399e75d8a82fa17146e4273f4c0eb630f096dd9f394a3324d60858b02f7e5cf177c82c6d966f5cbedb68ae6a98df7cc851b79cfd

/data/data/ir.robic.daryaei/databases/evernote_jobs.db-journal

MD5 5c4844ad8cbebae84cb380682e6d1e8f
SHA1 3556884f55e21afba1faa5b7494edd08d4129fdb
SHA256 4f91d033d4db7960ab1f5ff6cc66011ec7d741fbb25107b033ff6fca9db34fd4
SHA512 689450430298438c14b0db75efa62fdffce2a06cb806ebc558774056d71dc07cca362c3f932d6006bc6ec253169d7a5d7b8f832fc268267d22c5eac8e188dc5b

/data/data/ir.robic.daryaei/databases/evernote_jobs.db-journal

MD5 4ea8b18f7a30c079cd03be28409e5e13
SHA1 fe0a379f1768abc8c335c854503366929c274240
SHA256 a55d2605126d9e8fb480731df73cbd9503f4a0db1bec01772a3b500563705d3f
SHA512 d4089fa056864657473b8f8a0607734b267738d2d7ebddd6e8c078afc4517a60e97835b3e00a94759a6d7df14d0c1c59e48680cbda14ac6ba19ce32fbaf35384

/data/data/ir.robic.daryaei/databases/evernote_jobs.db-journal

MD5 c26c01ebd8248542c4b21b1e85f32393
SHA1 0995b2a0707545718a3054499b38e7ae230685be
SHA256 914e12024ecdff371f9c3de12be816e5e6dab05bdb11b6b7da06b46f1dd31684
SHA512 b91e976af751a09295cf489f98b9567395ed4dcdd60c65088c76b56a0a929e0c6d6df1837ccb8d197284f5f6c4b9183b5ec19d60f457168446436be97b6c6157

/data/data/ir.robic.daryaei/databases/evernote_jobs.db-journal

MD5 b46ab8b580a136d546210744cb7bb886
SHA1 cfdb98c8064c856bbb65ebfd079df1165e3103aa
SHA256 4e01205ed8c01191cd8335180f482fd89ec9fc38e4d1dd971f4bab4577b115b8
SHA512 463efb5f0ba8aa0febcc4e50c94ce0ad6571aab565f27263db01e07b093c8caa038b213768efda15771e627d1b8889d7a1dd01e0e1abd26a3979579dbd1d23ac

/data/data/ir.robic.daryaei/databases/evernote_jobs.db-journal

MD5 e9ee48e1f7ea6c6b834537f09c3a1fa0
SHA1 0929b9527bc8e6c3fa8dfd87f5d269c84f9df12f
SHA256 74b0a4f40cee3dac5c9060dac8ed100e4ca24088373217c51df366f03261a587
SHA512 fd76afd4e450c511029d1db2ee913b0997dd3a975a8848ff406bc9e923d77ab1beea7980ffa2167cad1e8a90783b68cd9b5fe9b69bab1820765d91bfa02f10ed

Analysis: behavioral3

Detonation Overview

Submitted: 2023-12-19 23:43
Reported: 2023-12-20 21:27
Platform: android-x64-arm64-20231215-en
Max time kernel: 2300458s
Max time network: 138s

Command Line

ir.robic.daryaei

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

ir.robic.daryaei

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.234:443 | | udp
GB | 142.250.200.46:443 | | udp
FR | 216.58.201.106:443 | | tcp
FR | 216.58.201.106:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | 738bf5d3186648a2bd76d8a65582207a.s.adad.ir | udp
GB | 142.250.178.14:443 | | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.178.4:443 | | tcp

Files

/data/user/0/ir.robic.daryaei/databases/__pushe_base_lib_db-journal

MD5 c66c4216de7429aff7df277131c6a51d
SHA1 885dd329edf0ae4838b0f846f8a7bb8a5a454503
SHA256 74bc3a1657d1492d3db4b71653850ac4a77ce357be3e7d1f4a4073c15639cf3c
SHA512 c04263042411b8cd40fa6b753a691a93d7495b8864227cb231b84549fdce8bb671fe51eab4728fbcd3325537ba914b0487447e81a2e528df9c882428d9919a92

/data/user/0/ir.robic.daryaei/databases/__pushe_base_lib_db

MD5 2cdf77d5c14dd3f313b60c691579a0b9
SHA1 6a74a7a3170cabead82152871c90749afdd6f310
SHA256 55ba022e5aa9eb87c256026289112e4c0531a41d0d56380fcf845de71ff99ca0
SHA512 eaf21f0acf8b98ac8bf4bce81e66a07d6a501483b141bfb7a2ef476a8dc9927ccd39971f4e0d1f7969576dbf7abb7befb3bec04e40c5a9b28fa7a2f15ae7a98c

/data/user/0/ir.robic.daryaei/databases/__pushe_base_lib_db-journal

MD5 28f7152b01f9a7f841dd653758436acb
SHA1 d3a0e153875b4a5a53d6d9eae7047d2d1ee50ba4
SHA256 06f668dd2c5498dbfa9d3717ed0142fc62296f68408d21a1e5c017066f7cd49e
SHA512 06bc809ed9ee92b07c7523d567e60d22387cf036b7b8c2c0efa4bd32c798e4c31e9798f58b46468c0011426515682501068b6a480cd4f96ebab3632419df7821

/data/user/0/ir.robic.daryaei/databases/__pushe_base_lib_db-journal

MD5 f955dc9b1d09422bff907c81aa72a07a
SHA1 225c8acd02e7a0a3920acc1cabe4738a78c5bc54
SHA256 93f86d29d277f56269ae31875e7e156558ebaf9bdd362793a6baf0964e07c0c4
SHA512 2130d1081407118baa49a59ba83afb1d8589e44a4e15037b38739051f0c9782e2d9e314dbd5a0a1ccbdb977f79a8e2985e8a466319a105636e3225a311414176

/data/user/0/ir.robic.daryaei/files/daryai.db

MD5 06fe7dc230e9deb9a5ccd10511d8bf60
SHA1 4088be49b5310b656115c48a5bcfec759a3f97bd
SHA256 4164f2bdd2ff5b8509b04b24d78ed8e072c06f63dbb8183290ff1a1ee87bb781
SHA512 5d11c5e79dedeb89b2c24d7da697d83dd171de387f158ef293d908c3ec7063ba59137998cc6394c52fc553d289b02906aa9cfa9bc13057b426dabda1fde90f72

/data/user/0/ir.robic.daryaei/databases/evernote_jobs.db-journal

MD5 c520b14f87bb1ca7e436d2e83a452b61
SHA1 92dc643b713ea099ec42d5fbbd9606086ae048f0
SHA256 82d1eb17265fb0947f4ccde149e21b1ea63a40098f93651fa374a769017c452f
SHA512 59032ad47894333df7e94e87fa7cef1a6af294f67efb8acb38b798b85d562af3dfdc4efc102d88de8d96fdb972bc492edc2a3ddd3b211fce3250d58a2f67a904

/data/user/0/ir.robic.daryaei/databases/evernote_jobs.db

MD5 520b324339bc541aa166437776f8f844
SHA1 09bbf459c4102a341897b2d227f3b99fd5fd9f60
SHA256 fa1f4bfd86170104b8ead147da53735afa2182c930878f98740a4c1f0f20ebca
SHA512 4d91fe84a338671b1bcca164790faaffa8d2029478354f26bdf7a693da1f62f89926e0a34637d664f48afe2b1cf9647139065014f8b71db4a923d575bb571ff1

/data/user/0/ir.robic.daryaei/databases/evernote_jobs.db-journal

MD5 1831c08516de509e56ce4a777516c2ef
SHA1 bd1a33b9bb06602ecf35571d9551b670b5d2cac5
SHA256 e966b8654f0bbc3ada9bc489051c6225cd2028b6e48ce0ef1056816c522278cb
SHA512 3717ea4e551ea727da95e64b2d13c18fff7ed66dfe4db10396a60d4d9a4a56ecc3362d03bbd403b486bef6cd5188237e51d57e831698fa8ce457202b01830ff7

/data/user/0/ir.robic.daryaei/databases/evernote_jobs.db-journal

MD5 56f4babcd6e7efc9cc8a08ef7a458501
SHA1 36b0d0709e7b17f24e94748d5454614c13a32d77
SHA256 a1582243ac42df7c36406def528c9a357d77c4e0906fbee0c5a682e67e353ac6
SHA512 5b108204bb8aa631ac87ddcbe8743474119f58f6cf885cc60db77ad8b9d22ee627ed05ae40e127adae6e911dfa368824c996a1be14cdedd1d3ef918c66b5e678

/data/user/0/ir.robic.daryaei/databases/evernote_jobs.db-journal

MD5 62f3b2b21e9b35aa60fca461e40fc3f3
SHA1 323382994b9e3b173e55e935d191fb286a9e09ad
SHA256 c927ee28b36297a8ea150833d20c169a5617948d16d0745fb539fc1730e17f37
SHA512 4aede9c2d8442f9f2261472b37fbf0be40542b26bfff2c435bbc5f7a1d4728a35516521de2920fc8109b55b846bab9f599e3110468f81dd2a19965fb105edb30

/data/user/0/ir.robic.daryaei/databases/evernote_jobs.db-journal

MD5 acd7d5581d4d1b76514e125003d62d5d
SHA1 c695ec418f8aa047ef36a4f4043afc98cf122074
SHA256 ec85d829921c8c3ec29c2f2d44ea496820ac514e9f0d43c47f60fd2d2814bbe2
SHA512 145706bbaba87f4316baed4830448ddf2d3cead74a16ae17573604fc4da502b60e5a3c41f9636e71438cf8a737be50bf8ea895a5096526b00145e4a081b97184

/data/user/0/ir.robic.daryaei/databases/evernote_jobs.db-journal

MD5 77b04d9ec8fa2afa0e2d7b6a7d1ef456
SHA1 98c365dae7c38c0ad4905cdb73c114351bf38710
SHA256 3c1dfaadb36644afb969c8e70e2db24e62e7783113cc31356e8824fcfebda123
SHA512 a50432f6bc09a0aa297a2de3a03722ddd66dfa46fc49bd5f73eace36ddb3640087461b8c9e4632b4742a76f4bacaf55878e2d3d0f2d33320195f0a03263bdd8a