Malware Analysis Report

2025-01-19 06:43

Sample ID 231220-hfjpxagafj
Target 8c51d677df5b35eb6a737cffa020b323d989cb904d8bbf18ef0c2addf3f00eac
SHA256 8c51d677df5b35eb6a737cffa020b323d989cb904d8bbf18ef0c2addf3f00eac
Tags
irata
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8c51d677df5b35eb6a737cffa020b323d989cb904d8bbf18ef0c2addf3f00eac

Threat Level: Known bad

The file 8c51d677df5b35eb6a737cffa020b323d989cb904d8bbf18ef0c2addf3f00eac was found to be: Known bad.

Malicious Activity Summary

irata

Irata family

Loads dropped Dex/Jar

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-20 06:40

Signatures

Irata family

irata

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-20 06:40

Reported

2023-12-23 01:13

Platform

android-x86-arm-20231215-en

Max time kernel

2486793s

Max time network

139s

Command Line

realrat.siqe.holp

Signatures

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/realrat.siqe.holp/cache/natives_sec_blob1424921492337847694.dex N/A N/A
N/A /data/user/0/realrat.siqe.holp/cache/natives_sec_blob1424921492337847694.dex N/A N/A
N/A /data/user/0/realrat.siqe.holp/cache/natives_sec_blob1424921492337847694.dex N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

realrat.siqe.holp

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/realrat.siqe.holp/cache/natives_sec_blob1424921492337847694.dex --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/user/0/realrat.siqe.holp/cache/oat/x86/natives_sec_blob1424921492337847694.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.178.10:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.200.46:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
GB 142.250.178.10:443 semanticlocation-pa.googleapis.com tcp

Files

/data/data/realrat.siqe.holp/files/cloneSettings.json

MD5 d08c86b93470645b80e6371892c307bb
SHA1 62d258e4770ebc8e0ea0774cc4254229b0b57d39
SHA256 6b41f67a335794eb95c9f68363d2f98a81e6934c1e7d2915195ec690971275c2
SHA512 630bafe967883899311b60207322f8252fd22ca311dd4dd2932baa40869bd5e1dd644532c2ebd2711c354de12887acc947cd641bf0b40d5549471dcf0bd621be

/data/data/realrat.siqe.holp/cache/natives_sec_blob1424921492337847694.dex

MD5 ffcba9530d4f171ab67983f5d1950b54
SHA1 e74f816c65dc89dfbd668d27b65b4da0cde26b49
SHA256 ced12259631608d6af65bf72ddb6695d0c945bdc3f539a4e7778377f0ed25e3d
SHA512 c6251e08db812b41a63476755ff34f2f4fec232e910a6a4769b0a77a281e7ad48e7cb86f5d7bd7b67b579d3e5ab770b6145600f8877d72aabe626e2bc944ded6

/data/user/0/realrat.siqe.holp/cache/natives_sec_blob1424921492337847694.dex

MD5 4ecdf266a248c661a60e78b21cac0857
SHA1 5cf08634f40c63bf2b48d51e13935168e465a4cf
SHA256 fc42736ea857ccbcca8f65cfb9fb4d32f643be781724020026a386233b304546
SHA512 b7edb37b3df48ecd7cfffc60b32d5e800e4de5ad321e91e2ac441daa2377ff5f9fc4bc37bd47c0156926556dfea35ef00e4e1ace86fe646cfeeeed957be65c92
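Added example (not code from the sandbox that produced this report) showing the two checks a reviewer would run over the Processes and Files sections above. The first reproduces the logic behind the "Loads dropped Dex/Jar" signature: ART spawns dex2oat when an app loads code that is not part of its installed APK, so a dex2oat command line whose --dex-file= points into the app's own writable storage (/data/user/<n>/<pkg>/ or /data/data/<pkg>/) rather than /data/app/ is the evidence the signature keys on. The second relies on the fact that /data/data/<pkg> is a symlink to /data/user/0/<pkg>, so the two .dex entries under Files are one file on disk captured twice; their differing hashes mean the dropped payload was rewritten during the run, which matters before picking one hash to pivot on. The dex2oat command line is abbreviated from the one in Processes, and the Files text is constructed from the hashes listed above; function and field names are this example's own.

```python
"""Detection logic for 'Loads dropped Dex/Jar' plus a Files-section cross-check.
Added example for this report, not the sandbox's own code."""
import os
import re
import shlex
from typing import Dict, List, NamedTuple, Optional, Set


class DexLoad(NamedTuple):
    package: str                  # owner of the private dir, "" if not app-private
    dex_file: str
    oat_location: Optional[str]
    compiler_filter: Optional[str]
    dropped: bool                 # True when the DEX sits in app-private storage


class FileRecord(NamedTuple):
    path: str
    sha256: str


# Per-app private storage: /data/user/<n>/<pkg> is canonical, /data/data/<pkg>
# is the legacy symlink to /data/user/0/<pkg>.
_APP_PRIVATE_RE = re.compile(r"^/data/(?:data|user/\d+)/([A-Za-z0-9_.]+)/")


def canonical_path(path: str) -> str:
    """Rewrite /data/data/<pkg>/... to /data/user/0/<pkg>/... (symlink target)."""
    return re.sub(r"^/data/data/", "/data/user/0/", path)


def analyse_dex2oat(cmdline: str) -> List[DexLoad]:
    """One DexLoad per --dex-file= argument; [] if this is not dex2oat at all.
    Only the --key=value form is parsed, which is what dex2oat uses."""
    argv = shlex.split(cmdline)
    if not argv or not os.path.basename(argv[0]).startswith("dex2oat"):
        return []
    opts: Dict[str, List[str]] = {}
    for tok in argv[1:]:
        if tok.startswith("--") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            opts.setdefault(key, []).append(value)
    loads = []
    for dex in opts.get("dex-file", []):
        m = _APP_PRIVATE_RE.match(dex)
        loads.append(DexLoad(
            package=m.group(1) if m else "",
            dex_file=dex,
            oat_location=(opts.get("oat-location") or [None])[0],
            compiler_filter=(opts.get("compiler-filter") or [None])[0],
            dropped=m is not None,
        ))
    return loads


def parse_file_records(text: str) -> List[FileRecord]:
    """Parse the report's Files layout: a path line followed by hash lines."""
    records: List[FileRecord] = []
    path = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif line.startswith("SHA256 ") and path:
            records.append(FileRecord(path, line.split()[1].lower()))
    return records


def rewritten_files(records: List[FileRecord]) -> Dict[str, List[str]]:
    """Canonical path -> sorted SHA256 list, for files seen with more than one hash."""
    hashes: Dict[str, Set[str]] = {}
    for rec in records:
        hashes.setdefault(canonical_path(rec.path), set()).add(rec.sha256)
    return {p: sorted(h) for p, h in hashes.items() if len(h) > 1}


# Sample inputs constructed from this report (command line abbreviated).
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 --runtime-arg -Xhidden-api-checks "
    "--boot-image=/system/framework/boot.art --compact-dex-level=none "
    "--dex-file=/data/user/0/realrat.siqe.holp/cache/natives_sec_blob1424921492337847694.dex "
    "--output-vdex-fd=47 --oat-fd=48 "
    "--oat-location=/data/user/0/realrat.siqe.holp/cache/oat/x86/natives_sec_blob1424921492337847694.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)
FILES_SECTION = """\
/data/data/realrat.siqe.holp/files/cloneSettings.json
SHA256 6b41f67a335794eb95c9f68363d2f98a81e6934c1e7d2915195ec690971275c2

/data/data/realrat.siqe.holp/cache/natives_sec_blob1424921492337847694.dex
SHA256 ced12259631608d6af65bf72ddb6695d0c945bdc3f539a4e7778377f0ed25e3d

/data/user/0/realrat.siqe.holp/cache/natives_sec_blob1424921492337847694.dex
SHA256 fc42736ea857ccbcca8f65cfb9fb4d32f643be781724020026a386233b304546
"""

if __name__ == "__main__":
    for load in analyse_dex2oat(DEX2OAT_CMDLINE):
        verdict = "DROPPED DEX LOADED" if load.dropped else "installed code"
        print(f"{verdict}: {load.dex_file} pkg={load.package!r} filter={load.compiler_filter}")
    for path, digests in rewritten_files(parse_file_records(FILES_SECTION)).items():
        print(f"rewritten during run: {path} ({len(digests)} distinct SHA256)")
```

On the report's own data this flags the cache DEX as dropped code loaded by realrat.siqe.holp and reports that the same file carries two different SHA256 values across the /data/data and /data/user/0 views. A DEX under /data/app/ (the installed APK) is left unflagged, and non-dex2oat command lines are ignored.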