Analysis Overview
SHA256
1219e3cea3335b4ea5d0baedcde97d79d1228fda728e2cb00811f091093cc41d
Threat Level: Known bad
The file 1219e3cea3335b4ea5d0baedcde97d79d1228fda728e2cb00811f091093cc41d was found to be: Known bad.
Malicious Activity Summary
Irata payload
Irata family
Requests cell location
Requests dangerous framework permissions
Acquires the wake lock
Reads information about phone network operator
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-12-23 12:29
Signatures
Irata family
Irata payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
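The two permissions above are what the static1 pass flagged because Android assigns them the "dangerous" protection level (runtime-granted since API 23). The following script is an added example, not part of the report or of the sample: it parses a decoded AndroidManifest.xml (after apktool or a similar AXML decoder) and returns the declared permissions that fall in that class. The manifest text, the extra normal-level permissions in it, and the partial DANGEROUS set are constructed for illustration; the only permissions taken from the report are READ_PHONE_STATE and WRITE_EXTERNAL_STORAGE.

```python
"""Flag 'dangerous'-protection-level permissions in a decoded AndroidManifest.xml.

Added example, not part of the sandbox report. The manifest below is constructed
to mirror the two permissions the static1 analysis flagged; the other entries
are illustrative normal-level permissions.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Partial list of permissions Android documents with protectionLevel "dangerous".
# Assumption: extend this set for a full triage; it is not the complete list.
DANGEROUS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.CALL_PHONE",
}

# Constructed sample manifest (decoded XML, not the sample's real manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="ir.mostafakeshvaree_iran2016.polo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name=...> value in document order."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def dangerous_permissions(manifest_xml: str) -> list[str]:
    """Subset of the declared permissions that Android classes as dangerous."""
    return [p for p in declared_permissions(manifest_xml) if p in DANGEROUS]


if __name__ == "__main__":
    for perm in dangerous_permissions(SAMPLE_MANIFEST):
        print("dangerous:", perm)
```

Two caveats when reading the output against this report: WAKE_LOCK is a normal-level permission, so it is declared but never flagged here, even though the behavioral runs below record acquireWakeLock; and a uses-permission entry only says the app asked, not that the user granted it, so the behavioral signatures (getCellLocation, getAllCellInfo) are the stronger evidence that the permission was actually exercised.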
Analysis: behavioral1
Detonation Overview
Reported
0001-01-01 00:00 (null timestamp: no results were recorded for this run)
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-23 12:29
Reported
2023-12-27 13:13
Platform
android-x64-20231215-en
Max time kernel
2875776s
Max time network
149s
Command Line
Signatures
Requests cell location
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A |
| Framework service call | com.android.internal.telephony.ITelephony.getAllCellInfo | N/A | N/A |
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Reads information about phone network operator
Processes
ir.mostafakeshvaree_iran2016.polo
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp |
| GB | 172.217.16.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.212.238:443 | android.apis.google.com | tcp |
| GB | 216.58.212.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | bayan313.ir | udp |
| BE | 64.233.167.188:5228 | | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 216.58.212.228:443 | www.google.com | tcp |
| US | 1.1.1.1:53 | bayan313.ir | udp |
| US | 1.1.1.1:53 | ip.pushe.co | udp |
| US | 162.243.147.245:80 | ip.pushe.co | tcp |
| US | 162.243.147.245:80 | ip.pushe.co | tcp |
| US | 162.243.147.245:80 | ip.pushe.co | tcp |
| US | 1.1.1.1:53 | bayan313.ir | udp |
| US | 1.1.1.1:53 | bayan313.ir | udp |
| FR | 216.58.201.100:443 | | tcp |
| FR | 216.58.201.100:443 | | tcp |
| US | 162.243.147.245:80 | ip.pushe.co | tcp |
| GB | 216.58.212.228:443 | www.google.com | tcp |
| GB | 172.217.169.46:443 | | tcp |
| GB | 142.250.200.2:443 | | tcp |
Files
/data/data/ir.mostafakeshvaree_iran2016.polo/databases/evernote_jobs.db-journal
| MD5 | 3f4c13220f0175c3970a1d7e1431f589 |
| SHA1 | d94d646e74a9ca4b18b0b6628ed1384f0ab7ad76 |
| SHA256 | 60cc33cdccf678629aea2d2c25912d8b8751186dae1b6009e37897ad5ac5356f |
| SHA512 | 959201384117751348dcc5f1e953fbf66b19ba049207fe68add5956269d316b3a86133cd917aba9210309e3ce86e30807c483acfbb1818967011a0677552cef7 |
/data/data/ir.mostafakeshvaree_iran2016.polo/databases/evernote_jobs.db
| MD5 | bbdf0fe87d89fa50cfc98eab6846c622 |
| SHA1 | fbf6ab8758336d2821f85c5093547583c80beefd |
| SHA256 | 60f9279286a520d1665eef1eebf5d14f6aece71bed190acbd71c6b9bd7ec7665 |
| SHA512 | d5462451cc38e6840a4fa507de481048fd8c341769d77cdc337528d6b7b7dd24b55216a82bf30af47aab76c72b8850c555f3f9a905d085786e15d2e2b402c7c8 |
/data/data/ir.mostafakeshvaree_iran2016.polo/databases/evernote_jobs.db
| MD5 | 95c9ef85ed5941838762726c35cc7a10 |
| SHA1 | b4aa773c4bf3c44734cc6ed7aef8e55b994123a2 |
| SHA256 | fbb70139793d51caf2718498daeed82400cc97e8889999ac43598c4a07a97801 |
| SHA512 | 60cac294e19d4c18ba540ff94a143cec8e27c686bd0523f5760b96982001a48965d0bf74c9c65118de11946aafd8794903853abf102a5a9d564b5c3f907ba4ac |
/data/data/ir.mostafakeshvaree_iran2016.polo/databases/evernote_jobs.db
| MD5 | 2e79852259a91bd6a03a57e5748ffa1c |
| SHA1 | c7934e2aefd42c57b78b1c167b7dd453023e5f38 |
| SHA256 | e48bf038b11e434fa81189ba01cb440f97b557a32537a87d75261c90c62d3342 |
| SHA512 | c59d834c9c884e27f8a0aab17bf96c510772339a8a2b827e02203ebf7970bbfd8377013eaece58edae9606baa6a5def0d7a3dd361c81b99315cc6f5de011122c |
/data/data/ir.mostafakeshvaree_iran2016.polo/databases/__pushe_base_lib_db-journal
| MD5 | 6d6b3a21561d9cc9997ecce8e0a2c9a2 |
| SHA1 | b56cf40bab10070be19493874adb9a5602552fb4 |
| SHA256 | aaeb80c3418b885e18f1e2c901da2235d01982585af71436cb24b88238ddea04 |
| SHA512 | 45dc03a26464c85338f250ad4ef20002d37f763ec832dc2007079758fdca37f2f85cf2f6b71a04b218ebab0146f0247b908ae539f5578551c20f6e7c31d5da79 |
/data/data/ir.mostafakeshvaree_iran2016.polo/databases/__pushe_base_lib_db-journal
| MD5 | f14270f814d6004bb5622884013a7f06 |
| SHA1 | 9e19e018c57e16905b3ac43f4c9049ef1c3df21c |
| SHA256 | f3fdbe7eb431a4754530e376313def5c06b31b144867ac4c4f7c8095c7da73d7 |
| SHA512 | a0b5e9e2f782e8b63c57a28bc14159cf9102f664e54cd8f818957b9bb83bb3f1cf21aaabec2749462317007e9b0e7f5e546638a7e1424a1d70bfa13614fa6f49 |
/data/data/ir.mostafakeshvaree_iran2016.polo/databases/__pushe_base_lib_db-journal
| MD5 | 078cc97b7df721315f33d7d11f2ab134 |
| SHA1 | 6a78af7c048546fe75cd57e0a22f90b266e99da8 |
| SHA256 | 056659024b6eb5827a847141ba2293b6b6715752a788ec1566c593d894f434a8 |
| SHA512 | 29ab255e5b80bbc916e1c0d2b1cfb104187982289d8228933bcb75eff56549fbb3c1eda35b2accff0fa3869710eb834ce3c0ebc043cdc2eb54758b20a98f4731 |
Analysis: behavioral3
Detonation Overview
Submitted
2023-12-23 12:29
Reported
2023-12-27 13:14
Platform
android-x64-arm64-20231215-en
Max time kernel
2875689s
Max time network
146s
Command Line
Signatures
Processes
ir.mostafakeshvaree_iran2016.polo
Network
| Country | Destination | Domain | Proto |
| GB | 216.58.213.14:443 | | tcp |
| GB | 216.58.213.14:443 | | tcp |
| GB | 216.58.213.14:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.238:443 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| US | 1.1.1.1:53 | ca.pushe.ir | udp |
| BE | 64.233.184.188:5228 | | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 216.58.212.228:443 | www.google.com | tcp |
| US | 1.1.1.1:53 | ip.pushe.co | udp |
| US | 162.243.147.245:80 | ip.pushe.co | tcp |
| US | 162.243.147.245:80 | ip.pushe.co | tcp |
| US | 162.243.147.245:80 | ip.pushe.co | tcp |
| US | 162.243.147.245:80 | ip.pushe.co | tcp |
| FR | 216.58.201.100:443 | | tcp |
| FR | 216.58.201.100:443 | | tcp |
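The Network tables of behavioral2 and behavioral3 mix three kinds of rows: DNS lookups to the sandbox resolver (1.1.1.1:53), multicast DNS noise (224.0.0.251:5353), and real connections, some with a resolved domain and some bare IP. Read raw, the rows in which the domain cell is empty carry the protocol in the Domain column. The script below is an added example, not part of the report: it parses rows in that raw form, normalises the shifted columns, collapses repeats, and separates domains that were queried but never connected to from those that were. The ROWS string is a subset copied from the two tables above; the PLATFORM_SUFFIXES list (treating google.com and google-analytics.com as Android background traffic) is an assumption to be verified, not a finding of the report.

```python
"""Turn the report's Network tables into a deduplicated IOC summary.

Added example, not part of the sandbox report. ROWS is a subset of the
behavioral2/behavioral3 Network rows in the report's raw form, where a row
with no domain has the protocol shifted into the Domain cell.
"""
from __future__ import annotations

from collections import defaultdict

RESOLVER = "1.1.1.1:53"      # sandbox DNS resolver seen in every run
MDNS = "224.0.0.251:5353"    # link-local multicast DNS, not an IOC
KNOWN_PROTOS = {"tcp", "udp"}
# Assumption: these suffixes are Android/GMS background traffic, not the app's own.
PLATFORM_SUFFIXES = (".google.com", ".google-analytics.com")

ROWS = """\
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp |
| GB | 172.217.16.238:443 | tcp | |
| US | 1.1.1.1:53 | bayan313.ir | udp |
| BE | 64.233.167.188:5228 | tcp | |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 216.58.212.228:443 | www.google.com | tcp |
| US | 1.1.1.1:53 | ip.pushe.co | udp |
| US | 162.243.147.245:80 | ip.pushe.co | tcp |
| US | 162.243.147.245:80 | ip.pushe.co | tcp |
| US | 1.1.1.1:53 | bayan313.ir | udp |
| US | 1.1.1.1:53 | ca.pushe.ir | udp |
| GB | 216.58.213.14:443 | tcp |
"""


def parse_row(line: str) -> dict[str, str]:
    """Split one '| country | dest | domain | proto |' row and fix shifted cells."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    cells += [""] * (4 - len(cells))          # a dropped trailing cell leaves 3 columns
    country, dest, domain, proto = cells[:4]
    if domain in KNOWN_PROTOS and proto == "":  # raw rows: proto sits in the Domain slot
        domain, proto = "", domain
    return {"country": country, "dest": dest, "domain": domain, "proto": proto}


def summarize(rows_text: str) -> dict:
    """Group rows into DNS queries and connections, keyed by domain (or bare IP)."""
    queried: set[str] = set()
    connections: dict[str, set[tuple[str, str]]] = defaultdict(set)
    for line in rows_text.splitlines():
        if not line.startswith("|"):
            continue
        row = parse_row(line)
        if row["dest"] == MDNS:
            continue
        if row["dest"] == RESOLVER:
            queried.add(row["domain"])
        else:
            key = row["domain"] or row["dest"].split(":")[0]
            connections[key].add((row["dest"], row["proto"]))
    return {
        "queried": sorted(queried),
        "connections": {k: sorted(v) for k, v in connections.items()},
        # looked up but never contacted: no A record at detonation time, or a failed lookup
        "queried_not_connected": sorted(d for d in queried if d not in connections),
    }


def app_specific(summary: dict) -> list[str]:
    """Domains left after dropping platform suffixes and bare-IP keys."""
    names = set(summary["queried"]) | set(summary["connections"])
    return sorted(
        n for n in names
        if not n.endswith(PLATFORM_SUFFIXES) and not n.replace(".", "").isdigit()
    )


if __name__ == "__main__":
    s = summarize(ROWS)
    print("app-specific:", app_specific(s))
    print("queried, never connected:", s["queried_not_connected"])
```

On the report's own rows this separates the ip.pushe.co connections (162.243.147.245:80 over plain HTTP) from bayan313.ir and ca.pushe.ir, which are queried in both runs but never followed by a connection; the pushe.co and pushe.ir names belong to the same push SDK whose database files appear in the Files sections. Bare-IP connections (port 443 and 5228 destinations with no preceding lookup in the table) need a separate reverse lookup before they can be attributed, so the script keeps them under their IP rather than guessing.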
Files
/data/user/0/ir.mostafakeshvaree_iran2016.polo/files/unsent_requests
| MD5 | 0d210bfb2a0e1f1b4c082a6a0f79de07 |
| SHA1 | bb8ed9e364db79d1d9f2fcde3f15091893222faa |
| SHA256 | 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d |
| SHA512 | 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1 |
/data/user/0/ir.mostafakeshvaree_iran2016.polo/databases/evernote_jobs.db-journal
| MD5 | cc02cbab914b08887bb6b93575350ee5 |
| SHA1 | 35d23a73ecb73b5fa2696eec4edfc6033f0c9aed |
| SHA256 | 7e56eacb4a1fb7e2240867993eaaff08de2cfca955330ab6e8b53e375b18f04b |
| SHA512 | a4b1e8a01d8c01e06485354693e2d3e22f21ea7ecfb6cf5da934e713c3c085a8a34f0fed2095736626d330511d510dd1de9440abd2301ab919a5f3bcbb30924e |
/data/user/0/ir.mostafakeshvaree_iran2016.polo/databases/evernote_jobs.db
| MD5 | 171aedf968e17a2744d2585715606cb9 |
| SHA1 | bbeddeb3b89fcf809619c35b4a318a80e7d5b029 |
| SHA256 | d2ab452d9360848f46af866b870b5c6fc98230b09c72b89cb1a4b2778586678e |
| SHA512 | 78a0f517ee3d21c153dda6dbfec4187ebaee9d520d7b1b63f358bcb125d08aea53f26943907a56fdeba40161d9fc7e4fd63f9ae3154dd2ad887ba0162738285b |
/data/user/0/ir.mostafakeshvaree_iran2016.polo/databases/evernote_jobs.db-journal
| MD5 | ebc62c8fdbd39b6851ad21bfc9462ea4 |
| SHA1 | e168bd7ea2b2dbdd8e85e2e97c3c09b3aee1c701 |
| SHA256 | 7dc4166711aa0dbdd795616d430efac1395e8feabc4b49ddc8164dd0caa7d952 |
| SHA512 | 0b7ea7cf7a1d8b5cf33c2193d20c945929ee4ed18d7df5473ced5314ec0cd20307bf47b3c3cbeeff32f1eb71089b3615c1b47c8bfa3ec3edeea72d7f2034c29c |
/data/user/0/ir.mostafakeshvaree_iran2016.polo/databases/evernote_jobs.db-journal
| MD5 | 59db75958421c0f1720f25c42f901ebf |
| SHA1 | 9c878045aa547c9f469fc1f26a7fd7ebd067c4ae |
| SHA256 | f1a9a1461f8d2f39c03c1881b742c42045c16dcb721f38996136021fc99fe852 |
| SHA512 | e20c065426aa5edae5e69da5594c34378d25d4cc6e9e80f63eb84571a9fa3ad90444a9531e5c0cba3835ab16009b504fdcbc0800edeb7018b80820deb1ed4dfd |
/data/user/0/ir.mostafakeshvaree_iran2016.polo/databases/evernote_jobs.db-journal
| MD5 | 8f450bd1c13488bf2ed3e6ee91952c17 |
| SHA1 | 2d678d7a78115f77ac2b594651c43f085b540576 |
| SHA256 | 10264c7c494b257ea7597baa0670cee1abb47f7301734886d8d74357acf0ae08 |
| SHA512 | d737d185bed45496e31ece36ea9543eefa2e848153c0b1cc0ec8d58074bf222f1494138dda9b8eb5c765bf83ff2b42de6f73985364a40ba1a35fe938be4f282e |
/data/user/0/ir.mostafakeshvaree_iran2016.polo/databases/evernote_jobs.db
| MD5 | c15808a299116d6f1b477bf5184aaf1a |
| SHA1 | ffc391aa70d07243276233097f06a153775b57f9 |
| SHA256 | 4f944fe273bcfb1892e722a94409a4ddb15f6255931e9306487e559452d046ab |
| SHA512 | 9e3a88686d1ea01d4362efb5d6b02fccfc033c77226bcd417631b7a058162fcf0951d41f0c3bcebb41c9cf13bd63fc09ce2859c6a03552e2439492dc25c505fe |
/data/user/0/ir.mostafakeshvaree_iran2016.polo/databases/__pushe_base_lib_db-journal
| MD5 | 65715cfe457d46c0753ff07c905332f1 |
| SHA1 | 052c5fae96ad13c94c71788d6d88e4ae7d24af3d |
| SHA256 | 2e88d00c8ef1b0e65ea546945a26a768cc2a61baba283fbe31378e44e7f74e46 |
| SHA512 | 051913a3aeaa4f68e21bd972af7608ef3aaec4b59c517e0364cfdaf75ed6104a670605cfa8ac17dd5ce32acb769bf696063feecbe14f68f6df8b80f6386825ed |
/data/user/0/ir.mostafakeshvaree_iran2016.polo/databases/__pushe_base_lib_db
| MD5 | 2cdf77d5c14dd3f313b60c691579a0b9 |
| SHA1 | 6a74a7a3170cabead82152871c90749afdd6f310 |
| SHA256 | 55ba022e5aa9eb87c256026289112e4c0531a41d0d56380fcf845de71ff99ca0 |
| SHA512 | eaf21f0acf8b98ac8bf4bce81e66a07d6a501483b141bfb7a2ef476a8dc9927ccd39971f4e0d1f7969576dbf7abb7befb3bec04e40c5a9b28fa7a2f15ae7a98c |
/data/user/0/ir.mostafakeshvaree_iran2016.polo/databases/__pushe_base_lib_db-journal
| MD5 | fcbfaefd9c6fd175dbfde4d589ffa953 |
| SHA1 | 85c48cbe70d3db05e0a6ef1efff2640286c2e591 |
| SHA256 | 18ceb63d7e213cdc6c78452cdd631886d61bca24f634be7ccf8cceec2b5428d6 |
| SHA512 | f28989e8ca455786b12c223fda73325eb02907615d084e529f23e909530adf9f2c9c0b612c0d5f61aec8c86d77ae95edaf5465caa45aee3e03b25b13a499bd29 |
/data/user/0/ir.mostafakeshvaree_iran2016.polo/databases/__pushe_base_lib_db-journal
| MD5 | 84db7a3fddd1ea6ddb3523dc7881ebc4 |
| SHA1 | 81235bfd2b61bbaedf50e126e60997d90c4bfbcb |
| SHA256 | 0ac0c9e289c42c8c5f214338f56bc5999c58761550029d735797751152c72194 |
| SHA512 | 3ccf1471a5347bf5ed8eb9ce7159779e10ef42630c4146b9dcfc98892b245f95a6e862e86e537259c1cb64c908200ac86e23f818832c15fc6258e2a54d73c2b5 |
/data/user/0/ir.mostafakeshvaree_iran2016.polo/files/4_5942895236148625435.db
| MD5 | 9309dc8d055e8ae624bc0ff215931b43 |
| SHA1 | 4449ab18f11529653fcc2de04f7e7ad8f56fbf2b |
| SHA256 | fd6c1ceef266dcfb11ce3543120964434c0d387e64a0b0321919b1411f57aa58 |
| SHA512 | de75b430740619aba2a62b37617d8662795eef680b632ba8e607c5ee584c2535cb222c797937db49bb45ffbd6124a775a9731a0b7aadde0cb6ff9c05d5876aec |
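The Files sections of behavioral2 and behavioral3 list the same databases under two prefixes, /data/data/<pkg>/ and /data/user/0/<pkg>/; on Android the first is a symlink to the second (the primary user's app-data directory), so these are the same files. The same path also recurs with different hashes within one run, because SQLite database and -journal files are rewritten as the app runs. The script below is an added example, not part of the report: it normalises the two prefixes to one logical path, merges the entries from both runs, and reports which paths are hash-unstable. ENTRIES is a subset of (run, path, SHA256) tuples copied from the tables above.

```python
"""Merge the Files sections of two detonations by logical path.

Added example, not part of the sandbox report. /data/data/<pkg> is a symlink to
/data/user/0/<pkg> on Android, so both prefixes map to one logical path.
ENTRIES is a subset of (run, path, SHA256) copied from the report.
"""
from __future__ import annotations

import re
from collections import defaultdict

PKG = "ir.mostafakeshvaree_iran2016.polo"
USER_DIR_RE = re.compile(r"^/data/(?:data|user/\d+)/([^/]+)/")

ENTRIES = [
    ("behavioral2", f"/data/data/{PKG}/databases/evernote_jobs.db",
     "60f9279286a520d1665eef1eebf5d14f6aece71bed190acbd71c6b9bd7ec7665"),
    ("behavioral2", f"/data/data/{PKG}/databases/evernote_jobs.db",
     "fbb70139793d51caf2718498daeed82400cc97e8889999ac43598c4a07a97801"),
    ("behavioral2", f"/data/data/{PKG}/databases/__pushe_base_lib_db-journal",
     "aaeb80c3418b885e18f1e2c901da2235d01982585af71436cb24b88238ddea04"),
    ("behavioral3", f"/data/user/0/{PKG}/databases/evernote_jobs.db",
     "d2ab452d9360848f46af866b870b5c6fc98230b09c72b89cb1a4b2778586678e"),
    ("behavioral3", f"/data/user/0/{PKG}/databases/__pushe_base_lib_db",
     "55ba022e5aa9eb87c256026289112e4c0531a41d0d56380fcf845de71ff99ca0"),
    ("behavioral3", f"/data/user/0/{PKG}/files/unsent_requests",
     "988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d"),
    ("behavioral3", f"/data/user/0/{PKG}/files/4_5942895236148625435.db",
     "fd6c1ceef266dcfb11ce3543120964434c0d387e64a0b0321919b1411f57aa58"),
]


def logical_path(path: str) -> str:
    """Map /data/data/<pkg>/x and /data/user/<n>/<pkg>/x to '<pkg>/x'."""
    m = USER_DIR_RE.match(path)
    if not m:
        return path
    return m.group(1) + "/" + path[m.end():]


def merge(entries: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Logical path -> sorted list of distinct SHA256 values seen across runs."""
    by_path: dict[str, set[str]] = defaultdict(set)
    for _run, path, sha256 in entries:
        by_path[logical_path(path)].add(sha256)
    return {p: sorted(h) for p, h in by_path.items()}


def unstable_paths(merged: dict[str, list[str]]) -> list[str]:
    """Paths seen with more than one hash: weak file-hash IOCs, strong name IOCs."""
    return sorted(p for p, hashes in merged.items() if len(hashes) > 1)


def runs_sharing_path(entries: list[tuple[str, str, str]]) -> list[str]:
    """Logical paths that appear in more than one detonation."""
    seen: dict[str, set[str]] = defaultdict(set)
    for run, path, _sha in entries:
        seen[logical_path(path)].add(run)
    return sorted(p for p, runs in seen.items() if len(runs) > 1)


if __name__ == "__main__":
    merged = merge(ENTRIES)
    for p, hashes in merged.items():
        print(f"{p}: {len(hashes)} distinct hash(es)")
    print("unstable:", unstable_paths(merged))
    print("shared across runs:", runs_sharing_path(ENTRIES))
```

The practical consequence for detection is that the hashes in these tables are snapshots of mutable SQLite state and will not match on another device, whereas the file names are stable: evernote_jobs.db is the database name used by the android-job scheduling library, and __pushe_base_lib_db is consistent with the Pushe SDK whose domains (ip.pushe.co, ca.pushe.ir) appear in the Network tables. Path-based indicators under the package name ir.mostafakeshvaree_iran2016.polo are the reusable ones here.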