Malware Analysis Report

2025-01-19 06:33

Sample ID 231223-pnzvesbha8
Target 1219e3cea3335b4ea5d0baedcde97d79d1228fda728e2cb00811f091093cc41d
SHA256 1219e3cea3335b4ea5d0baedcde97d79d1228fda728e2cb00811f091093cc41d
Tags irata
Score 10/10

Analysis Overview

Score 10/10

SHA256 1219e3cea3335b4ea5d0baedcde97d79d1228fda728e2cb00811f091093cc41d

Threat Level: Known bad

The file 1219e3cea3335b4ea5d0baedcde97d79d1228fda728e2cb00811f091093cc41d was found to be: Known bad.

Malicious Activity Summary

irata

Irata payload

Irata family

Requests cell location

Requests dangerous framework permissions

Acquires the wake lock

Reads information about phone network operator

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-23 12:29

Signatures

Irata family

irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Reported

0001-01-01 00:00

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-23 12:29

Reported

2023-12-27 13:13

Platform

android-x64-20231215-en

Max time kernel

2875776s

Max time network

149s

Command Line

ir.mostafakeshvaree_iran2016.polo

Signatures

Requests cell location

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A
Framework service call | com.android.internal.telephony.ITelephony.getAllCellInfo | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

Processes

ir.mostafakeshvaree_iran2016.polo

Network

Files

/data/data/ir.mostafakeshvaree_iran2016.polo/databases/evernote_jobs.db-journal

/data/data/ir.mostafakeshvaree_iran2016.polo/databases/evernote_jobs.db

/data/data/ir.mostafakeshvaree_iran2016.polo/databases/evernote_jobs.db

/data/data/ir.mostafakeshvaree_iran2016.polo/databases/evernote_jobs.db

/data/data/ir.mostafakeshvaree_iran2016.polo/databases/__pushe_base_lib_db-journal

/data/data/ir.mostafakeshvaree_iran2016.polo/databases/__pushe_base_lib_db-journal

/data/data/ir.mostafakeshvaree_iran2016.polo/databases/__pushe_base_lib_db-journal

Analysis: behavioral3

Detonation Overview

Submitted

2023-12-23 12:29

Reported

2023-12-27 13:14

Platform

android-x64-arm64-20231215-en

Max time kernel

2875689s

Max time network

146s

Command Line

ir.mostafakeshvaree_iran2016.polo

Signatures

N/A

Processes

ir.mostafakeshvaree_iran2016.polo

Network

Files

/data/user/0/ir.mostafakeshvaree_iran2016.polo/files/unsent_requests

/data/user/0/ir.mostafakeshvaree_iran2016.polo/databases/evernote_jobs.db-journal

/data/user/0/ir.mostafakeshvaree_iran2016.polo/databases/evernote_jobs.db

/data/user/0/ir.mostafakeshvaree_iran2016.polo/databases/evernote_jobs.db-journal

/data/user/0/ir.mostafakeshvaree_iran2016.polo/databases/evernote_jobs.db-journal

/data/user/0/ir.mostafakeshvaree_iran2016.polo/databases/evernote_jobs.db-journal

/data/user/0/ir.mostafakeshvaree_iran2016.polo/databases/evernote_jobs.db

/data/user/0/ir.mostafakeshvaree_iran2016.polo/databases/__pushe_base_lib_db-journal

/data/user/0/ir.mostafakeshvaree_iran2016.polo/databases/__pushe_base_lib_db

/data/user/0/ir.mostafakeshvaree_iran2016.polo/databases/__pushe_base_lib_db-journal

/data/user/0/ir.mostafakeshvaree_iran2016.polo/databases/__pushe_base_lib_db-journal

/data/user/0/ir.mostafakeshvaree_iran2016.polo/files/4_5942895236148625435.db