Malware Analysis Report

2025-01-19 06:34

Sample ID 231223-spzslahef2
Target 3bc8276f098154c3aa83761b0a2ee8f92e3c2c86f2b050a9c5d34aa3912a4081
SHA256 3bc8276f098154c3aa83761b0a2ee8f92e3c2c86f2b050a9c5d34aa3912a4081
Tags: irata
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

3bc8276f098154c3aa83761b0a2ee8f92e3c2c86f2b050a9c5d34aa3912a4081

Threat Level: Known bad

The file 3bc8276f098154c3aa83761b0a2ee8f92e3c2c86f2b050a9c5d34aa3912a4081 was found to be: Known bad.

Malicious Activity Summary

irata

Irata family

Irata payload

Acquires the wake lock

Requests dangerous framework permissions

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-23 15:18

Signatures

Irata family

irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-23 15:18

Reported

2023-12-23 15:28

Platform

android-x86-arm-20231215-en

Max time kernel

2538140s

Max time network

137s

Command Line

ir.dariadar.omlet

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

ir.dariadar.omlet

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp

Files

/data/data/ir.dariadar.omlet/files/majic.db

MD5 685e7fb605a4ef14ac4f96324fa409a6
SHA1 d9fa04fb69f17182de1e743b2067313000dabe06
SHA256 ae0eac72a223de9884f1218df077326dcc40bc41b2c8b8897b3533cdf62fc9b1
SHA512 0f2443966150dd0e0bcb331c0d2021fe1afef22c2cb6fd0282864d499cbb351fb1fddef3c827efb1169c2e6d88346de0fa92a963874a6be33f7472a02a6d43c8

/data/data/ir.dariadar.omlet/files/majic.db-journal

MD5 4b12b652e92064c427e64338a442be10
SHA1 c5dc9cff82dfa6de03d88079421804d1ef5d7954
SHA256 0a4d1d87af59f4cc08152b3a1fbb9515cd6c8d1c6f3f90a2730da8bd419fc058
SHA512 9da6dfa9521b52dd8485b7d3c71cd8edc1ac0d63ad4dca190992a77dd9a7a2e29ffc7dcee2e47426f9eb4688e763b1fa07c595dcb43687782fdab3c332fe3d46

/data/data/ir.dariadar.omlet/files/majic.db

MD5 e3f7cb9a14e6acdab4cee842ea49ba7c
SHA1 f1a168b845e68f73953eb964505d20ed32364721
SHA256 4532b28f4c50a40ab3df2befd32e538bb4753d1723bd51a457bbbfa717a2206d
SHA512 9fd6122cecb6a168d21cf8c3c3012fc3d1e618ef019fe624d45be0083dcee1a48234908dbce81fb88f6e870950d4b55c5192028573f70ea929c8a96bb294c0cd

/data/data/ir.dariadar.omlet/databases/__pushe_base_lib_db-journal

MD5 a4b1755fcfd59f98d66987624028eec8
SHA1 66c61ba00726bb002d3e6e3739911be6dac4d4a6
SHA256 ae8840e8609cf9f54b62ad8a7719ab85df9afe0e3f49d788c67a99b680fa4964
SHA512 ee48e1d2499f6db867e4707d0370d1d711ff3828d23556d84b0881f60db321b6311c26fadcf02be217010a59e490f210f25eb22a0491263ce9aa773c53bd4028

/data/data/ir.dariadar.omlet/databases/__pushe_base_lib_db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/ir.dariadar.omlet/databases/__pushe_base_lib_db-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/ir.dariadar.omlet/databases/__pushe_base_lib_db-wal

MD5 88cbdbc68421390b7261fc11d2fb59a6
SHA1 e8fe796a8ed874184de46b4751f9fcd2447a8995
SHA256 ed04f4b31b9554ac8d8feb64da59e15e6ecf4455998db134270634e5d04ff255
SHA512 15bcc03eae8441cc8228ea6d123fadc7e8f71833d778f1c84607d86e0d278af589cf3c38bf4587a1f95b88f4c29af7becdef33eb98b16d492bfa89f348263902

/data/data/ir.dariadar.omlet/databases/evernote_jobs.db-journal

MD5 a3cf66f78444cbed569a295d2951efcf
SHA1 6c1623a5baf160ff16acaacaa3f40567f43c4de7
SHA256 bd4a9d5099d880009ed72d6ba9387148a97206fb5cf8837191eb02ae6f8c2126
SHA512 dcf718e77926a06ad1f2f8466b06c7060ee985cad35a489233d81b6da387cbddc7a72fe672cc164012fcd68fff6b9704618259af2b8d6c39de239fd302a8d0d5

/data/data/ir.dariadar.omlet/databases/evernote_jobs.db-wal

MD5 671c542b7c7027fc1541043aa8f2ceb8
SHA1 9d337ee66f079bf33cc3f99b51e792f55e6d18ef
SHA256 5c6af83a335f0971f4cb6b1937138f5adbddb9cbc2eeeca85670c4877541b26c
SHA512 b104d376090eb33da7326a0f1f4d40577e758dc1b2b5a34ac8c4c9304c61c98c58c9006367a24f2f84b4584afd5ea714285df660532c737fd8b3e5356795b61f

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-23 15:18

Reported

2023-12-23 15:23

Platform

android-x64-20231215-en

Max time kernel

2537811s

Max time network

156s

Command Line

ir.dariadar.omlet

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

ir.dariadar.omlet

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
GB | 216.58.213.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
FR | 216.58.201.110:443 | android.apis.google.com | tcp
GB | 172.217.169.4:443 | | tcp
GB | 172.217.169.4:443 | | tcp
GB | 172.217.16.238:443 | | tcp
GB | 142.250.200.34:443 | | tcp

Files

/data/data/ir.dariadar.omlet/files/majic.db

MD5 685e7fb605a4ef14ac4f96324fa409a6
SHA1 d9fa04fb69f17182de1e743b2067313000dabe06
SHA256 ae0eac72a223de9884f1218df077326dcc40bc41b2c8b8897b3533cdf62fc9b1
SHA512 0f2443966150dd0e0bcb331c0d2021fe1afef22c2cb6fd0282864d499cbb351fb1fddef3c827efb1169c2e6d88346de0fa92a963874a6be33f7472a02a6d43c8

/data/data/ir.dariadar.omlet/databases/__pushe_base_lib_db-journal

MD5 f3cfdaa7cf161330dc09c50965f33076
SHA1 ca803593e9e5afca907eb1a50aa245f98b702ecf
SHA256 b3b2ab38f2a5b83663ada0a9582b5ec0e1eec945200e7546dcb42e4c565ac39d
SHA512 08e7844af4aee611b246498d018b5a3a24776b954762a8f110e44b7c640778060939e6718359ccad526d51cc949b38529420f134d1299b1b2542c453163359be

/data/data/ir.dariadar.omlet/databases/__pushe_base_lib_db

MD5 abe9fa56c177c65db8c072e6d81fc41c
SHA1 abe9e9bb6f7294324f549af4435f58578ae69f2f
SHA256 53f09b897033e2496e13f3c6e8d14ec1d1f7b273c2b4d47dacc569594fef0f8a
SHA512 bb1b70eb859448050dd71822652d1976456be07c098ab41f2f75fa277cde059aff0c45629564170ee07028b85d501cc941529ab06753e5be2e710692bfa3922a

/data/data/ir.dariadar.omlet/databases/__pushe_base_lib_db-journal

MD5 08e1c3050d55911d081caa68cc5abf38
SHA1 ac46309294fe9acb0aa5660be85bb85ee2c2c51d
SHA256 a1d156836bebb190a0e116fcc2a14ead44596d7af85cef5d1c854ce4dcb6a54f
SHA512 9b48d6383fb79b29d4c2a27a2f29940da8c6a8c6fc75137c9a6e88c1014f0edecf9aac97b22d589994ac4c876555c99af627a5315136690b902087dea6fa7092

/data/data/ir.dariadar.omlet/databases/__pushe_base_lib_db-journal

MD5 f2327b5a62ca5502deacb51987d757e6
SHA1 142fcf965fd8e7b65d1248a0f7987de56187bb36
SHA256 2e67dcd6af12f5629bc69d1a42ba4f7489a112b264df56c38ec25e5b6abb22a0
SHA512 4d3f1335982dccbfedb4d8d968af32c450e987c4877c34145af51477d7c5d4fdf5cf07a320bd3f6879ecf158c22583b890410767d695d84293e0287a030a83e1

/data/data/ir.dariadar.omlet/databases/evernote_jobs.db-journal

MD5 f85f09a90d668107bb73a82db828c835
SHA1 38d1c57716035d6a098dbd004be65af286a00110
SHA256 4bf46b64c6b6f9552d1fbde3a4564fffcd4cfa6b59f7a21cef754db28858c479
SHA512 9a6ba4aa99be4872f3dac8e0892986bab762cc27ced8ec76a18f0f1854720817d330bca3fb7a22db7e46c69285933a72d575dfd045e2fa9f7ec4f8da3e7657f9

/data/data/ir.dariadar.omlet/databases/evernote_jobs.db

MD5 163b0e3f017becbc89b9d7f330b78f09
SHA1 1ef9cd8ac8655190468d0ccece0a4738634ab0f9
SHA256 cf01452c3b494692386f6c5faac340eb3eb894bd416391002d56645aa8a9ea36
SHA512 6a85a30d16fa58a4fbbb05d469778ee69ca79deaa74316ccb5be3ee07fdf78dde22e95db3edb1b88b18478e8747047445f85baaf9556b9a1e55d9a02a80baffd

/data/data/ir.dariadar.omlet/databases/evernote_jobs.db-journal

MD5 3b525e72270f6c74f26c5cc23d7a616c
SHA1 800a5316e103671fb24c0b0f2ba865822a1f6c8b
SHA256 74804c815bad7b86cea8b907a1f8f17686e1ce6e28d2af50050cb011202c8e54
SHA512 1ce286344cf54f27cda8f468a72fb83eb2966f4f946a2c2c3f69fd626a17d67ae2ba47f7c66d112e044d406abb5b02e3e4d508644d4b9b4e6a6526dd93fa1377

/data/data/ir.dariadar.omlet/databases/evernote_jobs.db-journal

MD5 1795e8cfb2323e53a03e55b26424c9db
SHA1 6a3d69b8092eb7dcbde8e1170e5c8badca6fcbd2
SHA256 e08a2d74ba217a5a3a4924c0e66070fbc021ec920e9ca43274c300cddb957757
SHA512 56143a02570d969e8e598466d9dab29391ce5b1203091bfe04daf7c8d02e256c30a777983b09b3618307f3666990387c084bb962d990416c190853c3727ea1a4

/data/data/ir.dariadar.omlet/databases/evernote_jobs.db-journal

MD5 2937888a96d861dfc20da92dd023fd55
SHA1 2b3138f5191c8c24e1b0b0c908a3e4ab6f5dd52a
SHA256 a0f0bc4dd79df0f6b6bf1b6d04a2a311f3043497dae2164062edb4bd3337671e
SHA512 0dd60bb2bdbadc1d5120976e2fba09d210296c1ade6a3ec1f321f346c51104ea2dd050ff6a894df09bf44d950f759c21d67e2a54987efe47c3af5a8fe4da8852

/data/data/ir.dariadar.omlet/databases/evernote_jobs.db-journal

MD5 d23d9236df8d7beb6b8987fcab41df5f
SHA1 0f680225beab9bfd6da3aa2b9e3740db0fe50339
SHA256 a22fefe08ace1eeb8b33cf6247fbf74e2744e388800ab08b6d0b691fcbae26ac
SHA512 4df8e60881e770f2a7ddea936c9c52bb45b83f938b57ef22ed1979a8f52a7f087f93b25958939e7a25b19faf3cfdbb51f1ad92131d94aeec252d753cd19f2896

/data/data/ir.dariadar.omlet/databases/evernote_jobs.db-journal

MD5 3e8c0b86aecda34317a4f9ae2853f35f
SHA1 9828f5b1ee1f5801a1bde72979f097f66de2ac02
SHA256 d1f627ef008719b296bef3faba7bb11f9b76ac6e78a6c251b4137b3b45cfa4d4
SHA512 32200482048b587fd7b69ce644512fadd806f93bdf50070754b81e8a83810b57de430d728391ce37abd91e873dac304409ddf7979af44c444597e3ab42ee755c

Analysis: behavioral3

Detonation Overview

Submitted

2023-12-23 15:18

Reported

2023-12-23 15:24

Platform

android-x64-arm64-20231215-en

Max time kernel

2537842s

Max time network

150s

Command Line

ir.dariadar.omlet

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

ir.dariadar.omlet

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.178.14:443 | | udp
GB | 172.217.169.14:443 | | tcp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp

Files

/data/user/0/ir.dariadar.omlet/files/majic.db

MD5 685e7fb605a4ef14ac4f96324fa409a6
SHA1 d9fa04fb69f17182de1e743b2067313000dabe06
SHA256 ae0eac72a223de9884f1218df077326dcc40bc41b2c8b8897b3533cdf62fc9b1
SHA512 0f2443966150dd0e0bcb331c0d2021fe1afef22c2cb6fd0282864d499cbb351fb1fddef3c827efb1169c2e6d88346de0fa92a963874a6be33f7472a02a6d43c8

/data/user/0/ir.dariadar.omlet/databases/__pushe_base_lib_db-journal

MD5 3c4264ebb3734859d00d268877b08afd
SHA1 65c5a35ba7702f6df08f7bf838804b7914d18b1f
SHA256 6598e6ac269bce81764ac8924b613699a3cb9a64765048403fe0e4f2dc42e353
SHA512 307b6e8a9b6befc5c7b96f66eb27b40332863319a380952228a78e67dfbf8ce322e0634433424b6c1f48f0f7e9dfc1eafc1c371cca2b40c1004f1a06a04e4a01

/data/user/0/ir.dariadar.omlet/databases/__pushe_base_lib_db

MD5 2cdf77d5c14dd3f313b60c691579a0b9
SHA1 6a74a7a3170cabead82152871c90749afdd6f310
SHA256 55ba022e5aa9eb87c256026289112e4c0531a41d0d56380fcf845de71ff99ca0
SHA512 eaf21f0acf8b98ac8bf4bce81e66a07d6a501483b141bfb7a2ef476a8dc9927ccd39971f4e0d1f7969576dbf7abb7befb3bec04e40c5a9b28fa7a2f15ae7a98c

/data/user/0/ir.dariadar.omlet/databases/__pushe_base_lib_db-journal

MD5 7450cca9cbb49308f2098c4276b1e4e8
SHA1 d5d28e505103a4b5575b7fedac1221f563e3ff35
SHA256 73edb2b187bc0cc2248bbd54d0381724b7a814ab85137a7e02ec45789971ff67
SHA512 f2c11442f7060e188cd910e3a47e8e771ff6d0b1b2223d0bd4bea361c20aeb2b781300e03081487a12bbdee744d875f04003555d33c13005f0bb8d51089abba9

/data/user/0/ir.dariadar.omlet/databases/__pushe_base_lib_db-journal

MD5 7fe4953929fff705c9d39c34de987582
SHA1 23c24c93fceb74e16d5375719fc6c17058d2cd7c
SHA256 ea1806fb89955f2a0fae0923bc71428412307f6ef31a11dae31dff0f352ff1e7
SHA512 b004d00816aca7a1d69749eab59660611f22b6c1f7312a3e04839e905db72bc6ef8265b8fc76d0a2344ea85e8d503caa2e047f20a12c657e1bdfd08781cbd211

/data/user/0/ir.dariadar.omlet/databases/evernote_jobs.db-journal

MD5 b0abc3dae8140c6d000cd4985c42ee9b
SHA1 1c9bc1943065306675129e0ada92acb7a6615389
SHA256 a25a4b334d22f56838b817bd005f8cfde45bbf9435f237d5260d6b6bdfcff200
SHA512 b84bdb1c730745aea8d2f3717970cde66d801fc0a95aabe78d51e236a876966e8f53f3a9e3ea231a28678599e1fa1f0946841f82b0b6be73aa7b60c888f5a6b5