Malware Analysis Report

2025-01-19 06:47

Sample ID 231226-l83j9seae8
Target sana.apk
SHA256 7d8e12a1999d9ec09e8560c7fa05b9e41fe6def5a94f166ed2e591a376373a36
Tags: irata
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

7d8e12a1999d9ec09e8560c7fa05b9e41fe6def5a94f166ed2e591a376373a36

Threat Level: Known bad

The file sana.apk was found to be: Known bad.

Malicious Activity Summary

irata

Irata family

Irata payload

Acquires the wake lock

Reads information about phone network operator.

Requests dangerous framework permissions

The Irata family and Irata payload signatures fire in the static analysis, and the requested permission set (RECEIVE_SMS, READ_SMS, SEND_SMS, READ_PHONE_STATE, READ_CONTACTS, WRITE_CONTACTS, POST_NOTIFICATIONS) is consistent with SMS interception and contact harvesting. The two behavioural signatures, wake-lock acquisition and reading the network operator, are low-confidence on their own, since legitimate apps do both. In all three behavioural runs the only destinations were mDNS multicast (224.0.0.251:5353), the 1.1.1.1 resolver and Google API/analytics endpoints, and the files written (PersistedInstallation*tmp, google_app_measurement_local.db and its journal) are artefacts of the Firebase Installations and Firebase Analytics SDKs. No SMS or contact access and no C2 traffic were observed during the short (138 to 153 s of network time) runs, so the detonations do not by themselves confirm the static verdict.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-26 10:13

Signatures

Irata family

irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
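The permission list above is the static signal behind the classification: RECEIVE_SMS, READ_SMS and SEND_SMS together let an app intercept, read and forward incoming one-time codes, and READ_CONTACTS/WRITE_CONTACTS give it the address book. The following Python script is an added example, not part of the sandbox report or the sample: it parses the output of `aapt dump permissions <apk>` (or a decoded text AndroidManifest.xml) and flags the same profile. The sample inputs are constructed to mirror this report's permission list; the capability labels and the sms_stealer_profile heuristic are this editor's assumptions, not Triage signatures.

```python
"""Flag the SMS-interception permission profile from an APK's manifest.

Added example (not from the report). Parses `aapt dump permissions <apk>`
output or a decoded AndroidManifest.xml and reports which dangerous
permissions are present and which capabilities they grant. Sample inputs
are constructed; capability names and the stealer heuristic are assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Runtime ("dangerous") permissions flagged in the static analysis above.
DANGEROUS = {
    "READ_SMS", "RECEIVE_SMS", "SEND_SMS", "READ_PHONE_STATE",
    "READ_CONTACTS", "WRITE_CONTACTS", "POST_NOTIFICATIONS",
}

# Assumed capability labels: granted when every listed permission is requested.
CAPABILITIES = {
    "intercept_incoming_sms": {"RECEIVE_SMS"},
    "read_sms_inbox": {"READ_SMS"},
    "send_sms": {"SEND_SMS"},
    "read_contacts": {"READ_CONTACTS"},
    "modify_contacts": {"WRITE_CONTACTS"},
    "device_fingerprint": {"READ_PHONE_STATE"},
}

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# aapt prints either "uses-permission: name='android.permission.X'" (current
# builds) or "uses-permission: android.permission.X" (older builds).
_AAPT_RE = re.compile(
    r"^uses-permission(?:-sdk-23)?:\s+(?:name=')?android\.permission\.([A-Z0-9_]+)'?\s*$",
    re.MULTILINE,
)


def perms_from_aapt(text: str) -> set[str]:
    """Extract android.permission.* names from `aapt dump permissions` output."""
    return set(_AAPT_RE.findall(text))


def perms_from_manifest(xml_text: str) -> set[str]:
    """Extract android.permission.* names from a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    found = set()
    for el in root.iter():
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get(ANDROID_NS + "name", "")
            if name.startswith("android.permission."):
                found.add(name.rsplit(".", 1)[1])
    return found


def triage(perms: set[str]) -> dict:
    """Return the dangerous permissions, derived capabilities and stealer verdict."""
    caps = sorted(c for c, need in CAPABILITIES.items() if need <= perms)
    # Heuristic (assumption): the app can both receive and read SMS, and can
    # either forward them by SMS or pair them with the address book.
    stealer = {"RECEIVE_SMS", "READ_SMS"} <= perms and bool(
        {"SEND_SMS", "READ_CONTACTS"} & perms
    )
    return {
        "dangerous": sorted(perms & DANGEROUS),
        "capabilities": caps,
        "sms_stealer_profile": stealer,
    }


# Constructed sample: what `aapt dump permissions` would print for an APK
# requesting exactly the permissions listed in the static analysis above.
SAMPLE_AAPT = """package: com.lyufo.play
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.POST_NOTIFICATIONS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.WRITE_CONTACTS'
"""

# Constructed manifest for a benign notification-only app, for contrast.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
</manifest>
"""

if __name__ == "__main__":
    print(triage(perms_from_aapt(SAMPLE_AAPT)))
    print(triage(perms_from_manifest(SAMPLE_MANIFEST)))
```

Run it against a real APK with `aapt dump permissions sana.apk | python3 triage.py` after replacing SAMPLE_AAPT with sys.stdin.read(); the manifest path needs the APK decoded first (for example with apktool), because the manifest inside an APK is binary XML that xml.etree cannot read.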

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-26 10:13

Reported

2023-12-26 10:16

Platform

android-x86-arm-20231215-en

Max time kernel

2778563s

Max time network

138s

Command Line

com.lyufo.play

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

Processes

com.lyufo.play

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.179.234:443 | semanticlocation-pa.googleapis.com | tcp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
FR | 216.58.201.110:443 | android.apis.google.com | tcp
GB | 216.58.212.202:443 | | tcp

Files

/data/data/com.lyufo.play/files/PersistedInstallation5707052680900977807tmp

MD5 a5bdf6cbf038ce9edf248e152ca89a75
SHA1 b9681772861dd451dd99b3ac8c7deb1c7763483d
SHA256 195588b49f4836554fcc9d1018f596e76a3d15ded63549e592753897bd21d44d
SHA512 6c18dc43cffac98a834fd2d739da716a754df10ce4a63c8d136c59ccfc34cdce7212d403707d0e5d2a7b4b77b28d2aecc8c7c28b5a0f8852e3f220407cf86167

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-26 10:13

Reported

2023-12-26 10:16

Platform

android-x64-20231215-en

Max time kernel

2778564s

Max time network

153s

Command Line

com.lyufo.play

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

com.lyufo.play

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.187.206:443 | | tcp
FR | 216.58.201.98:443 | | tcp

Files

/data/data/com.lyufo.play/files/PersistedInstallation5855776234827058771tmp

MD5 724ff4b477ab38d5c1c3ad8a1d548b90
SHA1 a04a7a791fd703da5c0951f3b05d30517520bea7
SHA256 dd1d8c6f1bd18f5115c9bc0cc2dae104e4b09b4593df01751f5c2a755ef5c2d1
SHA512 726dce8ad540966252415c88b4aab63655186dec271cc608c3bdafca41ed9f888d405de40eab3b8f1339581c0f6325653b45ae5c30b005cb01080c5547d34e16

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 3c1b5f81e0167e2617c9b48d5103c340
SHA1 97d7a526a4834751a226d2e6e9749a754196af6b
SHA256 30707ed88bca0303016c5c77882088702e4f3b394bff8792d926473877840e33
SHA512 8dd4abbb9019685281afb80fa7795070fc0571f6dc9f219656e11df45e5090cbaf90dfd04a12e625dfb9285a366b4a4e3ee06beadb09fb53103bf8e60c8b628e

/data/data/com.lyufo.play/databases/google_app_measurement_local.db

MD5 188c0542bc062e48b614e5ca8c1081af
SHA1 0eb9b89a5c92957cd1fe748cc063b32853339774
SHA256 c1ccc325c2699ed7f556cf171566317f706a911c4d02b1644a2a7908b93da58b
SHA512 62a67f2c56bc3b40d49c80094f160d355a8f67130e1924109426e0481008bc2cd11a9e2675a901abd03cad1e7fe0028031e20d826437edcf35b6f86e2499c2b4

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 460ce28f887f69c0128e0a4e4f1983c9
SHA1 66da1ccd84f4c5cc4ac993a0a75c4443f948d5b6
SHA256 9ecc520413072acf8ddf6c9953abfe3b38c1a24e69a9e37206d7d7bd806d1947
SHA512 8699ef760d2113e349b945384297121ae41e9672908b60a74f0cef71cc6645d5b94a6b973d6ca2cacbb52e49f2f6c19afd99b6d904e7e73d08ed6bf9a090b05f

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 f9b145a8db102903e431fee0f01495e6
SHA1 072b677fc74212c7afd518f0e3a90d00bc310959
SHA256 f2fd075df90590cfec17df8b0bc329413573f1009403aa6119848630010ee913
SHA512 9621a315a7c0def5ad734be25636e3dc1ba37778a13be93ef50b506d335db9d737b04af176bf5357f2f2c4546fd59a47bb5e53b1939d928fdc3a80529cedb4c6

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 a3972bf05408816b90c80799ae82bf05
SHA1 d0492580aa4a4ae96cab2b53396afb797d1aa00f
SHA256 1856f05059305a78433b94b167e09f1289e42705c6058070b5c72d36c9532dd4
SHA512 263b68eaeeb41f90f847a305471f3076bddc6c8be879a54ed4ce12c5148fa790aa17b0e7e621c2f109c9261e74182963c31bb349348b5073095fdcd39282cd00

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 4dc20b37d2e1d279ded2ed96ab10f953
SHA1 9d446573c1b9be32480ffc801f74951f1a2166b6
SHA256 2417368a7c117063c14d8c222769ffbfc8c4e45ab8e38e3f02b93561f0e5f646
SHA512 a4ac182342733a460ec2aa7b07ee67f1fb0ac2b2e82eda90bec63af6832df1cf2bdf7767d0ae34081544cdeb592b6d353125b109b48f419553b3565cf9e394b7

Analysis: behavioral3

Detonation Overview

Submitted

2023-12-26 10:13

Reported

2023-12-26 10:16

Platform

android-x64-arm64-20231215-en

Max time kernel

2778584s

Max time network

140s

Command Line

com.lyufo.play

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

com.lyufo.play

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.234:443 | | udp
GB | 142.250.200.46:443 | | udp
GB | 142.250.178.14:443 | | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.178.4:443 | | tcp

Files

/data/data/com.lyufo.play/files/PersistedInstallation578930424358008433tmp

MD5 55b812d2520a5e669f4f64ad18609084
SHA1 1108c277846467af5d8ff34b9914a27548131ed0
SHA256 bdfb5452188a2dcd50ef1a5b462ac5ad68fc21ccd907c5441e7bebe493501765
SHA512 f733262c984d4e2775653487fd94b8079752f84a3a75c0e9ee92558458a93e18cd874f9e1249d81e18ec85230e82eee90fdfeef17c98ff75a742d0b8eae6f543

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 db06b837fbd21068323608faaa56f6c4
SHA1 e58dff49f98c918e2308e110c30c6658dca902f7
SHA256 183379e9988e3a3d70e211ae1b3db0bf6e98c8b2a0943324cfdbef54bb85d486
SHA512 210e49906d3cfb1dd6047f81288df07a27f257f2bc3470e793421cf37b2aaa8f2afd9a22bd58c9e8a02241b0fa5579488804353c5a89de8fe2617fd234e0af6b

/data/data/com.lyufo.play/databases/google_app_measurement_local.db

MD5 d9cf75fdd1c2292d986f6c3d5d60f2c8
SHA1 07ecb1d3a26d952ae5fecf54f36699ab498510b1
SHA256 2d227e9b7a044c8e10294f6a831fb92d81ea9582381796d87f35bd268e37538a
SHA512 442c96e4b4c79b8d1c64dd3a6d6088ae1dace441e78d830dfb3190ee1c0fafebc606fb432071b4a1ad1a4ba9b68c7877b0bce520ccc88708feaf82bbc474e0cb

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 07c0767ce174df4d836ca53ca0fa5b78
SHA1 aef1d4f0e323c422a718da5b7be708aa6d31b5fb
SHA256 6a1ef93d98cf868c96cd064ba8d8ae764586d38c3b87e5366f19d8d90670fa20
SHA512 8dc807ae68be107aba7861823c8b78ff249a481343a0842cde1ecccb59d6cfdba6c58fcb3e8b0a17123b5ddb19300f5909867258a4e9d92b03ff851aca7318cd

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 022e610e6a9c1ba191d976c5255f3063
SHA1 7a8330d82147bb5e5068289437de5a01c1b69221
SHA256 6d90563116f7ec69602f9f6ea3a8bb8fe0a188bf9bb7fd0a3d6a619c07f73125
SHA512 0646a284cb814959e563065caa2a4b93a6d79707a118a33f3c9de0cc103ea9d547c9ceae3c6209a5eb7eb49ceefdc49be9ab683c3605674d5822ce553b4b06e0

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 7e5add32bab57ef44f776d06efb33728
SHA1 b34d79c21c1d5260f1feb55a509b3e6d1f505111
SHA256 4c661c38489a013c2cf7786c979a0bbd3925ed11281ee10c6441b4d245ec4459
SHA512 b15d42bb9c786f362a8d84f6931b383df4df46fa116875f19b3cbece7f41033dcbb93cefdd784189b11fef782b217bd2d43a033bbc9f573bd958da3460159959

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 a0b4a425ca4ec788f54165452cb9d805
SHA1 f5b4232e3ce8311185250d60be6a388690d53e06
SHA256 2bda52712dc57c73d846f643272aa803a11b81b62b376e517c3414eefbfa7d9b
SHA512 bc1a010e1872b5bf13e4215c3a6a0cef9057e0d748381dae89d5093525db358c42a56be0b60e67ff67946c831068c5a7356844e18c323830a90bbcd4e7d4f958