Analysis Overview
SHA256
7d8e12a1999d9ec09e8560c7fa05b9e41fe6def5a94f166ed2e591a376373a36
Threat Level: Known bad
The file sana.apk was found to be: Known bad.
Malicious Activity Summary
Irata family
Irata payload
Acquires the wake lock
Reads information about phone network operator.
Requests dangerous framework permissions
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-12-26 10:13
Signatures
Irata family
Irata payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-26 10:13
Reported
2023-12-26 10:16
Platform
android-x86-arm-20231215-en
Max time kernel
2778563s
Max time network
138s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Reads information about phone network operator.
Processes
com.lyufo.play
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 142.250.179.234:443 | semanticlocation-pa.googleapis.com | tcp |
| GB | 172.217.16.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| FR | 216.58.201.110:443 | android.apis.google.com | tcp |
| GB | 216.58.212.202:443 | | tcp |
Files
/data/data/com.lyufo.play/files/PersistedInstallation5707052680900977807tmp
| Hash | Value |
| --- | --- |
| MD5 | a5bdf6cbf038ce9edf248e152ca89a75 |
| SHA1 | b9681772861dd451dd99b3ac8c7deb1c7763483d |
| SHA256 | 195588b49f4836554fcc9d1018f596e76a3d15ded63549e592753897bd21d44d |
| SHA512 | 6c18dc43cffac98a834fd2d739da716a754df10ce4a63c8d136c59ccfc34cdce7212d403707d0e5d2a7b4b77b28d2aecc8c7c28b5a0f8852e3f220407cf86167 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-26 10:13
Reported
2023-12-26 10:16
Platform
android-x64-20231215-en
Max time kernel
2778564s
Max time network
153s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Processes
com.lyufo.play
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp |
| GB | 172.217.16.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| GB | 142.250.178.4:443 | | tcp |
| GB | 142.250.178.4:443 | | tcp |
| GB | 142.250.187.206:443 | | tcp |
| FR | 216.58.201.98:443 | | tcp |
Files
/data/data/com.lyufo.play/files/PersistedInstallation5855776234827058771tmp
| Hash | Value |
| --- | --- |
| MD5 | 724ff4b477ab38d5c1c3ad8a1d548b90 |
| SHA1 | a04a7a791fd703da5c0951f3b05d30517520bea7 |
| SHA256 | dd1d8c6f1bd18f5115c9bc0cc2dae104e4b09b4593df01751f5c2a755ef5c2d1 |
| SHA512 | 726dce8ad540966252415c88b4aab63655186dec271cc608c3bdafca41ed9f888d405de40eab3b8f1339581c0f6325653b45ae5c30b005cb01080c5547d34e16 |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| Hash | Value |
| --- | --- |
| MD5 | 3c1b5f81e0167e2617c9b48d5103c340 |
| SHA1 | 97d7a526a4834751a226d2e6e9749a754196af6b |
| SHA256 | 30707ed88bca0303016c5c77882088702e4f3b394bff8792d926473877840e33 |
| SHA512 | 8dd4abbb9019685281afb80fa7795070fc0571f6dc9f219656e11df45e5090cbaf90dfd04a12e625dfb9285a366b4a4e3ee06beadb09fb53103bf8e60c8b628e |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db
| Hash | Value |
| --- | --- |
| MD5 | 188c0542bc062e48b614e5ca8c1081af |
| SHA1 | 0eb9b89a5c92957cd1fe748cc063b32853339774 |
| SHA256 | c1ccc325c2699ed7f556cf171566317f706a911c4d02b1644a2a7908b93da58b |
| SHA512 | 62a67f2c56bc3b40d49c80094f160d355a8f67130e1924109426e0481008bc2cd11a9e2675a901abd03cad1e7fe0028031e20d826437edcf35b6f86e2499c2b4 |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| Hash | Value |
| --- | --- |
| MD5 | 460ce28f887f69c0128e0a4e4f1983c9 |
| SHA1 | 66da1ccd84f4c5cc4ac993a0a75c4443f948d5b6 |
| SHA256 | 9ecc520413072acf8ddf6c9953abfe3b38c1a24e69a9e37206d7d7bd806d1947 |
| SHA512 | 8699ef760d2113e349b945384297121ae41e9672908b60a74f0cef71cc6645d5b94a6b973d6ca2cacbb52e49f2f6c19afd99b6d904e7e73d08ed6bf9a090b05f |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| Hash | Value |
| --- | --- |
| MD5 | f9b145a8db102903e431fee0f01495e6 |
| SHA1 | 072b677fc74212c7afd518f0e3a90d00bc310959 |
| SHA256 | f2fd075df90590cfec17df8b0bc329413573f1009403aa6119848630010ee913 |
| SHA512 | 9621a315a7c0def5ad734be25636e3dc1ba37778a13be93ef50b506d335db9d737b04af176bf5357f2f2c4546fd59a47bb5e53b1939d928fdc3a80529cedb4c6 |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| Hash | Value |
| --- | --- |
| MD5 | a3972bf05408816b90c80799ae82bf05 |
| SHA1 | d0492580aa4a4ae96cab2b53396afb797d1aa00f |
| SHA256 | 1856f05059305a78433b94b167e09f1289e42705c6058070b5c72d36c9532dd4 |
| SHA512 | 263b68eaeeb41f90f847a305471f3076bddc6c8be879a54ed4ce12c5148fa790aa17b0e7e621c2f109c9261e74182963c31bb349348b5073095fdcd39282cd00 |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| Hash | Value |
| --- | --- |
| MD5 | 4dc20b37d2e1d279ded2ed96ab10f953 |
| SHA1 | 9d446573c1b9be32480ffc801f74951f1a2166b6 |
| SHA256 | 2417368a7c117063c14d8c222769ffbfc8c4e45ab8e38e3f02b93561f0e5f646 |
| SHA512 | a4ac182342733a460ec2aa7b07ee67f1fb0ac2b2e82eda90bec63af6832df1cf2bdf7767d0ae34081544cdeb592b6d353125b109b48f419553b3565cf9e394b7 |
Analysis: behavioral3
Detonation Overview
Submitted
2023-12-26 10:13
Reported
2023-12-26 10:16
Platform
android-x64-arm64-20231215-en
Max time kernel
2778584s
Max time network
140s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Processes
com.lyufo.play
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.234:443 | | udp |
| GB | 142.250.200.46:443 | | udp |
| GB | 142.250.178.14:443 | | tcp |
| GB | 142.250.178.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.180.14:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.169.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.178.4:443 | | tcp |
| GB | 142.250.178.4:443 | | tcp |
| GB | 142.250.178.4:443 | | tcp |
| GB | 142.250.178.4:443 | | tcp |
Files
/data/data/com.lyufo.play/files/PersistedInstallation578930424358008433tmp
| Hash | Value |
| --- | --- |
| MD5 | 55b812d2520a5e669f4f64ad18609084 |
| SHA1 | 1108c277846467af5d8ff34b9914a27548131ed0 |
| SHA256 | bdfb5452188a2dcd50ef1a5b462ac5ad68fc21ccd907c5441e7bebe493501765 |
| SHA512 | f733262c984d4e2775653487fd94b8079752f84a3a75c0e9ee92558458a93e18cd874f9e1249d81e18ec85230e82eee90fdfeef17c98ff75a742d0b8eae6f543 |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| Hash | Value |
| --- | --- |
| MD5 | db06b837fbd21068323608faaa56f6c4 |
| SHA1 | e58dff49f98c918e2308e110c30c6658dca902f7 |
| SHA256 | 183379e9988e3a3d70e211ae1b3db0bf6e98c8b2a0943324cfdbef54bb85d486 |
| SHA512 | 210e49906d3cfb1dd6047f81288df07a27f257f2bc3470e793421cf37b2aaa8f2afd9a22bd58c9e8a02241b0fa5579488804353c5a89de8fe2617fd234e0af6b |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db
| Hash | Value |
| --- | --- |
| MD5 | d9cf75fdd1c2292d986f6c3d5d60f2c8 |
| SHA1 | 07ecb1d3a26d952ae5fecf54f36699ab498510b1 |
| SHA256 | 2d227e9b7a044c8e10294f6a831fb92d81ea9582381796d87f35bd268e37538a |
| SHA512 | 442c96e4b4c79b8d1c64dd3a6d6088ae1dace441e78d830dfb3190ee1c0fafebc606fb432071b4a1ad1a4ba9b68c7877b0bce520ccc88708feaf82bbc474e0cb |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| Hash | Value |
| --- | --- |
| MD5 | 07c0767ce174df4d836ca53ca0fa5b78 |
| SHA1 | aef1d4f0e323c422a718da5b7be708aa6d31b5fb |
| SHA256 | 6a1ef93d98cf868c96cd064ba8d8ae764586d38c3b87e5366f19d8d90670fa20 |
| SHA512 | 8dc807ae68be107aba7861823c8b78ff249a481343a0842cde1ecccb59d6cfdba6c58fcb3e8b0a17123b5ddb19300f5909867258a4e9d92b03ff851aca7318cd |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| Hash | Value |
| --- | --- |
| MD5 | 022e610e6a9c1ba191d976c5255f3063 |
| SHA1 | 7a8330d82147bb5e5068289437de5a01c1b69221 |
| SHA256 | 6d90563116f7ec69602f9f6ea3a8bb8fe0a188bf9bb7fd0a3d6a619c07f73125 |
| SHA512 | 0646a284cb814959e563065caa2a4b93a6d79707a118a33f3c9de0cc103ea9d547c9ceae3c6209a5eb7eb49ceefdc49be9ab683c3605674d5822ce553b4b06e0 |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| Hash | Value |
| --- | --- |
| MD5 | 7e5add32bab57ef44f776d06efb33728 |
| SHA1 | b34d79c21c1d5260f1feb55a509b3e6d1f505111 |
| SHA256 | 4c661c38489a013c2cf7786c979a0bbd3925ed11281ee10c6441b4d245ec4459 |
| SHA512 | b15d42bb9c786f362a8d84f6931b383df4df46fa116875f19b3cbece7f41033dcbb93cefdd784189b11fef782b217bd2d43a033bbc9f573bd958da3460159959 |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| Hash | Value |
| --- | --- |
| MD5 | a0b4a425ca4ec788f54165452cb9d805 |
| SHA1 | f5b4232e3ce8311185250d60be6a388690d53e06 |
| SHA256 | 2bda52712dc57c73d846f643272aa803a11b81b62b376e517c3414eefbfa7d9b |
| SHA512 | bc1a010e1872b5bf13e4215c3a6a0cef9057e0d748381dae89d5093525db358c42a56be0b60e67ff67946c831068c5a7356844e18c323830a90bbcd4e7d4f958 |