Malware Analysis Report

2025-01-19 06:35

Sample ID 231226-mh8h9sehej
Target latest.apk
SHA256 9e80107dd792216e7c4a2a5ffe0a2b866c912b09a765c316c11ad4a63a297307
Tags
irata
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9e80107dd792216e7c4a2a5ffe0a2b866c912b09a765c316c11ad4a63a297307

Threat Level: Known bad

The file latest.apk was found to be: Known bad.

Malicious Activity Summary

irata

Irata family

Acquires the wake lock

Reads information about phone network operator.

Declares services with permission to bind to the system

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-26 10:29

Signatures

Irata family

irata

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-26 10:29

Reported

2023-12-26 10:32

Platform

android-x86-arm-20231215-en

Max time kernel

2779578s

Max time network

130s

Command Line

com.drnull.v3

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.drnull.v3

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.234:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | api.cloudflare.com | udp
US | 104.19.192.177:443 | api.cloudflare.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp

Files

/data/data/com.drnull.v3/databases/com.google.android.datatransport.events-journal

MD5 74618e8028ec365959bf52cac13fe609
SHA1 656235451ed53314931f57e3825f6f6a9264f1f6
SHA256 67a69ee54ae87a85578a188ad129345190e577b6c7312959d66f0f3cb9b69c15
SHA512 47c1a2157ca39a7fd3b0e4d801e5dd46665739fce014c2b2f6dd17c66cf6439d683e30d815056e8aa98d46b06a34477dc2b20a7d8258792e1885756e36c63845

/data/data/com.drnull.v3/databases/com.google.android.datatransport.events

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.drnull.v3/databases/com.google.android.datatransport.events-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.drnull.v3/databases/com.google.android.datatransport.events-wal

MD5 a12573f98f2d3d4929a6177b6347c2be
SHA1 cd27e295533996a8d6f0930c65c76d363e1886d2
SHA256 a9784e5b28f757ddda1f0a8787050f8c4c97272e8b6d8801520592f30656fe6f
SHA512 c8e5b6cba5d5c5eee46677cfb815f8af9298d8dcf43308e9b249a6d7c389414ba47aab4f256a505b861fbe5fbe5d7c2aa7fa3b80d9019b442f6e349de69ea744

/data/data/com.drnull.v3/files/PersistedInstallation1739424059369514100tmp

MD5 7653845f51c05b94ecc6899981430e74
SHA1 7b4dcf308fc36b07e6dc258583148cf9f5ede9a6
SHA256 292dc2442f263cc22ae9495a9de4186a9e16ae0cb5f59af25cc2cdaf8f9934bb
SHA512 f3fb89cdba4c213521945ee915f50fd3b772d8b6693bc6f2a7fb8eabb41948fb8ab86cb890ab45ba065c12aae425c5d5cea61a9d661882d753c42fcbcd65e6a8

/data/data/com.drnull.v3/databases/google_app_measurement_local.db-journal

MD5 9b90f505173e56029e6a737d34dff7af
SHA1 22a5b93839f93a26b3c70719a99f1c19fcd5eece
SHA256 44a3d97dbb180882590e6ae1e53dd53b6e1e083cd00a86752c8979366cd9fa99
SHA512 df48d37382fa49d26b652e6fe4296ed5dd0770e8bcba94dc82e63fe5c6d2f8753a3624a30ff541667d42145927a7c1a7232a2fcc929762ceef9a49c7db102d59

/data/data/com.drnull.v3/databases/google_app_measurement_local.db

MD5 7237409e0640cfab7bdbd429bf821a3b
SHA1 4c3da934842f8d4835dfe2a9c275a300e5123309
SHA256 5c8e1b63d187efafe1e09bfadd83fd360176d689b57b5a0cc40e6854c12449fa
SHA512 c8afaf6a8ee43ce3601feff417bfaec563c01bcff0aae24577054034112b2020967f25b0b1a919c3c9e5e81d62a21a87e908b782c4d5cb8bba8ac259108e9c1f

/data/data/com.drnull.v3/databases/google_app_measurement_local.db-wal

MD5 1b0fa31140a9429a87ef296ddc232cd7
SHA1 853bc8b5c923bae8216047ebdf44199124e45a9d
SHA256 5714b0dda51096738dd33d4d534fced80e33e514123ea694744b5dff66c3a4ec
SHA512 df9c62d6b12276bf729c6d7d35d4a7b155d67bf6dd60571e3c47c3cba192c8a28647dbccec86aa65d003d7cf8eb02849d2005db73ddc754ccedebd735e8b22bd

/data/data/com.drnull.v3/databases/google_app_measurement_local.db-wal

MD5 09713de3f616b6396b5a82689656891d
SHA1 8bc24203fffe820932f31492cf73d3111e9531f5
SHA256 2a9c5027737d2d92687d9e17408f3d3dff5d52c998d0d7f9055c6aae8ff39b8b
SHA512 f5b7d5f41c2c1830039825feb710deb3aa63617831ebecdee934db8bf615ab503a0541be89b7b1b7152d4399b6fe4a46070d3107ce77ff83acfa28ad05ffc6e1

/data/data/com.drnull.v3/databases/google_app_measurement_local.db

MD5 5f6d81d4b5601a69af9b0c5e8c7e4402
SHA1 11e5760729dfced28b18b9439e29ec3039528278
SHA256 d0d616a3a51a8e24c5338517247b3d83d95442c904cee6706c29018f26dfd7e5
SHA512 900168113fe9f83034306c148a3b931dbdd4c628f8ebd31e4c7b12484713c8f1a17ce623865fd0422cb75899a43557b105d7f810922f2d09a71c3f3ee53b413d

/data/data/com.drnull.v3/databases/google_app_measurement_local.db-wal

MD5 acfb9334cc91927b1db79bf6cd411744
SHA1 e935a909607830acf1bb9fb07ce573f0df6cea06
SHA256 3368ec8f1a79e0750c8ca40b12f66d71ef3fc33a58499fdcb50f2eb7c18076ac
SHA512 339e3f3b1b7da68e609addbfdf545b96b9df379b4a5ae8c1634605b4efa0b00caee1164380c7d40134ab1e8200debb3f3f358c7671aa369d277ca3a7c4ea9bc5

/data/data/com.drnull.v3/files/PersistedInstallation2522995275291547558tmp

MD5 c50050b87c2a24f9cb4c3e5ba6143381
SHA1 55e4aee5816fae4cf00f0f9a6485cb8584c7b2be
SHA256 34bab7bc4c3f660382ef0269cef5cfab5ae243de1ec2c08a5eeee5cb5046aa86
SHA512 35e4e8d654d230ece8c9f55c0d6c89c3af0398379a6dca777b344034d7a890f26a6706897a4e218918e8ad5888d0148aae1a0db98e606c761a7d965126cc1445

/data/data/com.drnull.v3/databases/google_app_measurement_local.db

MD5 3e07078351f220fb6ecafc7bea6e7025
SHA1 00d5e7c955ae2de1244a4123f71ed2ca3804c2bf
SHA256 9ad4ecf6f548b5dac980996ee9b7f3787b0c32fc8d9ff90bd4260f8ec99d1778
SHA512 a109896fb26284a7612f48035aa7650e69cd2e98b58a880edab4247c27e7da34f96eed5b6c6fe947c9b404f8634d8748c0d37ec562fa80a080fc05bed097174e

/data/data/com.drnull.v3/files/addr

MD5 4a23dc7653346166f07a3c619b97fbf7
SHA1 e1e95b118364bd61ca95dee1db654aa5bda39408
SHA256 9d54cf33ac7b0c08ccc0139b4822f576ac8cc57f9905b1438a2fc29df331bde2
SHA512 4821c97858a849472b1f68453faa6b08e45ee18af23de8a78f00e66c4db180a1f77cfa7dca50745cc6da76fff8ee1640c4d3fd50ddda2be2ae71a7c311f891d4

/data/data/com.drnull.v3/databases/google_app_measurement_local.db-wal

MD5 96c7ba901bebea782325d0ddbfbf3789
SHA1 59aec66896818a4ee569cfd7472981aa60d9344c
SHA256 729ddde819c328fe40b705c4aa32ec4effa25bb9a45e8345201ae0873c079ec8
SHA512 317eed05795ffe57b52a6a177969badd7cbae33eebc522f8cff9b5d58e7d3da5cedd0e87d3a9679e6124d786dcfc13c6514e86c3d624603b6c88aa2cb2739749

/data/data/com.drnull.v3/databases/google_app_measurement_local.db

MD5 4fa616288e7c3fa7ef71a4b991a109be
SHA1 a03f6fd508d81edc6b5b86a150d2ce4127301f9b
SHA256 24d8fb22a25877cdfe0f13ef60eec5585387808879591dbbdc418193137f8203
SHA512 c6bf342795d81d373fe94c7284ce63df50b7eb9b9d1755451bc7468891a077afc39f0b6add8269efefb1cb51d7b19a469de035211c8e05bdb49ba1246b452064

/data/data/com.drnull.v3/databases/google_app_measurement_local.db-wal

MD5 b3046050deab5ece7ae5aa1c8f704fc3
SHA1 e316f1f87c7b640cc0891dc0703c74762f4f7594
SHA256 adfbfdeaba0cfddf963128abea8700eda9c92fb80b5202e5a5cbfecc1c00ce33
SHA512 22f8290b9028b3715497cd355b8851c8bd555aa92df74b851028285cb1a642dd660ec4e3ae41d7a5f27bf5f5e2865ba1b2e905cd083b746bc1e54f45111ec7f1

/data/data/com.drnull.v3/databases/google_app_measurement_local.db

MD5 dddd695a27f9e0dd2241331b4f7e537f
SHA1 531ad313fbc666399e589839ca7ff2b5186d2bd3
SHA256 5fb06f7d039cab32913fd0f3ad355e854970752fd676f48e4ef51ae1a8a3b060
SHA512 bc9b3dc167bab6816e8f5100b0cc1ec706e61b6c85972cf06d354b98b2482cd6869d8c8dd785d67d4ade1be11ca3aa41728c647a2f37562fd77b7358e4562c97

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-26 10:29

Reported

2023-12-26 10:32

Platform

android-x64-arm64-20231215-en

Max time kernel

2779550s

Max time network

136s

Command Line

com.drnull.v3

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.drnull.v3

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | udp
GB | 172.217.169.78:443 | | udp
GB | 172.217.16.238:443 | | tcp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
FR | 216.58.201.110:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 1.1.1.1:53 | api.cloudflare.com | udp
US | 104.19.192.175:443 | api.cloudflare.com | tcp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp

Files

/data/data/com.drnull.v3/databases/com.google.android.datatransport.events

MD5 3cd9e0f51794ba56c6b658620c4a776e
SHA1 1a4c8b4baebf348297d3ffad7dc164208c50243d
SHA256 501b7371cfad19d926f53de991d54259fa0674618efcf344ccb0f2787d9a21b7
SHA512 36191d3e6b6a1cc90a5bb8cb49eb4269a563fad34c1f523ebb3eecdc98b4783e067296beee01959b46188621c2ba5732ead240c70daecc52fb3bf577e6e4d6fd

/data/data/com.drnull.v3/databases/com.google.android.datatransport.events-journal

MD5 2f5db23ae1693dca83c5b1477e1345ca
SHA1 cba73fc7e0fb27c21e992e302f766efc17c259e2
SHA256 27065df70faa9fecea930ddb1427255ee580e02cc80597c40a8235baa458c6ec
SHA512 29d8431f63dd50c53b839ad1f5cc5c2b656c88c42a48c37462a6a5d8d6762765dbcc2b07585c25ab1e7a292507774ff9e75b9cf689ca4c821d73ff23651f8b10

/data/data/com.drnull.v3/databases/com.google.android.datatransport.events-journal

MD5 de49cd8fc4e92b9e6e58994b9f5b9ba1
SHA1 cde4f67afed61c743845d8c9da682ffb47764ecb
SHA256 491bca1cff36992ab74c5fd9e68f4d63c64f95d48aed81b771b9fb65bd952621
SHA512 cccb3cf1639e2e1c2d6c266f7d920f33bcee4e9078e9c38b3e85b9ab36698f0244abbbf7ce2f2ccafb25c6b6ba4d596146fd8c5f000470fd165dab32944272cf

/data/data/com.drnull.v3/files/PersistedInstallation8388952278167087281tmp

MD5 30580823f61559dd1206085210ea3514
SHA1 9df19fd2c0b73444ba1e3d2377bd6533fea41dd7
SHA256 a95bbd641ae48e303986d359f3ae35998a7520433d4955052400e0726a6b50d2
SHA512 561374262086a41d6764d5b71e2393ecf77717b70ea42d1e0937cbd73e8b853338dbdeaea08946fc4d6683b5081be72e42463e5afb1532252c3e3dc1421a18f4

/data/data/com.drnull.v3/databases/google_app_measurement_local.db-journal

MD5 d3051c83c058e8048bf57b279938be02
SHA1 9b69ac4a48d37d6effe1b891a187c222084026e6
SHA256 10a7f5fc75c4c176dca9cea56dac71c3659707090a835a5e46cc915f1a1d928d
SHA512 8f614036d6c8885b88d06f72d4b36dff8f5346caafa500ac3e66d5d16b434d2651bface6f7a609b7a0fe33e12581d1b31683516764888d3c6b7220a403bdb090

/data/data/com.drnull.v3/databases/google_app_measurement_local.db-journal

MD5 c8767008a21e30d4604c9e07dddeefdc
SHA1 8a88a1e34df0c5e4103f3190f07ec1ddf5ed801c
SHA256 ec004f0cd134f87d982d2a53535bc730265b913330435a2192eca00aa0c55aa4
SHA512 70e41a231d2831280d0bb2d3009b75397817be1d843e8d2cbacb2815f118a5da2f9c77d0add1c87e520cc8fcb986440ac394ecb5502ba92ff49bed55c671d5d5

/data/data/com.drnull.v3/databases/google_app_measurement_local.db-journal

MD5 d7fa143b362ff769175b206bcca65499
SHA1 8538b0fe203f83e1c02177dc60cdca306329262c
SHA256 c42715e38b727e779f7bd2f020bec9de3f2447d023952fa72b9d49a43ba490fd
SHA512 b9d6f8ad5d4238a0e67fed5c2beb36298062e160f667b2f756d75ace380f7596332dd1d372ee9297977b1075cc8ff0b889edbf579f84cfa71c9fefd33b4a6928

/data/data/com.drnull.v3/databases/google_app_measurement_local.db-journal

MD5 a82e89f9e1a9c144e6ef4d6c4f8b8688
SHA1 a9866690a500bff5e3085125ba95b41a51275b79
SHA256 6c76b6001edd581b2be7e3835e0475958ad674e31f0daf71041328a3aaf1c3a7
SHA512 192e59d51c051075180b3f46d824daae98caa2a2d2ce03201f0aaca851244ae4b85987b1e46c135c774f7455a5fdbddfd45deb7dcbcb7b8eb96cf39495c95437

/data/data/com.drnull.v3/files/PersistedInstallation1760888585195233458tmp

MD5 c12324f1df677c801542aa2a0005309b
SHA1 4734dee9a79e70a46643d0a04755abbc34829cde
SHA256 686de06b3ed88427950a422108d4dcbcd4ab615dfb887526c59792be5ea50dcd
SHA512 cfbac46911900f906ccf03f9ce1b7c6d0c9cfa03a41329539f52353539dc9143ac6795f89154548447f1760ae51633a93e098c70c188089ac79226ccf1d1fab8

/data/data/com.drnull.v3/databases/google_app_measurement_local.db-journal

MD5 8a1e9303dd1e66243990658a12d19ebf
SHA1 0c6284ee0f0ae200dfcf3d73aabce86b6bec154b
SHA256 c4f70c94233e1ad3e22313763d0761cfb9631a6f1238d4c0f05786399abd622f
SHA512 edbd830d6ea6f17643ce867b17b776c61b48ccbb2bcb747feaa820a83e5cb4cee96bc07df697487763b84a1f4e31ca1dd30530db1d61c84129e0cf54e2490080

/data/data/com.drnull.v3/databases/google_app_measurement_local.db

MD5 29c8aab1f12f4ab96fe40843d8281e91
SHA1 6394267a67563a7166e64750fef2d085721d3116
SHA256 c7551adc600a5414a48f2179ab859b3c13710df35e2ccb1486103b6ecefbcf27
SHA512 717d8de05fd0e31e189bdbe749768cf6e8bd2d5c2ce5e415635eeaf0fbda7e09a01276c7de9beca992e78f2fbe21d3916fc97106445a6f50708e88b4663654d8

/data/data/com.drnull.v3/databases/google_app_measurement_local.db

MD5 81240db96d51f196061394c37f240a37
SHA1 5c4387ba68755b0ca521bc646645df2f7e13bcb6
SHA256 304f9e3ba8f590595d95bdaf2a93a579a42e23da429cbe82cc353fa1c98be736
SHA512 0da0d542e137a702d4db020a519fee2540d048705e87f84db0e18862079d5cd4e5273740e38f41c02c8fbff05187ad4490576bbb12ec9d9301f1ba152339fcaf

/data/data/com.drnull.v3/databases/google_app_measurement_local.db

MD5 4f12b0190d32274054b47c873593d8f8
SHA1 fde5df06d1db5f34ae6718d46f7d7a96bbc139ba
SHA256 d07465caee33fe651c19aa9215a05d6d610be7451694aba711d5e532dec50ad9
SHA512 a6e08fa44bb0139e900543e965f5204a61bf2d29395c8f60e6362bcd013beefeb54b1110b2d2bba19c81c163988ac12acb1cb7d8a1fada6d99c7d6ff9acbd0a6

/data/data/com.drnull.v3/databases/google_app_measurement_local.db

MD5 955bb742a2230ce2db7a4bdbc4f82430
SHA1 57f2feb40fba869448a606408f34df9be9a51f17
SHA256 48593e2ad9c6f28c08fe335421ff34d6eefa9a3da607bca2052c09bb26115a33
SHA512 9dbbbb16883aa9baf086ee2d3b4a1c64e47ea83ed9073ed20ed2d226f1a526f332498c97917d54cb3eade478d2f32de7cb62699a2bdf1e25dcaa2c140c461124