Analysis Overview
SHA256
2eaa082248a55d8e6ec5d3c5910515e0b1f1a9f371d9afcd8f0493eb6e04d635
Threat Level: Known bad
The file app.apk was found to be: Known bad.
Malicious Activity Summary
Irata family
Irata payload
Acquires the wake lock
Requests dangerous framework permissions
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-12-26 10:48
Signatures
Irata family
Irata payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-26 10:48
Reported
2023-12-26 10:51
Platform
android-x86-arm-20231215-en
Max time kernel
2780709s
Max time network
138s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Processes
com.lyufo.play
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 172.217.169.10:443 | semanticlocation-pa.googleapis.com | tcp |
| FR | 216.58.201.110:443 | | tcp |
| FR | 216.58.201.110:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.213.14:443 | android.apis.google.com | tcp |
| GB | 216.58.213.14:443 | android.apis.google.com | tcp |
Files
/data/data/com.lyufo.play/files/PersistedInstallation145831620879968424tmp
| MD5 | de85f9f5026b1b17160d9438484df01c |
| SHA1 | 390549fbd4f917ecd95ecceff9fe0c04a71dda95 |
| SHA256 | 90018274cc180c244e0013a3d5341ad90b85ff05a376d771132e7799a7f1c25a |
| SHA512 | 9d8d140f56b891f5d1419e5fd01aaa9333c7c9ba486dc53541bbe18bc2891adc07760b5d361cb7f38fd1df3bd2e17fecaa304ca507cd8edc6228d25e65416b57 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-26 10:48
Reported
2023-12-26 10:52
Platform
android-x64-20231215-en
Max time kernel
2780727s
Max time network
146s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Processes
com.lyufo.play
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp |
| GB | 172.217.16.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.213.14:443 | android.apis.google.com | tcp |
| GB | 142.250.187.228:443 | | tcp |
| GB | 142.250.187.228:443 | | tcp |
Files
/data/data/com.lyufo.play/files/PersistedInstallation5613272374194048788tmp
| MD5 | 4bf2eb8c1b1836a6ca8f12293415d432 |
| SHA1 | fc1d3be4492a33885e954b3acbd6a60988ada0df |
| SHA256 | 1c110d9d58f6d111f8d4f0dbb6dd0c3dbf4661fd414a1febebb1a67b27fcccfb |
| SHA512 | 54925580ff36bfd76ed04509a5f29da3c5e3444fad26daf81a694aebe1aaa99a37b09c4804179e9f462797ee620aa62a2a2ed5b841065bc01159d2259f50fa76 |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| MD5 | 6f15cb853af51b4468ec02fee5c40d0e |
| SHA1 | 9a329198472eb261f6114efa9cea934495d62dc6 |
| SHA256 | c9f8ddf3e67bedb2b28c293c980c66eb4df5105e79e6dca3375512f4e3619e53 |
| SHA512 | dedaa80f601dcea3cd7377ae26258a26c0d13566066f296b0742d1267cb33d0a6465de88f6342d4ae4b5db8ee82586d2630664468760d9b1e97ae193a6cfe772 |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db
| MD5 | eb52a90bb70b76e946b62f50b6f7fb85 |
| SHA1 | 42d767b5d1faa7dcef4cb4e1432a5f47ec2e9ee0 |
| SHA256 | 48472f593a3e9cf9e91ee5f7d66dd9ff291bfb247eb6b46778c710fc24e8d3c4 |
| SHA512 | b356c858cadd14b6ecddf134f1c494c0107a1d36be9387984fc53dcb00e6779d944f058f4ac99d0fc2fe3a427cd1c2921c6fc38ecad53909fc4b5b6f04459b5c |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| MD5 | ea6497874e12a0a3d8e9b9aff43e1242 |
| SHA1 | b2bcef79a46cfd5cdef2a4ab89f419c847b3ec1a |
| SHA256 | 498838f7be63df8568bd8d94db5a470ac9d6c4dc58d6670c5acc9b22c35d1620 |
| SHA512 | 88e468c506161530e61f4e0a79ffdea00902cbb0afae845a623c116f69c9ba935d2337e37e6bd67eae3b79bda9ea0797ef60bb888cbf6ea195e5a23c1cdaa611 |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| MD5 | a16ae820964c47d4e4bd9bb72c30543c |
| SHA1 | 2b422a38883f799a90613c82708de616645dcc07 |
| SHA256 | dc88af3ea56d56d407f1939cfeae0fa28038c76838a3893a103c1db6f0c0e6bb |
| SHA512 | 140bc55f043bab9eef1e4fbea7cb30ca3aa5ffc20e29f6ca42f6441502a4a5d47a8b304f1508b6b221d750ed99cec4e663657d1f9c18297365f8537596aeb57b |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| MD5 | 148429e5634871a67ef4838157b3865c |
| SHA1 | 2427d8a4386642ba487fec3567097b1435627fd1 |
| SHA256 | 59cd86c725c603032c9f1bb59ff58480301556d741f3d29d426dc44aad939e4a |
| SHA512 | 06b80736c0e216d9790c1d43774ee61a8d1e4d045e6a2d71428c2ebda22afd1236662d2757786149670e0c0981311000e319a2f2533928f37050c42f4e539b90 |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| MD5 | c4df5cc2dcc454312e3c8adcf5b20783 |
| SHA1 | 83f00b6ee06004d556022c68dfbf94133937f43a |
| SHA256 | 77bc512cb85fa9cf0bacb16765e128326b4aa44e6a77587e759d99407880cab0 |
| SHA512 | 10e5ec83ad04ca51189d8add7becb733718cb67285747241d410ad23a56fa8647c5d81ddd927960c97168660d73785bb79517be817fd2acd2724f0a355c4f5c3 |
Analysis: behavioral3
Detonation Overview
Submitted
2023-12-26 10:48
Reported
2023-12-26 10:52
Platform
android-x64-arm64-20231215-en
Max time kernel
2780736s
Max time network
129s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Processes
com.lyufo.play
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.200.10:443 | | udp |
| GB | 142.250.200.46:443 | | udp |
| GB | 142.250.179.238:443 | | tcp |
| GB | 142.250.179.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.200.4:443 | | tcp |
| GB | 142.250.200.4:443 | | tcp |
| GB | 142.250.200.4:443 | | tcp |
Files
/data/data/com.lyufo.play/files/PersistedInstallation8779862769611533454tmp
| MD5 | 8cf4938ec59663989aea181937fed20a |
| SHA1 | 2866e2563290b8ae8ca1ea5f8e5c55d8dda2d743 |
| SHA256 | 39b25024ff5e63604c66adf9429e75ba879b6a681841fdfa8a2c334f0c94250b |
| SHA512 | e3b2324b111d7eba105b477d1291ab41b7b43be081e826719212d51bbfdd934134f78ff671f94a72642fd0a788096bd619c831a451ea4aa851cc28eb591ae882 |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| MD5 | f6ced4a364f1e83f45d574e72bb0fe79 |
| SHA1 | d43b04618a9d6046d18c769eaa37e158cf46c529 |
| SHA256 | 6b2ec48afaf23ee87800ef702f5f453e64d7e381523ec8138c2acb83c1f1fe5a |
| SHA512 | d33252f5a31339b36ebe8ef9e8270b344f29ed9eec5d0b1fbe56892e878af8fc5d1858d493a61736bd649270656504117cedfd9f580ffbe3bed5053414394c2a |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db
| MD5 | d9cf75fdd1c2292d986f6c3d5d60f2c8 |
| SHA1 | 07ecb1d3a26d952ae5fecf54f36699ab498510b1 |
| SHA256 | 2d227e9b7a044c8e10294f6a831fb92d81ea9582381796d87f35bd268e37538a |
| SHA512 | 442c96e4b4c79b8d1c64dd3a6d6088ae1dace441e78d830dfb3190ee1c0fafebc606fb432071b4a1ad1a4ba9b68c7877b0bce520ccc88708feaf82bbc474e0cb |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| MD5 | ef61549208ef3976f46d15de5569ed07 |
| SHA1 | 94926208c9cf80f11001f4278598cba833b6d53b |
| SHA256 | 76d938c0e7ab211067621c2c1a248a75f2f62600f1c9ed3092fa97a4103b2309 |
| SHA512 | 7da4c691e25decc707400d7c16faa723df61ddd735fa535f5527b4172d13384a4303f3448af4422c1669297c51ef1f69650524d68be403d2eb7e22afafab9112 |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| MD5 | bcbd9e037886570f44577f7765910817 |
| SHA1 | 6484937e03c02654f4bb607e8ec032103f14d5f5 |
| SHA256 | 0cc14c10e8288b945578f54abe56c67f30f2db9d9c8027810dd7b2eaef423455 |
| SHA512 | 5a866822c28ed63d832ee02f740c1a5edaf55585fc67e7074e401b7f42ea7b0cce4895ffddc50afa43b40616acce98db3ec8180853e245c1f3f5a9597991c905 |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| MD5 | 7b89b0e45c027427b078deab115cf6a5 |
| SHA1 | a9ccf647a64fafc7584df7c2a489d5ceffebedac |
| SHA256 | b552fbd79661cbea9df4dd263768df1c5a3209ba6070790d988f713673c076f3 |
| SHA512 | ca7687a6aed1b5bcf938c6f130296638952cd5112ede58accb011910b6bdaa1e06f115da4ed4819cd30ad66e8e97278fac1c5d1fcf5c23f2ecf2e59f1b37928e |
/data/data/com.lyufo.play/files/PersistedInstallation7274887105991420157tmp
| MD5 | 528de94f5524cbf409a524ad056b92b6 |
| SHA1 | 78ca8cfffdb2a82e261874eaa33fbf0de6b78857 |
| SHA256 | 499784f8b04d60c5eede97b5d2f369d21a584b56b2ace2a0dcd8111572c85e8f |
| SHA512 | 5ceb549a70590004a4b626f4b563ff2d3a0ec5e5d50f603269d6efccbdda18eb2692b230995df1416c81ba8950eeceebfc9e34ebc51ed268e3c90e7c33d781dc |
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
| MD5 | 03818cbc6e85048cbc409be03807578f |
| SHA1 | 3cca875c658a258cfcaba508e60d029006dcc202 |
| SHA256 | 14980b5c37e84f3882d2e1f8a94867ae78bc4eb5c22c8bfb60a713eab60267d1 |
| SHA512 | ea30a3fb66e2f32b7863a1f0b4e0b97748933eaf4ffbad793634d27d8d1b080caff1c5bee05317ba73bee76435b8827f07b3020b38f019955de6551d65556942 |