Malware Analysis Report

2024-10-19 13:15

Sample ID 240321-cmfc6sae3w
Target a866677465af94df5d39d72b2c3751ef.bin
SHA256 4562c696b8b46794837bb7e29cc720d3dfa9aa14ef10e5d34b9b138f738996e8
Tags irata
Score 10/10

Analysis Overview

Score 10/10

SHA256

4562c696b8b46794837bb7e29cc720d3dfa9aa14ef10e5d34b9b138f738996e8

Threat Level: Known bad

The file a866677465af94df5d39d72b2c3751ef.bin was found to be: Known bad.

Malicious Activity Summary

irata

Irata family

Irata payload

Requests dangerous framework permissions

Acquires the wake lock

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-21 02:11

Signatures

Irata family

irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-21 02:11

Reported

2024-03-21 02:14

Platform

android-x86-arm-20240221-en

Max time kernel

2s

Max time network

131s

Command Line

org.bax.project

Signatures

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Processes

org.bax.project

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.213.10:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.178.14:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp

Files

/data/data/org.bax.project/files/PersistedInstallation345759154057769713tmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-21 02:11

Reported

2024-03-21 02:14

Platform

android-x64-20240221-en

Max time kernel

3s

Max time network

137s

Command Line

org.bax.project

Signatures

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Processes

org.bax.project

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.78:443 android.apis.google.com tcp
GB 142.250.187.195:443 N/A tcp
GB 142.250.200.36:443 N/A tcp
GB 142.250.200.36:443 N/A tcp

Files

/data/data/org.bax.project/files/PersistedInstallation387943720567497633tmp

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

/data/data/org.bax.project/databases/google_app_measurement_local.db

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-21 02:11

Reported

2024-03-21 02:14

Platform

android-x64-arm64-20240221-en

Max time kernel

3s

Max time network

144s

Command Line

org.bax.project

Signatures

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Processes

org.bax.project

Network

Country Destination Domain Proto
GB 142.250.200.14:443 N/A tcp
GB 142.250.200.14:443 N/A tcp
GB 142.250.200.14:443 N/A tcp
N/A 224.0.0.251:5353 N/A udp
GB 142.250.180.10:443 N/A udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.213.8:443 ssl.google-analytics.com tcp
GB 142.250.200.36:443 N/A tcp
GB 142.250.200.36:443 N/A tcp

Files

/data/data/org.bax.project/files/PersistedInstallation604419116442398918tmp

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

/data/data/org.bax.project/databases/google_app_measurement_local.db

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal