Malware Analysis Report

2024-10-19 13:16

Sample ID: 240321-hhmjksdg34
Target: KissLand.apk
SHA256: 05ff22637856bb0edd57cb710afa0d6f944c977fd1045dbd78ea3fb634fa8fb0
Tags: discovery, irata
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Mobile Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 05ff22637856bb0edd57cb710afa0d6f944c977fd1045dbd78ea3fb634fa8fb0

Threat Level: Known bad

The file KissLand.apk was found to be: Known bad.

Malicious Activity Summary

Tags: discovery, irata

Irata family

Irata payload

Acquires the wake lock

Reads information about phone network operator.

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-21 06:44

Signatures

Irata family (tag: irata)

Irata payload

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
--- | --- | --- | ---
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-21 06:44
Reported: 2024-03-21 06:47
Platform: android-x86-arm-20240221-en
Max time kernel: 2s
Max time network: 138s

Command Line

edward.org

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

edward.org

Network

Country | Destination | Domain | Proto
--- | --- | --- | ---
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.178.14:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 142.250.200.42:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/edward.org/files/PersistedInstallation7875911931552853808tmp

MD5 260b0a8d8c633a6f6bbb2a519f86681f
SHA1 147b8fd6fe113c4ab83de266579aa7fe414a5768
SHA256 55f5644397c4adb88741c5bd02a3646fa234a05c654f1cb1cc1a819fdd257ded
SHA512 b0dff9c578ef06dde39a04a6e789e0ae016b246631991443b7e9a208c0a9b1af69acee56d07f256579c3cb0af6fcc3d0c4d7cc176a63300fb261f42ae76ce5ac

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-21 06:44
Reported: 2024-03-21 06:47
Platform: android-x64-20240221-en
Max time kernel: 3s
Max time network: 146s

Command Line

edward.org

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

edward.org

Network

Country | Destination | Domain | Proto
--- | --- | --- | ---
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
GB | 142.250.178.14:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 216.58.201.100:443 |  | tcp
GB | 216.58.201.100:443 |  | tcp

Files

/data/data/edward.org/files/PersistedInstallation7948621223151726513tmp

MD5 1f9ab292d4fab46eac6daede9eb3494c
SHA1 ac3ccf4c2e08dc24e6ecaf1db0d5342e250e6725
SHA256 216a82f8ece4e373da03c4dd2c70ac77a8290822894c1f5cb1bb90c867d8a470
SHA512 4ec291151bb9c996c7f67b28be6cabbc7100b7fc7c58c0c34497e5111deb27215a3551941c44fea606bb9fffa143a80dbbf084cf910d87cd4bceb05c054d5c46

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 7fbb69978898b9149f49542824b65f9d
SHA1 0a1db0390a63bde5123cf6aa71240b87cc498a0a
SHA256 c76c0a18bd3b95b9208aedba1b4b57650fcdc7be7fa592bb03601577fa4f07cb
SHA512 45247d0f6246616e87d078f1d5fa6bf725966c1b1f2e875280a56364f1c5eaa0c0e79e75c6076849f9494cf63baf484dcc37023a02eb111ddf4b3a5d70aa771d

/data/data/edward.org/databases/google_app_measurement_local.db

MD5 188c0542bc062e48b614e5ca8c1081af
SHA1 0eb9b89a5c92957cd1fe748cc063b32853339774
SHA256 c1ccc325c2699ed7f556cf171566317f706a911c4d02b1644a2a7908b93da58b
SHA512 62a67f2c56bc3b40d49c80094f160d355a8f67130e1924109426e0481008bc2cd11a9e2675a901abd03cad1e7fe0028031e20d826437edcf35b6f86e2499c2b4

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 0d13e4c497cd5a44b3b300f7c033e57d
SHA1 09b88ec38d1e7dc092740090e0d06f32cad2b0c1
SHA256 6f98796326ed48c79feaadc80cb4027e785597a02c0e248ae55750074d32e2da
SHA512 09aa172dbcc82ef261198c2df439a6a698912e1bab75053b0b7e11632fc932f59e9d86bae9c7e220334379a54dc7f981d22f4724517b415b5f7eba9d09be971a

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 15aa4c92de118c449b1019fd1ecb6031
SHA1 d5e143d4ad8afffc1039909ecdd0ec4d76faf7ac
SHA256 8be299dd1663c03d43d075a8b233c92c51ef188d165e724bf8468ba6bb00f7a5
SHA512 7bfe26318712a2e099018ab790995608bd550bf1895c0041f90738a624aab058d938282e0be4709ae0673829d0eafe16795d4e5ca717861868386cd40239eaba

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 a26387dbec5c13e019f8285f8e066347
SHA1 8dab2596a84a05f86f2a3f6648f70055791febe1
SHA256 5fd28d2acfb2e24e2006e538c9fa05853f669e20f492a7922379e6b7f2effaac
SHA512 60c04c59e0b65544a995bb5a19b28f87e70ef53a1d0f72b3ecc570190369adf865bed13fd32a752a4866331a2bc533e515b7c995481b9eff46cbf55d2e230206

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 25acee076b0e4b351f191da37eda141f
SHA1 ef8927936c877a16520245429a0a1518e693f63c
SHA256 d6ffb9a687f2a2a811db8bf1262fe3d7c354dd4ed10830c26de7c61a9a0748f7
SHA512 1f5e84ab763ad3d2d853f69dc012300338e18ae5083159d13247abeb099eb984ef9a9c6a3e17fff305654c79501709a0637e3d565afa863d4f79f5fc6f02de0c

Analysis: behavioral3

Detonation Overview

Submitted: 2024-03-21 06:44
Reported: 2024-03-21 06:47
Platform: android-x64-arm64-20240221-en
Max time kernel: 3s
Max time network: 150s

Command Line

edward.org

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator. (tag: discovery)

Processes

edward.org

Network

Country | Destination | Domain | Proto
--- | --- | --- | ---
GB | 142.250.180.14:443 |  | tcp
GB | 142.250.180.14:443 |  | tcp
GB | 142.250.180.14:443 |  | tcp
N/A | 224.0.0.251:5353 |  | udp
GB | 142.250.200.46:443 |  | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
GB | 216.58.201.100:443 |  | tcp
GB | 216.58.201.100:443 |  | tcp

Files

/data/data/edward.org/files/PersistedInstallation6648116360390667377tmp

MD5 2b3d152ef53f30a84dcb9e9e45d31f36
SHA1 2bfb1143ef7021db7b0376f9cc298b09f864c975
SHA256 3553f079c8a639f9e0587b34d6ed9d3d8bd0bd36fa1114fc0aac8d2c38a0b2cd
SHA512 5402b9a91f526a0b2d6f71abd40ec7fef8dc96b07519836fb084af271ae87a8877d586e5ae03e70ce951afdf8556dc50328526fd2cfc9853946ed93337b0ba2e

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 eedfecba8b7b3e1e5da5f8dbe67d25ed
SHA1 e6340a9087d67b2fad2da7af05deb836414ce4a9
SHA256 bdf8c0f67cb47073eb86202b6839afb8b295cfc0a84c3686869a32e2e4bda986
SHA512 c9fa7c62bf7dbfb37803d5d39ebef9922f38c2a8a47c16ad4b9741e20b324191b53d2a98cc3983a4a929a548a3636244d538934aa24ed342f8a9818102a3914f

/data/data/edward.org/databases/google_app_measurement_local.db

MD5 73dde037d43818d6392e51665bee0446
SHA1 79d2b7aaad055aaa21aa371d61b05684c2164073
SHA256 d8aa44c8b932aa136e23d352f22689c2173c343125e0e7588bb111fb635b30be
SHA512 95c88a7ca75a3f60fc3715bcac6a0a0f67bcf8a3a9fde5482f15e8da321521faf184548fc7a31df3f6019c48214b97a683b9fd7d0d2b1bd5595e50fb5d80f4fe

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 ae446d2bbbcb01ed625ab22af260b32d
SHA1 a41e7914913fccbf957611b9d46d5504dca8df6c
SHA256 7bde2ec2de3898b046109058f1881019ba17744b2c5a38890b05850d71e0e730
SHA512 d5186481407767d5916963ef14915e3c5dc8002707be97d99088c50b5bdc35a40440032a8961680a6e10fda9434eccae34be5581d73eb759cce34b143964b138

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 bc3064bd7f30def0420a175d8912c0a7
SHA1 a742f5b569cca7c110a7dc5fffd3335d7c88370a
SHA256 40604aae2c03f7e42ed0de565a9ea40176a6e1b5fc86c7ed0a449b9df858b375
SHA512 d80deedcf77f00a9100b9a23ab500e44595e10005a3e0a6895bdf1f1523cfcfb8916bb928bed4595c597f9d6dca54ac84b9e25865e7e7245b6cdc67f01fd1153

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 bd093446decc91502e06517cd490e87f
SHA1 b6273be2db39261137ead87de889caa0c552290b
SHA256 3cf6712be2ef4098d641ba8d18a39eb2c594fb35e77444f9ece2aba52a5cd4ba
SHA512 56e8b19c0e20634c7744efaf287d33b49010904f57670f9b27004dd8a7f5597e7d699da54874446a55a0ff3b2a36f0dfddff1ae316a96c01a6628ca5b4683632

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 cda6f261a8535210ce74736e80fceedd
SHA1 d32c5d8b24373e6e8561e1fcf79d001b729cb9a4
SHA256 5b26869e1f0474f48bd6839bba24527602d01d0ebe1c15c9cfce885d25813857
SHA512 dfa60c152482e0c4a4c8cead131abaaee8e9afdccd117f2356478bab50a60ce1b9e9e4a67854e7ad4e21b9039984ee25bf82080b6b1275d9ea0dbc56421ba8fd