Malware Analysis Report

2024-10-19 13:16

Sample ID 240321-hkr7vadg98
Target KissLand.apk
SHA256 05ff22637856bb0edd57cb710afa0d6f944c977fd1045dbd78ea3fb634fa8fb0
Tags: irata, discovery
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Mobile Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 05ff22637856bb0edd57cb710afa0d6f944c977fd1045dbd78ea3fb634fa8fb0

Threat Level: Known bad

The file KissLand.apk was found to be: Known bad.

Malicious Activity Summary

Tags: irata, discovery

Irata family

Irata payload

Reads information about phone network operator

Requests dangerous framework permissions

Acquires the wake lock

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-21 06:48

Signatures

Irata family (tag: irata)

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
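The six permissions above are the static evidence behind the score. The three behavioral runs below lasted only 2-3 s of kernel time, and their network and file sections show only Google endpoints and Firebase/Analytics SDK state files, so the manifest is the quickest thing to confirm independently before spending time on dynamic analysis. The script that follows is an added example for this page, not sandbox output and not the sample's own code: it parses `aapt dump permissions` output, flags runtime-dangerous permissions, and derives an SMS-interception capability profile. The embedded aapt text is constructed to match the permissions listed here; INTERNET and WAKE_LOCK are assumed (the behavioral runs show network traffic and a wake lock), the package name is taken from the report's process name `edward.org`, and `dump_permissions`, `triage` and the rule names are this example's own, not an Android or Triage API.

```python
"""Static permission triage from `aapt dump permissions` output.

Added example for this report; not sandbox output and not the sample's own
code. The embedded aapt text is constructed to match the dangerous
permissions the report lists for KissLand.apk; INTERNET and WAKE_LOCK are
assumed (the behavioral runs show network traffic and a wake lock), and the
package name is the report's process name, edward.org.
"""
import json
import re
import shutil
import subprocess

# Runtime ("dangerous") permissions from the Android permission reference
# that matter for an SMS-stealer / banking-trojan profile. Deliberately a
# subset, not the full protection-level table.
DANGEROUS = {
    "android.permission.READ_SMS": "read stored SMS (OTP / 2FA theft)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (OTP / 2FA theft)",
    "android.permission.SEND_SMS": "send SMS (premium numbers, propagation)",
    "android.permission.CALL_PHONE": "place calls without the dialer UI",
    "android.permission.READ_CONTACTS": "harvest contacts (targeting, spread)",
    "android.permission.POST_NOTIFICATIONS": "post notifications (runtime permission since API 33)",
}

# Capability rules: (name, match mode, permission set). "any" fires if one
# of the set is present, "all" only if every permission in the set is.
RULES = [
    ("sms_interception", "any", {"android.permission.RECEIVE_SMS",
                                 "android.permission.READ_SMS"}),
    ("sms_sending", "all", {"android.permission.SEND_SMS"}),
    ("silent_calls", "all", {"android.permission.CALL_PHONE"}),
    ("contact_harvest", "all", {"android.permission.READ_CONTACTS"}),
]

# Matches both the "uses-permission: name='x'" form and the older
# "uses-permission: x" form printed by aapt / aapt2.
PERM_RE = re.compile(r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([\w.]+)'?", re.M)
PKG_RE = re.compile(r"^package:\s*(?:name=')?([\w.]+)'?", re.M)

# Constructed input (see module docstring); not captured from the sample.
SAMPLE_AAPT_OUTPUT = """\
package: edward.org
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.WAKE_LOCK'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.POST_NOTIFICATIONS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
"""


def dump_permissions(apk_path: str) -> str:
    """Run aapt/aapt2 on a real APK (needs Android build-tools on PATH)."""
    tool = shutil.which("aapt") or shutil.which("aapt2")
    if tool is None:
        raise RuntimeError("aapt/aapt2 not found; install Android build-tools")
    proc = subprocess.run([tool, "dump", "permissions", apk_path],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def parse_permissions(aapt_text: str):
    """Return (package_name, set_of_permissions) from aapt text."""
    pkg = PKG_RE.search(aapt_text)
    return (pkg.group(1) if pkg else None), set(PERM_RE.findall(aapt_text))


def triage(aapt_text: str) -> dict:
    """Flag dangerous permissions and derive abuse capabilities."""
    package, perms = parse_permissions(aapt_text)
    dangerous = sorted(p for p in perms if p in DANGEROUS)
    capabilities = []
    for name, mode, wanted in RULES:
        present = wanted & perms
        if (mode == "any" and present) or (mode == "all" and wanted <= perms):
            capabilities.append(name)
    # Heuristic profile: can intercept SMS and has a network path to send it
    # out. This is the combination behind OTP-stealing trojans.
    sms_stealer = ("sms_interception" in capabilities
                   and "android.permission.INTERNET" in perms)
    return {
        "package": package,
        "dangerous": dangerous,
        "explanations": {p: DANGEROUS[p] for p in dangerous},
        "capabilities": capabilities,
        "sms_stealer_profile": sms_stealer,
    }


if __name__ == "__main__":
    import sys
    text = dump_permissions(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_AAPT_OUTPUT
    print(json.dumps(triage(text), indent=2))
```

Run it with a path to the APK to use real aapt output, or with no argument to run against the constructed text. The capability rules are intentionally coarse: a permission only says what the app may do, so a positive result is a reason to look at the SMS receiver and network code, not a verdict on its own.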

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-21 06:48
Reported: 2024-03-21 06:50
Platform: android-x86-arm-20240221-en
Max time kernel: 2s
Max time network: 137s

Command Line

edward.org

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator (tag: discovery)

Processes

edward.org

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.202:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.200.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.46:443 | android.apis.google.com | tcp

Files

/data/data/edward.org/files/PersistedInstallation3116799096114161447tmp

MD5 fcf04e6159c5c6256253f91415aaf767
SHA1 e71f13462c39094ee04969f969526b13706899ad
SHA256 cfe53550d8d9b8efae55babb93c79623c9221d500f23fdbb41b9b16587243637
SHA512 16cc0327c505ef04488f8aab67d1baa2ea8b5cda821dcca0137dee38797742fe440710c71f67b711da587b41568f3b1970bd74396002a4b64a1cb9bb6aa7133e

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-21 06:48
Reported: 2024-03-21 06:50
Platform: android-x64-20240221-en
Max time kernel: 3s
Max time network: 153s

Command Line

edward.org

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

edward.org

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.46:443 | android.apis.google.com | tcp
GB | 216.58.204.68:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.16.228:443 | www.google.com | tcp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.200.2:443 | | tcp

Files

/data/data/edward.org/files/PersistedInstallation2804479630721907775tmp

MD5 ee8429cf17db9a463904dc56e4e0b5c5
SHA1 542673f36497b3ac2170c56244482eea7392854e
SHA256 b92fb8b5f115ec1d7bd6e16bcf23177f49782bbfc0edaae64c4405c9e8a38b8c
SHA512 38e3c86b3ac6a4a23e7767bed8b1c8bd1cf5920c75ace096cc3fb69bd8a253d879482a575d4cd90474023f019584dde767313bc3e0d2ef2cfbc3b0d0f4624743

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 5ef91de90da7a6842237f303dbf8f8f7
SHA1 f08f0ae3a9d1397aedd72b8658defc6fc6b91fa4
SHA256 b700e14e670a632218640ded2234d3d67983d105f1a08031e0815a81fcbbb6e9
SHA512 d34e7e32dbbc39b5e1c0cb1cb6e923ee5567e87332fb559b4c83f05f47c72d3668e2c2340dbce9679070794bea448903582da1962800dd450f1f33d993c67712

/data/data/edward.org/databases/google_app_measurement_local.db

MD5 eb52a90bb70b76e946b62f50b6f7fb85
SHA1 42d767b5d1faa7dcef4cb4e1432a5f47ec2e9ee0
SHA256 48472f593a3e9cf9e91ee5f7d66dd9ff291bfb247eb6b46778c710fc24e8d3c4
SHA512 b356c858cadd14b6ecddf134f1c494c0107a1d36be9387984fc53dcb00e6779d944f058f4ac99d0fc2fe3a427cd1c2921c6fc38ecad53909fc4b5b6f04459b5c

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 31352abaef192fa5314d0df4d8fc20cf
SHA1 e7aceb7ffe9111e703968cb50c133eb6f5cc5a5b
SHA256 ee3b97a13ecb2a1bf5f08018ee1b481b02a9df041b08fc16cf3beeead80d1612
SHA512 cca44088841651255e90ad90d8f9dce75c0ef78bba96282a08e91f8f3d617ad5d13009f4a491481634fe1c9549eaa8a35738b12a7cc815e995ac76f21529d476

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 ab824c6b3c87d38a8428361dec08dea6
SHA1 119e37d939cf9d37374eb372548032cd6fcbcace
SHA256 afd65998b3aadb32e3ceed23809f9537adc6f35588dfe17e6d6f907eb4c6b135
SHA512 51fa0f1b1e28590e1e3c7f1b94166439aa287e73b8870d05c2b28b3e8ddff82bf4ff3301aabf1244495df046e94ca6a3a42f98d63d09bdcf0593a6ee6e17d2bb

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 0d7f0a14dab59089dabed16baa418a36
SHA1 95ecf33c36f424513db9f2de65b3d97658d42af9
SHA256 6a61f8c2429f095e408b38894a61fd5e221e7b8bab3cbef49cd42c65e5075e27
SHA512 6254b46a44e6eaa66f35e3c16c1db3f88682c50cd9d35e867c1f6b61de3592f6588e6e5281e970417ca072b2947ac7c1bcd7c3feec40864cb396ec8cfe07302b

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 8718bcbfe1e060e5cc7d55c482f95ef9
SHA1 16f71cae6163d22eca07493df321ea6a8b7c87d8
SHA256 a8deda75e63be07879ffcb74f713612b5136431738a5705cb643826c242c59ac
SHA512 556250fb47efd479f31d31ed0a823487bde63cd50ba1d69453501fe5ddb56148e0e8d5534c8cc513b5730042958dce966c8f52e6cdf85c6d80349188ef14db41

Analysis: behavioral3

Detonation Overview

Submitted: 2024-03-21 06:48
Reported: 2024-03-21 06:51
Platform: android-x64-arm64-20240221-en
Max time kernel: 3s
Max time network: 133s

Command Line

edward.org

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

edward.org

Network

Country | Destination | Domain | Proto
GB | 216.58.201.110:443 | | tcp
GB | 216.58.201.110:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.14:443 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
GB | 172.217.16.228:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.204.68:443 | www.google.com | tcp

Files

/data/data/edward.org/files/PersistedInstallation5544298010870002242tmp

MD5 1f29344ef7aba40011c88d3164af3853
SHA1 d3280c2abf8ba42d383709e3539a96319d5342ca
SHA256 027193cc5e49eaec1eb477386bb8fb4ba55e761bb3bd049f500f50abb461db37
SHA512 afa00157c8f8827f9eec4a9bbc52defa235f594155fa9823dd328fad4c06cd939f2ad1f89ddfbe9d3cffbfdda46758f19532b2c11a12838825ad556c0588f768

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 a70c12088f10e787b0b55a53ec7f21aa
SHA1 d0c00c07722806753f52b00cf48a3aa34593afad
SHA256 9be3e2377de097a1d8a9aa9dfaea77804923d2e25a60cc31e85733923f57f9d5
SHA512 b60051babbec2e2790d0e87d8e2bcb767d67a78ae9489c757329e30f5f6dafe2cdcec4c1428e1ea5e093d8eb5aa6f9cfc481b86e684a38ad14321ec1b8314d33

/data/data/edward.org/databases/google_app_measurement_local.db

MD5 d9cf75fdd1c2292d986f6c3d5d60f2c8
SHA1 07ecb1d3a26d952ae5fecf54f36699ab498510b1
SHA256 2d227e9b7a044c8e10294f6a831fb92d81ea9582381796d87f35bd268e37538a
SHA512 442c96e4b4c79b8d1c64dd3a6d6088ae1dace441e78d830dfb3190ee1c0fafebc606fb432071b4a1ad1a4ba9b68c7877b0bce520ccc88708feaf82bbc474e0cb

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 ebed2247978f5932e22fea060be21579
SHA1 f394c718b864a0ae86c031e68cf6b7e79f29912c
SHA256 f38e83e8ce6cb2a900a333b5d544e2f850247da277f9fe1ea1bcd10e8b532d63
SHA512 5ed94340c9c1fdcd3092245d72c0ea9079f561da8eea67e667e545fd98bdc4cdbbc9105e339cef1a7e5394a96c5ae7e08b595475185bd5d968a161a3fd72e99d

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 3f2ced8bab241ba5666669634aa0984c
SHA1 c937462375ca86e10ff7f99c912baccaf44d5a01
SHA256 0cbbb7fb8d4f6e55f73dd8ffe3c677a6d02ff8332ef6f28c8f1beda67eae45fe
SHA512 47a577a4c61428294649b841d13ab9ca62d16c132da196b635f16ed8f1f71602c36e57c527b6850a2d5e82e50abf20485703c65a45b249af1a45fb0e693de97a

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 3c00e7d4d25c199cd4ecf6ce9499d568
SHA1 c33d8ab848a3734479867f50edd87203b14d800f
SHA256 23a6b72ff58ad03f2289f8d331491f6bf3ef374946554e27de686f0a5ddb6422
SHA512 6145a47bb5503a9be1ec1ce00afe59b1f36f9e08fce9d9fbf73415661a8895a4270c77e9738122c681b5d08af08d5f955ac35dd5c30acb89d9963a78c830cc35

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 a3d9d11adb45c2b21370750a66a7909f
SHA1 3b0f9b1ae60da50f77bde0da27314cdfdd5aad81
SHA256 fdc17106a109e46fb80e01f1f7e2191b95101145ec30687cd9f3577cc251b207
SHA512 d7c5622351751e5018fa8e043e7a088f67e377e987d773d4a5f5675a0496d365abc5667fd8c714e7002ec831b85905ccd212ef6f6f55700ef33dbf61e0225330