Malware Analysis Report

2024-10-19 13:16

Sample ID 240322-cf4gesha4w
Target 05ff22637856bb0edd57cb710afa0d6f944c977fd1045dbd78ea3fb634fa8fb0.apk
SHA256 05ff22637856bb0edd57cb710afa0d6f944c977fd1045dbd78ea3fb634fa8fb0
Tags irata
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 05ff22637856bb0edd57cb710afa0d6f944c977fd1045dbd78ea3fb634fa8fb0

Threat Level: Known bad

The file 05ff22637856bb0edd57cb710afa0d6f944c977fd1045dbd78ea3fb634fa8fb0.apk was found to be: Known bad.

Malicious Activity Summary

irata

Irata family

Irata payload

Requests dangerous framework permissions

Acquires the wake lock

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-03-22 02:02

Signatures

Irata family

irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-03-22 02:02
Reported 2024-03-22 02:04
Platform android-x86-arm-20240221-en
Max time kernel 3s
Max time network 131s

Command Line

edward.org

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

edward.org

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.179.234:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.200.42:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp

Files

/data/data/edward.org/files/PersistedInstallation109252973779557542tmp

MD5 e9c69f8bc1d967a4eb9a98e726913205
SHA1 2b654cdab9dcaec8be08c3e969e85f6a9038b388
SHA256 5bdf2bf21d295410e7fcf6ff779f4a7ef4adc9942e7b115992f06389e64d83f4
SHA512 e0efb8bfe69fa012fdeee8aa350a77980b1ea5ea4489932ed388f78d2efe7ba9462be99dc3bf2822bf9e88067f0258ef88f7030bfd52cdc0a29058a2183c5221

Analysis: behavioral2

Detonation Overview

Submitted 2024-03-22 02:02
Reported 2024-03-22 02:04
Platform android-x64-20240221-en
Max time kernel 3s
Max time network 159s

Command Line

edward.org

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

edward.org

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.187.196:443 | | tcp

Files

/data/data/edward.org/files/PersistedInstallation3779041740180212250tmp

MD5 922d55ab1c2af16315f78ff29452ee06
SHA1 9a28c3d0b9092e75c7e31ebab52ca226f3641f76
SHA256 410ad9ea0dc5b96c9c9e3aa2a310c9fee3feba23a411e26b76a8126964df3b63
SHA512 7203feda6a6d6b651c8321c68cd6f768782c3f050c380471a2b53ee81bb434c54b6a889b1ea5f46439c3a4e25e3cbbd5327047aa19a1c764c6469709d4d187c4

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 bee46609f8d9a1e1429ade38aee1feb0
SHA1 dc067e3195e012aa246f5482787cd4d9a9aa038d
SHA256 966e52006b9bba9fa3ceab8cb35095ed38ce35bad610a74d1dbda1b179732c97
SHA512 d586eefab0742fa0e49691340585fc57226278a72ab2ec79dcf7e18f4ecc1fa3dd4fe913c4c29c8384b84b82ff91ab76da0415db6cfad179c76a5abd2c7babfc

/data/data/edward.org/databases/google_app_measurement_local.db

MD5 188c0542bc062e48b614e5ca8c1081af
SHA1 0eb9b89a5c92957cd1fe748cc063b32853339774
SHA256 c1ccc325c2699ed7f556cf171566317f706a911c4d02b1644a2a7908b93da58b
SHA512 62a67f2c56bc3b40d49c80094f160d355a8f67130e1924109426e0481008bc2cd11a9e2675a901abd03cad1e7fe0028031e20d826437edcf35b6f86e2499c2b4

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 f2f30b156e55ec48298f19be85ce54f8
SHA1 6fb6497e8879adc057e79fa9c5112b1f1dda09d3
SHA256 cf01890de3e0c960a9b1a9548f71c65205c93560b16292b60d41f51ad384807c
SHA512 7d08d61aa3dd66667fb05f7955d40eb55240accaa51a324b766018e5f556d42ead061b6b356e642e863047a526d840cb0517b2912c0479da2bed76699e360aba

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 36cce03937cd59e65226e72644bdb072
SHA1 833365fdd497dca88c69b15e30cb647c414a2d6d
SHA256 43abce5d8f96e20ea96fa50b5f5947b5d326f0a4d9c06311e5265f013b2be8e2
SHA512 034cb0ba517e3221e92bfc6d61b9894938faebe6a69d63709e3fac5e9ba7b7712205f4a37fcb6d652e4f80f5cbedd32ece48c05c53b50d7a04f58ab8fb715b8a

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 fe7a85ccf661a5de151266ceb28cbe3e
SHA1 60a7ca9960b4b05093db2517d913e8479cd0e004
SHA256 8caa5894a47e682f90a2be7cc72c5c07288930d0eb7a6568f1c3de5315d2563f
SHA512 330b126f3f43cbf173e69a69fcabe68181d164b382ff5c1573def1364c0577c71a91bc28082d3e23efe182e40f012bedadbc3eaed855fa7cdb5df925c7311fea

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 6c96ddb3aa9ca6706e514e933fd27541
SHA1 48d79a94b4454b636779200b83f13e441fb0b7a5
SHA256 9a6d8485efd013b1c8cfd16faf7ea6eef1e50159043cbaec12d352109a2c24e1
SHA512 c0359437694e1fa8e08843d67e688dc532e587f51c30275be121cb11aa90d7346d87259aa3ccc996f7a8b7bbc557cc72c12d82d53a9c0bd56ccdd20805a8ed2f

Analysis: behavioral3

Detonation Overview

Submitted 2024-03-22 02:02
Reported 2024-03-22 02:04
Platform android-x64-arm64-20240221-en
Max time kernel 3s
Max time network 150s

Command Line

edward.org

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

edward.org

Network

Country | Destination | Domain | Proto
GB | 142.250.200.46:443 | | tcp
GB | 142.250.200.46:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.179.234:443 | | udp
GB | 172.217.169.46:443 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.228:443 | | tcp
GB | 216.58.212.228:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.40:443 | ssl.google-analytics.com | tcp

Files

/data/data/edward.org/files/PersistedInstallation791728842917813143tmp

MD5 f97bb34bda983c32ef7fa3ebb41a5868
SHA1 3a3c8ef2701b998ddaf4ded2990324194391c27e
SHA256 7adbcb422cf0da4d914e79a91bddce324d997a078a7db6d6930c11f488ca5a70
SHA512 cd79705396e9fb17d003b49a9653dff9711dbf0af2013578c43e1e3abfb77e4f425da9b3cb85f81c1bb4864351f26ed3c9c62e6013000ee20ec472dd1ca6a0bd

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 576246b7a2ac8bc54fb874987b8f1ee2
SHA1 d7c656687129a236b4b020b742a0a1869673bdb0
SHA256 114f59edeab01c036c2d7a36be03d274f5d124435985e163131461a17541691f
SHA512 a592e8ca0fab299d3d2e78390c5ec6cfb513bcb338b97cda3ebff7d8d01ec1fcf76a61a8efe4cbbcb2960842a8da8d4cb8164781578daf17f939eb5a307f4baa

/data/data/edward.org/databases/google_app_measurement_local.db

MD5 d9cf75fdd1c2292d986f6c3d5d60f2c8
SHA1 07ecb1d3a26d952ae5fecf54f36699ab498510b1
SHA256 2d227e9b7a044c8e10294f6a831fb92d81ea9582381796d87f35bd268e37538a
SHA512 442c96e4b4c79b8d1c64dd3a6d6088ae1dace441e78d830dfb3190ee1c0fafebc606fb432071b4a1ad1a4ba9b68c7877b0bce520ccc88708feaf82bbc474e0cb

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 10e459b5c4df57a85502dd9aa634254a
SHA1 3d1cb215020ae8e1b086f09125dbdf3e68fb4b1c
SHA256 c62ecdd57b98c1e9d3d91760d7b2e469680eff3207d124a559ff3f931bc62494
SHA512 9ba0ce3fec68b3fb9d77b095f1732a3fc838d5b8e5a78804868571604e39ad0be5e418fcbb3a4b1e9028eab7d8846fa3edbb937474cbcbb866595fdf1b312d15

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 1ba226bac628af412a54abf964bdbda3
SHA1 e969ef5e253a10be29c6984d60edddc9c7cb71f5
SHA256 fa234511753ba7ac4d5c7c21236c47df71eaffa3ec2c2e2274f30eba08b191c9
SHA512 a586f5659298a1a73faebedf1451a9f20a31f33edcc5b5dcf974c34b13b702920b67a7f610bb922fe102af3b584953efbbc0548bcda26d76617db76c46e9ebde

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 fc2bb2df8b3560f378d7dea27412c10b
SHA1 c3e8f90f372fdf87c305df2800c6fd100f492ba2
SHA256 3e8490ff43df509d09e931aff16f06a65c759c4fc5ebd25e93284e5ae6c5e3b9
SHA512 3f0e580acd34d9a5c4bccf332f9d6def547c27785df457ff631c7d7ba8aadda264007afaca4138d41499d40b029c1cf9489d894b21bfb75af8313922bc03e187

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 cd023e6c844010fc558486190b3568b1
SHA1 a7589c16880470022c62dfe0771f816c4f81ce74
SHA256 12e75cd5609f72aad56b4ae772cff680879d530dc9c7d5514c316b31e73e2f8d
SHA512 5fc44b4b1b6ce6c4977bc7cc345bfa41a855e79bb2a595497eedfc23cd610d893261119762322bf83d1f26c825f65b9a25c545923e1c8b77b3298c9a3c88d6ca