Malware Analysis Report

2024-10-19 13:15

Sample ID 240325-qdyeaabf4y
Target app.apk
SHA256 c907a1ec336853be4dc53fa3d3a73b24d983e098257cbb3d80bd380b6325ca8c
Tags
irata discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c907a1ec336853be4dc53fa3d3a73b24d983e098257cbb3d80bd380b6325ca8c

Threat Level: Known bad

The file app.apk was found to be: Known bad.

Malicious Activity Summary

irata discovery

Irata family

Irata payload

Reads information about phone network operator.

Requests dangerous framework permissions

Acquires the wake lock

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-25 13:09

Signatures

Irata family

irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 13:09

Reported

2024-03-25 13:10

Platform

android-33-x64-arm64-20240229-en

Max time kernel

3s

Max time network

40s

Command Line

com.lyufo.play

Signatures

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Processes

com.lyufo.play

Network

Country Destination Domain Proto
GB 142.250.178.4:443 udp
BE 64.233.166.188:5228 tcp
GB 142.250.178.4:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.178.4:443 tcp
GB 142.250.178.4:443 tcp
N/A 100.69.251.158:5228 mtalk.google.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
N/A 100.67.183.12:443 android.apis.google.com tcp
US 1.1.1.1:53 alt4-mtalk.google.com udp
N/A 100.100.218.93:5228 alt4-mtalk.google.com tcp
GB 142.250.178.4:443 udp
GB 216.58.213.4:443 udp
GB 142.250.178.4:443 tcp
GB 142.250.178.4:443 tcp
GB 216.58.213.4:443 tcp
GB 216.58.213.4:443 tcp
GB 142.250.178.4:443 tcp
US 172.64.41.3:443 tcp
US 172.64.41.3:443 tcp
US 172.64.41.3:443 tcp
US 1.1.1.1:53 update.googleapis.com udp
N/A 100.86.191.1:443 update.googleapis.com tcp
US 172.64.41.3:443 tcp
N/A 100.86.191.1:80 update.googleapis.com tcp
N/A 100.67.183.12:443 android.apis.google.com tcp

Files

/data/data/com.lyufo.play/files/PersistedInstallation5745737601667198857tmp

MD5 533e9c864c0400c60c7a0bf146939ae7
SHA1 b2354f8608fc74c4dbf89212803bb21e78cb0958
SHA256 f886896f9e5fa3cd6424e58865819de19aafbe35a4533f2b1cfddc6e6f259860
SHA512 0c2c2689baf7ee6a6a3f8aca6aa1cf6e87a43d621587704c8df40b8bbe1187f8ec6c7a8c2be746330e6ab8373a047960f0709d30b3e7430f9bdff31cd2798317