Malware Analysis Report

2024-10-19 13:16

Sample ID 240402-mb5tssfb57
Target 05ff22637856bb0edd57cb710afa0d6f944c977fd1045dbd78ea3fb634fa8fb0.zip
SHA256 1afb76089174b9912458f6aeb7dcb4c91fd4108d42d5e036fa21300b350db44b
Tags
irata discovery
score
10/10

Analysis Overview

score
10/10

SHA256

1afb76089174b9912458f6aeb7dcb4c91fd4108d42d5e036fa21300b350db44b

Threat Level: Known bad

The file 05ff22637856bb0edd57cb710afa0d6f944c977fd1045dbd78ea3fb634fa8fb0.zip was found to be: Known bad.

Malicious Activity Summary

irata discovery

Irata family

Irata payload

Acquires the wake lock

Reads information about phone network operator.

Requests dangerous framework permissions

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-04-02 10:18

Signatures

Irata family

irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 10:18

Reported

2024-04-02 10:23

Platform

android-x86-arm-20240221-en

Max time kernel

3s

Max time network

156s

Command Line

edward.org

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

edward.org

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 142.250.200.14:443 | N/A | tcp
GB | 142.250.200.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp

Files

/data/data/edward.org/files/PersistedInstallation1436636918115417827tmp

MD5 f52106fe53436e76a25120463c4b4376
SHA1 86482342759500c4e46eb719efccfb972d882897
SHA256 1a219967f6a85bbd8dc94d0fc4acedb492d003ac54e43b46b45c90ddbf144914
SHA512 da8c8ce2cecfe27c92a3ca7c0aa8b4d5704907493fb94f8a35c5f9585da3a6abaa5b64f88de6ed5058c2f809d5197ac0d106acf5486ea7bf2cc60feca4d7efbf

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 10:18

Reported

2024-04-02 10:23

Platform

android-x64-20240221-en

Max time kernel

3s

Max time network

137s

Command Line

edward.org

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

edward.org

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.46:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 216.58.212.228:443 | N/A | tcp
GB | 216.58.212.228:443 | N/A | tcp

Files

/data/data/edward.org/files/PersistedInstallation2788302965102145962tmp

MD5 ea3536a86b105bf633dc178428c0768b
SHA1 b412d0498bfeb098ff1526ce661b2c42ae0cf872
SHA256 1bbb089a4391be380e5d196ae8e6f7bd600166f7d7eaab5e8ee2a294e3c2c856
SHA512 7f636f77886ce70d4d20a958043d24ddc64ba67430ee07a5bdd1075dc5e27b615d0bf34ccbe2c3308700ab325fe96d3100a5fc8c2ed9165cc7d6a3afeb8f9460

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 88350a75e2f1c8771c0132d8b86a9662
SHA1 82457a3a97aaa47c8c30150cbf40903c33596385
SHA256 8b8b3e63b87facbb129f014b8d8b122252dead67c85721e9a83167ea6c7ba447
SHA512 cc4656cdef4d191bdd4adc9740ff739aead14788a9983daed6061253b529d7100e053b245931b6f00bf8a44b19251b0348c489cd23ac1664651ab748aca24a9c

/data/data/edward.org/databases/google_app_measurement_local.db

MD5 188c0542bc062e48b614e5ca8c1081af
SHA1 0eb9b89a5c92957cd1fe748cc063b32853339774
SHA256 c1ccc325c2699ed7f556cf171566317f706a911c4d02b1644a2a7908b93da58b
SHA512 62a67f2c56bc3b40d49c80094f160d355a8f67130e1924109426e0481008bc2cd11a9e2675a901abd03cad1e7fe0028031e20d826437edcf35b6f86e2499c2b4

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 b0559c7d4270878c7c209298d8738738
SHA1 9809355795ccd5295283394a68523b4de3288e9e
SHA256 01cace6679c611742ced79e1deb838b182857f8ee661f1b059647bb4a81e159d
SHA512 73bfba5c405a50065156e1bdf407b4bef6350d8b61fbf8a7b144404974adcb69dae684f20b566636591098584af70db710026bb3de4e2782dc061e3b6c4cd484

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 e1744b2257ffcf71c05966fa8f3a3e2f
SHA1 08161eea1fe2e6d4e82d8c2076fa3c1a8590add0
SHA256 beb73f4512d256c95cb3dd6d878092e4b014eca4499a07c095a1ef69ec6081e0
SHA512 a697122141d742ef183ea4b6885a957b2b9877fd4d46b8cf900ecc19933ca6533d014b64e91de5eaef7367fc86fea5cb5b9115580d8fdb109015028c5f6faef6

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 77b2f6d3f583ee669bc372a133f14942
SHA1 b1ac8c6daef04c4a8968c764eb47fa3ce5ff3779
SHA256 7eb6d8405467f5bcdd03a01bd98e59b34185233d05003d4b2938b6125074388d
SHA512 6637461ce774f80fd1748a24cec223fe04e76132b6760f03f79883c2a30b7f5a1378237298fc0f530927f3ff86e56584c741d6a1feb604ea7b38c1939583bcaa

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 c4f0010bfaff2aac1d4ad751e40ab02c
SHA1 50de41cbe29c8482a853ddee4ba455718e1b5179
SHA256 fcfd5e0ec638feb51ecd53b4fb29a23d3ba25d0272fb6961a8bc1e06c7bdc60f
SHA512 463cb3cb14ccddb31b877ea85185722f991ce8c96ad2c3ae70705868281db0440667e4f2d0accde40403aded4d2f69d6720e9fb109893bce220a574b4e594971

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-02 10:18

Reported

2024-04-02 10:23

Platform

android-x64-arm64-20240221-en

Max time kernel

4s

Max time network

149s

Command Line

edward.org

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Processes

edward.org

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
GB | 142.250.200.46:443 | N/A | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
GB | 216.58.201.100:443 | N/A | tcp
GB | 216.58.201.100:443 | N/A | tcp

Files

/data/data/edward.org/files/PersistedInstallation5309993457568720425tmp

MD5 4b08cf2d96d43ba0d6f4436c629d1ec9
SHA1 f82273988e10af1df11ac8560810820ced035327
SHA256 42e7964c360dcd36754821b9fdb63732fbaf4df90f8a87b1c235fe0b923228f6
SHA512 99756898ea5e7a9a8ec1abfa0bf847debe1d37fe19e2669d5a44738a85c8b8b296757c7c241d376b75a0e17579a9ef7c722ffc5f432c4e77dadb167bb3a5e4fc

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 5c07f39a5637d6d958c54eeaca4d0b57
SHA1 9b7be4b3a9e95b495c7b83cff8074b9f9d4817d6
SHA256 a20be0890416f08ddcd54d70b9551c5796b75987be4a33ad443e9199f439551d
SHA512 65ed13a0b8fb4aef8145d579c94c3a1a1a8c0b6a09999bacfa4a0ec849e90ff467a7bef7128c1830d7cbf19b4841a2e7c02b8f922713fc17aaab7468e09d9dbc

/data/data/edward.org/databases/google_app_measurement_local.db

MD5 d9cf75fdd1c2292d986f6c3d5d60f2c8
SHA1 07ecb1d3a26d952ae5fecf54f36699ab498510b1
SHA256 2d227e9b7a044c8e10294f6a831fb92d81ea9582381796d87f35bd268e37538a
SHA512 442c96e4b4c79b8d1c64dd3a6d6088ae1dace441e78d830dfb3190ee1c0fafebc606fb432071b4a1ad1a4ba9b68c7877b0bce520ccc88708feaf82bbc474e0cb

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 6080680315a07267f2bc81b65ad3c52b
SHA1 792845bf71d518f96eb76c1c560292073f3e3caf
SHA256 1fc80a0be8af449ede320325ae2fc43fb2d25fa5244227ba6e59bf5b42889755
SHA512 ad711f0577a6b9bfb6fb5bda7e5781d1d84e8ba546f0c3ac0402454ac2e5fa4dc42f749437bb1f85bfd9f92c5bf61cf9a9ae76527b3bd226fc2708d50f91df2d

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 16d20bcee308606c5f73070f0ec73068
SHA1 bab15d2fd760ac36d7788ad96f3f0bced59674b8
SHA256 0dd57c504c42bb39c959cc2f2e542fdd2b6f24864d4591a7a979fea7286c647a
SHA512 d2470888d25d2ccff1dcc05d16758eb4b54bdd68f9457362cdcef053157259f14458f84c06634285bc51202f2b254ee4c7a3bfac1c11c636254f8c234161d3fa

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 4bc91c69510d7d4fa22837473c3a8441
SHA1 55ee80e2e6278beb9e3c1babdfb4f8f7aacb8a69
SHA256 3fefa52e0a0899226267a8f6d5840d9b896b0bb10651c9a7a28e2ba6a14ce73c
SHA512 98ce12b0ba4418ad2452569695279b95c8bc31e7349d2fb5e369f51f82c87b4cdbcdbbf285db78b6f2834a985a9898bb9e89d8d82e84ab531a186198f8d892fc

/data/data/edward.org/files/PersistedInstallation7794840736388523688tmp

MD5 a8881339a2a83ba6f6921880722e9949
SHA1 60519d6483cb9438d70a9af8b7d86de0b44ec9e8
SHA256 646ae8c2b37291fc1e9bca7ea3a84a51b32e8938f955a6f3da0d06376692eedf
SHA512 763713dc3d589142bc9fddde77229d78460b9e7979b2f0a829735d7ed61803e12d4fe96693ba92bef07db5e85aa4e38c115d071678bc429169dc9b4611ef5ea6

/data/data/edward.org/databases/google_app_measurement_local.db-journal

MD5 46165d4b91683612948bdc4c091e9c66
SHA1 dcb0db002e222666a018f31cecb610686f1b3456
SHA256 a33b88156f0e17e9ac3d5fbbfca38e61f4c5617fd8269bf0a931ba7fcbc251d8
SHA512 e0eef60ec4d6da76262a69ffb0449beabddc96d8d6a946b1b3f71f90abb843f8a628c5bb956729a597bc234730c55f5fc1cb04b591dda346e09e365e539ed748