Analysis Overview
SHA256
1afb76089174b9912458f6aeb7dcb4c91fd4108d42d5e036fa21300b350db44b
Threat Level: Known bad
The file 05ff22637856bb0edd57cb710afa0d6f944c977fd1045dbd78ea3fb634fa8fb0.zip was found to be: Known bad.
Malicious Activity Summary
Irata family
Irata payload
Acquires the wake lock
Reads information about phone network operator
Requests dangerous framework permissions
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-02 10:18
Signatures
Irata family
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Irata payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
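The static1 signature above lists the requested permissions one by one; what makes the set suspicious is the combination: RECEIVE_SMS plus READ_SMS lets an app read incoming one-time passcodes, SEND_SMS lets it relay them, and READ_CONTACTS gives it a target list. The following Python is an added example, not part of the sandbox report or of the sample: it parses a decoded AndroidManifest.xml, reports which requested permissions carry Android's dangerous protection level, and applies that combination heuristic (the cluster names and the DANGEROUS list are this editor's choices; the embedded manifest is constructed to mirror the permission list above, not extracted from the APK).

```python
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Runtime ("dangerous" protection level) permissions: the six from the report
# plus a few others that are commonly abused. Not an exhaustive list.
DANGEROUS = {
    "android.permission.CALL_PHONE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Heuristic cluster (editor's own, not the sandbox's): receiving and reading
# SMS together is what an OTP-stealing app needs; SEND_SMS adds relaying.
SMS_INTERCEPT = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return every android:name from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def triage(manifest_xml: str) -> dict:
    """Summarise the dangerous permissions and the SMS/contacts clusters."""
    perms = requested_permissions(manifest_xml)
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "dangerous": sorted(perms & DANGEROUS),
        "sms_intercept": SMS_INTERCEPT <= perms,
        "sms_relay": SMS_INTERCEPT <= perms
        and "android.permission.SEND_SMS" in perms,
        "contacts_harvest": "android.permission.READ_CONTACTS" in perms,
    }


# Constructed manifest mirroring the static1 permission list above. It is not
# the sample's manifest; the package name is taken from the process list.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="edward.org">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="app"/>
</manifest>"""

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST), indent=2))
```

The manifest inside a real APK is binary XML, so feed this function the text produced by `apktool d` or `aapt dump xmltree app.apk AndroidManifest.xml` rather than the raw file; `aapt dump permissions app.apk` gives the same list directly if only the permission names are needed.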
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-02 10:18
Reported
2024-04-02 10:23
Platform
android-x86-arm-20240221-en
Max time kernel
3s
Max time network
156s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Processes
edward.org
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.200.14:443 | | tcp |
| GB | 142.250.200.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.213.14:443 | android.apis.google.com | tcp |
Files
/data/data/edward.org/files/PersistedInstallation1436636918115417827tmp
| MD5 | f52106fe53436e76a25120463c4b4376 |
| SHA1 | 86482342759500c4e46eb719efccfb972d882897 |
| SHA256 | 1a219967f6a85bbd8dc94d0fc4acedb492d003ac54e43b46b45c90ddbf144914 |
| SHA512 | da8c8ce2cecfe27c92a3ca7c0aa8b4d5704907493fb94f8a35c5f9585da3a6abaa5b64f88de6ed5058c2f809d5197ac0d106acf5486ea7bf2cc60feca4d7efbf |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-02 10:18
Reported
2024-04-02 10:23
Platform
android-x64-20240221-en
Max time kernel
3s
Max time network
137s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Processes
edward.org
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| GB | 216.58.212.228:443 | | tcp |
| GB | 216.58.212.228:443 | | tcp |
Files
/data/data/edward.org/files/PersistedInstallation2788302965102145962tmp
| MD5 | ea3536a86b105bf633dc178428c0768b |
| SHA1 | b412d0498bfeb098ff1526ce661b2c42ae0cf872 |
| SHA256 | 1bbb089a4391be380e5d196ae8e6f7bd600166f7d7eaab5e8ee2a294e3c2c856 |
| SHA512 | 7f636f77886ce70d4d20a958043d24ddc64ba67430ee07a5bdd1075dc5e27b615d0bf34ccbe2c3308700ab325fe96d3100a5fc8c2ed9165cc7d6a3afeb8f9460 |
/data/data/edward.org/databases/google_app_measurement_local.db-journal
| MD5 | 88350a75e2f1c8771c0132d8b86a9662 |
| SHA1 | 82457a3a97aaa47c8c30150cbf40903c33596385 |
| SHA256 | 8b8b3e63b87facbb129f014b8d8b122252dead67c85721e9a83167ea6c7ba447 |
| SHA512 | cc4656cdef4d191bdd4adc9740ff739aead14788a9983daed6061253b529d7100e053b245931b6f00bf8a44b19251b0348c489cd23ac1664651ab748aca24a9c |
/data/data/edward.org/databases/google_app_measurement_local.db
| MD5 | 188c0542bc062e48b614e5ca8c1081af |
| SHA1 | 0eb9b89a5c92957cd1fe748cc063b32853339774 |
| SHA256 | c1ccc325c2699ed7f556cf171566317f706a911c4d02b1644a2a7908b93da58b |
| SHA512 | 62a67f2c56bc3b40d49c80094f160d355a8f67130e1924109426e0481008bc2cd11a9e2675a901abd03cad1e7fe0028031e20d826437edcf35b6f86e2499c2b4 |
/data/data/edward.org/databases/google_app_measurement_local.db-journal
| MD5 | b0559c7d4270878c7c209298d8738738 |
| SHA1 | 9809355795ccd5295283394a68523b4de3288e9e |
| SHA256 | 01cace6679c611742ced79e1deb838b182857f8ee661f1b059647bb4a81e159d |
| SHA512 | 73bfba5c405a50065156e1bdf407b4bef6350d8b61fbf8a7b144404974adcb69dae684f20b566636591098584af70db710026bb3de4e2782dc061e3b6c4cd484 |
/data/data/edward.org/databases/google_app_measurement_local.db-journal
| MD5 | e1744b2257ffcf71c05966fa8f3a3e2f |
| SHA1 | 08161eea1fe2e6d4e82d8c2076fa3c1a8590add0 |
| SHA256 | beb73f4512d256c95cb3dd6d878092e4b014eca4499a07c095a1ef69ec6081e0 |
| SHA512 | a697122141d742ef183ea4b6885a957b2b9877fd4d46b8cf900ecc19933ca6533d014b64e91de5eaef7367fc86fea5cb5b9115580d8fdb109015028c5f6faef6 |
/data/data/edward.org/databases/google_app_measurement_local.db-journal
| MD5 | 77b2f6d3f583ee669bc372a133f14942 |
| SHA1 | b1ac8c6daef04c4a8968c764eb47fa3ce5ff3779 |
| SHA256 | 7eb6d8405467f5bcdd03a01bd98e59b34185233d05003d4b2938b6125074388d |
| SHA512 | 6637461ce774f80fd1748a24cec223fe04e76132b6760f03f79883c2a30b7f5a1378237298fc0f530927f3ff86e56584c741d6a1feb604ea7b38c1939583bcaa |
/data/data/edward.org/databases/google_app_measurement_local.db-journal
| MD5 | c4f0010bfaff2aac1d4ad751e40ab02c |
| SHA1 | 50de41cbe29c8482a853ddee4ba455718e1b5179 |
| SHA256 | fcfd5e0ec638feb51ecd53b4fb29a23d3ba25d0272fb6961a8bc1e06c7bdc60f |
| SHA512 | 463cb3cb14ccddb31b877ea85185722f991ce8c96ad2c3ae70705868281db0440667e4f2d0accde40403aded4d2f69d6720e9fb109893bce220a574b4e594971 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-02 10:18
Reported
2024-04-02 10:23
Platform
android-x64-arm64-20240221-en
Max time kernel
4s
Max time network
149s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Reads information about phone network operator
Processes
edward.org
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.180.14:443 | | tcp |
| GB | 142.250.180.14:443 | | tcp |
| GB | 142.250.180.14:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.200.46:443 | | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 216.58.201.100:443 | | tcp |
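Across the three behavioral runs the only signatures are the wake lock and the operator read; none of the SMS or contacts access the static permissions point to is observed, and the network tables contain only mDNS, DNS through 1.1.1.1, TLS to the two named Google hosts (Play services and Google Analytics, matching the Firebase artifacts in the Files sections) and a handful of 443 connections with no domain attached. The Python below is an added example, not part of the report: it parses rows in the table layout used above, separates known SDK telemetry from traffic that still needs an owner, and returns the unresolved IPs as a review list rather than assuming they are benign. The telemetry allowlist is this editor's assumption, and the embedded rows are constructed to mirror the behavioral3 table.

```python
import ipaddress
import json
from collections import Counter

# Hostnames that belong to SDK telemetry rather than to the app's operator.
# Editor's assumption; extend it per environment.
FIRST_PARTY_TELEMETRY = {
    "android.apis.google.com",   # Google Play services
    "ssl.google-analytics.com",  # Google Analytics / Firebase Analytics
}


def parse_row(line: str) -> dict:
    """Parse one '| Country | Destination | Domain | Proto |' row."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        raise ValueError(f"expected 4 cells, got {len(cells)}: {line!r}")
    country, dest, domain, proto = cells
    host, _, port = dest.rpartition(":")
    return {
        "country": None if country == "N/A" else country,
        "ip": ipaddress.ip_address(host),
        "port": int(port),
        "domain": domain or None,
        "proto": proto,
    }


def classify(row: dict) -> str:
    """Bucket a connection by what it tells the analyst."""
    if row["ip"].is_multicast and row["port"] == 5353:
        return "mdns"         # local service discovery, not egress
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns"          # name lookup; the domain column says what
    if row["domain"] in FIRST_PARTY_TELEMETRY:
        return "telemetry"    # known SDK endpoint, explained by the SDK files
    if row["domain"] is None and row["ip"].is_global:
        return "unresolved"   # no name seen; attribute the IP before dismissing
    return "other"


def summarize(table: str) -> dict:
    """Count buckets and list everything that still needs an explanation."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if not line.strip().startswith("|") or cells[0] == "Country":
            continue  # skip blank lines and the header row
        rows.append(parse_row(line))
    counts = Counter(classify(r) for r in rows)
    resolved = {r["domain"] for r in rows if r["domain"]}
    unresolved_ips = sorted({r["ip"] for r in rows if classify(r) == "unresolved"})
    return {
        "counts": dict(counts),
        "resolved_domains": sorted(resolved),
        "needs_review": {
            "domains": sorted(resolved - FIRST_PARTY_TELEMETRY),
            "ips": [str(ip) for ip in unresolved_ips],
        },
    }


# Constructed rows mirroring the behavioral3 table above (corrected layout).
SAMPLE_TABLE = """
| Country | Destination | Domain | Proto |
| GB | 142.250.180.14:443 | | tcp |
| GB | 142.250.180.14:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.200.46:443 | | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp |
| GB | 216.58.201.100:443 | | tcp |
"""

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_TABLE), indent=2))
```

An empty `needs_review.domains` list with a non-empty `needs_review.ips` list is the situation this report shows: nothing outside Google's telemetry was named, but the unresolved 443 connections have to be attributed (reverse DNS, WHOIS, or the sandbox's PCAP) before the run can be called free of command-and-control traffic. A run that surfaces no SMS activity in a few seconds of kernel time also says little about what the payload does once it receives a message.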
Files
/data/data/edward.org/files/PersistedInstallation5309993457568720425tmp
| MD5 | 4b08cf2d96d43ba0d6f4436c629d1ec9 |
| SHA1 | f82273988e10af1df11ac8560810820ced035327 |
| SHA256 | 42e7964c360dcd36754821b9fdb63732fbaf4df90f8a87b1c235fe0b923228f6 |
| SHA512 | 99756898ea5e7a9a8ec1abfa0bf847debe1d37fe19e2669d5a44738a85c8b8b296757c7c241d376b75a0e17579a9ef7c722ffc5f432c4e77dadb167bb3a5e4fc |
/data/data/edward.org/databases/google_app_measurement_local.db-journal
| MD5 | 5c07f39a5637d6d958c54eeaca4d0b57 |
| SHA1 | 9b7be4b3a9e95b495c7b83cff8074b9f9d4817d6 |
| SHA256 | a20be0890416f08ddcd54d70b9551c5796b75987be4a33ad443e9199f439551d |
| SHA512 | 65ed13a0b8fb4aef8145d579c94c3a1a1a8c0b6a09999bacfa4a0ec849e90ff467a7bef7128c1830d7cbf19b4841a2e7c02b8f922713fc17aaab7468e09d9dbc |
/data/data/edward.org/databases/google_app_measurement_local.db
| MD5 | d9cf75fdd1c2292d986f6c3d5d60f2c8 |
| SHA1 | 07ecb1d3a26d952ae5fecf54f36699ab498510b1 |
| SHA256 | 2d227e9b7a044c8e10294f6a831fb92d81ea9582381796d87f35bd268e37538a |
| SHA512 | 442c96e4b4c79b8d1c64dd3a6d6088ae1dace441e78d830dfb3190ee1c0fafebc606fb432071b4a1ad1a4ba9b68c7877b0bce520ccc88708feaf82bbc474e0cb |
/data/data/edward.org/databases/google_app_measurement_local.db-journal
| MD5 | 6080680315a07267f2bc81b65ad3c52b |
| SHA1 | 792845bf71d518f96eb76c1c560292073f3e3caf |
| SHA256 | 1fc80a0be8af449ede320325ae2fc43fb2d25fa5244227ba6e59bf5b42889755 |
| SHA512 | ad711f0577a6b9bfb6fb5bda7e5781d1d84e8ba546f0c3ac0402454ac2e5fa4dc42f749437bb1f85bfd9f92c5bf61cf9a9ae76527b3bd226fc2708d50f91df2d |
/data/data/edward.org/databases/google_app_measurement_local.db-journal
| MD5 | 16d20bcee308606c5f73070f0ec73068 |
| SHA1 | bab15d2fd760ac36d7788ad96f3f0bced59674b8 |
| SHA256 | 0dd57c504c42bb39c959cc2f2e542fdd2b6f24864d4591a7a979fea7286c647a |
| SHA512 | d2470888d25d2ccff1dcc05d16758eb4b54bdd68f9457362cdcef053157259f14458f84c06634285bc51202f2b254ee4c7a3bfac1c11c636254f8c234161d3fa |
/data/data/edward.org/databases/google_app_measurement_local.db-journal
| MD5 | 4bc91c69510d7d4fa22837473c3a8441 |
| SHA1 | 55ee80e2e6278beb9e3c1babdfb4f8f7aacb8a69 |
| SHA256 | 3fefa52e0a0899226267a8f6d5840d9b896b0bb10651c9a7a28e2ba6a14ce73c |
| SHA512 | 98ce12b0ba4418ad2452569695279b95c8bc31e7349d2fb5e369f51f82c87b4cdbcdbbf285db78b6f2834a985a9898bb9e89d8d82e84ab531a186198f8d892fc |
/data/data/edward.org/files/PersistedInstallation7794840736388523688tmp
| MD5 | a8881339a2a83ba6f6921880722e9949 |
| SHA1 | 60519d6483cb9438d70a9af8b7d86de0b44ec9e8 |
| SHA256 | 646ae8c2b37291fc1e9bca7ea3a84a51b32e8938f955a6f3da0d06376692eedf |
| SHA512 | 763713dc3d589142bc9fddde77229d78460b9e7979b2f0a829735d7ed61803e12d4fe96693ba92bef07db5e85aa4e38c115d071678bc429169dc9b4611ef5ea6 |
/data/data/edward.org/databases/google_app_measurement_local.db-journal
| MD5 | 46165d4b91683612948bdc4c091e9c66 |
| SHA1 | dcb0db002e222666a018f31cecb610686f1b3456 |
| SHA256 | a33b88156f0e17e9ac3d5fbbfca38e61f4c5617fd8269bf0a931ba7fcbc251d8 |
| SHA512 | e0eef60ec4d6da76262a69ffb0449beabddc96d8d6a946b1b3f71f90abb843f8a628c5bb956729a597bc234730c55f5fc1cb04b591dda346e09e365e539ed748 |