Malware Analysis Report

2024-10-19 13:16

Sample ID: 240402-mb6q4aef51
Target: 1a7de9eb169540687f99ada534af513f421b6ce708a5efedbd18246eb4cf57db.zip
SHA256: ca66702ff37e589a0b71c649f4d8a02149c46b54fc9ae81b6628e9dd3963a0b0
Tags: irata
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: ca66702ff37e589a0b71c649f4d8a02149c46b54fc9ae81b6628e9dd3963a0b0

Threat Level: Known bad

The file 1a7de9eb169540687f99ada534af513f421b6ce708a5efedbd18246eb4cf57db.zip was found to be: Known bad.

Malicious Activity Summary

irata

Irata family

Irata payload

Requests dangerous framework permissions

Acquires the wake lock

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-04-02 10:18

Signatures

Irata family

irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-02 10:18
Reported: 2024-04-02 10:24
Platform: android-x86-arm-20240221-en
Max time kernel: 2s
Max time network: 130s

Command Line

org.bax.project

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

org.bax.project

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp

Files

/data/data/org.bax.project/files/PersistedInstallation6723051401893433748tmp

MD5 620bd38fab9620e8b031c961fb9a5efb
SHA1 82cbba10c23912069052ba4cd9d69fd7b80d6d85
SHA256 db468c94645d7984cbf6e728f9875709aa9b794bf882b413f95aa0e96de0209a
SHA512 0620c0e3fc07b76aefea62268e60f06656c6be8e4a73ec6c016962509fb896939c7a2ca19db9481b8e4b061bfbaf845f96539f0a5c8e7a3fa562237e9e7da513

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-02 10:18
Reported: 2024-04-02 10:25
Platform: android-x64-20240221-en
Max time kernel: 3s
Max time network: 136s

Command Line

org.bax.project

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

org.bax.project

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 216.58.213.4:443 | | tcp
GB | 216.58.213.4:443 | | tcp

Files

/data/data/org.bax.project/files/PersistedInstallation9211099868739012007tmp

MD5 4032b9a1ad6df222f016cb458be2be1a
SHA1 cbe6cda4c3a01a41eab49636849bc9b959f12fb5
SHA256 e879e1c3acb0357bd1432d38f9a6ae85781e6dee2e1ac8b32c8c0d4937050134
SHA512 a0d0f4414d08be70696dfb117e66dd93535b625689022d65feaae2c155a651a6c0021cdb0341b45ea4a80551ac834612449d5b3b73ad233036181590729c7ed7

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 7a647e207b452e189aec3ba8c9dd2f90
SHA1 38037120d0aff99a3e21911c44bad1be7764f703
SHA256 e0c26a8433d3479ec9b8260bba1e3fc3e2642e109ef173bdeb1e1ebe7fe6a4e7
SHA512 d1337d631a2fe31f7f5de52eb25be5377c002f4272220a39797fbeb353daca0df91c73d1bc106caf1a993ef33398b146b872284e2589378d0d2941dd2de090ad

/data/data/org.bax.project/databases/google_app_measurement_local.db

MD5 eb52a90bb70b76e946b62f50b6f7fb85
SHA1 42d767b5d1faa7dcef4cb4e1432a5f47ec2e9ee0
SHA256 48472f593a3e9cf9e91ee5f7d66dd9ff291bfb247eb6b46778c710fc24e8d3c4
SHA512 b356c858cadd14b6ecddf134f1c494c0107a1d36be9387984fc53dcb00e6779d944f058f4ac99d0fc2fe3a427cd1c2921c6fc38ecad53909fc4b5b6f04459b5c

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 1817732695f8b07377a6ec2c7f8fe794
SHA1 21b561edd2b6df8f9f3dfd4d38e19f2f382b5802
SHA256 826c33769bd57afb3a1caf59563a63a2974226e517e04a0a61ad9cb8eebc8f83
SHA512 f9b76951c4763e39ec586cfa102b3e47b1fa1282e1afc7d5c6f78f4d4ea64716b5a0f6d62b1c5fc149e0c01a4a7c6487d4192cd0bd0f7e8562603d3d0eb1b2a7

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 f767d9d491521038f0657708b9d1802a
SHA1 7c7291474810304a871e755bee646dd3ec1a0d22
SHA256 19e434a7419b5ed99c89b7d9b4c94db268ddc39ef634fbd7783286e18855b973
SHA512 224bbc587c110334dc7c0da83dc6ea47c2da41208d4a44a0a19bda5be42c501559a12ae93bf38e0e9c7024f653ddf904201aae4bc200c21b4ed602c3d8cfae2c

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 6599db469434c381866cf0340ff556ab
SHA1 ea6058c84a71534780f260dbf42e928e0f770511
SHA256 57d94e83938bdec18a7bd6b4c705d2392505d94a2b4ea00769c0558eea97fe8d
SHA512 43ff2f8df95b84018b2917a62332e1330e41acf5d0fd473d4f878314f76547e4bcdd334fd513eaf40fe0571df4dac559fc8ed1478d0f24992f9a6dd044062f9d

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 4be252b1adb99449d5e2cec98b463368
SHA1 0a5b76ca3f97a4281a2cd8b73e74f30474580719
SHA256 3fcaa3e371e3e3607b8e04962e4af4b03cf301d2f90272d602ec5c0c8f4c94c6
SHA512 c14cf13d50a8654180bf04d58c2196a97fc655e71c373f872cf28d4f3e37378ae94c3479a6f93aad9053e3719015eabc89ae995a348524f88b64ba6095000cb9

Analysis: behavioral3

Detonation Overview

Submitted: 2024-04-02 10:18
Reported: 2024-04-02 10:25
Platform: android-x64-arm64-20240221-en
Max time kernel: 3s
Max time network: 145s

Command Line

org.bax.project

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

org.bax.project

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | udp
GB | 142.250.178.14:443 | | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/data/data/org.bax.project/files/PersistedInstallation6434926844938964835tmp

MD5 7ccf33332d530a8a883647b61b8b6b67
SHA1 1c064cea1dbecf6998e428995ce22443ab84974a
SHA256 ff74ea47a0d4515cda63ee6f9bf0fae6113444ab1c1361c59f471c2d3846ff81
SHA512 699b67ba7e2326629e52954a864ee26cb4576ac336f992064cfe12b80701f563fe998217029c891a8a28ca5abba2061b6234f957d520d9e4986bfdb13bbbaef1

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 4d6ae7447773363975cf7519842c6d1b
SHA1 df48d09d2e2b1fa7094e4a061c5a7a5a6c470dac
SHA256 37d81a06a4aa96f06c1131130cb969bcc6a4add2560b4d6f8a54970e4e02b98a
SHA512 413b9f568c92cd130794c5ca4e601a97141e6d9ec91519cb66efc8a77fcf5bc7519af2da26e576fd1d13bb1a70e7045d5188ed9db18bdc8dfcc5e76e6d6d35be

/data/data/org.bax.project/databases/google_app_measurement_local.db

MD5 d9cf75fdd1c2292d986f6c3d5d60f2c8
SHA1 07ecb1d3a26d952ae5fecf54f36699ab498510b1
SHA256 2d227e9b7a044c8e10294f6a831fb92d81ea9582381796d87f35bd268e37538a
SHA512 442c96e4b4c79b8d1c64dd3a6d6088ae1dace441e78d830dfb3190ee1c0fafebc606fb432071b4a1ad1a4ba9b68c7877b0bce520ccc88708feaf82bbc474e0cb

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 e3f5cca0dd02ad7982cf983098286ef4
SHA1 a222162c12bf92a8611d4569acbc86d40bd26d39
SHA256 e8f2e36763ef4716c6683db584ca8898cedbf82ffff658308a854494f4785ac9
SHA512 b5191f46961af21c780bb558f668f437cc540bced8801386b66ee5cd4d741af01d153aa676224e7164c16a9b605e5f3bbf0d6ff99c051826e0625a748af69aa9

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 b81ed031d66e3d477c58761523e0fe6c
SHA1 87b0788314c3961267cd960daa8ae7b74cfce79b
SHA256 b88de5f7f442aaadda4a350b3336fed8fb4c068bd713364616391a3c89c8eb7e
SHA512 d84f4beda5b53e39a1317fe904f0ef940bc225c1d2cd828f788ccc26edcf17ad35d4e7bf66910c559fc937ce2389aa802088e47bf81421d03506834a554ef649

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 b783a00d337198e514d13c1521d714f9
SHA1 d8dc0e4e51d0f3a04c16a10a31b1f7182243c5d9
SHA256 1983a614a4dcea9aa3396db0179268782a1c8fb6baf1d58f856982d40828ef5b
SHA512 80fada4d3dcec1273665c5d2cdaaa57854e427baf7722fcdd829f74018ad3b1e1af46b2261d4b30d0282769673466431e0cc80fd52b20d4d2c77dab605b00a42

/data/data/org.bax.project/files/PersistedInstallation4840501396980198652tmp

MD5 11f99fadb43df350ef7c0e5715d6fcde
SHA1 d1ebb5d2d3beffb3fbb015cf78cc30794f6bf820
SHA256 67eb6ac4a0a19631a0e79a56e81127003729e5823d014b958cd681e2831c0859
SHA512 24ad6c1d39260448df09daef26ad764d021931103de7657a3fdd424227a3ac82692158ffca504a29a30311eacc88b211ed8c7178ce72cc6f6246e79092e21b8f

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 3e3680ba6c2a385111c1d200ffe3f3fb
SHA1 2d13c9f8fdc15cc239bdac7e489339e63ea60d88
SHA256 763ba9f8480418ec5aaebc990fa24b48b3c16fe295868bde0a8bbb1391f5f528
SHA512 44fb449d41853cabb85a101a59686632c2eaf1c55c92571194ca0792532e4b81a416c1babc8669765c4a534edcdff4b0498b84575b2dff9759acfc5362760716