Malware Analysis Report

2024-10-19 13:16

Sample ID: 240402-mb7cmafb65
Target: 30e32b40f5fbbc3e81150e35b2bb703832c557c742c80de15140a9272d03f715.zip
SHA256: a3d9af3a503dd47d7e1614438127cb8720093b632d787037f7b2cfb335bd39a1
Tags: irata
Score: 10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: a3d9af3a503dd47d7e1614438127cb8720093b632d787037f7b2cfb335bd39a1

Threat Level: Known bad

The file 30e32b40f5fbbc3e81150e35b2bb703832c557c742c80de15140a9272d03f715.zip was found to be: Known bad.

Malicious Activity Summary

irata

Irata family

Irata payload

Acquires the wake lock

Requests dangerous framework permissions

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-04-02 10:18

Signatures

Irata family

irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-02 10:18
Reported: 2024-04-02 10:25
Platform: android-x86-arm-20240221-en
Max time kernel: 3s
Max time network: 130s

Command Line

org.bax.project

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

org.bax.project

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.200.42:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp

Files

/data/data/org.bax.project/files/PersistedInstallation6006999319805590098tmp

MD5 e1659af3a0056650500dc5322359184b
SHA1 7d77bfb9aae7037a9a6047adb9fea18e6c07a9f7
SHA256 3fcab14a9bcd0f5ea70940f397a5e1eec27792be529bca12518a2a480cc68d6f
SHA512 91ef25e6c8ad76b3915ae221409e57de5490a912e26995f5e038c38ec8618170708d372676735c345f3a3b6f261109f744cdb02787e5b1131bb6d7877c66d4ed

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-02 10:18
Reported: 2024-04-02 10:26
Platform: android-x64-20240221-en
Max time kernel: 3s
Max time network: 138s

Command Line

org.bax.project

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

org.bax.project

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.2:443 | | tcp
GB | 142.250.179.238:443 | | tcp

Files

/data/data/org.bax.project/files/PersistedInstallation194707102747799948tmp

MD5 a0177bc086f4320ad59326e6d6c60fb6
SHA1 070e347523673e4c153c6835e5d19798cfee9951
SHA256 d37ac93165160961e1208771bb46f08dce6915aac62cba28c1ed0b0c4cafdff3
SHA512 3dfa113aa558ad3fb5ebf452f2d5d53f724b0fb5c6b0af8e3ec09ff4d44cbbb87078ba68e175482c5b023e6069b37cb4844afa7256cab2ea77c82b01ac1e9b9f

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 7a740230957380eee9ca25522c13afd0
SHA1 69308db38905501b5ba19b7ad021cd7795b02da0
SHA256 0da5c0c7d07fd92991733d323506f26a8e6422c4d26c532dee6fad1ceba69f79
SHA512 1e9de9d5e96054125e6059b4f07757f513fb3745d7c0acca3699ac6ff40aa3262fb85020fc9b642896a727de96ef7cd68e3903fc7784d8ac1a48dfee136ed27d

/data/data/org.bax.project/databases/google_app_measurement_local.db

MD5 188c0542bc062e48b614e5ca8c1081af
SHA1 0eb9b89a5c92957cd1fe748cc063b32853339774
SHA256 c1ccc325c2699ed7f556cf171566317f706a911c4d02b1644a2a7908b93da58b
SHA512 62a67f2c56bc3b40d49c80094f160d355a8f67130e1924109426e0481008bc2cd11a9e2675a901abd03cad1e7fe0028031e20d826437edcf35b6f86e2499c2b4

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 43a0bde53144791a71206db3616d0dfa
SHA1 edaeebf64ca1c9397477e857897b597c93b6a27c
SHA256 a248a752f2b24d6a0fac052ec98c1b3d7effdf6d4163c2b9b87fdc898121964d
SHA512 a442d02943c98f2bb734b9450840b6d840d70f4712526204006d2b68104ab7e23c15b043c065356516b28479d3f33bed8330371ae8e9f2a87a3ba701d382e23f

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 c39744bc46760e9ec41a6990f0bc9d17
SHA1 77323fef75c14a813ac6485a30b30a6db9c21dc2
SHA256 4d7d7ca5ffe6b73e1f37ae16e4424a82e2ed6c8825c8f67e1b01695d4c9e7e9e
SHA512 3c47b06ec945caba236e606c33ff36b119959f978392e0b0eccc5d13859172138950562d4a09ba2196664d5f50e85697e72fabeac14753e830888814a36bd344

/data/data/org.bax.project/files/PersistedInstallation5115037497705985553tmp

MD5 63ab7f2534623833be149529ba590a59
SHA1 040fb88d18d22bbe7d5d92109e1beafefd004bc1
SHA256 7d64f67b48eae330a6969c05a5946dde1c328e742e1a430f1d34a99e613d4f41
SHA512 8994146a8bb385f872e300610f0cc0966cb7a2a07f002417116453d2c55b749f18b1ea4f2c02009a034307ec516860b228a0d66f6b8fb534c6c3c84d87aebab4

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 48404ab1738166caaf2033a197bb903e
SHA1 a07247328c002c4a14cf3021b49a2140a26634ff
SHA256 18198d63a7986838570e9bf25af78fa9a49f466cf7723fdf3085cda75b9be3cd
SHA512 1b9fed566020aec4fef7417fed15f46850e9d1cd0cafd07431fa2818c30e84ed5ed8bb3cc86816742d05390e0d529b31f04c8455ef150c34b1665c57eba7960f

Analysis: behavioral3

Detonation Overview

Submitted: 2024-04-02 10:18
Reported: 2024-04-02 10:26
Platform: android-x64-arm64-20240221-en
Max time kernel: 4s
Max time network: 140s

Command Line

org.bax.project

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

org.bax.project

Network

Country | Destination | Domain | Proto
GB | 142.250.200.14:443 | | tcp
GB | 142.250.200.14:443 | | tcp
GB | 142.250.200.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.180.10:443 | | udp
GB | 216.58.213.14:443 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/data/data/org.bax.project/files/PersistedInstallation6647591081611359857tmp

MD5 3fb1e4726eac242946db4b8f98aff771
SHA1 dbb7e8c2e17d79ac5c45e80a452ad9ff45eede0d
SHA256 6b81516fac74be83580cc8adab7fc596f7ee50c7c44f68783ed6ae187b4857cb
SHA512 9d3630b3f257e68ae4145a8f4a7c036b47c88e418fad054d95c883930514089eb5a95a9ced27ca81923397782c55ced1fcbd685fca082f732f7475f419d0444a

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 0b366529a4805d85576875a8d6538612
SHA1 83a3ecebf9e8ce2be643669c919741a1edb8a2aa
SHA256 37f38dd02487c45d055892989a28acb0b9eedd83968ff5cd63610c901338580a
SHA512 8bf3acc99c11420a7ccf6286f0aabe5b3a625097251e3b0a47f0460aa045dad7857f8c54849299014a3632c3e65f42572e706326598a884c1a30d29171aa98c4

/data/data/org.bax.project/databases/google_app_measurement_local.db

MD5 d9cf75fdd1c2292d986f6c3d5d60f2c8
SHA1 07ecb1d3a26d952ae5fecf54f36699ab498510b1
SHA256 2d227e9b7a044c8e10294f6a831fb92d81ea9582381796d87f35bd268e37538a
SHA512 442c96e4b4c79b8d1c64dd3a6d6088ae1dace441e78d830dfb3190ee1c0fafebc606fb432071b4a1ad1a4ba9b68c7877b0bce520ccc88708feaf82bbc474e0cb

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 4e906784995cea407a416c571dcff8cc
SHA1 9ed21d53ef6b7cf8179f66554f8206ae2db710c4
SHA256 327861fa3cecd50ddfae16793e577c61781b2aff6e8eb75399b21c134291bda1
SHA512 874c7805c9bf4ecc30c9fd5a0697492051d79b4d5188c5227a276e31241f45bd7c90b97e3a6028d6686eba86b072defbcdfc77542fd3ff62bb36970fb7028868

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 12fee822f24d801401945c38a9d9df10
SHA1 da936aa264945dc98b737204635ab09ab5ed29b3
SHA256 886535dffd63a0ba94c7e8be9f085a1ae239bc9178c7d6b30f8f6902f4375146
SHA512 91ded9b6ff70ff7ca65e72b10a230777634fce84c92980b29c563656c2e93450c47a857818e0bac1a32402d6bbbba5c83d4de3febec10c94687067f472ebf07f

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 5532c26097fdcbbffd5ed8009c80ce77
SHA1 ab38c62befcf9f984cd91102990da146ddb88926
SHA256 2aee75d587f7fc8fd439d6f210b1497722215cf7006cd56ebc6edb637612f9c5
SHA512 f761ea7cf8b0d93e7a47396d2c207d5e6bf0837724dda48916ccbfe36ac5cfe3d06f991009683ae91e1f9870b732e53fc24f51b89f306795e730e33a3adf9bea

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 30623978771e140fda5ca43f9d1e5698
SHA1 23e866c441b5bffa6ba054e7268d471feb6a7170
SHA256 e2e804bab1613e8a0389087ad0d5d0abe4fb64725a3fdac29950445a5300c446
SHA512 7466f1dd4df87e74a7ec0b2698fb6d0d77d99c9614f8870051470d42cf38b87ead9471b84bb1f52894319cabe8d372d626d56c0b7a39134bed95edc0636dc7d2

/data/data/org.bax.project/files/PersistedInstallation7704769096697778756tmp

MD5 66800d6ac42beb6a1acb1e7536062727
SHA1 c19d3f0ad866d0baa11c8b8c5db2813d36632935
SHA256 bb9aaa0a2e15ab172cd5fdb8e6718f160c955c9365c2a6134a0bc5e3d73625b0
SHA512 a6b1a8f76617738495f45216bc3c8f37a6bf7087335dd0a1658903f8743938d5da5b15be0f6797fd8c449de54f2acdad22d9fbf9a4750e43a71358b157dde101

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 0419d1eeb841441e3fb41c4e4fd13ab4
SHA1 002e1107531fcbf61e78edff2b63532a5cf5e576
SHA256 649193457a59f9765b6279ee8ce07ae868b132208f29649b8be15818c315c8d1
SHA512 24a3c4959cdd7f1fe083b135b42b78ec0a40ce82711202b54786c3171fe0abcbf9c293e814ba068644f905ab62feddb1a7333c436b66a4c12af46d41d57a6f80