Malware Analysis Report

2024-10-19 13:16

Sample ID 240402-mb7ndsef6t
Target 3a91e5ace8cbd8a29968bd400c63f893d4300422a17db9d0df2162f49d1c0388.zip
SHA256 d6869d0862ba76d4562761732b984d87584e64ac11f0688e40a71b356be4ecec
Tags irata discovery
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 d6869d0862ba76d4562761732b984d87584e64ac11f0688e40a71b356be4ecec

Threat Level: Known bad

The file 3a91e5ace8cbd8a29968bd400c63f893d4300422a17db9d0df2162f49d1c0388.zip was found to be: Known bad.

Malicious Activity Summary

irata discovery

Irata family

Requests dangerous framework permissions

Acquires the wake lock

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-02 10:18

Signatures

Irata family

irata

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an instant app to create foreground services. | android.permission.INSTANT_APP_FOREGROUND_SERVICE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-02 10:18
Reported 2024-04-02 10:26
Platform android-x86-arm-20240221-en
Max time kernel 20s
Max time network 146s

Command Line

com.drnull.v5

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.drnull.v5

Network

Country | Destination | Domain | Proto
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | api.cloudflare.com | udp
US | 104.19.193.29:443 | api.cloudflare.com | tcp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.180.2:443 | | tcp

Files

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 af756bb0c71c7225ae84ec0e82534371
SHA1 f28bfc7219c909b2399f9542363064146d7bed80
SHA256 17cfce8e55ee563f1ab0a118d13e5a98816c8469c5d1510b48c4873b310820c5
SHA512 fae59d43b5c1e4a37297a0e44969de0b15104da65993f981e8233c51dcab6688f204db2dac8fb4d8b2ab2f0f48ce477f26c5e05a87948e8ac86c04fbf74ea9bd

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-wal

MD5 81b3f6da713b37b0cd9e4827ddca136b
SHA1 92412276e4f9d86754095ba95eef378280bdb8bf
SHA256 7301fae01880cc5fa82e27c459383df9aa6d99f721a7bac6c55341b1233ea8e8
SHA512 2e16979f7251937c21763b5df8a626745d8ee05e049f30d5fc7cd71231d7e5b13f608226a328c96b7339628184b7323541291e462faa07bf5acf0f4fcf4fb4f3

/data/data/com.drnull.v5/files/PersistedInstallation935546441675840111tmp

MD5 e53f374604a8c2ea8bc56910625e5168
SHA1 2716221750a1f52f5cd7ea38c4a58802b78dd3f7
SHA256 1cda211f8207bfe319c2781d708c06deebd3d32fc196fc533387a5feb2c49bef
SHA512 e88c5236d7e8eaaae59dfac2ea1fde1939051159b408ab8dc99a4efe199719ce4fe7573d58b94b663a3433427f764efc7c84eefff9a6d39b1a45e23a179ff80a

/data/data/com.drnull.v5/files/database.db

MD5 f28069bb5ddbccda5b68e4c0386c7b43
SHA1 271f4f5cae97fa168bb466856d99c964713e77a7
SHA256 01a21955ef8f404843d9522c320c4ec45dd942e6ed2be53233abf8924e38803e
SHA512 8edc563b3c46d2d3328c69a196a5ebd3e3fca09a19b7a16f9121c089e3b597bbd01f232437e883f69412f82eba71e77e3ad78947bd0e846c4a8a43a82bca1158

/data/data/com.drnull.v5/files/PersistedInstallation5795272756152313100tmp

MD5 87a7788f5f7a4711a955685259ecd63b
SHA1 ee4f10817d41fa1cbb0ab10f4dd3ad4dfa531952
SHA256 a24a003922ba12be544a0d2a4b0d604a2ca9e24becda7d09efc9495ab951a592
SHA512 dfe25cd9f4f227df3f76336ccf23338fe3d3994fb52a19f8de30c85167cd026b6024fc483ded71d147c2d097f906bee3d8a51c48382cb30254c6964cd4f07161

/data/data/com.drnull.v5/files/database.db

MD5 90513f73643e631f2b0c324a6acaa673
SHA1 5bb6b81bfeef1c1b70a541d1b56ff2779758fa6c
SHA256 bb2da634e5828d9452897ad58f01833989806ca517af099fca1b4ed2275f8071
SHA512 fadc259b5754aeb33341368a7c9426ae71a0b384311d4fab8f10f9754a8fb2d5079493bedfcf549241f02f4960476ad67484d43bcaf8389b63df491901401ca2

/data/misc/profiles/cur/0/com.drnull.v5/primary.prof

MD5 71a2513c209c8239600dba4a08f44e11
SHA1 5bbecfe2ceff2e85bf7e6f0dd4b446fd706a7588
SHA256 a9e27277be6cd2059f1fc3a57f92449d56ed7f6464381c3bd402d5bf541aea94
SHA512 d2d6e80c92f079312eb7e049736f93266a5506459b793937bbe191200ef01d1ab80949cd956147bf85c72523a9fc7e23bb1cdb0e1e843e41373d1a6483c013de

/data/data/com.drnull.v5/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 f0ed6333c3271c75c239f3c3465ae7aa
SHA1 d8af6a3bf38a9290f7797997899d4a6d607555d6
SHA256 3729761244ac95ea39d8eb2120ef7eda211a893402a0ae6e67a243f6b2f36732
SHA512 48ad4bc60154d14ccabf248b8079f060039dcdeaec151e3df55ff896e5df6022d896f56b5b6b499b05ecb70264c3f64b9bfa4d1ff522cb0867610b3ed73a954a

/data/data/com.drnull.v5/files/profileInstalled

MD5 467863decdf17868074fa1ce82395207
SHA1 59e6c90e0abd05c70c278a7bb0c96127289803dd
SHA256 9ce4980e9e527b99153eb6930b301bdacf928f45bda9da81f0430681857511a6
SHA512 fa3b2e312fc39a3c735d06052d0e99d6e038c3a56a3e58d8450eabd157f0e726fde24eaf839221c88c586759e25adbc11d08e5c6ae4d16b952c3af4ed7280dad

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-02 10:18
Reported 2024-04-02 10:26
Platform android-x64-arm64-20240221-en
Max time kernel 20s
Max time network 145s

Command Line

com.drnull.v5

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.drnull.v5

Network

Country | Destination | Domain | Proto
GB | 142.250.200.46:443 | | tcp
GB | 142.250.200.46:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.46:443 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | api.cloudflare.com | udp
US | 104.19.192.175:443 | api.cloudflare.com | tcp
GB | 216.58.212.228:443 | | tcp
GB | 216.58.212.228:443 | | tcp

Files

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 5c214c3dc84adc7a14bc095656ec838b
SHA1 0484d4042f826d279d70abe8d42d53bcd9af6e02
SHA256 adefa82913d952642994aa7a0da6a409c3c8229d6e3a20f1ecbf0d1f0bad4501
SHA512 33388248a6dbcd1ae8dc3fd5c1895c9883fa8c4e12300171aabb7c2654c2492ecb133a8eb4c9c8fa76e642763d6a978017237e32f749f877b8cfedd1a630ccfd

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events

MD5 4bce3082ee03559d14a512a8740f57d5
SHA1 bedf7a89dfa6a9091d5b42c3b1d46aad6ae3eb6b
SHA256 7f02dea140f292215ebef1af8d9b7db24407780a8e4e47aaf643c8cf23c0ed9d
SHA512 38acea8333f4eee5ec6bb0a1dc9fffe5d923267414bbf91a0cb7ec72834473fcd993cd31c447f6ea9f9b91b45da6c8fe1daec95e7d1bf2acec4f7448e2bd56d9

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 8fb867cf51d243f1df74276111a88ed2
SHA1 90b06693459a640edd38e0d5d0a70a77736bddd0
SHA256 0981fb3d3a425c3bac15f34f7c53f893291991c4b5e9c19fa6381114161f38e8
SHA512 70d653a5b3ed45fa159e059ea5dfdea178e9c25dbaf3ace368fed45db09e778772e033e317de9d598b71f365af9b1cd34e562271af0316c995b68d6362489b5e

/data/data/com.drnull.v5/files/PersistedInstallation2583072934559388792tmp

MD5 9a21a711cf5210d75ac36b893f328054
SHA1 3118e7accc208d20376baffba11ab3fc827984d6
SHA256 1da0d265593cffde8726924fac86da0662a2b4c134730bbd7635ef520f91b48b
SHA512 2d7165bb12dfaef4915968f9085cbe4597e695566665c0f8442a98baf4beb95911313f79b06c121a18b175352a0d766f49e92d9c45299882dcf1bbc29d3a86a6

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 cd947065fe512167dda2f9570edb3be6
SHA1 50afcd8f6eab51c7a7ae55838630ca444558693c
SHA256 451d7e2c155cf9ebdda5b38687286f6fd9e758eff23cfe225faf5aeb2f2d0b36
SHA512 f42d4b160bdeda51c2d87293cc56d8d503bc50acea89d25909dd9dda81862c4b64f4a533f4d59299147cc37199629466d6f90686df2183272015014a084936a0

/data/data/com.drnull.v5/files/PersistedInstallation5135560214534964442tmp

MD5 1dfae99bb778be5e9f49de5ba43aec7d
SHA1 f2dac7d385cde04cf757d99f02f948a24e199328
SHA256 6f0b243eafc863ca4721fe7120de7816435dd0e94cfcf0d86a74ae98c023ee1c
SHA512 0ff96df297c061c1dcd10ca3410a7b3222c5b76f61415e1655632e6b7faf09a06e6f3391b4b331522269e0e7d1ab1659f2b9242e53ddebe3adc0ac64e9369862

/data/data/com.drnull.v5/files/database.db

MD5 98df262e79747727357f6b518101ca48
SHA1 f90bc05c714b7ea577d3d60cf52c4029d90a7144
SHA256 1f692c70f655985b3a00d7280a8b3531684980cbeffc0c30930e6b2d6eb07d74
SHA512 545dc911428ad28dc276f3ae560c61893b34d855dce9e37013483bc0597bb2cd3fd3f947dc52f260c8a3aa171c29b69100146b3615176abdb73465cca247b8a7

/data/misc/profiles/cur/0/com.drnull.v5/primary.prof

MD5 71a2513c209c8239600dba4a08f44e11
SHA1 5bbecfe2ceff2e85bf7e6f0dd4b446fd706a7588
SHA256 a9e27277be6cd2059f1fc3a57f92449d56ed7f6464381c3bd402d5bf541aea94
SHA512 d2d6e80c92f079312eb7e049736f93266a5506459b793937bbe191200ef01d1ab80949cd956147bf85c72523a9fc7e23bb1cdb0e1e843e41373d1a6483c013de

/data/data/com.drnull.v5/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 26b594b25e94aa65ab4d5a522527d00a
SHA1 718f7b36d25b540f59e108977105267c2faf1ab2
SHA256 f46aa5b3aeeeaa9625d4a87b860a1e8b28ed96a57a2c1d9dab1612de0c384159
SHA512 8f0aadb429ec1ab49256bd4cd772b485891736fd7e16de94f73b119465608ffb31399fa48db51b07843ceda145d319d3ad99271a82456d4a9aa75bd67114f311