Malware Analysis Report

2024-10-19 13:16

Sample ID 240402-mb7y6aef6v
Target 418a4f1832bb257443f24395ffa33f7ab17c308cee40843fb08cf708181f2f34.zip
SHA256 cfa83a8a73df1bb5c1cc81d8528695529ac8004e9076d1677876226fab67bbf9
Tags
irata banker discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cfa83a8a73df1bb5c1cc81d8528695529ac8004e9076d1677876226fab67bbf9

Threat Level: Known bad

The file 418a4f1832bb257443f24395ffa33f7ab17c308cee40843fb08cf708181f2f34.zip was found to be: Known bad.

Malicious Activity Summary

irata banker discovery

Irata family

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests dangerous framework permissions

Acquires the wake lock

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-02 10:18

Signatures

Irata family

irata

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an instant app to create foreground services. android.permission.INSTANT_APP_FOREGROUND_SERVICE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 10:18

Reported

2024-04-02 10:27

Platform

android-x86-arm-20240221-en

Max time kernel

19s

Max time network

136s

Command Line

com.drnull.v5

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.drnull.v5

Network

Country  Destination           Domain                              Proto
N/A      224.0.0.251:5353                                          udp
US       1.1.1.1:53            semanticlocation-pa.googleapis.com  udp
GB       142.250.200.14:443                                        tcp
US       1.1.1.1:53            android.apis.google.com             udp
GB       142.250.200.46:443    android.apis.google.com             tcp
US       1.1.1.1:53            api.cloudflare.com                  udp
US       104.19.192.29:443     api.cloudflare.com                  tcp

Files

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-shm

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-wal

/data/data/com.drnull.v5/files/PersistedInstallation3243934875063097940tmp

/data/data/com.drnull.v5/files/database.db

/data/data/com.drnull.v5/files/PersistedInstallation3919001112905101785tmp

/data/data/com.drnull.v5/files/database.db

/data/misc/profiles/cur/0/com.drnull.v5/primary.prof

/data/data/com.drnull.v5/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/data/com.drnull.v5/files/profileInstalled

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 10:18

Reported

2024-04-02 10:27

Platform

android-x64-20240221-en

Max time kernel

47s

Max time network

146s

Command Line

com.drnull.v5

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.drnull.v5

Network

Country  Destination           Domain                              Proto
N/A      224.0.0.251:5353                                          udp
US       1.1.1.1:53            ssl.google-analytics.com            udp
GB       216.58.204.72:443     ssl.google-analytics.com            tcp
US       1.1.1.1:53            api.cloudflare.com                  udp
US       104.19.192.177:443    api.cloudflare.com                  tcp
GB       142.250.178.14:443                                        tcp
US       1.1.1.1:53            android.apis.google.com             udp
GB       172.217.169.46:443    android.apis.google.com             tcp
GB       216.58.201.100:443                                        tcp
GB       216.58.201.100:443                                        tcp
GB       172.217.169.78:443                                        tcp
GB       142.250.200.34:443                                        tcp

Files

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

/data/data/com.drnull.v5/files/PersistedInstallation6055784034184445019tmp

/data/data/com.drnull.v5/files/database.db

/data/data/com.drnull.v5/files/PersistedInstallation4113969988993647735tmp

/data/data/com.drnull.v5/files/database.db

/data/data/com.drnull.v5/files/database.db

/data/misc/profiles/cur/0/com.drnull.v5/primary.prof

/data/data/com.drnull.v5/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/data/com.drnull.v5/files/profileInstalled

/data/misc/profiles/cur/0/com.drnull.v5/primary.prof
