Malware Analysis Report

2024-10-19 13:16

Sample ID: 240402-mb8kpafb67
Target: 56b3bd0ae685c1a8ed23c4b9748c5ab588362dd10c2362ee6c7025616122f5c4.zip
SHA256: 4a289a291306f0247ba1467b9c7771dc9f99ad82e716f5cb490fa04ea6d47149
Tags: irata
Score: 10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 4a289a291306f0247ba1467b9c7771dc9f99ad82e716f5cb490fa04ea6d47149
Threat Level: Known bad

The file 56b3bd0ae685c1a8ed23c4b9748c5ab588362dd10c2362ee6c7025616122f5c4.zip was found to be: Known bad.

Note that the SHA256 reported above is the hash of the submitted .zip archive. The SHA256-like value in the archive's file name is a different hash; verify what it refers to before using either value as an indicator.

Malicious Activity Summary

irata (tag)
Irata payload
Irata family
Requests dangerous framework permissions
Acquires the wake lock

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-04-02 10:18

Signatures

Irata family
Irata payload
(tag: irata; no description, indicator, process or target was recorded for either signature)

Requests dangerous framework permissions

Permission                                 Description
android.permission.CALL_PHONE              Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.READ_SMS                Allows an application to read SMS messages.
android.permission.POST_NOTIFICATIONS      Allows an app to post notifications.
android.permission.SEND_SMS                Allows an application to send SMS messages.
android.permission.ACCESS_FINE_LOCATION    Allows an app to access precise location.
android.permission.RECEIVE_SMS             Allows an application to receive SMS messages.
android.permission.READ_PHONE_STATE        Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.READ_CONTACTS           Allows an application to read the user's contacts data.
(Process and Target: N/A for every row)
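The permission table above is the most informative static finding in this report: RECEIVE_SMS plus READ_SMS plus SEND_SMS, combined with READ_CONTACTS and CALL_PHONE, is the permission footprint of an SMS-stealing app. The script below is an added example, not code from the sandbox or from the sample; it parses a decoded AndroidManifest.xml with the standard library and flags dangerous permissions and the capability combinations a triage analyst looks for. The manifest is constructed to declare the same permission set as the table, and the pattern names, the permission group labels and the "benign" control manifest are this example's own assumptions. On a real APK, decode it first (for example with apktool), since the binary AXML inside the archive cannot be parsed by xml.etree directly.

```python
"""Flag dangerous permissions and high-risk permission combinations in a decoded AndroidManifest.xml.

Added example, not code from the sandbox report. SAMPLE_MANIFEST is constructed
to declare exactly the permissions the static1 table lists (plus INTERNET).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Runtime ("dangerous") permissions mapped to their Android permission group.
DANGEROUS = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.CALL_PHONE": "PHONE",
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.POST_NOTIFICATIONS": "NOTIFICATIONS",
}

# Capability patterns that merit a human look. Names and groupings are this
# example's own heuristics, not a classification used by the report.
PATTERNS = {
    "sms-interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms-sending": {"android.permission.SEND_SMS"},
    "contact-harvest": {"android.permission.READ_CONTACTS"},
    "silent-call": {"android.permission.CALL_PHONE"},
}

# Constructed manifest: same permission set as the static1 table, plus INTERNET.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.bax.project">
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="sample"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list:
    """Return every android:name declared on a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    names = [e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission")]
    return [n for n in names if n]


def assess(manifest_xml: str) -> dict:
    """Summarise dangerous permissions, their groups and the matched capability patterns."""
    perms = set(declared_permissions(manifest_xml))
    dangerous = sorted(p for p in perms if p in DANGEROUS)
    groups = sorted({DANGEROUS[p] for p in dangerous})
    # A pattern matches only when every permission it needs is declared.
    patterns = sorted(name for name, needed in PATTERNS.items() if needed <= perms)
    return {"dangerous": dangerous, "groups": groups, "patterns": patterns}


if __name__ == "__main__":
    for key, value in assess(SAMPLE_MANIFEST).items():
        print(f"{key}: {', '.join(value) or '(none)'}")
```

Run against the constructed manifest, all four patterns fire and all eight permissions from the table are reported as dangerous; INTERNET is a normal permission and is ignored. The patterns are deliberately set-based so that an app requesting only SEND_SMS (common in legitimate messaging apps) does not trip the interception pattern.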

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-02 10:18
Reported: 2024-04-02 10:28
Platform: android-x86-arm-20240221-en
Max time kernel: 3s
Max time network: 148s

Command Line

org.bax.project

Signatures

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock (process and target: N/A)

A wake lock keeps the device awake while the app works in the background. Legitimate apps and bundled SDKs acquire wake locks routinely, so this signature is a weak indicator on its own; it is listed here as context for the SMS-handling permissions, not as evidence of malicious behaviour by itself.

Processes

org.bax.project

Network

Country  Destination            Domain                              Proto
N/A      224.0.0.251:5353       -                                   udp
US       1.1.1.1:53             semanticlocation-pa.googleapis.com  udp
GB       216.58.201.110:443     -                                   tcp
US       1.1.1.1:53             android.apis.google.com             udp
GB       216.58.201.110:443     android.apis.google.com             tcp

224.0.0.251:5353 is the mDNS multicast group and the 1.1.1.1:53 rows are DNS queries from the guest to its resolver. The only resolved names are Google endpoints, and a TCP connection with no domain recorded cannot be attributed from this table alone (the pcap's TLS SNI is needed for that). No candidate C2 endpoint appears in this run.

Files

(The PersistedInstallation*tmp files under files/ and the google_app_measurement_local.db database and its -journal under databases/ are written by the bundled Firebase Installations and Google Analytics for Firebase SDKs. They are runtime artefacts of those libraries, not dropped payloads, which is why their hashes differ between the three runs; do not use them as indicators.)

/data/data/org.bax.project/files/PersistedInstallation6827625673906067394tmp

MD5 8dc62e9acc85a5a8efdccae287e4422e
SHA1 670c4df25ea8f3450908482332b767abce67efa0
SHA256 5ea20f5f0ad6e304ac4f542091f2d1fec3f8e4c494a96af8a50dc7aad08e6dcc
SHA512 48b6c0f749a641bdb2aea17e9a3a702995e112d0d69b6df8da918bc818481293beb85b6d89851625447e3f132cacca0a465b0a57ebb958029d2539eb2a5e7c2b

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-02 10:18
Reported: 2024-04-02 10:28
Platform: android-x64-20240221-en
Max time kernel: 4s
Max time network: 138s

Command Line

org.bax.project

Signatures

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock (process and target: N/A)

Processes

org.bax.project

Network

Country  Destination            Domain                              Proto
N/A      224.0.0.251:5353       -                                   udp
US       1.1.1.1:53             ssl.google-analytics.com            udp
GB       142.250.179.232:443    ssl.google-analytics.com            tcp
GB       142.250.178.14:443     -                                   tcp
US       1.1.1.1:53             android.apis.google.com             udp
GB       216.58.212.238:443     android.apis.google.com             tcp
GB       216.58.213.4:443       -                                   tcp
GB       216.58.213.4:443       -                                   tcp

Files

/data/data/org.bax.project/files/PersistedInstallation8971839122739373885tmp

MD5 b354d1ec901167fb60e2b5b36971f3bd
SHA1 82ce5ccde3ac732c7e23feedaa426552bbef68ba
SHA256 0d90c851b631b09c7cad163a00baae8980e4edc271daa68ad6899aceddb2a1b0
SHA512 10fe5669b6b7e5c5eb680758166fb0df3331622c73e2418ab0886b7f0565ed1701f216e033b13a5679c35c417cd14f539843fc3d23fa0522d1368e0c68fc1f34

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 1e1c502bec1484a25ffb0dae63f0b6ee
SHA1 e586b07cd6b2d26601be97ad1afbd311b4e6cfcf
SHA256 2b1ac52d598a955c5ba8f05dbdea40f05d8637d342694149e2035d01a03ff8bd
SHA512 cb5a71c36724ffda7a20ed0eac2eb317cc10496537dbec9b31bf7fd90c371d99d23c19362ae2e37ff249dd3642caf2550af50f5e88502110b345e90a8154a11b

/data/data/org.bax.project/databases/google_app_measurement_local.db

MD5 eb52a90bb70b76e946b62f50b6f7fb85
SHA1 42d767b5d1faa7dcef4cb4e1432a5f47ec2e9ee0
SHA256 48472f593a3e9cf9e91ee5f7d66dd9ff291bfb247eb6b46778c710fc24e8d3c4
SHA512 b356c858cadd14b6ecddf134f1c494c0107a1d36be9387984fc53dcb00e6779d944f058f4ac99d0fc2fe3a427cd1c2921c6fc38ecad53909fc4b5b6f04459b5c

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 9aeb90ddeec7333d9ea4b5aee02a79fa
SHA1 0e07bae8cb0c846239d73715551b0de5a8562839
SHA256 361894f9924b5db458fa798ce41be7994617f6e7b47912952303f2e07dbce978
SHA512 a23826356b88a7b871af4523e1c6b1ea0394a440a0b8e351426d3fa17dbab97b0f469f7c51daebeed83c2df499b74850746e26550cbb79e89813d6b9db1befe1

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 f80a6e28ae0140c9203871c9c8e1363c
SHA1 3b1530eacf33073ec0e6f4a8d666fb6b31784e4a
SHA256 737d57416edb03bebbb907616832b2612e02766091076816b204d14910dfb9c6
SHA512 9b63ecf169cd6a48ec3e4725d8d66e20b4a13097d2a077be0d611259ade8a238cf4926a76d46201cba6a54c1c75a12796c462703fbb7fa2c240ba23d36102550

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 b9e48ea6c483374c1d85dc829b0171cd
SHA1 cf83739ef35ea5cbd611cbf0a17ee92aa6439108
SHA256 0dbb04d970b75659a3618d6a9ac47e8f9effc0a4d310fb68ad4eea01530727cb
SHA512 a76f27e9bde1941978b90a8a725a876ebfa6338960e9138d63c04a28ef09ff6a1a729d86d4ac3561d43a6eb8d09a4b872f3709558d0ec8fe9827717549f6015c

/data/data/org.bax.project/files/PersistedInstallation5831861547123313048tmp

MD5 d5ca7e7c2104f01c7ff3cfff2407c005
SHA1 ddf597e012b348be928ba75a1bece24dc7856914
SHA256 ef84e6dd6af00667cb7f6f2b256e387ca15c341bfb49a598e52cb40d6a8a0d3a
SHA512 d10c73faf30446880a9633710c92bc9f1d1bd7cc2b3a6e38d75d50df0c778a345c7fc1639708f4fc4335a32009983b1274ee3fc3cfc6c91e8cfaf719b267a8aa

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 a262eccc0715ec71a3fb93dc3f6ffde0
SHA1 1d71042459c2d1bc4a26f5e3e5351f1330f5cfac
SHA256 ee7ba0ad702cab0c726f556d2d1f5c002aef13c307eff5dfeb2df968f5107dfb
SHA512 fce2b2ecb89cd9d421afc5cd59c1f31d4d8f97a9fca23dcbddda89237340885ce97eceebf24af1df3e2949c6790616467398871c138de83cb4ff970eb235e6b7

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 6984c53e39fe7a11b5b647ac1f3ae7cd
SHA1 d49995adc4d99baf7492e83d7a075ef956b9e75d
SHA256 9a9fd1bb7daab2c4f30361dd5e915c571e01c5b90f410232104c6fed3f9374fc
SHA512 0903aee041c57b7ae7e85ee0b9bf1f57a4eee09c6a30d46bc6c954a25ad8a11bcc39cd69deffa72f88d8bbb434dc1c6cfb35205d68f486dbc45575bcb97beca9

/data/data/org.bax.project/databases/google_app_measurement_local.db

MD5 d97e617c52b35059d9f485fcfe20de1f
SHA1 d138f33c262752ced40f29eee588f510d1f6d780
SHA256 a84c524202f43a02f677cfe8351eac10bd3a31fbccd63e48a296dd3f2f41e10a
SHA512 223e520b30c649ec5e5eb9467547d584388ccbc989da472df71d542f76620dd2e25cf9e0fbaf0ea83e0aa28ed4fc3041aebe7c3413fd83fff0ebd76858bfb83f

Analysis: behavioral3

Detonation Overview

Submitted: 2024-04-02 10:18
Reported: 2024-04-02 10:28
Platform: android-x64-arm64-20240221-en
Max time kernel: 3s
Max time network: 143s

Command Line

org.bax.project

Signatures

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock (process and target: N/A)

Processes

org.bax.project

Network

Country  Destination            Domain                              Proto
N/A      224.0.0.251:5353       -                                   udp
GB       216.58.212.238:443     -                                   udp
GB       142.250.187.206:443    -                                   tcp
US       1.1.1.1:53             android.apis.google.com             udp
GB       216.58.201.110:443     android.apis.google.com             tcp
US       1.1.1.1:53             ssl.google-analytics.com            udp
GB       172.217.16.232:443     ssl.google-analytics.com            tcp
GB       172.217.169.4:443      -                                   tcp
GB       172.217.169.4:443      -                                   tcp
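Across all three behavioral runs the network tables show the same shape: mDNS, resolver queries and Google infrastructure, with several TLS connections that carry no domain. The script below is an added example, not code from the sandbox; it serves the Network sections of behavioral1, behavioral2 and behavioral3 together. It parses the rows exactly as the report prints them, buckets each one (mDNS, DNS, vendor background noise, unattributed, or review), and then attributes domain-less rows by reusing an IP that appears with a resolved name elsewhere in the same report. The vendor suffix allowlist is this example's assumption, and the IP-based attribution is a heuristic that only holds while the IP still serves the same name; anything that lands in "review" or stays "unattributed" is what an analyst should chase in the pcap.

```python
"""Separate platform/SDK background traffic from candidate C2 in sandbox network rows.
Added example, not code from the report; the rows are copied from the three
behavioral Network tables. The vendor allowlist is an assumption of this example."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

RUNS = {  # country ip:port [domain] proto, exactly as printed in the report
    "behavioral1": """
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
""",
    "behavioral2": """
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
GB 216.58.213.4:443 tcp
GB 216.58.213.4:443 tcp
""",
    "behavioral3": """
N/A 224.0.0.251:5353 udp
GB 216.58.212.238:443 udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
GB 172.217.169.4:443 tcp
GB 172.217.169.4:443 tcp
""",
}

VENDOR_SUFFIXES = (".googleapis.com", ".google.com", ".google-analytics.com")  # assumption

@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str

def parse_rows(text: str) -> list:
    """Parse 'country ip:port [domain] proto' lines; the domain column may be absent."""
    flows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) not in (3, 4):
            raise ValueError(f"unexpected row: {line!r}")
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else None
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows

def classify(flow: Flow) -> str:
    """Bucket one row using only its own fields."""
    if ipaddress.ip_address(flow.ip).is_multicast:
        return "mdns" if flow.port == 5353 else "multicast"
    if flow.port == 53:
        return "dns"
    if flow.domain is None:
        return "unattributed"  # needs the pcap (TLS SNI) to attribute
    return "vendor-noise" if flow.domain.endswith(VENDOR_SUFFIXES) else "review"

def triage(runs: dict) -> dict:
    """Classify every row; attribute domain-less rows via IPs that carry a name elsewhere."""
    flows = [(run, f) for run, text in runs.items() for f in parse_rows(text)]
    ip_to_domains = {}
    for _, f in flows:
        if f.domain and f.port != 53:  # DNS rows name the query, not the peer
            ip_to_domains.setdefault(f.ip, set()).add(f.domain)
    counts, unattributed, inferred, review = Counter(), set(), {}, set()
    for run, f in flows:
        cat = classify(f)
        if cat == "unattributed" and f.ip in ip_to_domains:
            names = sorted(ip_to_domains[f.ip])
            inferred[f"{f.ip}:{f.port}"] = names
            cat = "vendor-noise" if all(n.endswith(VENDOR_SUFFIXES) for n in names) else "review"
        counts[cat] += 1
        if cat == "unattributed":
            unattributed.add(f"{f.ip}:{f.port}")
        elif cat == "review":
            review.add(f"{run} {f.ip}:{f.port} {f.domain or '?'}")
    return {"counts": dict(counts), "unattributed": sorted(unattributed),
            "inferred": inferred, "review": sorted(review)}

if __name__ == "__main__":
    for key, value in triage(RUNS).items():
        print(f"{key}: {value}")
```

On the report's 22 rows nothing lands in "review": two of the eight domain-less connections are attributed to android.apis.google.com because the same IPs appear with that name in another run, and the remaining four endpoints stay unattributed. That residue is the to-do list for the pcap, not evidence of C2; the sample never contacted a non-Google host in any of the three runs.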

Files

/data/data/org.bax.project/files/PersistedInstallation863034596681126460tmp

MD5 7319bd00735686c6df78faa4d778cb8a
SHA1 5077cf5e4dfe4b686cea973b514a862fc48c203e
SHA256 4d4a1562f58e62432c16ec5103210753fb261be1ce27c03761c5125a08697128
SHA512 3192c5c618ef3a5d3129358e116dc4b0d4be16be30530e001aac2621f9c880c975a0b16aaaff1d7fb478ab3eb86e68426591d876096760c07187592e6c79de7c

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 61b6911ee9d94dfa036438c80c85ddbf
SHA1 7280e24218f8f236ae0a904227c6fc156f0696b3
SHA256 115006265af273e3f09d2ecf336a80256a1b9bd34b065e4bc9703ba262e09a2f
SHA512 b93b8b87a1b2ddf3c4cecee5bd89cca06718b6538651dc3478d4c19395afcc66ef3562dcd03e844c3ed356b1302060bd583b52bc40c67cb7c3bbc400bb08c323

/data/data/org.bax.project/databases/google_app_measurement_local.db

MD5 d9cf75fdd1c2292d986f6c3d5d60f2c8
SHA1 07ecb1d3a26d952ae5fecf54f36699ab498510b1
SHA256 2d227e9b7a044c8e10294f6a831fb92d81ea9582381796d87f35bd268e37538a
SHA512 442c96e4b4c79b8d1c64dd3a6d6088ae1dace441e78d830dfb3190ee1c0fafebc606fb432071b4a1ad1a4ba9b68c7877b0bce520ccc88708feaf82bbc474e0cb

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 7cdc2357db04418b2c552a64e8480159
SHA1 89e46ac1211c94bd550618ac1cd87485e4c14fe2
SHA256 1960ba6499755f9576a6530c309c7e5dd3bcc1b83ae92039e403ced77a62684d
SHA512 6bca57156a716ae1823882021817e742e52be9da8281e0451492e35b717ee75b523ffe33ebf34dea41dc8313f5e6cbdbf01b553a03b90edd4a83b7df24ff5c19

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 e902673965be87af58519cdfb74198bc
SHA1 e666a6af2bba665fab56c6baac607acb5c27a3d1
SHA256 2604a3e01247602418a4d4d06bf66ac33b1534e856081263229656658e608f4e
SHA512 297baf9c2fea383560461efb4de09dd29ed5fd2b115e124e0189e285ce76260a17dcfc6b519736438c7eeb6ff6f44fccb05f6834f323bda410d6afb6fc71bf85

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 02c03ad0551d625200cfff61b234af27
SHA1 6e3ae691e0d41fa809920d4420db588cc21a2efa
SHA256 fe5fe32f2a9c0bfadc8c2309a8cf0de1b520f41968cefa1e0a48e922b85f6797
SHA512 52790d480c8b64ac1da61986d2ea85a4c568311fd877b7248623c0efabb754e61fc2f7fc13214f5224cf4f21e036e51d48e5fcb419618895df516e25a578581e

/data/data/org.bax.project/files/PersistedInstallation6522718225992788501tmp

MD5 cc3584d1bd5f9256c05dad61089e48a1
SHA1 691173c4d9347bd62c1e95897c78f79fe652f73d
SHA256 15bd42d681cca791ac2cabd40ee9cd40d4ba69fc4d878ffff3b5667930f97603
SHA512 bfabe10f2d6291b584165e161788a5670a0862ae4cbd12869345e523ab268cdb1b53deb9603db35bb7b6f48158c17124f357e82483081f8ebfbc7f9641a4a8e3

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 8a1920233fa16f47c2cfbcc13f8df16b
SHA1 10f24903c9338954bd47a2adf0a2b1b4ab1c896c
SHA256 3800323ceeab82dfb789efd80dc36658d653ef6016a22885d443641871bbf51d
SHA512 5c348d91ec16cddd98ba663a2a5a0d607babf3651854d6474d5396d5e51698762cabe80f4b3cce7740fd7c8a9887c7b7567ea8bff27f8044e7e42343ac358b39