Malware Analysis Report

2024-10-19 13:16

Sample ID 240402-mb8kpafb68
Target 590a24580b0e521e5a508b65ac5843e0724cf3d2ecac4356d2423116ba891e71.zip
SHA256 90d40e206c39f2f27eaa187e77bb88addcfdddd7cee8f64060bad70d61aad215
Tags
irata banker discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

90d40e206c39f2f27eaa187e77bb88addcfdddd7cee8f64060bad70d61aad215

Threat Level: Known bad

The file 590a24580b0e521e5a508b65ac5843e0724cf3d2ecac4356d2423116ba891e71.zip was found to be: Known bad.

Malicious Activity Summary

irata banker discovery

Irata family

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests dangerous framework permissions

Acquires the wake lock

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-02 10:18

Signatures

Irata family

irata

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an instant app to create foreground services. | android.permission.INSTANT_APP_FOREGROUND_SERVICE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
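The permission table above is printed flattened, one row per line with the Process and Target columns set to N/A (a static scan runs nothing). The following script is an added triage example, not part of the sandbox report or the Irata sample: it parses rows in exactly that layout back into columns, marks which of the declared permissions are runtime-prompted on current Android, and groups them into the capability sets a banker typically needs. The capability groups, the RUNTIME_PROMPTED set and the sample rows are this example's own assumptions and constructed input, not something the report asserts about the sample.

```python
import re
from collections import namedtuple

# Constructed input: the flattened "Description Indicator Process Target" rows
# of the static1 permission table, pasted as plain text.
PERMISSION_ROWS = """\
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an instant app to create foreground services. android.permission.INSTANT_APP_FOREGROUND_SERVICE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
"""

# A row is free-text description, then the permission constant, then the
# Process and Target columns (N/A in a static scan, since nothing executed).
ROW_RE = re.compile(
    r"^(?P<desc>.+?)\s+(?P<perm>android\.permission\.[A-Z_]+)\s+(?P<proc>\S+)\s+(?P<target>\S+)$"
)
Row = namedtuple("Row", "description permission process target")


def parse_permission_rows(text):
    """Split the flattened table back into columns; fail loudly on a bad row."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append(Row(m["desc"], m["perm"], m["proc"], m["target"]))
    return rows


# Runtime ("dangerous") permissions prompt the user on API 23+; POST_NOTIFICATIONS
# joined that group on API 33.  INSTANT_APP_FOREGROUND_SERVICE is not a runtime
# permission and is not granted to ordinary installed apps.
RUNTIME_PROMPTED = {
    "android.permission.CALL_PHONE",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.POST_NOTIFICATIONS",
}

# Heuristic capability groups chosen for this example (not part of the report):
# which permission sets let a banking trojan do what.
CAPABILITIES = {
    # read incoming messages as they arrive: OTP / 2FA code theft
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    # forward stolen codes to the operator, or spread by SMS given a number list
    "sms_relay": {"android.permission.SEND_SMS"},
    "contact_harvest": {"android.permission.READ_CONTACTS"},
    # dial without the Dialer confirmation screen (premium numbers, call-forwarding codes)
    "silent_call": {"android.permission.CALL_PHONE"},
}


def capabilities(permissions):
    granted = set(permissions)
    return sorted(name for name, needed in CAPABILITIES.items() if needed <= granted)


def summarize(text):
    rows = parse_permission_rows(text)
    perms = [r.permission for r in rows]
    return {
        "declared": perms,
        "runtime_prompted": sorted(p for p in perms if p in RUNTIME_PROMPTED),
        "capabilities": capabilities(perms),
    }


if __name__ == "__main__":
    for key, value in summarize(PERMISSION_ROWS).items():
        print(f"{key}: {value}")
```

Run it on the report text and the sms_interception plus sms_relay pair is the signal to act on: a declared manifest permission is only potential capability, so confirm it against the behavioral runs (an SMS receiver registered in the manifest, a SmsManager call, or an observed outbound message) before writing it up as confirmed OTP theft.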

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 10:18

Reported

2024-04-02 10:28

Platform

android-x86-arm-20240221-en

Max time kernel

20s

Max time network

137s

Command Line

com.drnull.v5

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery
Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.drnull.v5

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 172.217.169.42:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.178.14:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | api.cloudflare.com | udp
US | 104.19.192.29:443 | api.cloudflare.com | tcp

Files

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 718a65675c8e1cc2640c11cf6d826a48
SHA1 9f022f962b7a2dcab8fa63693bb103fde4457ff5
SHA256 0ce8c74bb2641a420aaf112a876e07314bdf6b5e5831ee1000e5cfc4070cc603
SHA512 bec8571bed58e3d4a331f79d7e0d6b6e5bef4ffd5ed69e673f1604478f96e19ce657b45b520c06d4e707ca876ae52bc0eb0a06830c56f6aef2d432bda5da770b

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-wal

MD5 aa5f91ac52d743d53098180ad948ad5a
SHA1 093e05ee732e727cdbab7f0c45574a8eb6710da8
SHA256 590cd465d983cf16484a63aa5b1b551c977a878fe205d9d44f6c9b16eba52f6a
SHA512 16f1395bc7444a3cd178c82a05c8d6075c404b6b49d35a0f8552e97c7b3e5ce04c18cc1ce6d1fc525d572b902d1e462b6c18f549c8216327379d0b56c7cfbe58

/data/data/com.drnull.v5/files/PersistedInstallation349981840221474443tmp

MD5 fb02f19d2b00a5ad14db907bba594d49
SHA1 17cdd3bce54da47832b17b6618ac729950a07e80
SHA256 4efa5334937f824363bceec603ea5c53cf9c1f75a73053879dd8e27cf06f15ba
SHA512 48422411f5710a7c511adf340197d6b5384d6fa2d171eaf7e52fb25406c4719addd9544c17e21973a02cf61c730e4e19587a2eb37a837f5d90784b01487ccc82

/data/data/com.drnull.v5/files/PersistedInstallation1031499052356435147tmp

MD5 fbea9afeb7fbdaaa4e065c14371689ed
SHA1 69bc3bc235a2947f9438474c826487e7dffbfd8d
SHA256 f7bcc9e074b89155645ad1e6291907a2d06829b532e7d66d3e6d10f4a2c05693
SHA512 7f48b75353e097fe1c82d4e92b879d97381fd91c643942f3a1387c6691b69033cc71b8b9a9b75ea10b2e4fbe7f7768c1f8114925417dc50e510e7acd932f7532

/data/data/com.drnull.v5/files/database.db

MD5 f236ef87a5b8f280d1aef2f022eb9e7a
SHA1 f599822f45eadc27d31d78113e593b9b4045947a
SHA256 987c7be02a42d5ac0ede02fe4f387d99506162f06f49fc14a021411120b16842
SHA512 4b8e7fc3b30cc7eb3a05742422f1ad1dab977fb2ec3d8ddc67e72beba471f5afc954d772a15931acce5d34b698d9dda974232f04b790956f3d9803c6e58101ce

/data/data/com.drnull.v5/files/database.db

MD5 662382639dcd7480ae68247e196d5a1d
SHA1 7b5178bb66e6b8822b7f636230c3ea29855e755d
SHA256 e8515bc6fa212364be59f0279e961a269a2b66941aaf942257cc5011383a83af
SHA512 e96fdb178047aadb6307587781fff55538db67269ffcbf98b850b1fc93cfa78ddc28bef13b9eee85611b833d8ecc3c573ce909e8815628c1abfe4070e50815ea

/data/misc/profiles/cur/0/com.drnull.v5/primary.prof

MD5 3bf4327df6b1fcec0de5399a885183ed
SHA1 4f2ceeb901b71d3f3c5d56ee9ac0430c94088308
SHA256 87964145ade7a79f223cadc1c48ed417d86ac1872b5f6d533814312da485e6ba
SHA512 5c3c3416af07cfa265043ee24909c59ea99d482f8e77f18a33b02cb0dfee6e48587341ee575dbd687fca82d249a00130c047b754994cfff9f9a4275724de4043

/data/data/com.drnull.v5/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 c4d0470b5d6df82eb6c081770c7d32cb
SHA1 c522792f58dd11b3883a3fd56544bec4cd256291
SHA256 9eab0c7a6571809b32e63fd02ea459a69daeb0176933809f3594d804727e9e26
SHA512 44a29779509aa02aabc6d2b6f45138c84b0cfe16580696e52f3c25e8ba7364e3fd054f04bab3c73367d648a362c1d15c773eea6ba40d8654c71c51182afcde4d

/data/data/com.drnull.v5/files/profileInstalled

MD5 3a542246cea14f2813f87f06ac3b0fab
SHA1 db27eced38b491d34082482984342b1f4f02fd4f
SHA256 6378e0a2f7e79ad69bccbfad060b5578e632d27e84d10a25bd63e0dd352238f5
SHA512 5df9630fdc77af88446998a2c3b51a354174d0e84d881c7d8a3f0fc0fb133984fcc4c7df5b77b538806f455986898b760ce28d35b1f015a7c9dd410a3d8587af

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 10:18

Reported

2024-04-02 10:28

Platform

android-x64-arm64-20240221-en

Max time kernel

22s

Max time network

169s

Command Line

com.drnull.v5

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery
Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.drnull.v5

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.200.42:443 | - | udp
GB | 142.250.178.14:443 | - | udp
GB | 142.250.200.46:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | api.cloudflare.com | udp
US | 104.19.192.175:443 | api.cloudflare.com | tcp
GB | 142.250.200.36:443 | - | tcp
GB | 142.250.200.36:443 | - | tcp
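Both behavioral Network tables (behavioral1 and behavioral2 above) mix resolver queries, mDNS, vendor telemetry and a few TLS or QUIC connections the sandbox could not tie to a domain name. The script below is an added triage example, not part of the report: it parses rows in the report's flattened layout, drops DNS and multicast rows, and buckets the rest into vendor infrastructure, destinations with no observed name (which need a whois or passive-DNS lookup before they are cleared), and anything else, which is the C2 candidate list. The vendor suffix allowlist and the sample rows are this example's assumptions and constructed input; the report itself makes no claim about which destinations are benign.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed input: the behavioral2 Network table above, pasted as plain text.
# Rows with no Domain column are connections the sandbox could not match to a
# DNS answer (pre-resolved addresses, or QUIC on udp/443).
NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 udp
GB 142.250.178.14:443 udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 api.cloudflare.com udp
US 104.19.192.175:443 api.cloudflare.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
"""

# Country, ip:port, optional domain, protocol.  The domain group is optional so
# that three-token rows parse too.
ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)(?:\s+(?P<domain>[\w.-]+))?\s+(?P<proto>tcp|udp)$"
)
Conn = namedtuple("Conn", "country ip port domain proto")

# Analyst-maintained allowlist of vendor / SDK infrastructure.  This is an
# assumption of the example, not something the report states; keep it short and
# match on the registered domain so every host under it is covered.
VENDOR_SUFFIXES = ("googleapis.com", "google.com", "google-analytics.com", "gstatic.com", "cloudflare.com")


def parse_network_rows(text):
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed row: {line!r}")
        conns.append(Conn(m["cc"], m["ip"], int(m["port"]), m["domain"], m["proto"]))
    return conns


def is_vendor(domain, suffixes=VENDOR_SUFFIXES):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def triage(text, suffixes=VENDOR_SUFFIXES):
    """Bucket every non-DNS, non-multicast destination for C2 review."""
    buckets = {"vendor": set(), "unnamed": set(), "suspect": set()}
    for c in parse_network_rows(text):
        addr = ipaddress.ip_address(c.ip)
        if addr.is_multicast or c.port == 53:
            continue  # mDNS chatter and resolver queries are not C2 candidates
        if c.domain is None:
            # nothing to judge by yet: resolve the owner (whois / passive DNS) before clearing it
            buckets["unnamed"].add(f"{c.ip}:{c.port}/{c.proto}")
        elif is_vendor(c.domain, suffixes):
            buckets["vendor"].add(c.domain)
        else:
            buckets["suspect"].add(c.domain)
    return buckets


if __name__ == "__main__":
    for bucket, members in triage(NETWORK_ROWS).items():
        print(f"{bucket}: {sorted(members)}")
```

For this detonation the suspect bucket comes out empty and four unnamed 142.250.x.x:443 endpoints remain, so the honest conclusion from the sandbox alone is that no operator-controlled endpoint was observed within the capture window, not that the sample has no C2; a banker that stays idle until it sees a target app installed, or that unpacks its network stage later, will look exactly like this in a 20-second kernel trace.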

Files

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 36a8daf7d0ed10f57b9a0c7c4650df2a
SHA1 edf6d483c9772b87d8aaa15caa0c4d9cc9dd0f11
SHA256 885163a8ebda4172fbc69fa41f2b8c0448deac2941a444d8166bdbb3fe23ec06
SHA512 9ce34140f9866026ab55491d106ea3caee97727954b689b98bb7a49b94ffceab0da96abf1b4c5b2bd4f45a6a12d4bc14ede2f4a9f180887c40c403d16ab7019a

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events

MD5 dffa5419e19cea13f055b5e4d294f3f2
SHA1 2d94f483c4f461b26ce56507fd43a3be4658b10f
SHA256 3026cf000880cedb26dbb71b235d6230b1d721467662404977a251a3aac2eba0
SHA512 84fb891a78b32b198da52f55d80b43ff5a2df2e6d6c7fa947b8990e78cf7c0bbf10c491d2b9e08c5573a99666563c355a8a3ea309c1430b14a7cf6a56b356a70

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 ec6f993eb1f675ec732320fa1445bd51
SHA1 3a3a9f7a598878fe616d633cc45cb5f42c191931
SHA256 ba5e40e281b88e78ebbac0114f29b5f78de41e81965949f404ee16cbca3e115b
SHA512 60bee8acff160390db67dfb477542949d3e996a634cfdffecd0659f5a776fd8d5b6d65bc154b68f4f5016ad20c81a0a52b1b5ee476513d17b01f08c12551462d

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 dc7c18f8d76facf587f781262b58d083
SHA1 0dac46003f5f28714e1a5db91a4c862f5e5558e0
SHA256 cdb138ac81fdb2737afe3c6acaa9fc7189a5b89b2f30d1441ed45a6a6365a792
SHA512 2f1fb1f2a34173d981d68820647e505cbd528b71242b5c42fa2ab4014ce9377bfe14231deb3adf0b2e5b11a0349556330169933443691ed62b7c64fc46749f61

/data/data/com.drnull.v5/files/PersistedInstallation6393805134888853627tmp

MD5 72e111c4a9debaff99f54c266d98c293
SHA1 fa192da426340b0ef94a4bc897cf537a3a4d8457
SHA256 84f4de3e73d858468df80d2fca47c0189d860636a8c31353b064a58bd581aee1
SHA512 cb47ed2aacd2d5f1f828cff3ce323a9f6d68509d025784a4a016d70e3724f29c3c738eff7b17e633172355650d7adbcbd2bfbc7cb0cba504181d4e620888814c

/data/data/com.drnull.v5/files/PersistedInstallation2679139945809069859tmp

MD5 b5761ef8cb9802462e77f30df94fd159
SHA1 cc9e2cc19e3a31d9c905ec71580c5a3846ed105b
SHA256 95a6d377d2b9f1e12eafe8537a9753110732eb00b9380337f81e6325dfc1442f
SHA512 5455ce88caa82828bdcaf1c509cf651831fb41309bc5cfb71e7dc6766f274d42a185b550174b7b99b2e4015c0c694925eacdcf7f99bcbe914d3f419e80460f97

/data/data/com.drnull.v5/files/database.db

MD5 d906d00aa0b5846744a2c7cedc81f05e
SHA1 5f07cd30c4e762265bac0e2791d94e4bf4c2b9be
SHA256 a3212fec1e0729e799454741a21236f213e0c930791fc7a5a685b913053d173d
SHA512 f1834e68ceef42283ff0467221e22ae35f132a8805a355e73170c057fbb89ff75c009a5734cc27d8ea7af91164e4a96398677b824a04551907b29b47c22c98b9

/data/misc/profiles/cur/0/com.drnull.v5/primary.prof

MD5 3bf4327df6b1fcec0de5399a885183ed
SHA1 4f2ceeb901b71d3f3c5d56ee9ac0430c94088308
SHA256 87964145ade7a79f223cadc1c48ed417d86ac1872b5f6d533814312da485e6ba
SHA512 5c3c3416af07cfa265043ee24909c59ea99d482f8e77f18a33b02cb0dfee6e48587341ee575dbd687fca82d249a00130c047b754994cfff9f9a4275724de4043

/data/data/com.drnull.v5/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 9a1f8d92463cf96d078b84178cc2c900
SHA1 071c2eadf117107a6962014481d4c98ad18b15dc
SHA256 0082d3ba5c9a4d9f26507dd5e3e87bfaac1039ca4e38805c5f67aa06423fc86b
SHA512 aa2226935ee00c707b12b40c5b3086c2bac21ebaa59097a27f087df55f2a6e6482fef1d7c51580a1dab65cbe254e0eeb15eb6705bae0bd8a18fe048e9964eb25
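The two Files sections above are dominated by library bookkeeping (the datatransport event database and its -journal/-shm/-wal companions, PersistedInstallation temp files, ART profile files), and only files/database.db is state the application itself writes. The script below is an added triage example, not part of the report: it parses file entries in the report's path-then-digest layout, attributes each path to the library that is known to write it, and diffs the two detonations by SHA256 so that files that are stable across runs (a good packaging signature) are separated from per-run state. The path-to-library attribution is this example's own assumption based on the well-known file names; the entries are a constructed subset of the report, with only the SHA256 line kept per file.

```python
import re

# Constructed input: four entries from each behavioral Files section, SHA256
# line only.  The parser also accepts the MD5/SHA1/SHA512 lines and the blank
# lines the report prints between path and digests.
RUN1 = """\
/data/data/com.drnull.v5/databases/com.google.android.datatransport.events
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
/data/data/com.drnull.v5/files/PersistedInstallation349981840221474443tmp
SHA256 4efa5334937f824363bceec603ea5c53cf9c1f75a73053879dd8e27cf06f15ba
/data/data/com.drnull.v5/files/database.db
SHA256 987c7be02a42d5ac0ede02fe4f387d99506162f06f49fc14a021411120b16842
/data/misc/profiles/cur/0/com.drnull.v5/primary.prof
SHA256 87964145ade7a79f223cadc1c48ed417d86ac1872b5f6d533814312da485e6ba
"""

RUN2 = """\
/data/data/com.drnull.v5/databases/com.google.android.datatransport.events
SHA256 3026cf000880cedb26dbb71b235d6230b1d721467662404977a251a3aac2eba0
/data/data/com.drnull.v5/files/PersistedInstallation6393805134888853627tmp
SHA256 84f4de3e73d858468df80d2fca47c0189d860636a8c31353b064a58bd581aee1
/data/data/com.drnull.v5/files/database.db
SHA256 a3212fec1e0729e799454741a21236f213e0c930791fc7a5a685b913053d173d
/data/misc/profiles/cur/0/com.drnull.v5/primary.prof
SHA256 87964145ade7a79f223cadc1c48ed417d86ac1872b5f6d533814312da485e6ba
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")


def parse_files(text):
    """Return a list of (path, {algo: digest}); a path may repeat if it was snapshotted twice."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if not entries:
                raise ValueError("digest line before any path")
            entries[-1][1][m[1]] = m[2]
        elif line.startswith("/"):
            entries.append((line, {}))
        else:
            raise ValueError(f"unexpected line: {line!r}")
    return entries


def classify(path):
    """Attribute a file to the library that writes it (this example's assumption,
    from the well-known file names, not a statement the report makes)."""
    name = path.rsplit("/", 1)[-1]
    if name.startswith("com.google.android.datatransport.events"):
        return "sdk:google-datatransport"    # event-queue SQLite db and its -journal/-shm/-wal
    if name.startswith("PersistedInstallation"):
        return "sdk:firebase-installations"  # installation-id cache written through a temp file
    if name in ("primary.prof", "profileInstalled") or name.startswith("profileinstaller_"):
        return "runtime:art-profile"         # ART / androidx.profileinstaller bookkeeping
    return "app"                             # the sample's own state: the file worth pulling


def sha256_by_path(text):
    out = {}
    for path, digests in parse_files(text):
        if "SHA256" in digests:
            out.setdefault(path, set()).add(digests["SHA256"])
    return out


def compare_runs(run_a, run_b):
    """Paths seen in both runs with identical digests are 'stable'; differing are 'changed'."""
    a, b = sha256_by_path(run_a), sha256_by_path(run_b)
    result = {"stable": [], "changed": [], "one_run_only": []}
    for path in sorted(set(a) | set(b)):
        if path in a and path in b:
            (result["stable"] if a[path] == b[path] else result["changed"]).append(path)
        else:
            result["one_run_only"].append(path)
    return result


def app_artifacts(text):
    return sorted({path for path, _ in parse_files(text) if classify(path) == "app"})


if __name__ == "__main__":
    print(compare_runs(RUN1, RUN2))
    print("pull from the device:", app_artifacts(RUN2))
```

Across these two runs only primary.prof is byte-identical, which is expected for a file derived from the packaged code rather than from runtime input; database.db differs between runs and is the one artifact to extract and inspect (schema, stored targets, queued messages) rather than hash and forget.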