Malware Analysis Report

2024-10-19 13:16

Sample ID: 240402-mb8wfsfb69
Target: 5bc930ea8c6d53a3f9d4081a99d604bde58b5503aaa937c969a26c01d0f86c05.zip
SHA256: 3f7843d02a0047288a616def41455120f294927ddda04221453b56abd7095e08
Tags: irata, discovery
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 3f7843d02a0047288a616def41455120f294927ddda04221453b56abd7095e08

Threat Level: Known bad

The file 5bc930ea8c6d53a3f9d4081a99d604bde58b5503aaa937c969a26c01d0f86c05.zip was found to be: Known bad.

Malicious Activity Summary

irata discovery

Irata family

Acquires the wake lock

Reads information about phone network operator.

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-02 10:18

Signatures

Irata family

irata

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an instant app to create foreground services. | android.permission.INSTANT_APP_FOREGROUND_SERVICE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 10:18

Reported

2024-04-02 10:28

Platform

android-x86-arm-20240221-en

Max time kernel

47s

Max time network

138s

Command Line

com.drnull.v5

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.drnull.v5

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.200.10:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.178.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | api.cloudflare.com | udp
US | 104.19.192.177:443 | api.cloudflare.com | tcp

Files

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 a814e745a4d313f98c760cf51137c1db
SHA1 af8dd9a4d9ead92eaedf4725930486519a475b03
SHA256 c63c363a95ed8b28c328b83dbd51eef1099cdae7e650aba3b94a69b104846f01
SHA512 bd83600a6e6e294f0c1b296b673f04ae9cc691f5f78862677a24f3190390b3d4d970d27c051625f6e82449611c18c025670e62cae42a58a782ead1644e2b7b72

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-wal

MD5 11b5d6881ec7dda065652e9699c3af33
SHA1 44241e7e7ba7e6e30382b72751be58c1e9cc7df9
SHA256 d52cb63e272f2bc3e4b2707a02e4c0b49dd98158d2835a008a88c09a90cee1f6
SHA512 be009db91c791c4c5b3e505f899efaff17220dd10d6e101f78af7858b297112dadf0a068618362be9b6f74c54a271867a5a8fa6aeda4cacd4f053a6ab74b6476

/data/data/com.drnull.v5/files/PersistedInstallation5734464043669077707tmp

MD5 fb3865d64c3bbe132b1ae2365b15fc6b
SHA1 cb0b3521039c42c34407ef491e40960d05918ab4
SHA256 4b4e8021eeecfb0bcc6504d3563eb2c3d0b32f80757c5afc4c7484139da5946c
SHA512 bfa4f5ec4dd9e6aaa02769b00012653f3ea7dd76ae972109cef7069741a481691b8083c26954a651f84cbdc111c59635fd44d793f82cf4d09eddd675175ebb85

/data/data/com.drnull.v5/files/PersistedInstallation3810164248227378949tmp

MD5 a4cf3b0c4d83be269522156c048c79ca
SHA1 d8fcb0d28aa0cbc46f6242d0860247f2ea089c88
SHA256 498c349cf9f4b64c9795fa2fb3d3d64c0dc405dd54811a2dcd6dd9c0de1e03de
SHA512 8a847a765e3249e0199fb61c776e5ae9a1bf2d5734b05fc0840dde1abf3795620760d528bd818041acf2793b2459d1eb20e542bd2e7b2d21c24e1211f79b5f83

/data/data/com.drnull.v5/files/database.db

MD5 99d9d59a73073400a61c31ee619e5bdf
SHA1 bbad9c3bc0acfe31c9df6ee807b5b4af26dc97dc
SHA256 707441992930c576a5759b42d9ae791a060c4271e529ed12a6a20a486f4bc4c0
SHA512 ce158fa9fc94981b84df10b12b1864d27c006cb43e1e43a1134281a6203fc887e502c7206150673c9e0e09ab1d1ea647d17a69dc16fefc14c8ebacc88f2f53e6

/data/misc/profiles/cur/0/com.drnull.v5/primary.prof

MD5 e73468902801114589f5c95a7422a74a
SHA1 e003863c86a297f02dd3720d02d840cc1d55a55f
SHA256 a2db0b849ed4dedd5bf1a55a374f86e8f13cb28ca688100df9012eaaf9f2559f
SHA512 ae4c1d4aad965f70ca97207d04873305265ac13c579d9c031318207b2799c3fbaef5868d459aa3df37a67359731f8af0475a7cc452212ba3a8b987ed7fbf5ca2

/data/data/com.drnull.v5/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 63d3bb67b8912bb875cdfb76d3d8d5c7
SHA1 1984a51fd21789f66144aacf039bc91466c6f640
SHA256 c7a4a6f9a748370c6cad7fc88982815b0fb2a59750da6f1e7410bc5acf96a39b
SHA512 f50fc7d62d0d86c33d4fb4279c4944fc541a06b3805836c8d39924b99632014e85e8a50c7e4f275220244a03ced0b0305a94c1796d39ea49cc448ffb16f204d8

/data/data/com.drnull.v5/files/profileInstalled

MD5 08afdbc2e652e1aed2c62ec98ec35d1b
SHA1 67e8b09b3457c68300ebddc3dc8d836fa03612c2
SHA256 0eb59e3cd25d6842f679062611d418552107242e4f5e1248e50a312280efe326
SHA512 6b4dc5c96664dcc8f7ccb699ac69c76814cf45fe4ceb3aaa7921a185364c04f473f4b64cdee3e61fdfd31cf94860eb8c2b04d2ed2a90a7f13a73193c97f5daee

/data/misc/profiles/cur/0/com.drnull.v5/primary.prof

MD5 6840c6b791225c759ee1c08ead35d97c
SHA1 fdc40959bfdcd836e9acdf8b58c996c195f0096b
SHA256 30c497864042208927959cfe1802d261007aecbf49f5b9a370a8930ed26e5570
SHA512 dce898d7a5ecb7db760ed44d13ab8297616093402c8f823e12a0ba8d302320e96fe7261f5fa8c917bd2f1d002beea8542c00af306fc02ac175c476f7ae09a087

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 10:18

Reported

2024-04-02 10:28

Platform

android-x64-20240221-en

Max time kernel

47s

Max time network

145s

Command Line

com.drnull.v5

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.drnull.v5

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | api.cloudflare.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 104.19.193.29:443 | api.cloudflare.com | tcp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 142.250.187.196:443 | N/A | tcp
GB | 142.250.187.196:443 | N/A | tcp
GB | 216.58.212.202:443 | N/A | tcp
GB | 216.58.204.66:443 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp

Files

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 40788aa7860a9ebe92d93f4c08c216a4
SHA1 97dbe8ccb7c58605d43b4e4db145f9ee38f5b9d6
SHA256 4e6a0447af93ec11dd5d71a3abe72371ecc434d8332229bd75a846448449ac0a
SHA512 27c454177f39474f08c3109ea8bcb2a762bcebad8c63e0197ae06eebcaabc85972e844aaf1611a76492099a3b61c0c0e210edd5d97c2f238a3ddab2d1e5229b1

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events

MD5 475b2532c3cdfe9b551dd64523cfd693
SHA1 fa02bdb8beb13a6b509aabcc95e49bd1e2657363
SHA256 c7ab02d9becf8416cb8641046de9126a0b19a958778772c624bf4243a2ef5951
SHA512 a7ca97f8c77eb3bd6ce8a247ee827c44061975910369ac9d469facc94c13660b0e7203d631214f3b404654918226d404e683ff796129d00cd5d14c643c7bcc9f

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 0d3094b8248025867134ca7ac07387a6
SHA1 2e2a6febe8d6f1105df6bd534be4c705fe740084
SHA256 c947b809632092ddaf830d0a110e1de3756cae8fd802003a60cb5981ac9b2db2
SHA512 230f8870b517b7b53bfefec6cd66782f56922aecc238fe369c7e642f821bf807f84b0924cd9a057a1e1a23256ed339aabc4a5ca8223b275561523db808195e71

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 fdca9b35ae78f3df0d55d3128e68b504
SHA1 68a98bfa47470a73687d2651c7106832fd496f29
SHA256 2143bd16c284252751956800ad7f9e84c274d25598ff77175533deaeb7da2a9a
SHA512 359bcb52d1b5e61b12829e22c184b75271930b855b4b0e1a80340d9ee869c3717501859f78679f7087849122224ba040624a1a3d96af1c1728c6fdf8e0b1dc58

/data/data/com.drnull.v5/files/PersistedInstallation7016102065492942831tmp

MD5 406c148287b9987670c4e74ad2e9c9a2
SHA1 6071ed137fb9616549e97188208b552846188fee
SHA256 92005979190c2abb7a5f75bf25ffeddfb804ed89b15713c2f2303104902a4fa0
SHA512 967c86b6c7ee13b26defbe49681c1eafac0d287982712be4963fdab61817b0abdf68f86e1003b5e806ebdcb2610ea7346af0ef22a3c470d30356055b7783ea58

/data/data/com.drnull.v5/files/PersistedInstallation36667351693814887tmp

MD5 3d444c0070e4008b4ad83a7ea875a24b
SHA1 4f4118a13764914833972d40d396c6194ef18da2
SHA256 2df5764e3b34456f6c5d88857cb9d0bbc8c440081d8130ce68ea91cfcb428c8b
SHA512 8f2c23a1559fa8d0e7592209dfdfe7ac99e3d3b28e5f69f84926b53987080bdb459a34e8d78c2f123aa112855acf1a2276bba9032bf390dffdfc2f2914df9c23

/data/data/com.drnull.v5/files/database.db

MD5 d2c090fa3b3b55c0620d8f50e50af975
SHA1 24f9c56064baaeecc6834b0778d1b57c1fac1a93
SHA256 b16fed232a9972a8d427973f86c8f954f6ac1e171925b8a4f02f57ce836dff90
SHA512 c60a1e528e56766ce0228a06efd5eb7144ab5779488bb61cff5e73842c0b1c29a646bd602b2bd01bcfd1f97ba8aac698e8d147a247e91d3008923163af4bf32d

/data/data/com.drnull.v5/files/database.db

MD5 e2eac0657a2e5e4f2a98b402ced5cfe1
SHA1 62415e0c7a31e10e9309ff2eae5d96b3dcd96175
SHA256 20865104ea421420b50a09183fce9436a9c4432c964d93430c096c37c1279770
SHA512 2d54b826f31eac1050d45d7e58a3812899d34e7c9deff1c5649256db32860a5ea4b7768dfe569767c45d209fe1033a84520c134349714247af8b7b777bdde7cc

/data/data/com.drnull.v5/files/database.db

MD5 6072bdb60b0e0557dfd7e30ae44562f2
SHA1 47ff14fcc8bd8c7593693c26b7d6fa262580864a
SHA256 d3f8d0100be0e3e512c2f3687769cfb97c4aab7099ba6728aab7e146eabce5c5
SHA512 c6e89d0aba8b2ee243deb57518dd73e7e7dc9509cad73ab3f3866213c9859be70b5e8fb6aee576dc7e12a97a7e802842d92acc28d5227ac38cf0fe9e136f48cd

/data/data/com.drnull.v5/files/database.db

MD5 c23e6a938daed232ebd7f16b5609bdad
SHA1 44cf03af203cd171ad76c3b666285d98ffdb28ca
SHA256 73ce23548eeb7b6a0f27acf54a9c26ec36233c6842f1ca3417d49c12cc81be05
SHA512 b2ea8c72bbb71eb57e7740c2e728eb79baf3c6081bed202bb9833719ec96952d0f2a0649d0630d9e959f749b4987f222ad0b87d2e864aa019c2cc2de0f256c71

/data/misc/profiles/cur/0/com.drnull.v5/primary.prof

MD5 e73468902801114589f5c95a7422a74a
SHA1 e003863c86a297f02dd3720d02d840cc1d55a55f
SHA256 a2db0b849ed4dedd5bf1a55a374f86e8f13cb28ca688100df9012eaaf9f2559f
SHA512 ae4c1d4aad965f70ca97207d04873305265ac13c579d9c031318207b2799c3fbaef5868d459aa3df37a67359731f8af0475a7cc452212ba3a8b987ed7fbf5ca2

/data/data/com.drnull.v5/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 a9c6fd4be567d262b692651bbd262ad5
SHA1 9ba93e4adf5360cfb560868fe65ff33398609c4e
SHA256 a006569354897e9e4910994b889aa99b3357c5d842dc94782317b43fb229f7ea
SHA512 bb2a252f4ac168ab108af5ad4c051bc74cd674d1281bfa0995f4e9883a4da212adcb4699536f3143213a43ff5504a509527b0eae03910e05a8142f9b08147b27

/data/data/com.drnull.v5/files/profileInstalled

MD5 a1ad114d758114341e06f26f0a9e2674
SHA1 6b2911ffdda63be88d0ce3c32751394d8886c009
SHA256 144e442b10a162cf699b71accea9dbe27e5ab14cb26d2a9af7d213db08ab40cc
SHA512 63b98d719907502e5d33eba328e5ab1394f9d6268d416ed469fa16cc0225af746a10ebedc5209095222af2d62fb633a3f2d386109138a08e42543c0d17051b52

/data/misc/profiles/cur/0/com.drnull.v5/primary.prof

MD5 7f49b25d2189e3700c33796a4022a8e9
SHA1 c3f4d173b7338c04c9d490e9155a9e54586e55d0
SHA256 2688d0618860447b21768e0657b912f9cb7789e811a7c152bff0abe10c223a51
SHA512 a5789d6aca691d9799cca86b4eb31b49c6697d8846372b14900588b59cff036ef8fa6e6efcc8da367e1affe7ec1a62676246f1acb023a20e02220b193bd1a9e1