Malware Analysis Report

2024-10-19 13:16

Sample ID 240402-mb8wfsfb73
Target 5bf740d33b8654c1888b6ff6f2f2d32895cdfd9b205be5acb550e3d15cd705fd.zip
SHA256 45f956a3eef5517b7341c119f62cc970c7f2dee4e906481148a1f716891105c9
Tags
irata discovery evasion persistence
score
10/10


Analysis Overview

score
10/10

SHA256

45f956a3eef5517b7341c119f62cc970c7f2dee4e906481148a1f716891105c9

Threat Level: Known bad

The file 5bf740d33b8654c1888b6ff6f2f2d32895cdfd9b205be5acb550e3d15cd705fd.zip was found to be: Known bad.

Malicious Activity Summary

irata discovery evasion persistence

Irata family

Makes use of the framework's foreground persistence service

Acquires the wake lock

Reads information about phone network operator.

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-02 10:18

Signatures

Irata family

irata

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an instant app to create foreground services. android.permission.INSTANT_APP_FOREGROUND_SERVICE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 10:18

Reported

2024-04-02 10:28

Platform

android-x86-arm-20240221-en

Max time kernel

19s

Max time network

139s

Command Line

com.drnull.v5

Signatures

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.drnull.v5

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.180.10:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
US 1.1.1.1:53 green.whatsyourfavoritecolor.xyz udp

Files

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal
/data/data/com.drnull.v5/databases/com.google.android.datatransport.events
/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-shm
/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-wal
/data/data/com.drnull.v5/files/PersistedInstallation8733788213177138127tmp
/data/data/com.drnull.v5/files/database.db
/data/data/com.drnull.v5/files/PersistedInstallation5636089357122676549tmp
/data/misc/profiles/cur/0/com.drnull.v5/primary.prof
/data/data/com.drnull.v5/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
/data/data/com.drnull.v5/files/profileInstalled

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 10:18

Reported

2024-04-02 10:28

Platform

android-33-x64-arm64-20240229-en

Max time kernel

149s

Max time network

160s

Command Line

com.drnull.v5

Signatures

Makes use of the framework's foreground persistence service

evasion persistence

Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.drnull.v5

Network

Country Destination Domain Proto
GB 142.250.200.4:443 udp
GB 142.250.200.4:443 tcp
GB 172.217.169.74:80 play.googleapis.com tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.google.com udp
GB 142.250.200.4:443 www.google.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 green.whatsyourfavoritecolor.xyz udp
GB 216.58.212.227:443 tcp
GB 142.250.179.228:443 tcp
US 162.159.61.3:443 tcp
US 162.159.61.3:443 udp
GB 172.217.169.35:443 tcp
GB 172.217.169.35:443 udp
GB 142.250.200.4:443 www.google.com udp
GB 216.58.204.78:443 android.apis.google.com udp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp

Files

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal
/data/data/com.drnull.v5/databases/com.google.android.datatransport.events
/data/data/com.drnull.v5/files/PersistedInstallation3429380572420220838tmp
/data/data/com.drnull.v5/files/PersistedInstallation8188976780099589498tmp
/data/data/com.drnull.v5/files/database.db
/data/misc/profiles/cur/0/com.drnull.v5/primary.prof
/data/data/com.drnull.v5/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
/data/data/com.drnull.v5/files/profileInstalled