Analysis Overview
SHA256
f9b12f47f3d6269998f4f4b93f4e7c8936a4f1546d1f6f8d07a6b020fe042d5c
Threat Level: Known bad
The file 63f2a545be1cc0cba6fb103f5429c5b9a7470e2939c57fc04810811e01f77ccf.zip was found to be: Known bad.
Malicious Activity Summary
Irata family
Irata payload
Requests dangerous framework permissions
Acquires the wake lock
Analysis: static1
Detonation Overview
Reported
2024-04-02 10:19
Signatures
Irata family
Irata payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-02 10:18
Reported
2024-04-02 10:30
Platform
android-x86-arm-20240221-en
Max time kernel
2s
Max time network
130s
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Processes
org.bax.project
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 172.217.169.10:443 | semanticlocation-pa.googleapis.com | tcp |
| GB | 142.250.200.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.201.110:443 | android.apis.google.com | tcp |
Files
/data/data/org.bax.project/files/PersistedInstallation8648887834769150667tmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-02 10:18
Reported
2024-04-02 10:30
Platform
android-x64-20240221-en
Max time kernel
3s
Max time network
134s
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Processes
org.bax.project
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.213.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.178.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.201.100:443 | | tcp |
Files
/data/data/org.bax.project/files/PersistedInstallation1719028344232892005tmp
/data/data/org.bax.project/databases/google_app_measurement_local.db-journal
/data/data/org.bax.project/databases/google_app_measurement_local.db
/data/data/org.bax.project/databases/google_app_measurement_local.db-journal
/data/data/org.bax.project/databases/google_app_measurement_local.db-journal
/data/data/org.bax.project/databases/google_app_measurement_local.db-journal
/data/data/org.bax.project/files/PersistedInstallation931006170103457975tmp
/data/data/org.bax.project/databases/google_app_measurement_local.db-journal
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-02 10:18
Reported
2024-04-02 10:30
Platform
android-x64-arm64-20240221-en
Max time kernel
4s
Max time network
144s
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Processes
org.bax.project
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.200.10:443 | | udp |
| GB | 142.250.200.14:443 | | udp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.200.4:443 | | tcp |
Files
/data/data/org.bax.project/files/PersistedInstallation1394251406094572647tmp
/data/data/org.bax.project/files/PersistedInstallation8708939056611171884tmp
/data/data/org.bax.project/databases/google_app_measurement_local.db-journal
/data/data/org.bax.project/databases/google_app_measurement_local.db
/data/data/org.bax.project/databases/google_app_measurement_local.db-journal
/data/data/org.bax.project/databases/google_app_measurement_local.db-journal
/data/data/org.bax.project/databases/google_app_measurement_local.db-journal
/data/data/org.bax.project/databases/google_app_measurement_local.db-journal