Malware Analysis Report

2024-10-19 13:15

Sample ID 240402-mc4ywsfb92
Target cb0cdb1ad01fa87c11eacbbaeef9f646206ec99046c32f3b3e467bb7f6e265f2.zip
SHA256 2d5a2beabba87097607784faddcd920628b0c1e27d84ce3bfe3d1c1043a0a1d2
Tags
irata
score
10/10

Analysis Overview

score
10/10

SHA256

2d5a2beabba87097607784faddcd920628b0c1e27d84ce3bfe3d1c1043a0a1d2

Threat Level: Known bad

The file cb0cdb1ad01fa87c11eacbbaeef9f646206ec99046c32f3b3e467bb7f6e265f2.zip was found to be: Known bad.

Malicious Activity Summary

irata

Irata family

Irata payload

Acquires the wake lock

Requests dangerous framework permissions

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-02 10:20

Signatures

Irata family

irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 10:20

Reported

2024-04-02 10:35

Platform

android-x64-20240221-en

Max time kernel

3s

Max time network

132s

Command Line

org.bax.project

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

org.bax.project

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.74:443 | | tcp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.187.196:443 | | tcp

Files

/data/data/org.bax.project/files/PersistedInstallation5860908435944592545tmp

MD5 e8f94e14e9c3e0cdebed4c901d3e3cc5
SHA1 825d823724ccb4f454254d488fdeacc63b47b95a
SHA256 92f4a4173bc599cafabd1460df0b2398dffcb1eceb2ed3327f1a59b2fdd86665
SHA512 5d049a205d81c8318dbd3c94cba93b5cc054ab76f38ffa5849deb7033b7db0e73f4801c709075e593b03a09ea4803054dfdc4fb8688328ebfa9707453eace692

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 5b0e0668299adfc38dd7f2315c3b0015
SHA1 4a2ea6e03d5ef30425fae817537c5859f9de6605
SHA256 9f4cf89e15bae9fa999e97279bb9b390c38277dea11fb609dded8ce322dd5af0
SHA512 2eea5020c5b7542fe741b943308f7aec99a42fce1c1c44ef0c6ff918387b896ad4b47b1b79091cb2231a994ae4b7ef129da091a08c8edbc8e32c4d1d267377e4

/data/data/org.bax.project/databases/google_app_measurement_local.db

MD5 eb52a90bb70b76e946b62f50b6f7fb85
SHA1 42d767b5d1faa7dcef4cb4e1432a5f47ec2e9ee0
SHA256 48472f593a3e9cf9e91ee5f7d66dd9ff291bfb247eb6b46778c710fc24e8d3c4
SHA512 b356c858cadd14b6ecddf134f1c494c0107a1d36be9387984fc53dcb00e6779d944f058f4ac99d0fc2fe3a427cd1c2921c6fc38ecad53909fc4b5b6f04459b5c

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 0af018c849db5824cdc4c3631fe532f5
SHA1 78309ef5e8a7e1dea453e83d3319342b1c6353e3
SHA256 cd673f046ba09d50379fc343a14128a9e444beb9158431fac96523dbe3718a19
SHA512 8d2f49012a854c28f8a9880f45ea80421abf1e151bae23f478bf5ef5bb653be33b889749426192eb4bad509796899de6bdb6995453480e75a1bc5432f4fc28da

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 b9dffd5664b5b716c8f381738ba3adf4
SHA1 6588c35c290684d2049cfa06c97173263d2c487a
SHA256 75b922c7dec5b414bdc1058e334007ec1b47cb4529c46afb3b9dee9ffb952023
SHA512 9d0221925690eba110a820c40f5fc739ff2fd4c588f529feb5fd88e4e75fda62feba9f340c0fa32ce6c77caa5b139f07c95bc462cf8f45366d45cbea25196157

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 743d6e8f0ac1da6cef389f7f5d7b1c65
SHA1 b75767a7554c03e9482bf27cd37d97efdc6b4956
SHA256 c10468144b3af8009e54f0acc63c7e1b3ca9cbecf0055a0c216c4041769d0971
SHA512 3a3af883292272f50e320b018c55920ae1c0e9f564c6913cc973e63cabbaa40b84fb0242c05fe1112c0112c66d43263a9ae031d7dc9f2718e4e9f1d6763784e1

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 629342d374a28f8f02a26ed4c7d47399
SHA1 c85e610263371670e60c1d1910e86bc5abe6a08e
SHA256 64940c3eeb9cea12de04cb5c855da355b7bf2e9b3c4f1b5846b7a5ff88340251
SHA512 89a2cd215fbf43e4144825809aaa2b3326a47f95b8618ebfbed4cfed2ddbc2e9a2bed54e4baee645de0dc2ae8613e9f4292e6d04cf74cd6069a736bd8ad2539f

/data/data/org.bax.project/files/PersistedInstallation393281800808562768tmp

MD5 87089c7d5b1bd6acddba62270fd22659
SHA1 f06db62a2db541c4df986873c00235f109718b60
SHA256 0aee103721da950e937c1bdc4548232eff9187a07143ef919cbc137c66aceb49
SHA512 f5446bde9ef0c0f6399e397b7bfd8811951bd2c1de1caf70d0797b162e76d45f076d0e048b995c5170d62d9d9e7206228b5692a2fbe90bd80a7707caa95b0fc9

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 28c8c1951cccf6fd22be8a783ecf717b
SHA1 2fc61e21b5014fa0adf3567ee1b6ac07705e9804
SHA256 2bed8f4285c59a7220e7d9709a16bb11be68adb19621da403aa9233821728cc0
SHA512 59ad4e8b82f5769de83e165a99fc848d5b83076c8e4ff68ae0ceac809a15f7fe9458adc2a506b43a9ba6d85b6673531dc6ed23b5ee0297761d90f95413045bf5

/data/data/org.bax.project/databases/google_app_measurement_local.db

MD5 62cff69655e85e2601667c409989cfd7
SHA1 11914b8d4d3f6647e2b3c73a93633d9a0cd59698
SHA256 b14899a7b3acf115d484feb82c5bd72a03a9f8a25bad80a298a28a53bdfb65bd
SHA512 e2a379ad706c7c647532486aba73c6ca0016b69c30ec705b400b47fb6688bdb28e00e55ad32488dcbe5418bc0c452223190d5d89181e441f1c693c720b4e3858

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-02 10:20

Reported

2024-04-02 10:36

Platform

android-x64-arm64-20240221-en

Max time kernel

4s

Max time network

145s

Command Line

org.bax.project

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

org.bax.project

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.74:443 | | udp
GB | 216.58.213.14:443 | | udp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
GB | 172.217.169.4:443 | | tcp
GB | 172.217.169.4:443 | | tcp

Files

/data/data/org.bax.project/files/PersistedInstallation884794285952954157tmp

MD5 b6c9a4193db21641ccf5f8301f7e8caf
SHA1 aac7b7aa9d05198c8ca0b6bd2a55b901d0af314a
SHA256 a90a52c4b7c6c16c04b3a9d29f6f438fd60704999759517cc39e9bd9ca252b78
SHA512 d9cb181fd7c6e0dccee3759cf8fa0f23c734aebc30b7e7f10ec884011353e3faa047407e1f0d8e718a2d83fda8494c595d2f6d6dbbb5618d0e850451e02d0a9f

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 44951a3127fe8ab66cd99bfd510fa53f
SHA1 e684880f891f7d9e208f663a4ced14fd307e6899
SHA256 5b80d7612b7a7c6da534308287b33f0c6506b2a0803534dda155630a768dba11
SHA512 5bac099458398a9244892c314b5f6e9aa4a95a7cd34f05f8be77455fb45cf2cf0d749e6be5ffc78e402457a42608a687e6dee16395490d6c6c599c5818849c06

/data/data/org.bax.project/databases/google_app_measurement_local.db

MD5 d9cf75fdd1c2292d986f6c3d5d60f2c8
SHA1 07ecb1d3a26d952ae5fecf54f36699ab498510b1
SHA256 2d227e9b7a044c8e10294f6a831fb92d81ea9582381796d87f35bd268e37538a
SHA512 442c96e4b4c79b8d1c64dd3a6d6088ae1dace441e78d830dfb3190ee1c0fafebc606fb432071b4a1ad1a4ba9b68c7877b0bce520ccc88708feaf82bbc474e0cb

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 40b98c7588619182c98aeef326a736a4
SHA1 8af26f263f5d9a7f133fbf6fef46df2cb21053d0
SHA256 cd321c1cf62ca0a5560639f7a151d9d0589c6c59bdd556214650e68107a8c78d
SHA512 3056376bb4beefa96bf829d1cea84a3f064c42b06770a4e39b1db344bd66c028cb97fef3a9c75b77832d33bbb004c8ac16ca253f5be2561e4fd43187e0fc996c

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 894a6a93a9656f1568aba692cce74d96
SHA1 5c5e79987212d51d7cffbe7e1194494be68f0791
SHA256 e35e5028c0a9f918c12293d1816198e267683014b151d4c6db4af3abd9773134
SHA512 6ed9a2629de2991d4331194226fbc8e296cd50fe96a482740a17366dfb32305e25c0833f427d19faaef661c61f901b19990d311c5693947ddcffe60dcb7be415

/data/data/org.bax.project/files/PersistedInstallation7283459414855111134tmp

MD5 50c277ca47d55cace54c52506742fc83
SHA1 71ea51778f9164789db36378a14f7b81d7ef1dfd
SHA256 7a66be6f6fc45eb366830683d56a64ba66df6a72e02b239d0262f9369777d009
SHA512 7200bce7fa9233485ace9863b55ab670f30b73c07ecca7c866e0f0ed555503bf187712149f60180f1e1d2db69e9c70b07a0f9209f6c79ad1a115cdb07cc65e62

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 3d63ffd2a06f5427dc5952d72c84970e
SHA1 9253e25472dd5bb2ef7402faf636acabb89ffaca
SHA256 5d6b90f8d0b1e0174a586946b67a45fee01f1b2562ed25c897816ac98c88ec8b
SHA512 9d7c56edc8da55256070443905b28b830963594501c68c1fda5666d8274844ac09a73b093afb744ab168f17d4b61c041741ca09ee25c2f7bc3a89121b41cd9c2

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 f916fc22620625ad8b502ea019d5d44d
SHA1 252a1b7b81f3ae4b2fef017a955eb9b2c470d8c8
SHA256 fb835f239590c31c031379cc3abe07d181f9d438974cf4e5fcb2dcaf99f36d36
SHA512 8034e73fc270c14f02e140fdd30c2930f48d19c5e402952a970fafc933b71f19c352f12344cf5c2f04e3cd70e2c7f5bd5a8978087650c0689716cb8cd876ba3d

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 10:20

Reported

2024-04-02 10:35

Platform

android-x86-arm-20240221-en

Max time kernel

3s

Max time network

133s

Command Line

org.bax.project

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

org.bax.project

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.14:443 | | tcp
GB | 142.250.200.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp

Files

/data/data/org.bax.project/files/PersistedInstallation6584630590008412377tmp

MD5 dc4ad5bd7ff223283a8900ab1149645f
SHA1 a778fec87a70018fb14d9a293e4ce69a80da5a7f
SHA256 ebd679e3488d4cf562d586afa37e89748561b68c865d43195df2156eb96cb71a
SHA512 a9548e49efcffe4da36aca98e1a6d5887f9ccca3cfe151386761a1205ef1460c399fc2c6ac83c14436622c4fc680e2fc89922ee5a23ab866ae6ab41199b26024