Malware Analysis Report

2024-10-19 13:15

Sample ID 240402-mcdrpsef61
Target 7fa3d58a0056e8492a84894a6fd3b3d0d87ff1f9656f5e54b10580b9a4a4fd6a.zip
SHA256 08d589322bf236d7d9e7abf392c15d7625e36047ea35d669323612ef15942eea
Tags
collection evasion persistence irata
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

08d589322bf236d7d9e7abf392c15d7625e36047ea35d669323612ef15942eea

Threat Level: Known bad

The file 7fa3d58a0056e8492a84894a6fd3b3d0d87ff1f9656f5e54b10580b9a4a4fd6a.zip was found to be: Known bad.

Malicious Activity Summary

collection evasion persistence irata

Irata family

Irata payload

Makes use of the framework's Accessibility service

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-02 10:19

Signatures

Irata family

irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to write and read the user's call log data. android.permission.WRITE_CALL_LOG N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-02 10:18

Reported

2024-04-02 10:33

Platform

android-x64-arm64-20240221-en

Max time kernel

152s

Max time network

159s

Command Line

com.caixkdopro.app

Signatures

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Processes

com.caixkdopro.app

Network

Country Destination Domain Proto
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.200.14:443 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
IT 213.109.192.177:56897 tcp
GB 172.217.16.228:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
IT 213.109.192.177:56897 tcp
IT 213.109.192.177:56897 tcp
IT 213.109.192.177:56897 tcp
IT 213.109.192.177:56897 tcp

Files

/data/user/0/com.caixkdopro.app/files/loading.gif

MD5 7b38720a0352dffa26411726c72dd2b0
SHA1 b15e687f42abcdc12427f146a3115ef2259211f8
SHA256 2013f490d45638cada331b3474ed65b9a43cec60da773accc98332e58c06336d
SHA512 0df28f87da4f9beb3ca8c108f54021a2a1a1434771abbb5ba67a2736097f2287b05e5220a33e92c42ee13ecae1144714a422b986763712794f69e65bc44c83e3

/data/user/0/com.caixkdopro.app/files/db.db

MD5 0f846d61a922fcd3852c7241f99dc9bc
SHA1 2198433f3a500dcf88048096d0dbdb9f26b7ce47
SHA256 39ced8a590d3e71780b7d787db9b98065d9cd7a9f987dda085fb837a012cff8d
SHA512 d2380af9ad7c68ffdca1745f6dc3f747cc5ff5622ad1c6a1b1af79267c8d3d1f28fe6e01c435797a77309ec31ce085a3c6866503b01bc9850f679ffb34ea3c08

/data/user/0/com.caixkdopro.app/files/txtscreensize.txt

MD5 1b65c10c6215685f9d621d797f911373
SHA1 cc50aaed5cd521a62ec8cf9fe0413153ec90f265
SHA256 2230c2b2787663a054c47450ecd1718f0296853ad768b8e5d306ecb912685e89
SHA512 5a9139f295dbe384b1584eff5c11f3f86759232f7b661b75f27fe92b996b4cdc0552e315f79b26f5f2c1f91756d9ae04cf0c3675b6172e91a3d373b9b314496f

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 10:18

Reported

2024-04-02 10:32

Platform

android-x86-arm-20240221-en

Max time kernel

149s

Max time network

156s

Command Line

com.caixkdopro.app

Signatures

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Processes

com.caixkdopro.app

Network

Country Destination Domain Proto
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 172.217.169.10:443 semanticlocation-pa.googleapis.com tcp
IT 213.109.192.177:56897 tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
IT 213.109.192.177:56897 tcp
GB 142.250.200.42:443 semanticlocation-pa.googleapis.com tcp
IT 213.109.192.177:56897 tcp
IT 213.109.192.177:56897 tcp
IT 213.109.192.177:56897 tcp

Files

/data/data/com.caixkdopro.app/files/loading.gif

MD5 7b38720a0352dffa26411726c72dd2b0
SHA1 b15e687f42abcdc12427f146a3115ef2259211f8
SHA256 2013f490d45638cada331b3474ed65b9a43cec60da773accc98332e58c06336d
SHA512 0df28f87da4f9beb3ca8c108f54021a2a1a1434771abbb5ba67a2736097f2287b05e5220a33e92c42ee13ecae1144714a422b986763712794f69e65bc44c83e3

/data/data/com.caixkdopro.app/files/db.db

MD5 0f846d61a922fcd3852c7241f99dc9bc
SHA1 2198433f3a500dcf88048096d0dbdb9f26b7ce47
SHA256 39ced8a590d3e71780b7d787db9b98065d9cd7a9f987dda085fb837a012cff8d
SHA512 d2380af9ad7c68ffdca1745f6dc3f747cc5ff5622ad1c6a1b1af79267c8d3d1f28fe6e01c435797a77309ec31ce085a3c6866503b01bc9850f679ffb34ea3c08

/data/data/com.caixkdopro.app/files/txtscreensize.txt

MD5 1b65c10c6215685f9d621d797f911373
SHA1 cc50aaed5cd521a62ec8cf9fe0413153ec90f265
SHA256 2230c2b2787663a054c47450ecd1718f0296853ad768b8e5d306ecb912685e89
SHA512 5a9139f295dbe384b1584eff5c11f3f86759232f7b661b75f27fe92b996b4cdc0552e315f79b26f5f2c1f91756d9ae04cf0c3675b6172e91a3d373b9b314496f

/data/data/com.caixkdopro.app/files/db.db-journal

MD5 8c0d41f70461a7cdb46797d7e1b837d3
SHA1 d64418e60820021a538fcef603a6a400248f1c32
SHA256 87103f6b1fa83188d424e8bbfd7fb93e6b19209276cb6dce5ea337a0117ff919
SHA512 c0ee1138608c043f1ed5db65059341d7f22e4dde5d6ae644060bb716cf67a141d8e6fb9e00f3887bb363f01cc6fddc660a3650df4bca72d2ad0ac5e1f4ee83d9

/data/data/com.caixkdopro.app/files/db.db

MD5 32d50418eb9cc48b26054a251a525252
SHA1 312ecef70715199403f3064a023bc5096e91e7af
SHA256 997ea84efb161887ea79b89a23a421bf2be0b3eae61c3c0e273cc5be4c8482e4
SHA512 e5ebdf900167404a1e742db16df6323858139eda2ebf02cb7927941ab82167e3a44ec02022161ba517d4a8fc71bc54c0c4618cb9ae517763e9f3ab8e343bd41e

/data/data/com.caixkdopro.app/files/db.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 10:18

Reported

2024-04-02 10:33

Platform

android-x64-20240221-en

Max time kernel

21s

Max time network

149s

Command Line

com.caixkdopro.app

Signatures

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Processes

com.caixkdopro.app

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.179.238:443 tcp
GB 142.250.200.36:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 142.250.179.238:443 android.apis.google.com tcp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 accounts.google.com udp
BE 66.102.1.84:443 accounts.google.com tcp
GB 142.250.179.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 1.1.1.1:53 thkfscqhgwqu udp
US 1.1.1.1:53 cesvbeegstdze udp
US 1.1.1.1:53 xordebz udp
IT 213.109.192.177:56897 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.204.74:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.200.2:443 tcp
IT 213.109.192.177:56897 tcp
BE 74.125.71.188:5228 tcp
US 1.1.1.1:53 g.tenor.com udp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.200.14:443 www.youtube.com udp
GB 142.250.200.14:443 www.youtube.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.179.228:443 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
IT 213.109.192.177:56897 tcp
IT 213.109.192.177:56897 tcp
IT 213.109.192.177:56897 tcp

Files

/data/data/com.caixkdopro.app/files/loading.gif

MD5 7b38720a0352dffa26411726c72dd2b0
SHA1 b15e687f42abcdc12427f146a3115ef2259211f8
SHA256 2013f490d45638cada331b3474ed65b9a43cec60da773accc98332e58c06336d
SHA512 0df28f87da4f9beb3ca8c108f54021a2a1a1434771abbb5ba67a2736097f2287b05e5220a33e92c42ee13ecae1144714a422b986763712794f69e65bc44c83e3

/data/data/com.caixkdopro.app/files/db.db

MD5 0f846d61a922fcd3852c7241f99dc9bc
SHA1 2198433f3a500dcf88048096d0dbdb9f26b7ce47
SHA256 39ced8a590d3e71780b7d787db9b98065d9cd7a9f987dda085fb837a012cff8d
SHA512 d2380af9ad7c68ffdca1745f6dc3f747cc5ff5622ad1c6a1b1af79267c8d3d1f28fe6e01c435797a77309ec31ce085a3c6866503b01bc9850f679ffb34ea3c08

/data/data/com.caixkdopro.app/files/txtscreensize.txt

MD5 1b65c10c6215685f9d621d797f911373
SHA1 cc50aaed5cd521a62ec8cf9fe0413153ec90f265
SHA256 2230c2b2787663a054c47450ecd1718f0296853ad768b8e5d306ecb912685e89
SHA512 5a9139f295dbe384b1584eff5c11f3f86759232f7b661b75f27fe92b996b4cdc0552e315f79b26f5f2c1f91756d9ae04cf0c3675b6172e91a3d373b9b314496f