Malware Analysis Report

2024-10-19 13:15

Sample ID 240402-mcmdvafb85
Target 9334d10838e3482cb33e6130ea8397c30cc9edacd9597f1c21aa321d736cd80f.zip
SHA256 19a121a5d544cdd1d5a6839f81bf9dd005ae73fa3b9d6f56ea179fdb746c9547
Tags
irata banker discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

19a121a5d544cdd1d5a6839f81bf9dd005ae73fa3b9d6f56ea179fdb746c9547

Threat Level: Known bad

The file 9334d10838e3482cb33e6130ea8397c30cc9edacd9597f1c21aa321d736cd80f.zip was found to be: Known bad.

Malicious Activity Summary

irata banker discovery

Irata family

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests dangerous framework permissions

Acquires the wake lock

Reads information about phone network operator

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-02 10:19

Signatures

Irata family

irata

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an instant app to create foreground services. | android.permission.INSTANT_APP_FOREGROUND_SERVICE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
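Two things to keep in mind when reading the permission table above. First, the sandbox lists only permissions with the dangerous protection level, so the absence of SYSTEM_ALERT_WINDOW or BIND_ACCESSIBILITY_SERVICE here does not mean the app cannot draw overlays or abuse accessibility; those have other protection levels and must be checked in the manifest directly. Second, the combination that actually matters for a banker is SMS interception (RECEIVE_SMS/READ_SMS, for OTP theft) together with a second capability such as SEND_SMS, CALL_PHONE or READ_CONTACTS; POST_NOTIFICATIONS and INSTANT_APP_FOREGROUND_SERVICE are unremarkable on their own. The script below is an added example by the editor, not part of the sandbox output: it parses the text printed by `aapt dump permissions <apk>`, maps the permissions to capability groups and applies that heuristic. The aapt output is reconstructed from the table above, not captured from the real sample, and the capability grouping is the editor's own.

```python
import re

# Constructed sample of `aapt dump permissions <apk>` output. The permission
# names are the ones in the static1 table of this report; the framing is
# reconstructed, not captured. The last line uses the older aapt style
# (no name='...') on purpose so the parser is shown handling both.
SAMPLE_AAPT_OUTPUT = """\
package: com.drnull.v5
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.POST_NOTIFICATIONS'
uses-permission: name='android.permission.INSTANT_APP_FOREGROUND_SERVICE'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: android.permission.READ_CONTACTS
"""

# Matches both "uses-permission: name='X'" and "uses-permission: X".
_PERM_RE = re.compile(
    r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([A-Za-z0-9_.]+)'?\s*$", re.M
)

# Capability groups an Android banker typically needs. The permission names
# are real AOSP constants; the grouping is this editor's heuristic.
CAPABILITIES = {
    "sms_intercept": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_send": {"android.permission.SEND_SMS"},
    "call_origination": {"android.permission.CALL_PHONE"},
    "contact_harvest": {"android.permission.READ_CONTACTS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "accessibility": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
}


def parse_permissions(aapt_output: str) -> set:
    """Return the set of <uses-permission> names found in aapt output."""
    return set(_PERM_RE.findall(aapt_output))


def capabilities(perms: set) -> dict:
    """Map each capability group to the requested permissions that grant it."""
    hits = {}
    for cap, needed in CAPABILITIES.items():
        matched = perms & needed
        if matched:
            hits[cap] = matched
    return hits


def banker_verdict(perms: set) -> tuple:
    """Flag the SMS-interception-plus-second-capability pattern.

    OTP theft needs RECEIVE_SMS or READ_SMS; any second capability (sending
    SMS, placing calls, harvesting contacts, overlays, accessibility) turns
    that into a usable fraud chain. Returns (verdict, reasons) so the caller
    can show its work instead of a bare boolean.
    """
    hits = capabilities(perms)
    reasons = [f"{cap}: {', '.join(sorted(p.rsplit('.', 1)[1] for p in ps))}"
               for cap, ps in hits.items()]
    suspicious = "sms_intercept" in hits and len(hits) >= 2
    return suspicious, reasons


if __name__ == "__main__":
    perms = parse_permissions(SAMPLE_AAPT_OUTPUT)
    verdict, reasons = banker_verdict(perms)
    print("banker-like:", verdict)
    for r in reasons:
        print("  -", r)
```

Run against the permissions above, the verdict is positive on four capability groups (sms_intercept, sms_send, call_origination, contact_harvest). A sample requesting READ_SMS alone would not trip it, which is the point: a single dangerous permission is a weak signal, the combination is the indicator.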

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 10:19

Reported

2024-04-02 10:33

Platform

android-x86-arm-20240221-en

Max time kernel

47s

Max time network

157s

Command Line

com.drnull.v5

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery
Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.drnull.v5

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.178.14:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | api.cloudflare.com | udp
US | 104.19.193.29:443 | api.cloudflare.com | tcp

Files

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 f744ac7ab2ea57b7ad998132494c2752
SHA1 17a17aea18534d192caa320e86746310e6f3454d
SHA256 f89781d78827ad651f5bbe042346fd0b9e9f7d68fc5b3171805fe13ea373aa59
SHA512 8dd93868a670ddd2116818ddfbc9552be16cf658876811aa33e9ef9d70bb1c1dca57ce96a8611637b63b139206b4e8bc7bb7b5f78d445c9789f55c38e09ee39e

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-wal

MD5 aca1e0427d1a517cae172e2311b67ee7
SHA1 5a9773eb97709d183b5ee71984ff428b79fe1cc9
SHA256 7a58c4f0f5b299bcc655708780a2db43ad7b966dd75e66a0b75cf4645775b5a4
SHA512 60ab1bfad0a853a3baac24c7867033545aa452e781f41ccc47ab53f9b86d1c92f4f790cf4d3f31d8096928791b3aa22daf86e8f1e62eb3df5f09d1da53b52de1

/data/data/com.drnull.v5/files/PersistedInstallation1110346185455495822tmp

MD5 201f41c53768cd8d1cd521ca05abb7c9
SHA1 ec6f564bc89d5b9a3723590f2c8ea7e6dee73ce8
SHA256 a4fae8f051a65d7a06b159fac827500b024e06795f581361b52c80a34c7a084a
SHA512 5235ff7fcd594fd5ea67d807725802417afc67ef887603b399251a771e4a08303f2f40e41ea4f541d60305ecd1b7c4dce13b61bf78a2ddcad50fc4d136c61c6c

/data/data/com.drnull.v5/files/database.db

MD5 9b4ae79099259604a9d8e77fe1223929
SHA1 b20b6f067bf72d05eb7f8f7405caa44b80c5c9b0
SHA256 0ccc8f0e8b9ac053cd55a9cb191ce2dd3a3a845df8715234e177c526cf6af162
SHA512 92a53feb91deeaf024062472e56bc950d2545d080bb9305ab7cc5af6fcb7ad3fa7bb762efdba248a6b08f19874c6f23897a0a50f27b9980e991d14afcaa2cef4

/data/data/com.drnull.v5/files/PersistedInstallation7711894318381623850tmp

MD5 01f38fa083d3fab66339769617bb1dc2
SHA1 54e47e36f3c685d28a2e997b3a1abc9e6907669a
SHA256 9c7b7ea73fa3620323eeea9dd8d4d462e57c90415d4b690291e7f2ffd119ea66
SHA512 d8eca07e54cdee7df0d0fdba16ab7fe223b29087512b20dab1056e99c27f852c342fdb4946b53a2033d42c4a7b150dcc615da0293677860f8d0bc26384363f51

/data/misc/profiles/cur/0/com.drnull.v5/primary.prof

MD5 3bf4327df6b1fcec0de5399a885183ed
SHA1 4f2ceeb901b71d3f3c5d56ee9ac0430c94088308
SHA256 87964145ade7a79f223cadc1c48ed417d86ac1872b5f6d533814312da485e6ba
SHA512 5c3c3416af07cfa265043ee24909c59ea99d482f8e77f18a33b02cb0dfee6e48587341ee575dbd687fca82d249a00130c047b754994cfff9f9a4275724de4043

/data/data/com.drnull.v5/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 090b44019cc81b455da2510d419f84e6
SHA1 7b81013e0d440b5dbc4d1ccded8cc6a5ffd50af1
SHA256 359e7250f6737112d56518eb153c3fc1f833152532827e48f58568c45c82164b
SHA512 6155fb30bdafce7f0dfbb335d7166526ae05e170bd7a593c1517f5d80bb2eb968f8b85b75062fb674d3aa3a1f30261d3dce0ce33e89450b38e07629b74ac5a62

/data/data/com.drnull.v5/files/profileInstalled

MD5 44dd1f3ec4d23f6513d4bc082e3ab77b
SHA1 33f8b864343774da3a398c2e5d8dceead0d1afb8
SHA256 de012a48040a2b87143d184dfbe798ecb0ee30ad30b006928417634ef679658d
SHA512 dbd3ae3039108ee4557e0a9df87a04493c0dc56545f513ed40eba475ff033b0908350402da7d32426af46405877828021f5fb1dea950958926680db39f96f2ad

/data/misc/profiles/cur/0/com.drnull.v5/primary.prof

MD5 c06bfed114611dafd0eb0f46cc1d16b1
SHA1 37e9b5acae1ed6ca8ef94047f0147514d86fb4e1
SHA256 dbc6e5af4ca02ff2f254c88b30b423b5e65fb4fa9a1b0460562b4e2ad5c971f2
SHA512 fba4fcc5309b99d70719203d407d2115a82194faa787f8726f2b6855d51edbe751f42a2d61b0d72c4c68ccd69835922aec979c42519c2144f481d16e6a5552fd

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 10:19

Reported

2024-04-02 10:33

Platform

android-x64-arm64-20240221-en

Max time kernel

21s

Max time network

149s

Command Line

com.drnull.v5

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery
Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.drnull.v5

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | - | tcp
GB | 142.250.180.14:443 | - | tcp
GB | 142.250.180.14:443 | - | tcp
N/A | 224.0.0.251:5353 | - | udp
GB | 216.58.213.10:443 | - | udp
GB | 142.250.200.46:443 | - | udp
GB | 172.217.169.74:443 | - | tcp
GB | 172.217.169.74:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | api.cloudflare.com | udp
US | 104.19.192.176:443 | api.cloudflare.com | tcp
GB | 216.58.201.100:443 | - | tcp
GB | 216.58.201.100:443 | - | tcp
GB | 216.58.201.100:443 | - | tcp
GB | 142.250.187.226:443 | - | tcp
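Neither network table (behavioral1 or behavioral2) ties a destination to command-and-control: every domain the sandbox resolved is Google or Cloudflare, and the remaining rows are bare IP:port pairs with no preceding lookup, plus mDNS. With a kernel run time of 21 to 47 seconds that silence is not evidence of absence; a banker that waits for an Accessibility grant or for a target app to be opened never gets that far in a sandbox. What an analyst wants from these tables is a quick split into noise and the rows worth enriching. The script below is an added example by the editor, not part of the sandbox output; it parses the behavioral2 rows above and buckets them. Two assumptions are labelled in the code: that the UDP/443 flows are QUIC, and that the unresolved 142.250.x, 172.217.x and 216.58.x addresses belong to Google, which should be confirmed with whois or passive DNS rather than assumed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rows copied from the behavioral2 Network table of this report:
# country, ip:port, optional resolved domain, protocol.
BEHAVIORAL2_NETWORK = """\
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
N/A 224.0.0.251:5353 udp
GB 216.58.213.10:443 udp
GB 142.250.200.46:443 udp
GB 172.217.169.74:443 tcp
GB 172.217.169.74:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 api.cloudflare.com udp
US 104.19.192.176:443 api.cloudflare.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
GB 142.250.187.226:443 tcp
"""


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_flows(table: str) -> List[Flow]:
    """Parse the sandbox's flattened table; header and blank lines are skipped."""
    flows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        if ":" not in dest:          # header row ("Destination") or junk
            continue
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def classify(flow: Flow) -> str:
    if flow.ip == "224.0.0.251" and flow.port == 5353:
        return "mdns"        # link-local multicast discovery, never C2
    if flow.port == 53:
        return "dns"         # resolver query; the domain is the question
    if flow.domain:
        return "resolved"    # connection the sandbox tied to a lookup
    return "unresolved"      # bare IP with no lookup seen: enrich these


def triage(table: str) -> Dict[str, object]:
    flows = parse_flows(table)
    buckets: Dict[str, List[Flow]] = {}
    for f in flows:
        buckets.setdefault(classify(f), []).append(f)
    unresolved = Counter((f.ip, f.port, f.proto) for f in buckets.get("unresolved", []))
    return {
        "domains": sorted({f.domain for f in buckets.get("dns", [])}),
        "resolved": sorted({(f.domain, f.ip) for f in buckets.get("resolved", [])}),
        "unresolved": unresolved,   # (ip, port, proto) -> connection count
        # UDP to port 443 is assumed here to be QUIC (HTTP/3); verify in the pcap.
        "udp443": sorted({f.ip for f in flows if f.proto == "udp" and f.port == 443}),
    }


if __name__ == "__main__":
    result = triage(BEHAVIORAL2_NETWORK)
    print("looked up:", result["domains"])
    print("resolved:", result["resolved"])
    print("udp/443 (QUIC, assumed):", result["udp443"])
    print("unresolved, enrich with whois/passive DNS:")
    for (ip, port, proto), n in result["unresolved"].most_common():
        print(f"  {ip}:{port}/{proto}  x{n}")
```

On the behavioral2 rows this yields three looked-up domains, three resolved connections and six distinct unresolved destinations (one of them contacted three times). The same function works unchanged on the behavioral1 table. If the unresolved addresses do confirm as Google infrastructure, the sandbox captured only SDK telemetry (Firebase, Analytics) and a Cloudflare API call, and the C2 question stays open until the app is driven further or the decrypted strings are pulled from the APK.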

Files

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 8661259821087f1c27e0a81a4a8a05f5
SHA1 6a0f00f2b7fe41ace004a7fda0fc2c6d0cc201b2
SHA256 4e28661e5acb610dd30353c6ff159201c90cdb8f5866af557feff8de90723963
SHA512 c9985be4c81158eca37e66fd9e6af0234fa686040656a59bd346d6c6160dd1c1262b5bee827547fc08ced71279f447c302fe63146bcd6242aab4a24d735e279b

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events

MD5 a0c4f56fc8f2f393bb45417a085dcf1a
SHA1 5413436ca5d9331a88ddcb4434ed4f34d0f22809
SHA256 41384cbf6db238918e615241d5ff15de0b53ea493634f3156f3d00e5e25ff0f7
SHA512 b63cd56a48da1ca7391221697d045237f508da961e0c249293080c30af99b83ce84e2dc63937b69a2086abe0ec2101238c4566198a812c81d2bbccc7ca435fed

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 601c7892aea9fc14bbb5de5e710f1fb9
SHA1 edcf38006c31854793ff79751849fc645f8c0bc2
SHA256 95f715a9dc5c713f068e52912e061eedaf25c1f73e3cd024ab509bffd4fe8738
SHA512 0475c362802368c92e775da1296177563b194f6585ee1cf7a36d4b74f611d26ef840ebe304a878bf86ac10614827255a10a2befddd9ef6ba07c74d3b84889dd2

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 58e9b82a4ac7037614f8c755ca6fbfbf
SHA1 3b0df9d4f32d12fb8a06656d7e592e36725c1d8e
SHA256 99d7665058c5d61cfec333c76a4ea6eafb1422c70bfdad68affe8b78393b63e8
SHA512 7b6d29a1d65e59926e92313d90d57fa9e3820b4ec649f0aa3ee0bd6b6521c8914454922daefb6600540f69ef214f6e81dbfea4c87ffa6e2c33e8dc6445236f03

/data/data/com.drnull.v5/files/PersistedInstallation8796360870629065376tmp

MD5 90073e4273b2eec12c800c73d1adfd28
SHA1 67f3285581c9b35f44b1572cb6e95d9fed15e29d
SHA256 d3e76b98f7e5fffad275d98cded2b2a32eada86506de8db14b70c9d175074541
SHA512 eeb1e8d5218ae2e21e6b7a6bbfb800a1a6ba454df0122164bda9ad6f2ecdc246d52325902cfedda5edd86404522df296482a79738527eedfe89b0ffd87ec4d0b

/data/data/com.drnull.v5/files/PersistedInstallation6945151358202307989tmp

MD5 3d50c195948d09a13acc28a6406aa4b2
SHA1 eff5b56369358b784f862cdbc1268e41e212b19d
SHA256 c08be325d657edc52fe79820dcb467481d9cffc529df25bb25c09bba74f4dfeb
SHA512 2bc02147c31a66afaf58a083439efa9f41befb3276c04b34ab5fe2d1c5cf15938ce141de877565a17267f904fb309094d47cc8d9002969de6c1a06dee7a46aa3

/data/data/com.drnull.v5/files/database.db

MD5 cd2469850e19ed116352f29a617f7f82
SHA1 777ecf190df5cf0a0f7aa5afab86320cfa7795b5
SHA256 48adcc97a3ed023e43caaacc38bcd48db5142d1d8c83a09e5d597b5bbc4a8860
SHA512 e94b7369051e9462ed79726a4b85106d15c0e0bda3d6cce7a7ea32e768c62a68aea963844fe90a8b9d5e15c0fb514890d07c4adef0ca4d9f36f12d74b6ee106d

/data/misc/profiles/cur/0/com.drnull.v5/primary.prof

MD5 3bf4327df6b1fcec0de5399a885183ed
SHA1 4f2ceeb901b71d3f3c5d56ee9ac0430c94088308
SHA256 87964145ade7a79f223cadc1c48ed417d86ac1872b5f6d533814312da485e6ba
SHA512 5c3c3416af07cfa265043ee24909c59ea99d482f8e77f18a33b02cb0dfee6e48587341ee575dbd687fca82d249a00130c047b754994cfff9f9a4275724de4043

/data/data/com.drnull.v5/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 b6a7ad2fe9607677c4b598a94a522ed4
SHA1 cf1e3a282d5d4811329532dc156d584c26100520
SHA256 03a6c705af00f803044dbb60e999477c13eeac8af3c308b873bccda13755c96d
SHA512 8f9bb05491ad420bf2df1055b0929050f448e5b718d4b869b09b6d1fefbfbf934fd77fe7464d8ad78206d2e2c7ea35f0efb92c1af1e9f26ffca5c928b8ff2db0
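Most of the dropped files in both behavioral runs are not malware artifacts but library state: the com.google.android.datatransport.events database (and its -journal/-wal/-shm siblings) belongs to Google's transport library used by Firebase, the PersistedInstallation*tmp files are written by the Firebase Installations SDK, profileinstaller_* and profileInstalled by androidx.profileinstaller, and primary.prof under /data/misc/profiles is the ART runtime profile. Those attributions are the editor's, based on which library owns each file name; the sandbox does not make them. The one app-specific artifact is files/database.db, and it is the file to pull from the sandbox. A second useful check is to compare hashes across the two runs: a file whose content is identical in two independent detonations is deterministic (shipped in the APK or generated from fixed input), while differing hashes mean runtime state. The script below is an added example by the editor, not part of the report; it parses an excerpt of the two Files sections above (paths and SHA256 values copied from the report, other hash lines dropped for brevity), labels each path and does the cross-run comparison.

```python
import re
from typing import Dict, List, Tuple

# Excerpt of the behavioral1 and behavioral2 Files sections of this report.
# Paths and SHA256 values are copied; MD5/SHA1/SHA512 lines were dropped.
RUN1_FILES = """\
/data/data/com.drnull.v5/databases/com.google.android.datatransport.events
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

/data/data/com.drnull.v5/files/PersistedInstallation1110346185455495822tmp
SHA256 a4fae8f051a65d7a06b159fac827500b024e06795f581361b52c80a34c7a084a

/data/data/com.drnull.v5/files/database.db
SHA256 0ccc8f0e8b9ac053cd55a9cb191ce2dd3a3a845df8715234e177c526cf6af162

/data/misc/profiles/cur/0/com.drnull.v5/primary.prof
SHA256 87964145ade7a79f223cadc1c48ed417d86ac1872b5f6d533814312da485e6ba

/data/misc/profiles/cur/0/com.drnull.v5/primary.prof
SHA256 dbc6e5af4ca02ff2f254c88b30b423b5e65fb4fa9a1b0460562b4e2ad5c971f2
"""

RUN2_FILES = """\
/data/data/com.drnull.v5/databases/com.google.android.datatransport.events
SHA256 41384cbf6db238918e615241d5ff15de0b53ea493634f3156f3d00e5e25ff0f7

/data/data/com.drnull.v5/files/PersistedInstallation8796360870629065376tmp
SHA256 d3e76b98f7e5fffad275d98cded2b2a32eada86506de8db14b70c9d175074541

/data/data/com.drnull.v5/files/database.db
SHA256 48adcc97a3ed023e43caaacc38bcd48db5142d1d8c83a09e5d597b5bbc4a8860

/data/misc/profiles/cur/0/com.drnull.v5/primary.prof
SHA256 87964145ade7a79f223cadc1c48ed417d86ac1872b5f6d533814312da485e6ba
"""

# Files that common SDKs write into app-private storage. Attributions are the
# editor's (library that owns the file name), not the sandbox's.
SDK_PATTERNS = [
    (re.compile(r"/databases/com\.google\.android\.datatransport\.events"), "google datatransport (Firebase) event store"),
    (re.compile(r"/files/PersistedInstallation\d+tmp$"), "Firebase Installations SDK"),
    (re.compile(r"/files/profile(installer_|Installed$)"), "androidx.profileinstaller"),
    (re.compile(r"^/data/misc/profiles/cur/\d+/.*/primary\.prof$"), "ART runtime profile"),
]


def origin(path: str) -> str:
    for pat, label in SDK_PATTERNS:
        if pat.search(path):
            return label
    return "app-specific (review)"


def normalize(path: str) -> str:
    """Collapse per-install random suffixes so artifacts line up across runs."""
    return re.sub(r"PersistedInstallation\d+tmp", "PersistedInstallation<n>tmp", path)


def parse_files(section: str) -> List[Tuple[str, Dict[str, str]]]:
    """Split the report's Files text into (path, {algo: hexdigest}) entries."""
    entries = []
    for block in re.split(r"\n\s*\n", section.strip()):
        lines = block.splitlines()
        hashes = dict(l.split(None, 1) for l in lines[1:] if " " in l)
        entries.append((lines[0].strip(), {k.lower(): v.strip() for k, v in hashes.items()}))
    return entries


def compare_runs(run1: str, run2: str) -> Dict[str, dict]:
    """Per normalized path: origin label, SHA256 set per run, and whether any
    content was byte-identical in both detonations ("stable")."""
    by_path: Dict[str, dict] = {}
    for run_name, text in (("run1", run1), ("run2", run2)):
        for path, hashes in parse_files(text):
            rec = by_path.setdefault(normalize(path), {"origin": origin(path), "run1": set(), "run2": set()})
            rec[run_name].add(hashes["sha256"])
    for rec in by_path.values():
        rec["stable"] = bool(rec["run1"] & rec["run2"])
    return by_path


if __name__ == "__main__":
    for path, rec in compare_runs(RUN1_FILES, RUN2_FILES).items():
        state = "stable across runs" if rec["stable"] else "runtime-generated"
        print(f"{path}\n    {rec['origin']}; {state}")
```

On this excerpt primary.prof is the only stable artifact (the same SHA256 appears in both runs, alongside a second, later version in behavioral1), while database.db and the Firebase stores differ between runs and are therefore runtime state. That makes database.db the file to recover and open with sqlite3; the report lists its hashes but says nothing about its contents, so no conclusion about what the sample stores there can be drawn from this page.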