Malware Analysis Report

2024-10-19 13:15

Sample ID: 240402-mcv1zsef8t
Target: a7e6348f990e0ab400e7a5710922c5a3b02050163e68403175524197bbbcdbc4.zip
SHA256: dc38116ac7cf6773634d75096d321fb8088cd25fc82ce27d031acad8ce668225
Tags: irata
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: dc38116ac7cf6773634d75096d321fb8088cd25fc82ce27d031acad8ce668225
Threat Level: Known bad

The file a7e6348f990e0ab400e7a5710922c5a3b02050163e68403175524197bbbcdbc4.zip was found to be: Known bad.

Malicious Activity Summary

irata

Irata family

Irata payload

Requests dangerous framework permissions

Acquires the wake lock

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-04-02 10:20

Signatures

Irata family

irata

Irata payload

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-02 10:19
Reported: 2024-04-02 10:36
Platform: android-x86-arm-20240221-en
Max time kernel: 3s
Max time network: 147s

Command Line

org.bax.project

Signatures

Acquires the wake lock

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Processes

org.bax.project

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 142.250.187.202:443 | semanticlocation-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |

Files

/data/data/org.bax.project/files/PersistedInstallation6701562048134340319tmp

MD5 e5359ba84a3e459e584ac53e792ff668
SHA1 b389c4493b3f02c206d433c2de85d6d584cd877d
SHA256 652157db5e62b06ab494c8aec7f9db4fbbdd606d60500caa30aa5c2ad03c6ed8
SHA512 59cd72c4809a1f0a45480f0730713c7b7a816a1d25e637ef03b5c63fb895e1feed8e4eff7f4e0432fb0124e23cba43be6137c61e6fa608ab53e709afb812ecd3

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-02 10:19
Reported: 2024-04-02 10:36
Platform: android-x64-20240221-en
Max time kernel: 3s
Max time network: 135s

Command Line

org.bax.project

Signatures

Acquires the wake lock

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Processes

org.bax.project

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| GB | 142.250.200.36:443 | | tcp |
| GB | 142.250.200.36:443 | | tcp |

Files

/data/data/org.bax.project/files/PersistedInstallation176100407309691309tmp

MD5 5f24d59acb15d2afe4213b839d82d59d
SHA1 d4beaafde8eee71c9e8ad701c2716df69fab125c
SHA256 12d5d9b076eec361bdcf5bb2dcca55420764f6f9728f23ac1929ca652f18f305
SHA512 dc35ada17c461b787367dbf65091d9aeb9bd25b5ab7c190b09c652b49e50dfc971429a0b9937c8b93fbdb0e2d5aeb08dbab63f473b4fa124acc63ef645c355b5

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 ca0b242348ec3e602a76dcea1a980f7c
SHA1 1d2539b022e4ea94fe8b2c6a0354544577c09b20
SHA256 9d232290aa6d41b8724ed9eb256701b457e226eea568d244e93e4bfe5b6231ef
SHA512 05feed23086f647ade516e8940cca684c5faefd123b5c6b17c13a04589f568709258f25a360737ce347bdaeb71eb23982d14d0d1d8d1c3ad18413d575a73dcb8

/data/data/org.bax.project/databases/google_app_measurement_local.db

MD5 188c0542bc062e48b614e5ca8c1081af
SHA1 0eb9b89a5c92957cd1fe748cc063b32853339774
SHA256 c1ccc325c2699ed7f556cf171566317f706a911c4d02b1644a2a7908b93da58b
SHA512 62a67f2c56bc3b40d49c80094f160d355a8f67130e1924109426e0481008bc2cd11a9e2675a901abd03cad1e7fe0028031e20d826437edcf35b6f86e2499c2b4

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 f3df210ad81e114f298d603661c485ea
SHA1 4370e8ef362cf0501f04232320ea77ad0106e2a7
SHA256 8b0755cb922ec9f604e238aa647d39842eac15310a30181e31b6032506fe4988
SHA512 654a5a9921514529955b02b3931619e81e1ce9a60f698f7e26dd3d6777775125061a1cecfc8d27c896a4697ddf4a1be7f7228764b32f74d03da73b8a58449142

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 b1ae77edbb352d0ee373d8bc51f4d75d
SHA1 e76e2d3158d8ea01b86cfc9abbb12aacd8cb1567
SHA256 fab6d628e890988730ee7a0f7ebdaf1a69743f0afda91de5390c1871671089e4
SHA512 66eb13c2ac4a9fb3c5528425716c2201fba6f9a6e877ff8d55d0554820cd1b5a0d7a5e261cb3b6c6746dc264dd506074ba390d882e7323093b2f15a8782ec7e9

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 d5cb8c41278b0d5f05a6ab55c8e2be56
SHA1 1bdabc743b0ad63583916e8e77ba938cd92637f6
SHA256 f6e1c451d695537b72d0368fafe6677d1a48c617c86fa8e3717871adfedf1434
SHA512 710e8f03171d195f9f364153237c2f0e8abe9cfbc30736bc42b888c47f0eeb6459227366c2723a468d6a0d07b5ec0ef749a057bf2aa8a8529c069dd9c7e3fe32

/data/data/org.bax.project/files/PersistedInstallation4470375404869842071tmp

MD5 c6b8f908869bb4b1d874f00237aa5feb
SHA1 13775d6d0f926240ae56126a2f057b254b1a880c
SHA256 0c790d7bd23cc3417ccd10ab6d7ccf1c8aaf4b965ad7433fd22006dbb9ab918e
SHA512 ad773a6531df9f12e36fb61e60c44636f0fec992856a81801ac9d8e748561f82c2cfefa9e92a3d140640f1671f6dad97dca90ba4f180684e828f549efd4f222e

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 84efb280623f6c82a2511b367c6e41c2
SHA1 60d9d7f1ef900e07382fd5c8ac1e674fc7731762
SHA256 23ea42474aef0d2aeab61a1eeac441b21b3a18a68bc8afa38bb16f1d541c2d27
SHA512 3aa5acc3f90298896872575e22585d6b44679d9abe319dd2e6758fd5ce0448b672cf1eb6a394d6cdf50fbdd4a6ebe3ad0c58bcc31d3a21016e5cbeb79c9d4e95

Analysis: behavioral3

Detonation Overview

Submitted: 2024-04-02 10:19
Reported: 2024-04-02 10:36
Platform: android-x64-arm64-20240221-en
Max time kernel: 4s
Max time network: 145s

Command Line

org.bax.project

Signatures

Acquires the wake lock

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Processes

org.bax.project

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 216.58.201.110:443 | | tcp |
| GB | 216.58.201.110:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.200.10:443 | | udp |
| GB | 142.250.200.14:443 | | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.169.46:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp |
| GB | 172.217.169.46:443 | android.apis.google.com | tcp |
| GB | 172.217.16.228:443 | | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 142.250.200.4:443 | www.google.com | tcp |

Files

/data/data/org.bax.project/files/PersistedInstallation4865849837843548768tmp

MD5 c240c17c59378c82c01d82fc71331a69
SHA1 bdd2fd646936d1ad0d06c0f0525e142b3d8bbe16
SHA256 8bf966b4eb839a21accb412afe831f30a67289c66d6bd47707efdfa89a072939
SHA512 a07009dcefcbe5079076755593020e538ad8fcf538e1850878a4446d0353b1e20ad86b02095b6bbabc199a4de3b5ca650c3c12bde63a05a0c951020cb1629092

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 7e5d0720b32bcabc50fcaba28a0e9f78
SHA1 3e337d4c09841377ebe8b6c61e50758fba23b388
SHA256 54a8099fbcd40aab38e96b1eb8729f7cc5aeece778b9aee023060c496e20b257
SHA512 2ccc4f32b67c46a17a195c4d8e162fd514244816b8cef69db83ce0bb54e9c511854fa267ab046a22d76ac71e22a41e268f8e905ac9000ef0fde932db5ea6d338

/data/data/org.bax.project/databases/google_app_measurement_local.db

MD5 d9cf75fdd1c2292d986f6c3d5d60f2c8
SHA1 07ecb1d3a26d952ae5fecf54f36699ab498510b1
SHA256 2d227e9b7a044c8e10294f6a831fb92d81ea9582381796d87f35bd268e37538a
SHA512 442c96e4b4c79b8d1c64dd3a6d6088ae1dace441e78d830dfb3190ee1c0fafebc606fb432071b4a1ad1a4ba9b68c7877b0bce520ccc88708feaf82bbc474e0cb

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 3a128eab39adcaca8cf9627a9ebf6390
SHA1 56fd1ab56fe2e98b7f0d4e1d5d187bfbbde04dea
SHA256 664ad73f9c0c8539cb9e8f32541fca197ca281d88e81571fbf6c37b6f21f3f05
SHA512 8ba3bd1f30a8d1355869862e17c578e15ec3e707c17f6942688ad21ab8cf2ac0af128c54584899bcd5e2253d74dfe0d6f3e4d003d40b36d68bf69414931eb015

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 c48e58338721d7e9341ab6cfa32cc3b3
SHA1 9a5f87764ff869d4a749624af235e4d8dee2bc5a
SHA256 ed18ae6195f831df13afc4b74bd6f16669d6e3353ae42afc07cdf8ef29cc7db6
SHA512 5c5ce083d8e4af72e59f611453d9dc1ad4b83e7fa6caac42601dac4abaafd50fe5ea205e8f275ce51f514f3c9ced78d6a6c84fc1047179e476ee8f11ef1a504c

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 4751c558618490e463aa2f6457783398
SHA1 ef0b3120892f394ce2890ab6db911eca8aff72de
SHA256 5e06e0b6786e14ab899a29969d70c4c4a27c9260dd11684fa4a5a87aee755179
SHA512 53a63315385b838a2f84a2344868328fa9825627533882dd0586aca73abe6b422a4d6275ea786aac5192a6a91d9cd8203232b4afb5712b905f22aeb6756c6d1f

/data/data/org.bax.project/files/PersistedInstallation7550919598926581425tmp

MD5 25474f27696584085fb354b6c6b2f598
SHA1 de3968ae0396903c53f1aa6ffe97041d7f9c70a7
SHA256 73fc9ea94e331c3d494d8a5db390f8e1bae518ad5535f06b679007b4b4334eed
SHA512 5fa2ed389d85b640f64bae7646934f1535249d9819b0cc4e002c8a12a755f6629af10406315a1836af856a7680f1b6c0ca40afa18d00ec44fb3b44cb24f1a77f

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 18c74f714495e4258558ef481baf86e8
SHA1 7403645ebe5b4eb2fc51fc80631803bcea10e5ad
SHA256 fbf2560f9e4a391a96677cf981186dec17ad73d264bf33e48d9746a514105b74
SHA512 3f226be074ff3b4caeb89f538e5d6960851fea89e16ce88d1bd41a566a009b4395df89066edab8405e3b0be3bfb6f1d13367d2aeb1f72309a1d90fa788bf1c01