Malware Analysis Report

2024-10-19 13:15

Sample ID 240402-mcwmhsfb88
Target ad3e12c568548b28c0856586a92460150175344403a00f4f023ad229f3c14b9a.zip
SHA256 87bd5dca6830fa4e79f6be18b3ee94d32a304ebf96a4cff4a979ee051d392492
Tags
irata discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

87bd5dca6830fa4e79f6be18b3ee94d32a304ebf96a4cff4a979ee051d392492

Threat Level: Known bad

The file ad3e12c568548b28c0856586a92460150175344403a00f4f023ad229f3c14b9a.zip was found to be: Known bad.

Malicious Activity Summary

irata discovery

Irata family

Acquires the wake lock

Requests dangerous framework permissions

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-02 10:19

Signatures

Irata family

irata

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an instant app to create foreground services. | android.permission.INSTANT_APP_FOREGROUND_SERVICE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 10:19

Reported

2024-04-02 10:34

Platform

android-x64-arm64-20240221-en

Max time kernel

21s

Max time network

151s

Command Line

com.drnull.v5

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.drnull.v5

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | udp
GB | 142.250.178.14:443 | | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | api.cloudflare.com | udp
US | 104.19.192.175:443 | api.cloudflare.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 568f391174bbf7e25b3cab152c592864
SHA1 79cabe47714df45612ab86603cdd7d64138554d4
SHA256 a1570d8b63e130aacb9b9f419e21a483b959d7b8d2daa8a7dbbb3d181004625b
SHA512 4cdd500e4ed8e10439bc74c80847fd6259236d3d1281eba6ec1c3e23a9cf09162e66062f26a7e450baf6d58f1942b96e03dbd3afb9db1f70a7c083569d79a302

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events

MD5 9cb5ce692f4024f27b0040b0f12e9f62
SHA1 41855f5b1cfd58edfa6c9b12fbbba691480feed9
SHA256 32fa5d66b77f79edc992a20fc76631c51a6ac64ba2bf6db2caf0624b400bcadd
SHA512 5f3375b628dec5a8f87a9735c89f23a0a4a1d407b4a0c63732686ec2179a47a2385c868b4fbcce085597d287acb9b51e02c133783cd7dbc60ea0554329d85ae2

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 cd7cf5e81354cd7d2a894e14d1beeb57
SHA1 e8d9574e92b6a2a6e90b949997cac186ccfe258a
SHA256 53bb76d7e913b6c70821b274cf863fa16d3299b27bb228dcd12a8ce1fe7e3040
SHA512 3e3956c7734007cb4debfc91448e2c8bd7f01f9e0334dbbaced3e20cd496d14036a0835ef8b29a5b3b56d1dccba8e88b9be4f5128d4a844e5316ee06d85fb7be

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 45d4b776e045f05c0084e32612e0832f
SHA1 e0338d14d35a0922abd95e37dc296bb1b69edc0d
SHA256 6ac2eb12d7183d972d65bf2da46b921e0a25adddf28f88769ddad785eb04a751
SHA512 03203cc607529decbd129c9ab242b2988a7e2dce348f181812d3a9f9ff30dd74027f9115eea40c063676c960f44f27ea0466c0096c46c241a30e4d60ac925131

/data/data/com.drnull.v5/files/PersistedInstallation1698827919192209515tmp

MD5 f88a330f420be9dbefdbcdff2772270f
SHA1 6cd62db0d9db4f5cee9f33a25c879315015c27f6
SHA256 e7fa397482e8bc5b9097c8865a89735c9da77604acc168ecc25a5c75e85079b9
SHA512 cb1bd2dadae8c9daa726297aa7739f770950f5599ac763b2d09e31daf13199db64c0a52826b98a700fb1ad02fd231123a252f47a6619fdf98d0ced246b86c109

/data/data/com.drnull.v5/files/PersistedInstallation1778620881807047690tmp

MD5 0b0227a584a1c74af1a2751e2d0c9f0f
SHA1 c860f2b390d70656fb373721db665f6a7386b6f0
SHA256 f327c7677d6978a4b548b3e34857f47d27bba14397af3c3d8a3a7967b466bb13
SHA512 192970581dab6532888be8f6503d70b33cd0d9d4f2a1574a2ab0aceaa4bb6369856bab275d72083f69d54dd2e27207abd4093f5e4480925aedeb9a9dd195b9ed

/data/data/com.drnull.v5/files/database.db

MD5 894ff4653866683213f8c305cd3fbb16
SHA1 28c66d09f1e0ed53d8c9436a25e367054586cf78
SHA256 ba36fb2a653b6afc3c35b89587bc6907670c7c10e854503152bf4ea82c67bfe6
SHA512 0b94926faf5df93ad34fc193458c1a99db2382857444c690b4bff81539934d490dd2ff7331952ab4a6bc7616a99df925ab24b4ac01cfde863ad921d324fb0420

/data/misc/profiles/cur/0/com.drnull.v5/primary.prof

MD5 71a2513c209c8239600dba4a08f44e11
SHA1 5bbecfe2ceff2e85bf7e6f0dd4b446fd706a7588
SHA256 a9e27277be6cd2059f1fc3a57f92449d56ed7f6464381c3bd402d5bf541aea94
SHA512 d2d6e80c92f079312eb7e049736f93266a5506459b793937bbe191200ef01d1ab80949cd956147bf85c72523a9fc7e23bb1cdb0e1e843e41373d1a6483c013de

/data/data/com.drnull.v5/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 e2e8571aeac1b88975ebd03eb71e386f
SHA1 30cefaae8fe1933940825ef5eb316967c7dfa9a0
SHA256 515af62ffb85951d9bb469f055dbe75524fa29b052254063712e6f6971bd82df
SHA512 51b997ff4e1a315f504a26a1cd942dd3a155372ac352b7ba12b11a1e813a141c51255d3ec3004024f873280e0ee4f4e695d7e89bc104ed6680b0bc2ef79666f4

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 10:19

Reported

2024-04-02 10:34

Platform

android-x86-arm-20240221-en

Max time kernel

20s

Max time network

137s

Command Line

com.drnull.v5

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.drnull.v5

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 172.217.169.74:443 | semanticlocation-pa.googleapis.com | tcp
GB | 216.58.201.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | api.cloudflare.com | udp
US | 104.19.192.176:443 | api.cloudflare.com | tcp

Files

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 e05696493982489c83596bf5d572d698
SHA1 06278805d19cf43a82f4f0b177a1f0d5de69acb3
SHA256 6dcaf7eaf29447a8c0b1feb39d347a95696b26a30c36855bee5752a69f9972af
SHA512 9e64e3590e403b5027cd5851bfeb065b0195e8074adb3c9816eb59600ea31f8d6ad69d85fac0f706ee39d5f173abf1fc9be1ed9d20360b0e4b9a79be4abf14cf

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-wal

MD5 0cb1da819e07456eff6ce6de21c0b473
SHA1 1815fdde897691435cc2b27dbf972d8fab1c223b
SHA256 b23fd020a53fdfdfb40a868de498c54a128c65acccc41b19d11ce8290ddf03e0
SHA512 4acb58a23fd21ae227d0190c88f41680f8c258c040e636d658adc1407234d27df96b85adc3706c674870ea9546f743ecc148135aead35892cca2109a82f9fb4d

/data/data/com.drnull.v5/files/PersistedInstallation8267500192395534968tmp

MD5 1ccfdbb7f400e806c03e5e99d8e5314a
SHA1 0dd2e70c97f71708b3b7e0f3db9bd30b82a151a3
SHA256 53c01acb90a75049ff3b56c868e92507603acf62ea1f7128ce9f53c5ebbcbcd3
SHA512 97012311ecde7850a444b01e26d518126b68d96aab19d6dd5a4a1b81bd82d9b478cc24b2c0e17fe3c1f2ef30975587764950ab3560d0887544c304f700154ae2

/data/data/com.drnull.v5/files/database.db

MD5 357ef681702a129157cc5aacf56aa8ee
SHA1 7fa285b1a84021680ba093a165db692cd6c5f781
SHA256 48cf3746b3d8f56db8063e24a4ba76ec3479cda33f2e26211685182e9ab23190
SHA512 ae31f1f6d610713559b3dd34333080b2925dd5f2b4d67b646ff009d27dfd7c88dc32792f8d329c3e5af09760e28488590698fe7061e9d2c47051542e38d3c98d

/data/data/com.drnull.v5/files/PersistedInstallation4678348019975339722tmp

MD5 32586a30ed2c5dada36f8088815b0e1f
SHA1 cc2d5f7dc71834d4dbe12ad6048857b869e70e2e
SHA256 2e49162268d250c62142a17c364bc5bbb0bc540f627e197c0c84e15d7f9e2b22
SHA512 c525912b4cb4206f8168a9fdd9990c23c4bd4afc320209c77c9eb63345206567dca82f4431a1f3b7217338557f63b2862d98912a3f21406a0becfc40414aae0e

/data/data/com.drnull.v5/files/database.db

MD5 a1697cdd8a5da81b4862c07e189232d6
SHA1 aa5d73619b0519c07b81805d3221141a28712316
SHA256 3076691be929a5fb075832aa375566c6b18d716fc08aed68412cccf42a55e508
SHA512 c1a7ef7bb1c55cee49d3469b19b1941c94ccb3cbf871ea88537ea06e141130a225f89790f150134a51414e9000e44789c5ad14a0a1d19ba84baf9ea4455470d6

/data/misc/profiles/cur/0/com.drnull.v5/primary.prof

MD5 71a2513c209c8239600dba4a08f44e11
SHA1 5bbecfe2ceff2e85bf7e6f0dd4b446fd706a7588
SHA256 a9e27277be6cd2059f1fc3a57f92449d56ed7f6464381c3bd402d5bf541aea94
SHA512 d2d6e80c92f079312eb7e049736f93266a5506459b793937bbe191200ef01d1ab80949cd956147bf85c72523a9fc7e23bb1cdb0e1e843e41373d1a6483c013de

/data/data/com.drnull.v5/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 42a8cea1a24c70ea29077859e00eccfb
SHA1 71f18929e3014e1d05a821ead046f01176f281ad
SHA256 c3a1c9c58b665718e7f064f9610bfcec29e9c38bea2ecec65f0957d0a2add20a
SHA512 0daeb9454ec7dca5553a3e0b7e09fbf445cb3688a916a3c194f998e89be34359c762ca140318fe0139f63b40d9c36462a87548a982a7e699ef398bd95b5271f6

/data/data/com.drnull.v5/files/profileInstalled

MD5 43248ea1208390c3822b5848ad119556
SHA1 7326a744fc94001d41477daf8135937708e07a3c
SHA256 d7f4e5f9917a63db55f4e7a34d9c4661949abef81be57865898abe15f5edc6ff
SHA512 422009e6961c9f035b4ae4e3220cb1ee5600ffb3f301657127e948a50e1de091369557f32cf96d69cbb1b6da49992dd1450cde0700ecb2276c9cd3c0039e2138