Analysis Overview
SHA256
f95773e8a95f52babbf28ee44b17d12a5af6b2f1983b89a4b479675a1b177992
Threat Level: Known bad
The file 4f9b84a780b172905aa3bbb23797dc21.bin was found to be: Known bad.
Malicious Activity Summary
Irata family
Irata payload
Requests dangerous framework permissions
Acquires the wake lock
Reads information about phone network operator.
Analysis: static1
Detonation Overview
Reported
2024-04-16 01:20
Signatures
Irata family
Irata payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-16 01:20
Reported
2024-04-16 01:23
Platform
android-x86-arm-20240221-en
Max time kernel
3s
Max time network
132s
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Processes
com.lyufo.play
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 172.217.16.234:443 | semanticlocation-pa.googleapis.com | tcp |
| GB | 142.250.187.206:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
Files
/data/data/com.lyufo.play/files/PersistedInstallation3956629286005080016tmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-16 01:20
Reported
2024-04-16 01:23
Platform
android-x64-20240221-en
Max time kernel
3s
Max time network
158s
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Reads information about phone network operator.
Processes
com.lyufo.play
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.187.206:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| GB | 142.250.187.196:443 | N/A | tcp |
| GB | 142.250.187.196:443 | N/A | tcp |
| GB | 216.58.212.202:443 | N/A | tcp |
| GB | 216.58.204.66:443 | N/A | tcp |
| GB | 142.250.180.14:443 | N/A | tcp |
Files
/data/data/com.lyufo.play/files/PersistedInstallation5301751217091447089tmp
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
/data/data/com.lyufo.play/databases/google_app_measurement_local.db
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-16 01:20
Reported
2024-04-16 01:23
Platform
android-x64-arm64-20240221-en
Max time kernel
3s
Max time network
147s
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Reads information about phone network operator.
Processes
com.lyufo.play
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| GB | 216.58.213.14:443 | N/A | udp |
| GB | 142.250.178.14:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp |
| GB | 172.217.169.4:443 | N/A | tcp |
| GB | 172.217.169.4:443 | N/A | tcp |
Files
/data/data/com.lyufo.play/files/PersistedInstallation5252176699116086768tmp
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
/data/data/com.lyufo.play/databases/google_app_measurement_local.db
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal
/data/data/com.lyufo.play/files/PersistedInstallation8058692220805089061tmp
/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal