Malware Analysis Report

2024-09-09 16:13

Sample ID: 240416-bp9jcsdf66
Target: 4f9b84a780b172905aa3bbb23797dc21.bin
SHA256: f95773e8a95f52babbf28ee44b17d12a5af6b2f1983b89a4b479675a1b177992
Tags: irata, discovery
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: f95773e8a95f52babbf28ee44b17d12a5af6b2f1983b89a4b479675a1b177992

Threat Level: Known bad

The file 4f9b84a780b172905aa3bbb23797dc21.bin was found to be: Known bad.

Malicious Activity Summary

irata discovery

Irata family

Irata payload

Requests dangerous framework permissions

Acquires the wake lock

Reads information about phone network operator.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-16 01:20

Signatures

Irata family

irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-16 01:20

Reported

2024-04-16 01:23

Platform

android-x86-arm-20240221-en

Max time kernel

3s

Max time network

132s

Command Line

com.lyufo.play

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

com.lyufo.play

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 172.217.16.234:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp

Files

/data/data/com.lyufo.play/files/PersistedInstallation3956629286005080016tmp

MD5 46768007adb832636075e0939b382dbd
SHA1 8bc079e3f5816d1eb710f6498a5efd83a682ff66
SHA256 4fbf3572ae3bd37faaf612422bbb3c4c82710c7d8e3c88fb5e1a697a2e5ea088
SHA512 fc74f30348cf5bf1bf822421cd609cac85df8fcc1a1f0b363b681d6122f373676e40f40e76cc259ca733db7aee1b9856471a55529f6052f1c4000037ad141055

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-16 01:20

Reported

2024-04-16 01:23

Platform

android-x64-20240221-en

Max time kernel

3s

Max time network

158s

Command Line

com.lyufo.play

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.lyufo.play

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.187.196:443 | N/A | tcp
GB | 142.250.187.196:443 | N/A | tcp
GB | 216.58.212.202:443 | N/A | tcp
GB | 216.58.204.66:443 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp

Files

/data/data/com.lyufo.play/files/PersistedInstallation5301751217091447089tmp

MD5 d4684bde46a1d7a957e62f2f7a3fe2c3
SHA1 ad785c7760ba2ee0363f65bf12dcbe0576212473
SHA256 b2d4810c720bae775c7a8958df9fdd7e5ce73d170da1a2e4fefe126db92e49c6
SHA512 782bb96dfc22164e701f650f4b432492c62c35df3d2c13616feab64dd634a577ec8037d33c55ffc2137999fcc46fe953369eb40960c478c3fe1916557caa16cf

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 843f2a33996b505945310fcb65cccd94
SHA1 ec32db04606754f17bbf135bd5a4e282572b634a
SHA256 cc3bf34850d495fb1f1c9cc0a817052fda45032d499a02a60805b55dad0f2e77
SHA512 9e9345ae2227de5f238e2a84eecbc3088555c5fb64683824a06ff15cdecfe092810b7617642ec1fca7fcf17a00a9075272ebfafb76b41df42d9ac6c176ae7143

/data/data/com.lyufo.play/databases/google_app_measurement_local.db

MD5 eb52a90bb70b76e946b62f50b6f7fb85
SHA1 42d767b5d1faa7dcef4cb4e1432a5f47ec2e9ee0
SHA256 48472f593a3e9cf9e91ee5f7d66dd9ff291bfb247eb6b46778c710fc24e8d3c4
SHA512 b356c858cadd14b6ecddf134f1c494c0107a1d36be9387984fc53dcb00e6779d944f058f4ac99d0fc2fe3a427cd1c2921c6fc38ecad53909fc4b5b6f04459b5c

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 883e1ac8e1d5490b67eb70d6e4a0f4d2
SHA1 c63417bc73c519cdad4eb2af931d0585ddd8b0fb
SHA256 a648b7acc36b94fdef741ab4e30fbdc87098ffd0e90f9181da67a613b3255b5e
SHA512 38f1fc9e3b7db9209949637b68e530bde6deb63a62cb4f0d6f8d64a92cb383347dd2a6aba8ce6027afe71711fdf364fd556817b47ee6ba73946903c555329128

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 e87cdc89d568dbf6d5b278e055d67ebe
SHA1 1a2b545e0e3673d6ae5dcaf66ea86100a84af34d
SHA256 b6e0912b89f7596673ee61c36ea159f68c4691c62d08785e37c40dfe8dc4d732
SHA512 4c41b18f86e8902a41fb6379f92abb397e3168b2e7a758f3d61de26f8628111661ba6338e6864db15f1d0e7e71636140cec981310a6708315c50cebbc836d6f2

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 e0357c3e310d4b4d8abb0d39116dd41b
SHA1 cbe564544fd1245aedd59471777d7670bd4aeef7
SHA256 69deac6d2b9c072a146a2a5b520cd1aba1fe2cc3a6a60cb56e8380ba923f0c7e
SHA512 906f16aa893cdbdef912c941d4061387ea7c3308b20c8c5f890d824899b2df88b36f8182ab681e63afa72f5420b3496507db12ef3103803c09883517fd60f47f

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 6dcfe529dec7b80e6de3a49297060c85
SHA1 613433dd0486d05e82175be9902ab3acad131528
SHA256 a4a493573853a2aed1d77f1bf205e2da9dff72bc8e7d6f66fb011bb5be6828b2
SHA512 86088e8a9c91f647a0ac1da994f5eed3d0373c681378645969c12c0ee9638abf411e06241be4c84703fd18d28015d2a9613487657374e8384e1588a764662815

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-16 01:20

Reported

2024-04-16 01:23

Platform

android-x64-arm64-20240221-en

Max time kernel

3s

Max time network

147s

Command Line

com.lyufo.play

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.lyufo.play

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 216.58.213.14:443 | N/A | udp
GB | 142.250.178.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
GB | 172.217.169.4:443 | N/A | tcp
GB | 172.217.169.4:443 | N/A | tcp

Files

/data/data/com.lyufo.play/files/PersistedInstallation5252176699116086768tmp

MD5 aad6ea410bb7585b7fe34845bf332fdf
SHA1 efd6a7cf72914d0e5aca06a34a9b842fe267c4c8
SHA256 07d8990bdafe85a67d94678d4515850fe8d2f53d141b378087451ea347d37c42
SHA512 b69164314c483c3558fcd38362b5ce7642181cbb613cccba2d6d099e3ba07d47973fa295b489833b44c0da94607aff8cae44bece446d156b5d5063e913d96354

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 188828738274a1a7b50526e06a51852f
SHA1 afddc05418b254a0004ea13dac7eb65122c39212
SHA256 3f5789bc41424576fa92a876f9aa520c2eae7c40791c2f0315342b991a189819
SHA512 eb0619dfc9910f4ce569cb236f288e7073e8a4bba788bb754c472ab4592e39f5f2af0a0cbcfd653fc7852c8bdf4aa114ab67f97657d50ca029c060b73f38c0f0

/data/data/com.lyufo.play/databases/google_app_measurement_local.db

MD5 d9cf75fdd1c2292d986f6c3d5d60f2c8
SHA1 07ecb1d3a26d952ae5fecf54f36699ab498510b1
SHA256 2d227e9b7a044c8e10294f6a831fb92d81ea9582381796d87f35bd268e37538a
SHA512 442c96e4b4c79b8d1c64dd3a6d6088ae1dace441e78d830dfb3190ee1c0fafebc606fb432071b4a1ad1a4ba9b68c7877b0bce520ccc88708feaf82bbc474e0cb

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 474d48a0fb6fc2c7aea77ed38c3e0078
SHA1 89aa90b78c01844d56cf33a89fcd39a2472de637
SHA256 430411db67404d8ccea8e5b1617d4ae32ff5f67891967fb6eeeb04c2fb5083bb
SHA512 e43750f27493b223d2ab6fec95eecf650656cca0e3a22a59a858e96c13eeb8a06200443a9efcff238befeadb8bb6b4295547541d9d644149a7540564bc2a56e8

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 a78f79653ff92d9fa30ce0d086dae825
SHA1 42ca6b71754a7ee7f5dfaad1d471271156386ab5
SHA256 cc53aa9caa2ac27e7f2372fbb4b597e1f6b3b09b5b0c19c4cb2adb182048864e
SHA512 ab392cd6d2e5b0aed711f518cf27f9cf243d38c28381131199b9dd2b902575bac7813e418fbe5e7253c8436a6061f68149d26b5007fbdd63681f856bf844f577

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 689061dd8d6b29ecb49900d873cf5280
SHA1 66fb52665573fb3d9a45b8a0c8bc60eabbd5613e
SHA256 65928438998ee2fbb12caa580a5623c8cd9ae30099a901385b50f187ab129516
SHA512 7f2a9819b5dfd87af3ec272d71533778e7529cbdf94ea10fd59b17f0b58849720915c2738cb718fe0dbdadb12d4740c5d71ce33bc53464a812f04bbba5e3d3e4

/data/data/com.lyufo.play/files/PersistedInstallation8058692220805089061tmp

MD5 95b952ebf48ce89f9bff0fbf7b382764
SHA1 7a1fcd6b0b67335ce9f4ef9961b821a838a35e61
SHA256 2ba9f4732792ff433c2040496ab28758dc351385f9f023c95c7ace07d8798f06
SHA512 f0eb48229014b41e39eda667bcf807c557c0bc9fd04777df0060b0b52293847311e6b01cb3f6fc804778cc4611d5b065a0d0171673d1a4f65b2adf4ec2a59e45

/data/data/com.lyufo.play/databases/google_app_measurement_local.db-journal

MD5 470f18ead9b4926e4726689c534ce503
SHA1 4128db75c2e0809641e00656808baafa96e7a5ef
SHA256 d3a7c46db815dcb7bf2100ed94e25dad9324998457aee35e5ed29e97fb4272f5
SHA512 293168033b4649afd07934ffd0de70884eb9afe6e71b30a9687791233ad4e87e92990b622af8d95cdf001e626fbdcfab3d3c541079f97dcac5440a2f874ff8ca