Malware Analysis Report

2024-09-09 16:13

Sample ID 240418-qnf8rafd6z
Target 0c41a6b7c502d2b21d3a42817339dcb64f4d00ce94941d7b951cef899bb9e68e.apk
SHA256 0c41a6b7c502d2b21d3a42817339dcb64f4d00ce94941d7b951cef899bb9e68e
Tags: irata, discovery
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 0c41a6b7c502d2b21d3a42817339dcb64f4d00ce94941d7b951cef899bb9e68e

Threat Level: Known bad

The file 0c41a6b7c502d2b21d3a42817339dcb64f4d00ce94941d7b951cef899bb9e68e.apk was found to be: Known bad.

Malicious Activity Summary

Tags: irata, discovery

Irata family

Irata payload

Queries the phone number (MSISDN for GSM devices)

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-04-18 13:24

Signatures

Irata family

irata

Irata payload

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Requests dangerous framework permissions

Description: Allows an application to receive SMS messages.
Indicator: android.permission.RECEIVE_SMS
Process: N/A
Target: N/A

Description: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
Indicator: android.permission.READ_PHONE_STATE
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-18 13:24
Reported: 2024-04-18 13:26
Platform: android-x64-20240221-en
Max time kernel: 21s
Max time network: 84s

Command Line

android.upgaraa.shah

Signatures

Queries the phone number (MSISDN for GSM devices)

discovery

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Processes

android.upgaraa.shah

Network

Country  Destination              Domain                              Proto
N/A      224.0.0.251:5353         N/A                                 udp
US       1.1.1.1:53               ssl.google-analytics.com            udp
GB       142.250.180.8:443        ssl.google-analytics.com            tcp
US       1.1.1.1:53               api.telegram.org                    udp
NL       149.154.167.220:443      api.telegram.org                    tcp
NL       149.154.167.220:443      api.telegram.org                    tcp
GB       142.250.200.46:443       N/A                                 tcp
US       1.1.1.1:53               android.apis.google.com             udp
GB       142.250.187.206:443      android.apis.google.com             tcp
US       1.1.1.1:53               semanticlocation-pa.googleapis.com  udp
GB       216.58.201.106:443       semanticlocation-pa.googleapis.com  tcp
GB       216.58.212.228:443       N/A                                 tcp
GB       216.58.212.228:443       N/A                                 tcp

Files

/data/data/android.upgaraa.shah/files/new

MD5 7215ee9c7d9dc229d2921a40e899ec5f
SHA1 b858cb282617fb0956d960215c8e84d1ccf909c6
SHA256 36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068
SHA512 f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-18 13:24
Reported: 2024-04-18 13:26
Platform: android-x64-arm64-20240221-en
Max time kernel: 56s
Max time network: 92s

Command Line

android.upgaraa.shah

Signatures

Queries the phone number (MSISDN for GSM devices)

discovery

Processes

android.upgaraa.shah

Network

Country  Destination              Domain                              Proto
GB       142.250.200.14:443       N/A                                 tcp
GB       142.250.200.14:443       N/A                                 tcp
GB       142.250.200.14:443       N/A                                 tcp
N/A      224.0.0.251:5353         N/A                                 udp
GB       142.250.180.10:443       N/A                                 udp
GB       216.58.213.14:443        N/A                                 udp
US       1.1.1.1:53               android.apis.google.com             udp
GB       142.250.187.238:443      android.apis.google.com             tcp
US       1.1.1.1:53               ssl.google-analytics.com            udp
US       1.1.1.1:53               api.telegram.org                    udp
NL       149.154.167.220:443      api.telegram.org                    tcp
NL       149.154.167.220:443      api.telegram.org                    tcp
GB       142.250.200.36:443       N/A                                 tcp
GB       142.250.200.36:443       N/A                                 tcp

Files

/data/user/0/android.upgaraa.shah/files/new

MD5 7215ee9c7d9dc229d2921a40e899ec5f
SHA1 b858cb282617fb0956d960215c8e84d1ccf909c6
SHA256 36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068
SHA512 f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768

Analysis: behavioral3

Detonation Overview

Submitted: 2024-04-18 13:24
Reported: 2024-04-18 13:26
Platform: android-33-x64-arm64-20240229-en
Max time kernel: 71s
Max time network: 98s

Command Line

android.upgaraa.shah

Signatures

Queries the phone number (MSISDN for GSM devices)

discovery

Processes

android.upgaraa.shah

Network

Country  Destination              Domain                              Proto
GB       142.250.200.4:443        N/A                                 udp
GB       142.250.200.4:443        N/A                                 udp
GB       142.250.200.4:443        N/A                                 udp
GB       142.250.200.4:443        N/A                                 tcp
GB       142.250.200.4:443        N/A                                 tcp
BE       173.194.76.188:5228      N/A                                 tcp
GB       142.250.200.36:443       N/A                                 tcp
GB       142.250.178.10:80        play.googleapis.com                 tcp
N/A      224.0.0.251:5353         N/A                                 udp
GB       142.250.200.36:443       N/A                                 tcp
GB       142.250.187.202:80       play.googleapis.com                 tcp
US       1.1.1.1:53               www.google.com                      udp
GB       142.250.180.4:443        www.google.com                      tcp
GB       142.250.179.238:443      N/A                                 tcp
US       1.1.1.1:53               android.apis.google.com             udp
GB       142.250.187.206:443      android.apis.google.com             tcp
US       1.1.1.1:53               api.telegram.org                    udp
NL       149.154.167.220:443      api.telegram.org                    tcp
NL       149.154.167.220:443      api.telegram.org                    tcp
GB       216.58.204.67:443        N/A                                 tcp
GB       142.250.200.4:443        N/A                                 tcp
GB       142.250.187.196:443      N/A                                 tcp
GB       142.250.187.196:443      N/A                                 tcp
US       172.64.41.3:443          N/A                                 tcp
US       172.64.41.3:443          N/A                                 tcp
GB       216.58.201.99:443        N/A                                 tcp
GB       216.58.201.99:443        N/A                                 tcp
US       172.64.41.3:443          N/A                                 udp
GB       216.58.201.99:443        N/A                                 udp
GB       142.250.187.196:443      N/A                                 udp
GB       216.58.204.78:443        N/A                                 tcp
GB       216.58.204.78:443        N/A                                 tcp
GB       216.58.204.78:443        N/A                                 udp

Files

/data/user/0/android.upgaraa.shah/files/new

MD5 7215ee9c7d9dc229d2921a40e899ec5f
SHA1 b858cb282617fb0956d960215c8e84d1ccf909c6
SHA256 36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068
SHA512 f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768

Analysis: behavioral4

Detonation Overview

Submitted: 2024-04-18 13:24
Reported: 2024-04-18 13:26
Platform: android-x86-arm-20240221-en
Max time kernel: 79s
Max time network: 82s

Command Line

android.upgaraa.shah

Signatures

N/A

Processes

android.upgaraa.shah

Network

Country  Destination              Domain                              Proto
N/A      224.0.0.251:5353         N/A                                 udp
US       1.1.1.1:53               api.telegram.org                    udp
NL       149.154.167.220:443      api.telegram.org                    tcp
NL       149.154.167.220:443      api.telegram.org                    tcp
GB       142.250.178.14:443       N/A                                 tcp
US       1.1.1.1:53               android.apis.google.com             udp
GB       142.250.187.238:443      android.apis.google.com             tcp
US       1.1.1.1:53               semanticlocation-pa.googleapis.com  udp
GB       142.250.180.10:443       semanticlocation-pa.googleapis.com  tcp

Files

/data/data/android.upgaraa.shah/files/new

MD5 7215ee9c7d9dc229d2921a40e899ec5f
SHA1 b858cb282617fb0956d960215c8e84d1ccf909c6
SHA256 36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068
SHA512 f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768