Malware Analysis Report

2024-09-09 16:13

Sample ID 240425-1x5yksfg56
Target 093f84e85835034c769563a8674bf7e93312b3621d5a2303e0de2b375b7ad263.bin
SHA256 093f84e85835034c769563a8674bf7e93312b3621d5a2303e0de2b375b7ad263
Tags
irata discovery
score
10/10


Analysis Overview

score
10/10

SHA256

093f84e85835034c769563a8674bf7e93312b3621d5a2303e0de2b375b7ad263

Threat Level: Known bad

The file 093f84e85835034c769563a8674bf7e93312b3621d5a2303e0de2b375b7ad263.bin was found to be: Known bad.

Malicious Activity Summary

irata discovery

Irata family

Irata payload

Reads information about phone network operator

Requests dangerous framework permissions

Acquires the wake lock

Checks if the internet connection is available

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-25 22:02

Signatures

Irata family

irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-25 22:02

Reported

2024-04-25 22:16

Platform

android-x86-arm-20240221-en

Max time kernel

2s

Max time network

138s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

com.temptation.lydia

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.202:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.200.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation5260847278335972396tmp

MD5 64c5ab74f513438f8e07f92988530946
SHA1 e5c783a5bd9c169ddb19304043ac6d7bbcf68cc2
SHA256 fdc4823aa2ce5a3c0c44c8a5ea34ae81b4aa33876b07a8f27136657a9a8f89aa
SHA512 123a67134792a0fff83d1e2b3f43ed139c2d0b527e926b08165c85735bc588c10186516f022e0ce0b3530b7da0659cf010a2c61b8057884466a91f9e9ea6478e

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-25 22:02

Reported

2024-04-25 22:17

Platform

android-x64-20240221-en

Max time kernel

4s

Max time network

136s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator

discovery

Processes

com.temptation.lydia

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 216.58.213.4:443 tcp
GB 216.58.213.4:443 tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation588419345680247572tmp

MD5 aec83c376568ed9dd347235d286a4c5f
SHA1 29c1b55173cb95cf8159761770a845563f7d1a84
SHA256 8f9c2aa5d47432d4612598d91262c8782f8b65019fdd9fb62b7a36073604b52f
SHA512 ddb3425c232adf3d773da165355426a358a463fe9f0f403a634f08ccd679c642b13b0835e4bb45298fa2c475d8d877be9998071750d6a12487dd9f195e399b1a

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-25 22:02

Reported

2024-04-25 22:17

Platform

android-x64-arm64-20240221-en

Max time kernel

4s

Max time network

140s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator

discovery

Processes

com.temptation.lydia

Network

Country Destination Domain Proto
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.200.46:443 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 172.217.169.74:443 tcp
GB 172.217.169.74:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation4630395071806085303tmp

MD5 0ea597b360c3a4633cb20bb1d0744054
SHA1 4f6e5810d54834b89102e3a38a919508a593cd24
SHA256 4fa1bf40183d15fed2edcfcd8de69e24a219452e11a49e4e7d5bb06ec3b094ce
SHA512 968b7c58346a5584f9d29f1005d7b297b968a07a94d070f61793aca59c9ebfb7769653396a2c1efa3b20e7b722e3c4e047c5b8d7bcaff1e9c84dff00390a9d62

/data/data/com.temptation.lydia/files/PersistedInstallation1130315957384704913tmp

MD5 4b73e5abe1777d6a12342994f0c32287
SHA1 d7c19c512707e4a48db774ff960311ea64adc4d7
SHA256 e7ccebd41f892fcf2cbead5caef2a297daade95e9f104c1add0c4d419f1c8f1d
SHA512 9472155000dff89cdf71590c18d0a48a61519d6fdbb5da726f32c33335fbd59e41af61cf33f8f1e53a4f563c57266f4d7f7e469b010427bef311e548bd63cea5