Malware Analysis Report

2024-09-09 16:15

Sample ID 240515-1vdfjsea8y
Target 41369.apk
SHA256 2d3e3491b892018302d45827b3bf5cb09699d933f1b13aa19abc3dd18fa75be0
Tags
discovery, irata
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2d3e3491b892018302d45827b3bf5cb09699d933f1b13aa19abc3dd18fa75be0

Threat Level: Known bad

The file 41369.apk (package com.temptation.lydia) was found to be: Known bad. The verdict rests on the static analysis, which matched the Irata family and payload signatures and found the app requesting SMS read/receive/send and contacts read/write permissions. The three dynamic detonations (3-4s of kernel time, 130-145s of network capture) only recorded wake-lock, connectivity-check and network-operator framework calls, traffic to Google analytics/API hosts plus an mDNS probe, and a PersistedInstallation*tmp file in the app's files directory whose name matches the temp file written by the Firebase Installations SDK. No command-and-control contact was captured within the sandbox window, so the network rows below should not be read as C2 indicators.

Malicious Activity Summary

discovery, irata

Irata family

Irata payload

Requests dangerous framework permissions

Acquires the wake lock

Checks if the internet connection is available

Reads information about phone network operator.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-15 21:57

Signatures

Irata family

irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A

Requests dangerous framework permissions

Indicator                                   Description (Process and Target: N/A for every row)
android.permission.POST_NOTIFICATIONS       Allows an app to post notifications.
android.permission.READ_SMS                 Allows an application to read SMS messages.
android.permission.READ_PHONE_STATE         Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.ACCESS_COARSE_LOCATION   Allows an app to access approximate location.
android.permission.RECEIVE_SMS              Allows an application to receive SMS messages.
android.permission.SEND_SMS                 Allows an application to send SMS messages.
android.permission.READ_CONTACTS            Allows an application to read the user's contacts data.
android.permission.WRITE_CONTACTS           Allows an application to write the user's contacts data.
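The permission table above is the part of the report a triage analyst reads first, because the combination matters more than any single entry. The following script is an added example for this page, not part of the sandbox's tooling: it parses a decoded AndroidManifest.xml, separates the runtime ("dangerous") permissions from the rest, and reports which capabilities the requested set implies. The SAMPLE_MANIFEST is constructed from the static1 permission list plus android.permission.INTERNET (assumed, since the detonations show network traffic); it is not the real manifest of 41369.apk, and the DANGEROUS set and capability profiles are the author's own triage heuristics.

```python
"""Flag dangerous permissions and the capabilities they imply in an AndroidManifest.

Added example for this report, not part of the sandbox's own tooling. It
assumes the manifest has already been decoded to plain XML (e.g. with
apktool or androguard). SAMPLE_MANIFEST is constructed from the permission
list in the static1 section plus android.permission.INTERNET (assumed); it
is not the real manifest of 41369.apk.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime ("dangerous") permissions worth flagging in SMS-stealer / banker triage.
DANGEROUS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.READ_CALL_LOG",
    "android.permission.CALL_PHONE",
}

# Capability profiles (assumption): every permission in the set must be requested.
PROFILES = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "contact_harvesting": {"android.permission.READ_CONTACTS"},
    "contact_tampering": {"android.permission.WRITE_CONTACTS"},
    "device_fingerprinting": {"android.permission.READ_PHONE_STATE"},
    "coarse_location": {"android.permission.ACCESS_COARSE_LOCATION"},
}

# Constructed sample, built from the static1 permission table of this report.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.temptation.lydia">
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set:
    """Return every permission name the manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = set()
    # <uses-permission-sdk-23> is only requested on API 23+, but counts the same for triage.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names


def triage(manifest_xml: str) -> dict:
    """Summarise the dangerous subset and the capability profiles it implies."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    profiles = sorted(name for name, needed in PROFILES.items() if needed <= perms)
    # Heuristic (assumption): read+receive+send SMS together with contacts
    # read access is the classic SMS-stealer permission footprint.
    stealer_footprint = {"sms_interception", "sms_sending", "contact_harvesting"} <= set(profiles)
    return {
        "package": root.get("package"),
        "dangerous": sorted(perms & DANGEROUS),
        "other": sorted(perms - DANGEROUS),
        "profiles": profiles,
        "sms_stealer_footprint": stealer_footprint,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run it against the real manifest by feeding `apktool d 41369.apk` output (or androguard's `get_android_manifest_xml()`) into `triage()`; the point of the profile step is that RECEIVE_SMS without READ_SMS, or READ_CONTACTS alone, tells a different story than the full set this sample requests.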

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-15 21:57

Reported

2024-05-15 22:01

Platform

android-x64-arm64-20240514-en

Max time kernel

3s

Max time network

130s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Processes

com.temptation.lydia

Network

Country  Destination           Domain                     Proto
N/A      224.0.0.251:5353      -                          udp
US       1.1.1.1:53            ssl.google-analytics.com   udp
GB       216.58.201.104:443    ssl.google-analytics.com   tcp
GB       172.217.169.14:443    -                          tcp
US       1.1.1.1:53            android.apis.google.com    udp
GB       142.250.200.46:443    android.apis.google.com    tcp
GB       142.250.200.36:443    -                          tcp
GB       142.250.200.36:443    -                          tcp
US       1.1.1.1:53            www.google.com             udp
GB       142.250.187.196:443   www.google.com             tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation9105401958608912630tmp

MD5 944db2e9a80ec70f462af6f30318c6e5
SHA1 1e03f0b504965f19535fa446c5224998db555556
SHA256 13f5c538e6768a923c8fd6c682fa37198d339373eedfdebb8bea823b3e9b8bdf
SHA512 d95bc8294a28d4cdbee8f74ca9502f0d418d2e96d7417a48a2324973b26dcc018c042ae45abcc3f1fb3eacf63501ad9d100e7a02d1aaf1bc3d10b11cfe135d08

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 21:57

Reported

2024-05-15 22:01

Platform

android-x86-arm-20240514-en

Max time kernel

3s

Max time network

131s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

com.temptation.lydia

Network

Country  Destination           Domain                     Proto
N/A      224.0.0.251:5353      -                          udp
GB       216.58.212.227:443    -                          tcp
GB       142.250.180.14:443    -                          tcp
US       1.1.1.1:53            android.apis.google.com    udp
GB       172.217.16.238:443    android.apis.google.com    tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation23050975786416030tmp

MD5 3d9af86c8280b7cb948c524de685c5b9
SHA1 80756a9beffc7bce2ef6463a8dd5811b3039bdc1
SHA256 655d097ae52971c0581cc21c4f8ad2739f422bae99aceeff5813fbf9bee9b0d4
SHA512 3b445fd0f8048e8d80d27d5011541580b39960ec0033611025c9c2f9245c3673281c5c2ca90736fba7d280e3ce0b4f326f734d14420b7b04fe159b207c5c3f0d

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 21:57

Reported

2024-05-15 22:01

Platform

android-x64-20240514-en

Max time kernel

4s

Max time network

145s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator.

discovery

Processes

com.temptation.lydia

Network

Country  Destination           Domain                     Proto
N/A      224.0.0.251:5353      -                          udp
US       1.1.1.1:53            ssl.google-analytics.com   udp
GB       172.217.16.232:443    ssl.google-analytics.com   tcp
US       1.1.1.1:53            android.apis.google.com    udp
GB       172.217.16.238:443    android.apis.google.com    tcp
GB       142.250.200.36:443    -                          tcp
GB       142.250.200.36:443    -                          tcp
GB       172.217.16.238:443    android.apis.google.com    tcp
GB       172.217.16.238:443    android.apis.google.com    tcp
GB       216.58.212.226:443    -                          tcp
GB       172.217.16.238:443    android.apis.google.com    tcp
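The three Network tables in this report (behavioral3, behavioral1 and this one) all have the same shape, and the question an analyst asks of each is the same: which flows carry a name the sandbox tied to them, which are bare IPs that still need a passive-DNS or ASN lookup, and does anything fall outside the platform traffic an app with Google SDKs generates anyway. The script below is an added example, not the sandbox's own code. It assumes the rows have been copied out as whitespace-separated "Country Destination [Domain] Proto" lines, with the Domain column either absent or written as "-" when no name was attached; the embedded rows are the behavioral2 table above, and the list of suffixes treated as expected platform traffic is the author's assumption.

```python
"""Triage a sandbox "Network" table like the ones in this report.

Added example, not part of the sandbox's own tooling. It assumes each row
is "Country Destination [Domain] Proto" with Domain missing or "-" when the
sandbox could not tie the flow to a name. BEHAVIORAL2_ROWS is copied from
the behavioral2 Network table of this report.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

BEHAVIORAL2_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 216.58.212.226:443 tcp
GB 172.217.16.238:443 android.apis.google.com tcp
"""

# Assumption: names under these suffixes are accepted as Google platform/SDK
# traffic without further lookup. Anything else is surfaced for review.
PLATFORM_SUFFIXES = (".google.com", ".google-analytics.com")
MDNS_DESTINATION = "224.0.0.251:5353"


@dataclass(frozen=True)
class Flow:
    country: str
    destination: str      # "ip:port" as the sandbox prints it
    domain: Optional[str]  # None when the sandbox attached no name
    proto: str

    @property
    def port(self) -> int:
        return int(self.destination.rsplit(":", 1)[1])


def parse_rows(text: str) -> List[Flow]:
    """Parse flattened table rows; a 3-token row has no Domain column."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
            domain = None if domain == "-" else domain
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unparseable row: {line!r}")
        flows.append(Flow(country, dest, domain, proto))
    return flows


def is_platform_domain(domain: str) -> bool:
    """True for the bare platform domain or any name under it."""
    return any(domain == s.lstrip(".") or domain.endswith(s) for s in PLATFORM_SUFFIXES)


def triage(flows: List[Flow]) -> dict:
    """Split flows into DNS lookups, named TCP flows, bare-IP TCP flows and mDNS."""
    dns_queries = sorted({f.domain for f in flows if f.proto == "udp" and f.port == 53 and f.domain})
    tcp_by_domain = Counter(f.domain for f in flows if f.proto == "tcp" and f.domain)
    unresolved_tcp = Counter(f.destination for f in flows if f.proto == "tcp" and f.domain is None)
    mdns_probes = sum(1 for f in flows if f.destination == MDNS_DESTINATION)
    seen_names = set(dns_queries) | set(tcp_by_domain)
    return {
        "dns_queries": dns_queries,
        "tcp_by_domain": dict(tcp_by_domain),
        "unresolved_tcp": dict(unresolved_tcp),   # bare IPs: look these up before calling them C2
        "mdns_probes": mdns_probes,
        "non_platform_domains": sorted(d for d in seen_names if not is_platform_domain(d)),
    }


if __name__ == "__main__":
    for key, value in triage(parse_rows(BEHAVIORAL2_ROWS)).items():
        print(f"{key}: {value}")
```

For this detonation the result has an empty `non_platform_domains` list and two bare-IP TLS destinations (142.250.200.36 twice, 216.58.212.226 once); those are what to feed into passive DNS or an ASN lookup before writing anything about command-and-control, and the same parser can be pointed at the behavioral3 and behavioral1 tables unchanged.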

Files

/data/data/com.temptation.lydia/files/PersistedInstallation8027683199277514979tmp

MD5 ec1309059d487f02e1a24fc89a2bc4bf
SHA1 538f99879fd20376a7ef33f388027d7bb17c3e32
SHA256 000fbf9bf26d211f549c037340a7819e2b0aa7bb915dc35d5e95408b2ad90b33
SHA512 4a78bc0c1814cace6f658f03b963c2bf5c82eaa1e5883e0629e5ef96d6aa06bbfffe2c40293b1132aebe8fd2a343edc5202a9e11da5b07cc4eab508e07d6c534