Malware Analysis Report

2024-09-09 16:15

Sample ID: 240515-z7a1hsce5x
Target: app.apk
SHA256: 1ef0c4d0484f9c859cc0e61223d71579a817736bf741bc6001dab472a95c56b2
Tags: irata, discovery
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 1ef0c4d0484f9c859cc0e61223d71579a817736bf741bc6001dab472a95c56b2
Threat Level: Known bad

The file app.apk was found to be: Known bad.

Malicious Activity Summary

Tags: irata, discovery

Irata family
Irata payload
Checks if the internet connection is available
Requests dangerous framework permissions
Acquires the wake lock

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-15 21:21

Signatures

Irata family (tag: irata)
Irata payload
    Description / Indicator / Process / Target: none recorded (N/A). The family match is reported without the matching rule, string or offset, so it cannot be re-verified from this page alone.

Requests dangerous framework permissions

Permission                                 Description
android.permission.CALL_PHONE              Initiate a phone call without going through the Dialer UI for the user to confirm the call.
android.permission.READ_SMS                Read SMS messages.
android.permission.POST_NOTIFICATIONS      Post notifications (permission exists on Android 13 / API 33 and later).
android.permission.SEND_SMS                Send SMS messages.
android.permission.ACCESS_FINE_LOCATION    Access precise location.
android.permission.RECEIVE_SMS             Receive SMS messages.
android.permission.READ_PHONE_STATE        Read-only access to phone state: current cellular network information, status of any ongoing calls, and the PhoneAccounts registered on the device.
android.permission.READ_CONTACTS           Read the user's contacts data.

(Process and Target are N/A for every row: these are manifest declarations found by static analysis, not runtime observations.)

Read together, RECEIVE_SMS + READ_SMS + SEND_SMS give the app full control of the SMS channel, which is the combination needed to see incoming one-time passcodes and relay them elsewhere; READ_CONTACTS supplies a recipient list for spreading by SMS, and CALL_PHONE allows dialling without user confirmation. The sandbox records only that the permissions are declared; whether each one is exercised at runtime is not shown in this report.
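The permission table is more useful as a capability profile than as a flat list. The following Python is an added example written for this page, not sandbox output or code from the sample: it parses the line format that `aapt dump permissions app.apk` prints, groups the declared permissions into capabilities, and derives a triage verdict. The embedded aapt text is a reconstruction from the table above (the report does not show the raw manifest), and the INTERNET permission in it is an assumption, included because the sample opens TLS connections but normal-protection permissions do not appear in a "dangerous permissions" table.

```python
import re

PERM = "android.permission."

# Capability groups for triage. A capability is present only if every
# permission in its set is declared in the manifest.
CAPABILITIES = {
    "sms_interception": {PERM + "RECEIVE_SMS", PERM + "READ_SMS"},
    "sms_sending":      {PERM + "SEND_SMS"},
    "contact_harvest":  {PERM + "READ_CONTACTS"},
    "silent_dialing":   {PERM + "CALL_PHONE"},
    "telephony_ident":  {PERM + "READ_PHONE_STATE"},
    "precise_location": {PERM + "ACCESS_FINE_LOCATION"},
}

# Constructed input in the line format of `aapt dump permissions app.apk`,
# populated from this report's table. The sandbox does not show the raw
# manifest, so this is a reconstruction; INTERNET (normal protection level,
# hence absent from the "dangerous" table) is included as an assumption
# because the sample opens TLS connections.
AAPT_DUMP = """\
package: com.mycarroll.app
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.POST_NOTIFICATIONS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.READ_CONTACTS'
"""

_PACKAGE = re.compile(r"^package: (\S+)", re.M)
_USES_PERM = re.compile(r"^uses-permission: name='([^']+)'", re.M)


def parse_aapt_permissions(dump: str):
    """Return (package_name, set_of_declared_permissions) from aapt text."""
    m = _PACKAGE.search(dump)
    return (m.group(1) if m else None), set(_USES_PERM.findall(dump))


def assess(perms: set) -> dict:
    """Map declared permissions to capabilities and derive a triage verdict."""
    caps = {name: required <= perms for name, required in CAPABILITIES.items()}
    findings = []
    if caps["sms_interception"]:
        findings.append("reads incoming SMS: one-time passcodes are exposed")
    if caps["sms_interception"] and caps["sms_sending"]:
        findings.append("reads and sends SMS: relay/forwarding profile")
    if caps["sms_sending"] and caps["contact_harvest"]:
        findings.append("sends SMS and reads contacts: smishing-spread profile")
    if caps["silent_dialing"]:
        findings.append("places calls without the dialer confirmation UI")
    # Interception plus at least one exfiltration or spread path is the
    # minimum an SMS stealer needs; anything less is flagged for review only.
    stealer = caps["sms_interception"] and (caps["sms_sending"] or caps["contact_harvest"])
    return {"capabilities": caps, "findings": findings,
            "verdict": "sms_stealer_profile" if stealer else "review"}


if __name__ == "__main__":
    pkg, perms = parse_aapt_permissions(AAPT_DUMP)
    result = assess(perms)
    print(pkg, result["verdict"])
    for finding in result["findings"]:
        print(" -", finding)
```

The verdict is deliberately conservative: a lone READ_SMS is common in legitimate apps (SMS backup, OTP auto-fill on older targets) and only earns "review", whereas interception combined with a send or contacts path is what an SMS stealer cannot do without. The thresholds are the example's own policy, not a rule the sandbox applies.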

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-15 21:21
Reported: 2024-05-15 21:24
Platform: android-x86-arm-20240514-en
Max time kernel: 4s
Max time network: 144s

Command Line

com.mycarroll.app

Signatures

Acquires the wake lock
    Framework service call: android.os.IPowerManager.acquireWakeLock (process/target not recorded)

Checks if the internet connection is available (tactic: discovery)
    Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (process/target not recorded)

Both runtime signatures are low-signal on their own: holding a wake lock and querying the active network are routine for any app that does background work. The "known bad" verdict rests on the static Irata family match, not on these two calls.

Processes

com.mycarroll.app

Network

Country  Destination            Domain                          Proto
-        224.0.0.251:5353       -                               udp
GB       142.250.180.14:443     -                               tcp
US       1.1.1.1:53             android.apis.google.com         udp
GB       142.250.179.238:443    android.apis.google.com         tcp
US       1.1.1.1:53             google.com                      udp
US       1.1.1.1:53             238.16.217.172.in-addr.arpa     udp
US       1.1.1.1:53             irnadl.com                      udp
DE       94.130.217.114:443     irnadl.com                      tcp
DE       94.130.217.114:443     irnadl.com                      tcp
GB       142.250.187.206:443    -                               tcp
DE       94.130.217.114:443     irnadl.com                      tcp
US       1.1.1.1:53             i.ibb.co                        udp
FR       162.19.58.157:443      i.ibb.co                        tcp

Rows to 1.1.1.1:53 are DNS lookups through the sandbox resolver (the resolver address is the environment's, not the sample's), and 224.0.0.251:5353 is mDNS from the emulator itself. The 142.250.x.x addresses belong to Google and carry Play Services background traffic; 238.16.217.172.in-addr.arpa is a reverse lookup of 172.217.16.238, also a Google address. The only destinations outside Google's infrastructure are irnadl.com (94.130.217.114, three TLS connections) and i.ibb.co (162.19.58.157), a public image-hosting CDN. Both are contacted only in the runs where the app actually executed (this one and behavioral3) and are absent from behavioral2, where it did not.

Files

/data/data/com.mycarroll.app/files/PersistedInstallation4602034540091940447tmp

MD5 22a8d963ae417a3b6a33dca42ab4bc37
SHA1 70c49eac6de4cfec6b30a5e2161bb5a11887eff7
SHA256 48adb0e979469474e042c295dbf4d34dfcd9f387649c7189a217496eeca15afd
SHA512 5f422b3c759cb0de64bf304105ba6dd3cc988bfe7fb2aae3efebb4daf3d1949cd63d85d1c6025121b48c06588c0ec195105323fa3545ce0bd4bc520013d33761

/data/data/com.mycarroll.app/files/port.txt

MD5 b143bb9b14c916972f31e4ce92ce9fb3
SHA1 9d365fb5be0934e134cede71eaf6c29e5170f656
SHA256 bab3ce5611fdd6dcb48e24c4a8f7d34e2f0b2eaca95418ce0c26152e8f2a844c
SHA512 89993f29ebad7daee5fe55c460082c86eab646647666d2d6113dbf8c7739bd42425857f539b1c071dba7047c590b4ae11b95b0da2f4de3ab9a95639046453ed2

/data/data/com.mycarroll.app/cache/~test.test

MD5 098f6bcd4621d373cade4e832627b4f6
SHA1 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
SHA256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
SHA512 ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff

/data/data/com.mycarroll.app/files/PersistedInstallation6168216280106235365tmp

MD5 928223248db972e32835a18f5bd8d090
SHA1 302ff9ddc7f29d7aae8e3f82803afc449a2fa7b3
SHA256 31ac47c5c857228b283db955e56a917e48bd808527e854a28895fceaaa2366ab
SHA512 d9aff4b3d5218bbbd1aacfb9fd012f8e2faddb76df7fb0e95a2661ffd4d79c0adca4f6b49f29c23164e3e1950793e1ecc14b1151b67fe7a53860b927d2e4af65

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-15 21:21
Reported: 2024-05-15 21:24
Platform: android-x64-20240514-en
Max time network: 180s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination            Domain                          Proto
-        224.0.0.251:5353       -                               udp
GB       216.58.204.74:443      -                               tcp
US       1.1.1.1:53             android.apis.google.com         udp
GB       142.250.178.14:443     android.apis.google.com         tcp
US       1.1.1.1:53             ssl.google-analytics.com        udp
GB       142.250.187.200:443    ssl.google-analytics.com        tcp
GB       172.217.16.228:443     -                               tcp
GB       172.217.16.228:443     -                               tcp
GB       142.250.187.238:443    -                               tcp
GB       142.250.200.2:443      -                               tcp
GB       172.217.169.10:443     -                               tcp
GB       172.217.169.14:443     -                               tcp

Files

N/A

No process, command line, signature, kernel time or file activity was recorded in this run: the sample never executed on this image, so the traffic above is emulator and Play Services background only (every destination is a Google address, and neither irnadl.com nor i.ibb.co appears). The two images on which the sample did run, android-x86-arm and android-x64-arm64, both provide ARM binary support and this one does not; an APK that ships only ARM native libraries would fail to start in exactly this way, but that cannot be confirmed from this report. Treat this run as an idle baseline for the other two, not as evidence of benign behaviour.

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-15 21:21
Reported: 2024-05-15 21:24
Platform: android-x64-arm64-20240514-en
Max time kernel: 6s
Max time network: 128s

Command Line

com.mycarroll.app

Signatures

Acquires the wake lock
    Framework service call: android.os.IPowerManager.acquireWakeLock (process/target not recorded)

Checks if the internet connection is available (tactic: discovery)
    Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (process/target not recorded)

Processes

com.mycarroll.app

Network

Country  Destination            Domain                          Proto
-        224.0.0.251:5353       -                               udp
GB       172.217.169.14:443     -                               tcp
GB       172.217.169.14:443     -                               tcp
US       1.1.1.1:53             android.apis.google.com         udp
GB       172.217.169.46:443     android.apis.google.com         tcp
US       1.1.1.1:53             ssl.google-analytics.com        udp
US       1.1.1.1:53             google.com                      udp
US       1.1.1.1:53             46.200.250.142.in-addr.arpa     udp
GB       142.250.180.8:443      ssl.google-analytics.com        tcp
US       1.1.1.1:53             irnadl.com                      udp
DE       94.130.217.114:443     irnadl.com                      tcp
DE       94.130.217.114:443     irnadl.com                      tcp
DE       94.130.217.114:443     irnadl.com                      tcp
US       1.1.1.1:53             i.ibb.co                        udp
FR       162.19.58.161:443      i.ibb.co                        tcp
GB       142.250.200.4:443      -                               tcp
GB       142.250.200.4:443      -                               tcp
GB       172.217.169.46:443     android.apis.google.com         tcp
US       1.1.1.1:53             www.google.com                  udp
GB       142.250.187.196:443    www.google.com                  tcp
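The three Network tables (behavioral1, behavioral2 and behavioral3) reduce to a short indicator list if behavioral2, where the app never started, is treated as an idle baseline and only destinations that recur in both executing runs are kept. The Python below is an added example written for this page, not sandbox output or code from the sample. The rows are copied from the report's tables with exact duplicates dropped; the list of "platform" domain suffixes is the example's assumption about emulator and Play Services background traffic, not something the sandbox asserts.

```python
from collections import namedtuple

Conn = namedtuple("Conn", "country dest domain proto")

# Rows copied from this report's Network tables (exact duplicates dropped; the
# analysis works on sets). behavioral2 is the run in which the app never
# started, so it serves as the idle-sandbox baseline.
BEHAVIORAL1 = """
N/A 224.0.0.251:5353 udp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
US 1.1.1.1:53 google.com udp
US 1.1.1.1:53 238.16.217.172.in-addr.arpa udp
US 1.1.1.1:53 irnadl.com udp
DE 94.130.217.114:443 irnadl.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 i.ibb.co udp
FR 162.19.58.157:443 i.ibb.co tcp
"""
BEHAVIORAL2 = """
N/A 224.0.0.251:5353 udp
GB 216.58.204.74:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
GB 172.217.16.228:443 tcp
GB 142.250.187.238:443 tcp
GB 142.250.200.2:443 tcp
GB 172.217.169.10:443 tcp
GB 172.217.169.14:443 tcp
"""
BEHAVIORAL3 = """
N/A 224.0.0.251:5353 udp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.46:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 google.com udp
US 1.1.1.1:53 46.200.250.142.in-addr.arpa udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 irnadl.com udp
DE 94.130.217.114:443 irnadl.com tcp
US 1.1.1.1:53 i.ibb.co udp
FR 162.19.58.161:443 i.ibb.co tcp
GB 142.250.200.4:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
"""

# Assumption: domains the Android emulator and Play Services / Firebase SDKs
# contact on their own. Reverse lookups (in-addr.arpa) are resolver noise.
PLATFORM_SUFFIXES = (".google.com", ".googleapis.com", ".google-analytics.com",
                     ".gstatic.com", ".in-addr.arpa")
MDNS = "224.0.0.251:5353"


def parse_rows(text: str):
    """Parse 'Country Destination [Domain] Proto' rows; Domain is optional."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        domain = parts[2] if len(parts) == 4 else None
        rows.append(Conn(parts[0], parts[1], domain, parts[-1]))
    return rows


def observation_keys(rows):
    """Key each row by domain when resolved, else by raw IP:port; drop mDNS."""
    return {c.domain or c.dest for c in rows if c.dest != MDNS}


def is_platform(key: str) -> bool:
    return any(key == s.lstrip(".") or key.endswith(s) for s in PLATFORM_SUFFIXES)


def differential_iocs(active_runs, baseline_runs) -> dict:
    """Destinations seen in every run where the sample executed, absent from
    the idle baseline, and not attributable to platform background."""
    common = set.intersection(*(observation_keys(r) for r in active_runs))
    baseline = set().union(*(observation_keys(r) for r in baseline_runs))
    suspects = {k for k in common - baseline if not is_platform(k)}
    endpoints = sorted({(c.domain, c.dest) for run in active_runs for c in run
                        if c.proto == "tcp" and c.domain in suspects})
    return {"domains": sorted(suspects), "endpoints": endpoints}


if __name__ == "__main__":
    active = [parse_rows(BEHAVIORAL1), parse_rows(BEHAVIORAL3)]
    print(differential_iocs(active, [parse_rows(BEHAVIORAL2)]))
```

Bare-IP rows are keyed by IP:port, so a hard-coded C2 address that recurs across executing runs would surface even without a DNS lookup, and the ephemeral Google front-end addresses fall out because no single one repeats across runs (172.217.169.14 appears in behavioral3 and in the baseline, and is removed for that reason). The price of requiring recurrence in every executing run is that a destination contacted in only one run is dropped, so the per-run differences still deserve a manual look.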

Files

/data/user/0/com.mycarroll.app/files/PersistedInstallation2665323359734617776tmp

MD5 e7aba0830a5b8d6935d00bb7a5cbe7bf
SHA1 9d603f56d184d9b713a9e824b09a24c88cdbe961
SHA256 540530c55e72dc134dbf89b358b2d59b5978d7f1133361199607ed10b70d46cb
SHA512 3989f99b6aaade67cc09abdf2fb5a4545020fb53254d34f55df5a1540b0fde677f38f0c3f183a929189d04d3b3835392a2f10115e4e311e5186f00cc4d287084

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 55c8364cdf1a3ffbfb47dfd4dfbaaa62
SHA1 b28286069be9d0a4c819c95e6ae3dcd7a7c11cda
SHA256 85d33ce55b4d32213fa0ae569000823931ea84ff1777b7af3b1fa542f359199f
SHA512 a1329dcbae292af98b4051b9e613ae67c8f50996b221828853b255ec7417bf61482de32cead7201b269820d90e5eb36a453be22b645859f10ca3f3894cc21f45

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db

MD5 d9cf75fdd1c2292d986f6c3d5d60f2c8
SHA1 07ecb1d3a26d952ae5fecf54f36699ab498510b1
SHA256 2d227e9b7a044c8e10294f6a831fb92d81ea9582381796d87f35bd268e37538a
SHA512 442c96e4b4c79b8d1c64dd3a6d6088ae1dace441e78d830dfb3190ee1c0fafebc606fb432071b4a1ad1a4ba9b68c7877b0bce520ccc88708feaf82bbc474e0cb

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 0699793e899c07b4b8351e3737979f9a
SHA1 44db4666788042d4a6ae0c58e0c7b15beace5bcd
SHA256 85cfce0732d96e5dd8c12728168a606a7905665742951d6d159321ef14b75fb5
SHA512 7a191aee3558cd90a40cf8ff59dc97e0d5a5d7d61c7dedc6f7e6c1cdff8c67e3d0f86978f014eb2b0d1bd5456626b271311b67f8a5983346e61c4ceb98446815

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 aee0b35554ec3b64273fbd98ccdb9920
SHA1 4f25b36debcc79d11f4fa4f5a5b2979964f1b713
SHA256 62f5c0d2188521f897350ce7f6d48cbefb82f571e7d907a35fabe7796ca3fbe0
SHA512 30b0ae4d5bdfebb16b6c02e2232bbcef3c3aa08878f08d2368582bd39c338b86acc99c5dabd1aba48ddef2453d87a865a09866da09e134d370cdcc9430baeff3

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 cadbdddf9cc978012ebf0d2f8b95ff70
SHA1 bff50fd30339624e1778ca0a1772e9376c9c478b
SHA256 0055e308263e5a44d40a08e1afcc4dd2c433ce5c3204a0b55c8885b2e4521c9a
SHA512 6b9aba6c46a8336c306f930084a5381eeef19a6382462deabcaf83209a9138d3c50153810a016fdef26a0452679cded21bfa9ea8eed8a5502d27b6d6ca4ba0fb

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 44e42d4c3bb559d1e9d7fa87232d8276
SHA1 6f263d22c8646078e02d35744389097d801c083c
SHA256 ebbb2cd229567d99c7267cfef78b7240fadb4d697b7c04448bc47451d4e95ed1
SHA512 ef499f6caf6c63fb77adf880feec5b57c9491e5adfdd3262e6c9327e08e926d71dacf80c83a36b8e4d71adb3522ce00da7f06b560e451c2b45ce1e83f4de5277

/data/user/0/com.mycarroll.app/files/PersistedInstallation6855783397491405560tmp

MD5 94ffc7a23f2496b09405f463af8aeccb
SHA1 0e34d6f92b04b6ad4184e883f4f6b5defaf4c097
SHA256 2c9dd39b54630f69d2be80768c184e6b053d71fa111313f686173f62dbdeed6b
SHA512 874e83423ca301f46cba7f8abeb3643ff672ee41ee3c0d2b47167204373bc642445e9944b922aff10635cf1673a12f089bf8482391c18eead01bb5b84574da76

/data/user/0/com.mycarroll.app/files/port.txt

MD5 b143bb9b14c916972f31e4ce92ce9fb3
SHA1 9d365fb5be0934e134cede71eaf6c29e5170f656
SHA256 bab3ce5611fdd6dcb48e24c4a8f7d34e2f0b2eaca95418ce0c26152e8f2a844c
SHA512 89993f29ebad7daee5fe55c460082c86eab646647666d2d6113dbf8c7739bd42425857f539b1c071dba7047c590b4ae11b95b0da2f4de3ab9a95639046453ed2

/data/user/0/com.mycarroll.app/cache/~test.test

MD5 098f6bcd4621d373cade4e832627b4f6
SHA1 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
SHA256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
SHA512 ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 d0899fc5af90c533f54cd289ae625db0
SHA1 bbb634265d273ff0fb080b7c34cf9e4770c56f3e
SHA256 a10dc7e0dde54586b4a636bc48b820fffbf54eb5dbe5c377ce818ecda4dfe625
SHA512 c90e9c73cf281aabc8c246a722b949d42369f40d40872c2fa5590139ef317c3ba4ae3f4e5571273ad35ad658606372341bfb559e8289f3be7bf4268ac697efd4

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db

MD5 15afba73770703a1ec7395bc6b71a483
SHA1 d3138483699d51fd6ab08bb504ecdcae5f1a0db4
SHA256 5dbf60b47f7d3efd353bd3e865d8cfe3198fe010d2cc8bf118e9a4b7a007a754
SHA512 82f993e45edb0c0c9e3ab60ce0d6f41316a9da1a114ea285759153f2e6d79ee8e32e0fceed64c40b82d06280a3c826bb9ac2064310523fed572a062b1faba7cf

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db

MD5 cfc0d0c729c2fb2c5014d4d970dd7e4a
SHA1 3686191998715d387e1b59f087f81bbda59d7a02
SHA256 7d39566827bcd46584165c4af081874fbb1b24afdd038cf4664236f156860732
SHA512 a28650360c510fed310d10265a798e36cdc7644e0b85bd36eb5a70cc698d182b984778679d807040822aae051ea7e5b3a3707fd4965b25e18fe5b7ece3eb5e0e
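Most of the files listed in the three runs are SDK housekeeping rather than sample behaviour: PersistedInstallation<digits>tmp is the temporary file the Firebase Installations SDK creates through File.createTempFile in the app's files directory, and google_app_measurement_local.db with its -journal is the Firebase Analytics local store (the repeated -journal entries with different hashes are successive snapshots of the same SQLite journal). /data/data/<pkg> and /data/user/0/<pkg> are the same directory on current Android, so behavioral1 and behavioral3 wrote to the same places. Two files are the sample's own: cache/~test.test, whose MD5, SHA1 and SHA256 are exactly the digests of the four bytes "test" (a write probe), and files/port.txt, whose content is unknown but whose hash is identical in both runs, so it is deterministic and worth retrieving from the sandbox. The following Python is an added example written for this page, not sandbox output: it applies those attributions (which are the example's own, labelled as such) to the report's file list and verifies the ~test.test content offline.

```python
import hashlib
import re

# Assumption: path patterns of files that well-known SDKs create in an app's
# private directory. The labels are the analyst's attribution, not sandbox output.
SDK_ARTIFACTS = [
    (re.compile(r"/files/PersistedInstallation\d+tmp$"),
     "Firebase Installations SDK temp file (File.createTempFile naming)"),
    (re.compile(r"/databases/google_app_measurement_local\.db(-journal)?$"),
     "Firebase Analytics local measurement store"),
]

# Contents recognisable from the hash alone. The report's ~test.test digests
# are those of the literal bytes "test".
KNOWN_CONTENT = [(b"test", "write-probe file containing the literal 'test'")]

# (path, sha256) pairs copied from this report; paths that appear several
# times (successive snapshots of the same journal) are listed once.
REPORT_FILES = [
    ("/data/data/com.mycarroll.app/files/PersistedInstallation4602034540091940447tmp",
     "48adb0e979469474e042c295dbf4d34dfcd9f387649c7189a217496eeca15afd"),
    ("/data/data/com.mycarroll.app/files/port.txt",
     "bab3ce5611fdd6dcb48e24c4a8f7d34e2f0b2eaca95418ce0c26152e8f2a844c"),
    ("/data/data/com.mycarroll.app/cache/~test.test",
     "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"),
    ("/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db",
     "2d227e9b7a044c8e10294f6a831fb92d81ea9582381796d87f35bd268e37538a"),
    ("/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db-journal",
     "85d33ce55b4d32213fa0ae569000823931ea84ff1777b7af3b1fa542f359199f"),
    ("/data/user/0/com.mycarroll.app/files/port.txt",
     "bab3ce5611fdd6dcb48e24c4a8f7d34e2f0b2eaca95418ce0c26152e8f2a844c"),
]


def digests(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a byte string, the three hashes the report lists."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def canonical_path(path: str) -> str:
    """/data/data/<pkg> is a symlink to /data/user/0/<pkg> on current Android;
    fold both spellings so one file is not counted twice across runs."""
    return re.sub(r"^/data/data/", "/data/user/0/", path)


def classify(path: str, sha256: str):
    """Return (category, label) for one file entry."""
    for pattern, label in SDK_ARTIFACTS:
        if pattern.search(path):
            return "sdk_artifact", label
    for content, label in KNOWN_CONTENT:
        if digests(content)["sha256"] == sha256:
            return "known_content", label
    return "app_specific", "unknown content: retrieve from the sandbox and inspect"


def triage(entries) -> dict:
    """Classify every entry; returns {canonical_path: (category, label)}."""
    return {canonical_path(p): classify(p, h) for p, h in entries}


if __name__ == "__main__":
    for path, (category, label) in sorted(triage(REPORT_FILES).items()):
        print(f"{category:14} {path}")
        print(f"{'':14} {label}")
```

Hash-based content recognition only works for tiny, constant files such as a write probe; for port.txt the right move is to pull the file from the sandbox, since a stable, app-written file of that name is exactly where a sample keeps its configuration.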