Malware Analysis Report

2024-09-09 16:15

Sample ID 240516-bkt8wadg36
Target 2d3e3491b892018302d45827b3bf5cb09699d933f1b13aa19abc3dd18fa75be0.apk
SHA256 2d3e3491b892018302d45827b3bf5cb09699d933f1b13aa19abc3dd18fa75be0
Tags irata, discovery
Score 10/10


Analysis Overview

Score

10/10

SHA256

2d3e3491b892018302d45827b3bf5cb09699d933f1b13aa19abc3dd18fa75be0

Threat Level: Known bad

The file 2d3e3491b892018302d45827b3bf5cb09699d933f1b13aa19abc3dd18fa75be0.apk was found to be: Known bad.

Malicious Activity Summary

Tags irata, discovery

Irata family

Irata payload

Requests dangerous framework permissions

Acquires the wake lock

Checks if the internet connection is available

Reads information about phone network operator

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-16 01:12

Signatures

Irata family

Tags irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 01:12

Reported

2024-05-16 01:15

Platform

android-x86-arm-20240514-en

Max time kernel

3s

Max time network

139s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks if the internet connection is available

Tags discovery

Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator

Tags discovery

Processes

com.temptation.lydia

Network

Country Destination Domain Proto
GB 142.250.187.195:443 N/A tcp
N/A 224.0.0.251:5353 N/A udp
GB 142.250.180.14:443 N/A tcp
GB 142.250.180.14:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.14:443 android.apis.google.com tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation3502968653401232652tmp

MD5 040ee434f71d2f8e275dff40b4dfd3dd
SHA1 404b24febd51484e8024e57f886efb3f53cfcc72
SHA256 a3430a98ccecbf8cb76738239bddfe0a99d7dfb0bd3bde9c3a7782967adb21e3
SHA512 5c3355a663bb26c72bf01e8dddfbe9cb80ede76ffda4496be2077764abc136b0a176bad8857e5ca624614b7579b23b325cd8e67bf56836c6c9b3075b0f59b032

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 01:12

Reported

2024-05-16 01:15

Platform

android-x64-20240514-en

Max time kernel

3s

Max time network

148s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks if the internet connection is available

Tags discovery

Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator

Tags discovery

Processes

com.temptation.lydia

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
GB 216.58.201.100:443 N/A tcp
GB 216.58.201.100:443 N/A tcp
GB 172.217.169.14:443 N/A tcp
GB 172.217.16.226:443 N/A tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation2843627553591522140tmp

MD5 9189c75a5a29a564d4badfe1d2e233b4
SHA1 cec7aee589e05ed01b71368b9e62f15c8bea6185
SHA256 7a222844fbdf2f5020447206321ac05485149c9a132ba7c314f389f75ce2a90e
SHA512 53ee29902800719703d311c73d08c27e39cc45ba289bee0199146084852596f34962821baabe8c59f66f563a5362ff9c67896598c7d6871cde9d61d5fbddc668

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-16 01:12

Reported

2024-05-16 01:15

Platform

android-x64-arm64-20240514-en

Max time kernel

3s

Max time network

132s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks if the internet connection is available

Tags discovery

Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Reads information about phone network operator

Tags discovery

Processes

com.temptation.lydia

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
GB 142.250.200.46:443 N/A tcp
GB 142.250.200.46:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.46:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
GB 216.58.201.100:443 N/A tcp
GB 216.58.201.100:443 N/A tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation5553701227249367711tmp

MD5 a30ae276de3d5adacc46d8400a7633dc
SHA1 8532c2291f22caadfae3f0a5bbcce807d29525ad
SHA256 eb9ad21ae68398cf48c57e618030c22671df4eb758b09ee9f2655c4ed5179234
SHA512 3a95d848a1248e8f551970f00b329d253249f7574bebe6e5b84224f56e2aebf30475ee22fd0583849db9cca3fd4bdcacf8ee13be19a890e8e7ac81785a7687ea