Malware Analysis Report

2024-09-09 16:11

Sample ID 240516-kxla6sda8s
Target a1a1fbdb6070ff388642974b1616d1955c2a89fbb8702caa02fa6927adbdad6c
SHA256 a1a1fbdb6070ff388642974b1616d1955c2a89fbb8702caa02fa6927adbdad6c
Tags
irata collection credential_access discovery evasion persistence impact
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a1a1fbdb6070ff388642974b1616d1955c2a89fbb8702caa02fa6927adbdad6c

Threat Level: Known bad

The file a1a1fbdb6070ff388642974b1616d1955c2a89fbb8702caa02fa6927adbdad6c was found to be: Known bad.

Malicious Activity Summary

irata collection credential_access discovery evasion persistence impact

Irata payload

Irata family

Prevents application removal

Makes use of the framework's Accessibility service

Requests accessing notifications (often used to intercept notifications before users become aware).

Makes use of the framework's foreground persistence service

Checks memory information

Obtains sensitive information copied to the device clipboard

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Queries the mobile country code (MCC)

Requests enabling of the accessibility settings.

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Requests dangerous framework permissions

Declares services with permission to bind to the system

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-16 08:58

Signatures

Irata family

irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to write and read the user's call log data. android.permission.WRITE_CALL_LOG N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 08:58

Reported

2024-05-16 09:02

Platform

android-x86-arm-20240514-en

Max time kernel

179s

Max time network

186s

Command Line

com.aramaslat.newapp

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Processes

com.aramaslat.newapp

Network

Country Destination Domain Proto
GB 142.250.179.234:443 tcp
GB 172.217.169.74:443 tcp
GB 142.250.179.234:443 tcp
GB 142.250.179.234:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.179.234:443 tcp
GB 216.58.212.227:443 tcp
DE 159.100.20.184:52997 tcp
GB 172.217.169.42:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
DE 159.100.20.184:52997 tcp
DE 159.100.20.184:52997 tcp
DE 159.100.20.184:52997 tcp
DE 159.100.20.184:52997 tcp
GB 142.250.200.46:443 tcp
GB 142.250.180.2:443 tcp
DE 159.100.20.184:52997 tcp

Files

/data/data/com.aramaslat.newapp/files/loading.gif

MD5 7b38720a0352dffa26411726c72dd2b0
SHA1 b15e687f42abcdc12427f146a3115ef2259211f8
SHA256 2013f490d45638cada331b3474ed65b9a43cec60da773accc98332e58c06336d
SHA512 0df28f87da4f9beb3ca8c108f54021a2a1a1434771abbb5ba67a2736097f2287b05e5220a33e92c42ee13ecae1144714a422b986763712794f69e65bc44c83e3

/data/data/com.aramaslat.newapp/files/db.db

MD5 d5d190e1180c5e6858c40a93f7526f12
SHA1 0d054f2e34776c8d5bcfd54d743831b9919618fe
SHA256 274fe3e82fc2630d99809afd6a1c64768a77ed69c04b33e0df6a292a5a042203
SHA512 0d58df37359d6e35f02ef95e4edcfb05fac6c3bc57d1c3e56e49fa7b6c66aef3f99b383cb14dc5a01b52bc6a0d4685f275fb30279aa26e8339a5e0b8416ba85e

/data/data/com.aramaslat.newapp/files/txtscreensize.txt

MD5 1b65c10c6215685f9d621d797f911373
SHA1 cc50aaed5cd521a62ec8cf9fe0413153ec90f265
SHA256 2230c2b2787663a054c47450ecd1718f0296853ad768b8e5d306ecb912685e89
SHA512 5a9139f295dbe384b1584eff5c11f3f86759232f7b661b75f27fe92b996b4cdc0552e315f79b26f5f2c1f91756d9ae04cf0c3675b6172e91a3d373b9b314496f

/data/data/com.aramaslat.newapp/files/db.db-journal

MD5 f8a8c3448d90ff5f2debe1457bfb8fd0
SHA1 8a6627e83f26242a228aac1a25a385c71ea4aab9
SHA256 ac4fe590866a7f9039b09fbeb97b37495b852b6c1af2931c460a4d5e0a2264ec
SHA512 90b1148418c0d9ecd46756399e9d617164e9f60cd4de68341ea75bd97a66ba24cdc0de0f2454d92293ea87fb0649d6dba71711bdf8ae8eaacc1e22883abe50ce

/data/data/com.aramaslat.newapp/files/db.db

MD5 2c6fe773f7cc42d162630d93a98fa91f
SHA1 a0d76f9403df661aea3017a0d912de03c415e3a9
SHA256 3855acc95e1e3648649a16c91abdcb1e2eb81826ae6171a0ab25c5b74452f186
SHA512 20436ab982d11ec32d69267c93c378e4ad92d8f840f5b412984af5aa0240f0eb8df757fdfde5ab95a2649c6f9862d9b633cd8dfcab5c07c1a4533072600c39a6

/data/data/com.aramaslat.newapp/files/db.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 08:58

Reported

2024-05-16 09:02

Platform

android-x64-20240514-en

Max time kernel

179s

Max time network

186s

Command Line

com.aramaslat.newapp

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Processes

com.aramaslat.newapp

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
GB 172.217.169.14:443 tcp
DE 159.100.20.184:52997 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.46:443 tcp
GB 172.217.16.226:443 tcp
DE 159.100.20.184:52997 tcp
GB 216.58.204.68:443 tcp
GB 216.58.204.68:443 tcp
DE 159.100.20.184:52997 tcp
DE 159.100.20.184:52997 tcp
DE 159.100.20.184:52997 tcp
DE 159.100.20.184:52997 tcp

Files

/data/data/com.aramaslat.newapp/files/loading.gif

MD5 7b38720a0352dffa26411726c72dd2b0
SHA1 b15e687f42abcdc12427f146a3115ef2259211f8
SHA256 2013f490d45638cada331b3474ed65b9a43cec60da773accc98332e58c06336d
SHA512 0df28f87da4f9beb3ca8c108f54021a2a1a1434771abbb5ba67a2736097f2287b05e5220a33e92c42ee13ecae1144714a422b986763712794f69e65bc44c83e3

/data/data/com.aramaslat.newapp/files/db.db

MD5 d5d190e1180c5e6858c40a93f7526f12
SHA1 0d054f2e34776c8d5bcfd54d743831b9919618fe
SHA256 274fe3e82fc2630d99809afd6a1c64768a77ed69c04b33e0df6a292a5a042203
SHA512 0d58df37359d6e35f02ef95e4edcfb05fac6c3bc57d1c3e56e49fa7b6c66aef3f99b383cb14dc5a01b52bc6a0d4685f275fb30279aa26e8339a5e0b8416ba85e

/data/data/com.aramaslat.newapp/files/txtscreensize.txt

MD5 1b65c10c6215685f9d621d797f911373
SHA1 cc50aaed5cd521a62ec8cf9fe0413153ec90f265
SHA256 2230c2b2787663a054c47450ecd1718f0296853ad768b8e5d306ecb912685e89
SHA512 5a9139f295dbe384b1584eff5c11f3f86759232f7b661b75f27fe92b996b4cdc0552e315f79b26f5f2c1f91756d9ae04cf0c3675b6172e91a3d373b9b314496f

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-16 08:58

Reported

2024-05-16 09:02

Platform

android-x64-arm64-20240514-en

Max time kernel

179s

Max time network

185s

Command Line

com.aramaslat.newapp

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Processes

com.aramaslat.newapp

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
DE 159.100.20.184:52997 tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
DE 159.100.20.184:52997 tcp
DE 159.100.20.184:52997 tcp
DE 159.100.20.184:52997 tcp
DE 159.100.20.184:52997 tcp
DE 159.100.20.184:52997 tcp

Files

/data/data/com.aramaslat.newapp/files/loading.gif

MD5 7b38720a0352dffa26411726c72dd2b0
SHA1 b15e687f42abcdc12427f146a3115ef2259211f8
SHA256 2013f490d45638cada331b3474ed65b9a43cec60da773accc98332e58c06336d
SHA512 0df28f87da4f9beb3ca8c108f54021a2a1a1434771abbb5ba67a2736097f2287b05e5220a33e92c42ee13ecae1144714a422b986763712794f69e65bc44c83e3

/data/data/com.aramaslat.newapp/files/db.db

MD5 d5d190e1180c5e6858c40a93f7526f12
SHA1 0d054f2e34776c8d5bcfd54d743831b9919618fe
SHA256 274fe3e82fc2630d99809afd6a1c64768a77ed69c04b33e0df6a292a5a042203
SHA512 0d58df37359d6e35f02ef95e4edcfb05fac6c3bc57d1c3e56e49fa7b6c66aef3f99b383cb14dc5a01b52bc6a0d4685f275fb30279aa26e8339a5e0b8416ba85e

/data/data/com.aramaslat.newapp/files/txtscreensize.txt

MD5 1b65c10c6215685f9d621d797f911373
SHA1 cc50aaed5cd521a62ec8cf9fe0413153ec90f265
SHA256 2230c2b2787663a054c47450ecd1718f0296853ad768b8e5d306ecb912685e89
SHA512 5a9139f295dbe384b1584eff5c11f3f86759232f7b661b75f27fe92b996b4cdc0552e315f79b26f5f2c1f91756d9ae04cf0c3675b6172e91a3d373b9b314496f