Malware Analysis Report

2024-09-09 16:15

Sample ID 240516-yb7h6sch71
Target 1ef0c4d0484f9c859cc0e61223d71579a817736bf741bc6001dab472a95c56b2.apk
SHA256 1ef0c4d0484f9c859cc0e61223d71579a817736bf741bc6001dab472a95c56b2
Tags
irata discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1ef0c4d0484f9c859cc0e61223d71579a817736bf741bc6001dab472a95c56b2

Threat Level: Known bad

The file 1ef0c4d0484f9c859cc0e61223d71579a817736bf741bc6001dab472a95c56b2.apk was found to be: Known bad.

Malicious Activity Summary

irata discovery

Irata family

Irata payload

Checks if the internet connection is available

Requests dangerous framework permissions

Acquires the wake lock

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-16 19:37

Signatures

Irata family

irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 19:37

Reported

2024-05-16 19:41

Platform

android-x86-arm-20240514-en

Max time kernel

4s

Max time network

183s

Command Line

com.mycarroll.app

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.mycarroll.app

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.180.14:443 | | tcp
GB | 216.58.212.227:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | google.com | udp
US | 1.1.1.1:53 | 46.169.217.172.in-addr.arpa | udp
US | 1.1.1.1:53 | irnadl.com | udp
DE | 94.130.217.114:443 | irnadl.com | tcp
DE | 94.130.217.114:443 | irnadl.com | tcp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.180.2:443 | | tcp

Files

/data/data/com.mycarroll.app/files/PersistedInstallation2335434412101332753tmp

MD5 00a37aab053fcadf7d531d1b901179fe
SHA1 d0c879d5c4476fef719b7de462b10a6ed0e8b57f
SHA256 5c112e72fab20ea5d5d4dc5206813589b1e576a9fcb4c8d1cb6d70b438c89d21
SHA512 5788fefd36cf55266397850733fb9880203f3b881cafc5969c272e25a92436000dda39e0b33f5b10041d9f9218020d5455b39a77f0928716b4f3237cfcf2a2e0

/data/data/com.mycarroll.app/files/port.txt

MD5 b143bb9b14c916972f31e4ce92ce9fb3
SHA1 9d365fb5be0934e134cede71eaf6c29e5170f656
SHA256 bab3ce5611fdd6dcb48e24c4a8f7d34e2f0b2eaca95418ce0c26152e8f2a844c
SHA512 89993f29ebad7daee5fe55c460082c86eab646647666d2d6113dbf8c7739bd42425857f539b1c071dba7047c590b4ae11b95b0da2f4de3ab9a95639046453ed2

/data/data/com.mycarroll.app/cache/~test.test

MD5 098f6bcd4621d373cade4e832627b4f6
SHA1 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
SHA256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
SHA512 ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff

/data/data/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 ead6b389b40c383257535d44e7d26654
SHA1 af638877001d5f97176a8c554a2bb3cc2f34541f
SHA256 a114326e2bcdb29065cd9a0e893a114efc6eacf34816dd322cdc7226fbe9ef97
SHA512 084752771f705e4cc333e32cbfb81cb1491f6143e496a3f2a0821149b912255b3167ddf346255bd08ec4be0a7ec8f0487ec644c880efd6d99d033c2f1068d7b7

/data/data/com.mycarroll.app/databases/google_app_measurement_local.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.mycarroll.app/files/PersistedInstallation7078199946587208054tmp

MD5 3f2080752431c5f73ea199ee0072bc10
SHA1 9d57c4991ee05da0e3a9c244eb393db2dbac9705
SHA256 7b19229634829eebd216000a949c86f7354a082ab54a49f6fb1d69dfd64e066f
SHA512 24a090e3c23f83dca02d99db948df730b6862f86160fff900b9adbe2f38dc79b1264ffc84299a0447e105c70f4c01a3b686dfc02139e5c0d4e4678e5e86a97e0

/data/data/com.mycarroll.app/databases/google_app_measurement_local.db-wal

MD5 fc941d0e9a58d744903acc66268a03eb
SHA1 b7b0e2c46280ce79c5211a09da6e8470451947d7
SHA256 68667a2f8a91ce7cd869f46d99bd8d7090be3b4e0004dd20baa5ce1bcc7a791f
SHA512 c8952bba8da49fc0404c6310e88ac00b22bf80db7896da685704a511fcc6de9b792621742321aa21ece23f4027be9748034bcaec84f5cfac077e21340d0a62c5

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 19:37

Reported

2024-05-16 19:41

Platform

android-x64-20240514-en

Max time kernel

5s

Max time network

131s

Command Line

com.mycarroll.app

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.mycarroll.app

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | 110.201.58.216.in-addr.arpa | udp
GB | 216.58.213.14:443 | | tcp
US | 1.1.1.1:53 | irnadl.com | udp
DE | 94.130.217.114:443 | irnadl.com | tcp
DE | 94.130.217.114:443 | irnadl.com | tcp
GB | 216.58.212.194:443 | | tcp
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp

Files

/data/data/com.mycarroll.app/files/PersistedInstallation993617447448333936tmp

MD5 5597498142a3d09cada924266b4eb794
SHA1 7902a4a6491ee954c8db78c21edb6e0d22f3cdad
SHA256 225457cd2b049d19c1771e558ad98159dfccef10d1638d464ce7043aa090a5ed
SHA512 85a92ff36a70a394e73d5a9c818c2967c9083cd4b6465d405c6c67c4457f4777830084b3ddf814fe2d306b404750a90a55a44c92d1dfde55c2fc8d5ce45fe0fa

/data/data/com.mycarroll.app/files/port.txt

MD5 b143bb9b14c916972f31e4ce92ce9fb3
SHA1 9d365fb5be0934e134cede71eaf6c29e5170f656
SHA256 bab3ce5611fdd6dcb48e24c4a8f7d34e2f0b2eaca95418ce0c26152e8f2a844c
SHA512 89993f29ebad7daee5fe55c460082c86eab646647666d2d6113dbf8c7739bd42425857f539b1c071dba7047c590b4ae11b95b0da2f4de3ab9a95639046453ed2

/data/data/com.mycarroll.app/cache/~test.test

MD5 098f6bcd4621d373cade4e832627b4f6
SHA1 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
SHA256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
SHA512 ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff

/data/data/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 a24cf9dd0a6eccc77df6d84fbe6c3f91
SHA1 4b2c37277ba2df55158dcd473103d5ef11812f57
SHA256 70fae202a970bc7501ca474d2c32f70e3e58e1187bd405c4c12674f31af0ce97
SHA512 91d8c99a3f5b6f96357c6ec0b4547ad29ea72073f3b9eaa7cfe45d94f69ab89fa1e2ab7a56ddb2b89a044edc47e46dadc0c7720c611adebea642f0d7b6bf3e37

/data/data/com.mycarroll.app/databases/google_app_measurement_local.db

MD5 eb52a90bb70b76e946b62f50b6f7fb85
SHA1 42d767b5d1faa7dcef4cb4e1432a5f47ec2e9ee0
SHA256 48472f593a3e9cf9e91ee5f7d66dd9ff291bfb247eb6b46778c710fc24e8d3c4
SHA512 b356c858cadd14b6ecddf134f1c494c0107a1d36be9387984fc53dcb00e6779d944f058f4ac99d0fc2fe3a427cd1c2921c6fc38ecad53909fc4b5b6f04459b5c

/data/data/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 56f9fdfd03ffba17b3ba4cde3efaa60d
SHA1 ef9d80e6b8f4b76bb091abd28b34059ecbf963bc
SHA256 5edef69ff24e9a03a940bf84fdc941e0c0eb44105c417468cdae504b1011ba8d
SHA512 b699f9ea362889244d053e1612dfe8f85e96e479ef96f318224f3b64ec0a308b9116f0fce560a7c2d0995b3e337daf11190ddb1a3872f4bc1ebae0d879fa8d84

/data/data/com.mycarroll.app/files/PersistedInstallation5282036813171328461tmp

MD5 a22bd3002b2a0b41757b4fb507ed8fdb
SHA1 99f5596acfc8ad0bc13239daa1102a4fc22f3d56
SHA256 b7e048807231648020d6600af9fe2e5758abea1de5d087d69f7ad8968cc07ebe
SHA512 5ab231188f83efc1df5e0e5a41e7a7c43bae957f1097593490b886ae6e6a711975ac7b988a25019313bc275d8d57d58cec128fe99db7377010e89a961f476f42

/data/data/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 5851ae1fb773adfd7024ddea42194ecd
SHA1 22f7b8aa2c023f43821e5044f2bc97146ea956fd
SHA256 e1bab172836a664cbfafb98d6951eca77eb7b34c035e46b0054367408fabb16d
SHA512 937fcc48b5299f8e237d05cbc3df6e371dcd46a216cd41d3c1909c59a9a48797ed555f4247e012bff475bca2e57a3789c1449a3d240c66dc464bc37423bd81e7

/data/data/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 25453aa44d7cca286533332294af9964
SHA1 0570798efcc9672378add8a4c5b215985b0085ab
SHA256 ccf33bbcaf398a082fb66d71dad3752d9a39e72d17c36b91e1b1bf2715b769fa
SHA512 aed2387e0d7070abd33577dc461774508105dc81e1a4ba4738a2b6d5e42bba8d277c13ff1f27f489fbcc062cd63111654c1396ffe53b12ddd93120181b1d476b

/data/data/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 9f363de175b11ffe625245fca6fc469f
SHA1 eb84832de77577db87bbd01c91b50cb5aff2285e
SHA256 3456c0fec75044d36f3b715dd295d5a2422651792042d4fb0e28e329919ba19e
SHA512 2e79ded51ec1acdde51c6eafdeb54fc08b796e8ea1a3c1baf648db754e710ed7d81bd900170c13c67c66c08666ad4b600a0c9299f36d4a6af4198cf308cf6300

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-16 19:37

Reported

2024-05-16 19:41

Platform

android-x64-arm64-20240514-en

Max time kernel

4s

Max time network

133s

Command Line

com.mycarroll.app

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.mycarroll.app

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.179.234:443 | | tcp
GB | 142.250.179.234:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | google.com | udp
US | 1.1.1.1:53 | 78.204.58.216.in-addr.arpa | udp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | irnadl.com | udp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
DE | 94.130.217.114:443 | irnadl.com | tcp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.187.196:443 | | tcp

Files

/data/user/0/com.mycarroll.app/files/PersistedInstallation2824569658988199453tmp

MD5 b4e655f3a583e44ea70edf6b2edd4fe8
SHA1 2eb7e8912be4fc179a8d8d356391b3e6d0bf6e6b
SHA256 8f209dfc18dcac9bb4814aec25037ba527d3bdbbb4794fe99f8951acc49a1f59
SHA512 53977fd5cd655d702c07a9df99714f88ee5b190faca4ac007533ba5608c3a4deb94f27655ce9c7d2eefc35470be38cd537d8781e5bc6f273cc9011361d8c538e

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 375eae567ae94131c1e5ccf9b24a3b15
SHA1 215dad3bfb62db122559f413533f843a779a3519
SHA256 7419f38cc3a56f6c63a2f5a41d598f14b6276717f099c8beff8a685366af8e1f
SHA512 9c510c489346aab221445e39b9130f7ec48b414cd65da57c93fbfdf59ea929fc388487d926ecb58a1119dc502808e433c8304539585d6a5227ace68f1f4466d1

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db

MD5 d9cf75fdd1c2292d986f6c3d5d60f2c8
SHA1 07ecb1d3a26d952ae5fecf54f36699ab498510b1
SHA256 2d227e9b7a044c8e10294f6a831fb92d81ea9582381796d87f35bd268e37538a
SHA512 442c96e4b4c79b8d1c64dd3a6d6088ae1dace441e78d830dfb3190ee1c0fafebc606fb432071b4a1ad1a4ba9b68c7877b0bce520ccc88708feaf82bbc474e0cb

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 7fae6948dee14b7f7a912de850e07be4
SHA1 5045520062d3021d881af3112df2ac1e78526c50
SHA256 b2ff4021ea948be42f25eecb70535c4da8c1d2a42c78bcbc515e4a511d1e0986
SHA512 1f778d893d82d936b5294f4ebc5b3a8b1ea9f4ca1b75dbc5594738ceda04a4748df63240bc8c92edb067f0fc3eee79d742dcb22f08d14e1a7ca1e7c73c197e1e

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 64d2020aa10285d3800ee08956f6eb8f
SHA1 ac89c83fcfefce49c5e1b0641a31a2fa2d570f6d
SHA256 69ec9f007a7f24bba1373498cb1084e74529072459c8e46e4da0cf41efdc21ca
SHA512 0dbbcfc2a99a91c74b1e95bc550e922f326f687b9e93f653ac9d1e15149836b777d3fec8d15b966ea987dd42c75dbc69459a372a19834f7169c5926e649a26bc

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 9b6767ef68be574af1c240fab59aefdf
SHA1 7d6a42b0bf6df04b80e129cd01cc6e11939b9721
SHA256 572715b4c70d547a80f694573935e5fa67d55eed3a7e1992eea312c6243d12dc
SHA512 f7a5e4cacc6259a5918af7a189024bfddb5b05f630e5950f29c9d1e81d935b610b125fbd514fb11b0afd0e393d98fce4859a96ba98ad6b81ee195ca6095cc446

/data/user/0/com.mycarroll.app/files/PersistedInstallation7953289985119801816tmp

MD5 57c16fd0747f6c2d0e660395965867b8
SHA1 b465a357413fd222e41bbff06359ecc922d4b349
SHA256 2d0ba2c418754a69ed2a2ba01d659cf13d965fce0de3418e27668c7543e920ee
SHA512 4db63de4a7636f5e3fa5a256cf3f5bbc948b7663e638666703b9c030758e1c20ead3d3713dddef206129479ee0892f83af483594442cce1bac74341048ad3452

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 848d4055ee7ef22cc21c631f00f91d9e
SHA1 f2dadd1f453174f660423d114a8cd9e982ccd05b
SHA256 a008a5cbd61c5c7828abaac6158563c1aa79c5bac4fe0c5f7a4083f5eee4921c
SHA512 3c830a1e57b37e1b0501c44d8e41bf32ec25d3d39b45c1c94bd2e28448c52de38766c86987e7115437e78f05ec757360a5df68350926ffb6e3fa1be377e19204

/data/user/0/com.mycarroll.app/files/port.txt

MD5 b143bb9b14c916972f31e4ce92ce9fb3
SHA1 9d365fb5be0934e134cede71eaf6c29e5170f656
SHA256 bab3ce5611fdd6dcb48e24c4a8f7d34e2f0b2eaca95418ce0c26152e8f2a844c
SHA512 89993f29ebad7daee5fe55c460082c86eab646647666d2d6113dbf8c7739bd42425857f539b1c071dba7047c590b4ae11b95b0da2f4de3ab9a95639046453ed2

/data/user/0/com.mycarroll.app/cache/~test.test

MD5 098f6bcd4621d373cade4e832627b4f6
SHA1 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
SHA256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
SHA512 ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 f7b5cc12b4d47bf07020e315b29244ff
SHA1 24e5969107ce0f999da48af0cca1ab85bac2b7c7
SHA256 d0dacb15ad0a10e0e4c1bf45c049ac19885ab19115fd06d6a3f3f15ab3612653
SHA512 59bd3cc69573ecf5618cd88aafa1b8321434f8ce2405cb9b10269ac1ce04869d272407ce2b9ab4b68a7ccfb616440e7935fe48b7641f49f04e70e158f612aeb5

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db

MD5 235b5450bff4d1e1e9ea9f9830b6594d
SHA1 efc3988b58aa3d875d78be8fcce108736e78d2d6
SHA256 d758e70069f473d5f8c957fe0a6dfff8d94f93928f8bbe6c1d9ecd68c9273cb9
SHA512 80ec9dcecbe1e4ae58683bae0bce74a2ad1e38629222d4a3e33d59f3fb7ca902312718f6f90053bf5f4b54dbb4a99b52095f87aaed558e4faf39ea113c105bc8

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db

MD5 2d8e32f5352a1d7e5ebc61f34b8616d3
SHA1 cc35c11581237d67bc3506c551c0d795e2b1db60
SHA256 1317d6ab850d0bee9478f0af11521567ae771ee1ec33ae122cccb7c77ed6de86
SHA512 019d81b480befbc111066e3d963ff786a12a85abecc368f861d38a317341ebaddb8d08be1bc3f869aa2ed495b5dc1c4f1b53ad2c839df3bc33f373391d56497c