Malware Analysis Report

2024-09-09 16:13

Sample ID 240516-zdjessfd2x
Target 2d3e3491b892018302d45827b3bf5cb09699d933f1b13aa19abc3dd18fa75be0.apk
SHA256 2d3e3491b892018302d45827b3bf5cb09699d933f1b13aa19abc3dd18fa75be0
Tags discovery, irata
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 2d3e3491b892018302d45827b3bf5cb09699d933f1b13aa19abc3dd18fa75be0

Threat Level: Known bad

The file 2d3e3491b892018302d45827b3bf5cb09699d933f1b13aa19abc3dd18fa75be0.apk was found to be: Known bad.

Malicious Activity Summary

discovery irata

Irata family

Irata payload

Reads information about phone network operator.

Requests dangerous framework permissions

Acquires the wake lock

Checks if the internet connection is available

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-05-16 20:36

Signatures

Irata family

irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted 2024-05-16 20:36
Reported 2024-05-16 20:39
Platform android-x64-arm64-20240514-en
Max time kernel 3s
Max time network 132s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.temptation.lydia

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.178.10:443 | | tcp
GB | 142.250.178.10:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.178.14:443 | | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation1411389257265320472tmp

MD5 10458e2e9e3cc4d697c7d61840ec69ca
SHA1 6c52d1bc79515ab1802a4fe29c919397f3941a61
SHA256 5c07fdbda9abf1ee106cad474b96e028812b613662fa5be89b0fe81f22d2518a
SHA512 a77aba08227a785a02aa7734ea1fe561fd2e424c8c05b7d64395d7b7c54d7f81d6b19c7cd99dd379edced425f672db559f3ef725391fe93a57e0791cec0e2a45

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-16 20:36
Reported 2024-05-16 20:39
Platform android-x86-arm-20240514-en
Max time kernel 2s
Max time network 139s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.temptation.lydia

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation4584092612196842060tmp

MD5 af1f14d83f8bd4ca436142989fc7764b
SHA1 5be45aa93dc6a40294d71e6d39ecf687dfb5d9a6
SHA256 2d1f9a57326ef449ce3d3c06b4a8595b7079e7926078882b4155787b97eacb3c
SHA512 d604fec8cfa937d30df7645d07d84651bec9f41373aef20a6eb3165ee5658811bc3022de881cf9a025f0aa0efc027414c12664974c0b6bd506fa9fd3ada2d3b2

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-16 20:36
Reported 2024-05-16 20:39
Platform android-x64-20240514-en
Max time kernel 4s
Max time network 131s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.temptation.lydia

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.204.74:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.200.2:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation905729169621677900tmp

MD5 cdfce9b7d647d5b9524270b9368a5c77
SHA1 0927d092baeb7b5806a7c30ae5248d9bff7f2c2a
SHA256 7ca7f0234969d82e14e24571a5dac7811ed0365636d5e29b100321d237e44439
SHA512 6a19b999a9ebc0baa9cfc5208dd3044fa71d36119e38871be069df08c402d2d3c2e87a05a7cd90570b5b1de7bb4a2ef3a7c1f2a7c95aa5c412273f0c8eaf4bb7