Analysis Overview
SHA256
654e2cd54529f03d48dd196c65051db18af984e59f88c48a5f2bd8c538581bcc
Threat Level: Known bad
The file 654e2cd54529f03d48dd196c65051db18af984e59f88c48a5f2bd8c538581bcc.apk was found to be: Known bad.
Malicious Activity Summary
Irata family
Irata payload
Requests dangerous framework permissions
Acquires the wake lock
Checks if the internet connection is available
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-05-17 01:32
Signatures
Irata family
Irata payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-17 01:32
Reported
2024-05-17 01:35
Platform
android-x86-arm-20240514-en
Max time kernel
3s
Max time network
132s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Checks if the internet connection is available
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Processes
com.mycarroll.app
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 142.250.200.14:443 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | google.com | udp |
| US | 1.1.1.1:53 | 110.201.58.216.in-addr.arpa | udp |
| US | 1.1.1.1:53 | pishro_phishing | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
Files
/data/data/com.mycarroll.app/files/PersistedInstallation1875901984500618313tmp
/data/data/com.mycarroll.app/files/port.txt
/data/data/com.mycarroll.app/cache/~test.test
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-17 01:32
Reported
2024-05-17 01:35
Platform
android-x64-20240514-en
Max time kernel
4s
Max time network
170s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Checks if the internet connection is available
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Processes
com.mycarroll.app
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.178.14:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | google.com | udp |
| US | 1.1.1.1:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 1.1.1.1:53 | pishro_phishing | udp |
| GB | 216.58.212.226:443 | N/A | tcp |
| GB | 172.217.16.238:443 | N/A | tcp |
| GB | 142.250.200.36:443 | N/A | tcp |
| GB | 142.250.200.36:443 | N/A | tcp |
| GB | 172.217.16.238:443 | N/A | tcp |
| GB | 172.217.16.238:443 | N/A | tcp |
Files
/data/data/com.mycarroll.app/files/PersistedInstallation1659426584330749732tmp
/data/data/com.mycarroll.app/files/port.txt
/data/data/com.mycarroll.app/cache/~test.test
/data/data/com.mycarroll.app/databases/google_app_measurement_local.db-journal
/data/data/com.mycarroll.app/databases/google_app_measurement_local.db
/data/data/com.mycarroll.app/databases/google_app_measurement_local.db-journal
/data/data/com.mycarroll.app/databases/google_app_measurement_local.db-journal
/data/data/com.mycarroll.app/files/PersistedInstallation6855205223254721673tmp
/data/data/com.mycarroll.app/databases/google_app_measurement_local.db-journal
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-17 01:32
Reported
2024-05-17 01:35
Platform
android-x64-arm64-20240514-en
Max time kernel
4s
Max time network
132s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Checks if the internet connection is available
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Processes
com.mycarroll.app
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | N/A | udp |
| GB | 142.250.179.234:443 | N/A | tcp |
| GB | 142.250.179.234:443 | N/A | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.169.14:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | google.com | udp |
| US | 1.1.1.1:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 1.1.1.1:53 | pishro_phishing | udp |
| GB | 142.250.200.36:443 | N/A | tcp |
| GB | 142.250.200.36:443 | N/A | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 142.250.200.36:443 | www.google.com | tcp |
Files
/data/user/0/com.mycarroll.app/files/PersistedInstallation7016713713791362894tmp
/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db-journal
/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db
/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db-journal
/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db-journal
/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db-journal
/data/user/0/com.mycarroll.app/files/PersistedInstallation1560466221458577482tmp
/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db-journal
/data/user/0/com.mycarroll.app/files/port.txt
/data/user/0/com.mycarroll.app/cache/~test.test
/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db-journal
/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db
/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db