Malware Analysis Report

2024-09-09 16:10

Sample ID 240517-bx4cbaba9x
Target 654e2cd54529f03d48dd196c65051db18af984e59f88c48a5f2bd8c538581bcc.apk
SHA256 654e2cd54529f03d48dd196c65051db18af984e59f88c48a5f2bd8c538581bcc
Tags irata, discovery
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 654e2cd54529f03d48dd196c65051db18af984e59f88c48a5f2bd8c538581bcc

Threat Level: Known bad

The file 654e2cd54529f03d48dd196c65051db18af984e59f88c48a5f2bd8c538581bcc.apk was found to be: Known bad.

Malicious Activity Summary

irata discovery

Irata family

Irata payload

Requests dangerous framework permissions

Acquires the wake lock

Checks if the internet connection is available

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-17 01:32

Signatures

Irata family

irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 01:32

Reported

2024-05-17 01:35

Platform

android-x86-arm-20240514-en

Max time kernel

3s

Max time network

132s

Command Line

com.mycarroll.app

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.mycarroll.app

Network

Country | Destination | Domain | Proto
GB | 142.250.200.14:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | google.com | udp
US | 1.1.1.1:53 | 110.201.58.216.in-addr.arpa | udp
US | 1.1.1.1:53 | pishro_phishing | udp
US | 1.1.1.1:53 | android.apis.google.com | udp

Files

/data/data/com.mycarroll.app/files/PersistedInstallation1875901984500618313tmp

MD5 2b375fd249e09fcb94a3d110d3bf7418
SHA1 aa9048846cce4e1f6312cd251a38cea06238b93b
SHA256 c1b48013857be5ae6febd5c2220a04f0eb520e82f9eb48874f4f806fd5f6092c
SHA512 1a22c4b8b6000fcf43cab3b5528aee62c2eb9558bd4573d12a20f2c15efc8a5cee9fab1580890af4ff898d532c8fd1828bf33e09848726a260599184d4797af1

/data/data/com.mycarroll.app/files/port.txt

MD5 4f030a02e1a1b7c16733403b65164e5b
SHA1 d463a841c6ddd212bedfb1e68c7639426e354f0f
SHA256 46fde00bfa275b287932e1a651e072c36a0a43c50d41f922f5ed72e9b3734441
SHA512 902d226fbdbad3178c7f9390c0762620cd31595e7f582b926a552edf5d3bdaf379ca4cc53f6263b5a8fc305a3dd2c805280ebb1d9ba79213d67b87d3c13e416b

/data/data/com.mycarroll.app/cache/~test.test

MD5 098f6bcd4621d373cade4e832627b4f6
SHA1 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
SHA256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
SHA512 ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 01:32

Reported

2024-05-17 01:35

Platform

android-x64-20240514-en

Max time kernel

4s

Max time network

170s

Command Line

com.mycarroll.app

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.mycarroll.app

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | google.com | udp
US | 1.1.1.1:53 | 238.187.250.142.in-addr.arpa | udp
US | 1.1.1.1:53 | pishro_phishing | udp
GB | 216.58.212.226:443 | N/A | tcp
GB | 172.217.16.238:443 | N/A | tcp
GB | 142.250.200.36:443 | N/A | tcp
GB | 142.250.200.36:443 | N/A | tcp
GB | 172.217.16.238:443 | N/A | tcp
GB | 172.217.16.238:443 | N/A | tcp

Files

/data/data/com.mycarroll.app/files/PersistedInstallation1659426584330749732tmp

MD5 dbd542e9cf1bc871228f11bba70ef406
SHA1 b09d029b315e575228eccd28396bbe8251f3b20b
SHA256 27a99b91fdf6835f1cf3ad84b340893e0fef783fcc60a839af90e172c52ce1e0
SHA512 61c522cedf9a3b1cbc3e5557f11a8bd2c904904cb5beba2aba871364a02d2975108a57fc2633ee8ce7615d22495017bdc87f5201620aa0f89eb4263e6ffaa833

/data/data/com.mycarroll.app/files/port.txt

MD5 4f030a02e1a1b7c16733403b65164e5b
SHA1 d463a841c6ddd212bedfb1e68c7639426e354f0f
SHA256 46fde00bfa275b287932e1a651e072c36a0a43c50d41f922f5ed72e9b3734441
SHA512 902d226fbdbad3178c7f9390c0762620cd31595e7f582b926a552edf5d3bdaf379ca4cc53f6263b5a8fc305a3dd2c805280ebb1d9ba79213d67b87d3c13e416b

/data/data/com.mycarroll.app/cache/~test.test

MD5 098f6bcd4621d373cade4e832627b4f6
SHA1 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
SHA256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
SHA512 ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff

/data/data/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 549f5fe37ef6f4139b5c14aa8b4d5ca7
SHA1 8ecb0827498b1ac78df7aa44da50978ab486030e
SHA256 8ccfe02e76e5b9a387e43b2ff41097162e0d3d5556a6a2deaa13a331bd3cbacd
SHA512 fa49bc21b2ecf63d0574b3e27bb7bd0b02fdba786e2ea2ab6e74c033497e50803bd94f5988b664d0f99068f3f9ec62d7092a335e22bbd5fadb71d1735759508d

/data/data/com.mycarroll.app/databases/google_app_measurement_local.db

MD5 188c0542bc062e48b614e5ca8c1081af
SHA1 0eb9b89a5c92957cd1fe748cc063b32853339774
SHA256 c1ccc325c2699ed7f556cf171566317f706a911c4d02b1644a2a7908b93da58b
SHA512 62a67f2c56bc3b40d49c80094f160d355a8f67130e1924109426e0481008bc2cd11a9e2675a901abd03cad1e7fe0028031e20d826437edcf35b6f86e2499c2b4

/data/data/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 655d17d06bcd50dd05d147db90cc6857
SHA1 f8cdfc38c4bb0336dbabbd6ae19687624aec0ac3
SHA256 d65a8367e72bc43551331dd731a29a65828471036ae7b20c01c3b56b49bcabc9
SHA512 33b71ea94d95573b87bf1b53e961d5fee2ddc0556abcd4c7f039c66502d6896ea6e82ef123c4e5b413c060d74aebbcea9c4cb08aecdca189383fe1afd013a745

/data/data/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 e46941ce317efa0be5a3dba7c16e2e57
SHA1 efc94aafebea08c82e7c9e73b2dcb979a77725de
SHA256 25e4c341d90b36e8661354a45abbf8a0a411e38b91211e5b7bf816e5fd96a37d
SHA512 ea46e4cd08e58878a98b94630dbcca625ce4952b653e05d56c5972e5c202cd252fbef5510e4ceb347481d905c26037dc012e57245bd0e4dd93f2ae18aad6557e

/data/data/com.mycarroll.app/files/PersistedInstallation6855205223254721673tmp

MD5 097ed46ab12871a66f7bd75120c66b93
SHA1 dc78e5e33cdbc9fe771087202fae4db999c14518
SHA256 ed26f5dc2bf5a1105a2661cc134b30b78592ef915c00ccc2a24f566685c13482
SHA512 efadb74ea549aa71bdc741ba78f833ae077f9c69356bf47ed9337926b0c0a0697824c01de4573874b912d00ee383af62445ebc84848624d0a83fb3cc695cd4da

/data/data/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 ca82794f336b86c5246f1c2466a8018e
SHA1 d179c45027f6a8c06e463b9ae298a683decf2780
SHA256 00cbd31c1bf9cd0a42b803b8d36835ee81688bc9ae7a4785c7164d6850e0583a
SHA512 647d8bdc00bae8258e88af6646214c21649450001d89bc71de5c443f8d570132ff0078f5ce48317b23b90b0da9416a502a3af9ebe527549498e9d564c2f6084e

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-17 01:32

Reported

2024-05-17 01:35

Platform

android-x64-arm64-20240514-en

Max time kernel

4s

Max time network

132s

Command Line

com.mycarroll.app

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.mycarroll.app

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 142.250.179.234:443 | N/A | tcp
GB | 142.250.179.234:443 | N/A | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | google.com | udp
US | 1.1.1.1:53 | 238.187.250.142.in-addr.arpa | udp
US | 1.1.1.1:53 | pishro_phishing | udp
GB | 142.250.200.36:443 | N/A | tcp
GB | 142.250.200.36:443 | N/A | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.200.36:443 | www.google.com | tcp

Files

/data/user/0/com.mycarroll.app/files/PersistedInstallation7016713713791362894tmp

MD5 642e13e2ed5ac1a55bc809a912049435
SHA1 67195d8b573c60d731508199cffa0cddff66e333
SHA256 cdb2647dc84588644c56cce1ad0794276f204b2fd0ce04d1d180b80d06f78250
SHA512 f6701dd1d8328f29fb463fb72b27460455572e9c549f10a71d793696a7c5b5639f80e64afc6b71673d7028363e0938f8205a2caceee6fc4d63bf79a7f3f71795

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 d956ffb55ada49cba2882dee1ca706aa
SHA1 a20486e616525b48e0e52351a1a9eedd31b587d8
SHA256 2df63597475ada861378af72bc7cd40ba88d7766d23fbb8af799a445ba8780e5
SHA512 b89fe938feabd6d571c583d951b6400a369564debd6a6411162305e625d228b89630cc24b1f61b1c66cf065af1c5b8fc1f24b77f80d28e7771a27c0b0737896d

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db

MD5 d9cf75fdd1c2292d986f6c3d5d60f2c8
SHA1 07ecb1d3a26d952ae5fecf54f36699ab498510b1
SHA256 2d227e9b7a044c8e10294f6a831fb92d81ea9582381796d87f35bd268e37538a
SHA512 442c96e4b4c79b8d1c64dd3a6d6088ae1dace441e78d830dfb3190ee1c0fafebc606fb432071b4a1ad1a4ba9b68c7877b0bce520ccc88708feaf82bbc474e0cb

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 63681a901d89df5abad81836aae08ab3
SHA1 2554ff2e45bbb8e0d74ce48c2fe98255687bb7df
SHA256 a05e0eabe2886e39f1947a966f35c6e2f5d2f82c3279326a03cc566f16c92e13
SHA512 44e04b0f8a0544c9854f3c8b7b9241b0827058af21820ad65143f219f80737fcc6cf4c494e36b90d8a502de67f9dd552b8413132e79b0ce4a6318e54dce0f4d2

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 cfaaed48cde8cbd3072924cacbc0ec0c
SHA1 2af3588d9fe8aacc121b505ef80246c2e719fa10
SHA256 572282a56c4b9da90364c1cad91baf474b5d9b93dde48ef33a173d910e8f3d9d
SHA512 6797ce85faf1668342909946e8c2cd932bd832cec94b8257c3b1406174a1ad5b5a8baf250150ba4f1af956526b91e19398ad831fb761a3e76e0b0f401650cc15

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 19f708769ee6d03b2ba5292251bb1da7
SHA1 beb557465b44c074f3a6feff09a8dadc7ca275a5
SHA256 2555fde6cb89300e70cb8f1c8b7f6459da1a2745620dc7f075902c61bf138a11
SHA512 624dcfc07f6043853461ca11a9a6b83f4634a019fddf5aa2ed35bb57c0958325f9d1675513fff1986eb83281abca7dfe6ccc6e88a21f251e565f5300dd6f6928

/data/user/0/com.mycarroll.app/files/PersistedInstallation1560466221458577482tmp

MD5 2a9bbfca766ad88bd8310fbe9b028c0f
SHA1 999e7ac789c7fe68b49e582385d33c7572f4c1e1
SHA256 2d9b9a01cb582c4410936506670977c08fe7715ef195067566834b4d879ae428
SHA512 240a8409b4f59c3c8a516ba84bd44ec4c0257304b1a966dcdc09518de0c3a59974b1ced7b030878ea5e691f214d6fe969625c4d86c30b301ac4c222084c33528

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 38a36bbf3a84efe428589e6511601172
SHA1 b0fce82f17c0d06f1d26ef1d1eb1581dc90b9926
SHA256 13836669d9210f8c7e3b9c91bc365e1a7b1ba1abc0cfb3d1b88337abba960d4b
SHA512 7957b128d4d15acee7cff040c447a1f5c2b7f0dc93089e427083001661823fe033e6c0dd40c3d9e38e087edc8c73aa2ec1725d1ad442603aa67a2cda348e0cf2

/data/user/0/com.mycarroll.app/files/port.txt

MD5 4f030a02e1a1b7c16733403b65164e5b
SHA1 d463a841c6ddd212bedfb1e68c7639426e354f0f
SHA256 46fde00bfa275b287932e1a651e072c36a0a43c50d41f922f5ed72e9b3734441
SHA512 902d226fbdbad3178c7f9390c0762620cd31595e7f582b926a552edf5d3bdaf379ca4cc53f6263b5a8fc305a3dd2c805280ebb1d9ba79213d67b87d3c13e416b

/data/user/0/com.mycarroll.app/cache/~test.test

MD5 098f6bcd4621d373cade4e832627b4f6
SHA1 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
SHA256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
SHA512 ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db-journal

MD5 5e2f2a0a07305eba485273b61aaf6a59
SHA1 e12352e859ca015dac8517d9065054a57fb7a30d
SHA256 b93001b5ab14fc494c1635b66bce29209706b864b58b7851a4a37c6841d44749
SHA512 e12423d1fb495dfef8221701c87d71ee6055570c44fc94d10a0f0067cf00ceb2c6e488301c2f84a40addb10dc5b79ed39df9d619844382ece8870f6e73fa5bd1

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db

MD5 7cd49cfa7b44e960ce7c3f5303881f36
SHA1 24738ebe7531dfdb80e739e0095aeee5d0e62f05
SHA256 ac043ee977ece0d5b0d99f7296961414ea522f57cc50badd450b0a57f15e0fca
SHA512 1638105f0b50b6aec95316291f693a280baaa3ebb169550dc251b6d2ec2e53dd66498b9b94fac41afeb8c17933b8380e6ea267e8b995dad8159ec6427cc6a2e9

/data/user/0/com.mycarroll.app/databases/google_app_measurement_local.db

MD5 79fd5531fa4cde52e21e9b946882e731
SHA1 a67e4c7357cafb68a87540ed340e71d892a0541a
SHA256 e332982e9c0402ac5f2115c620c5800ee6b656869e70e97b0282fab595b03640
SHA512 93f2d8712e69c2a4104f77268503a1342f6557b73b24aae03e8aaeb65d45759a48e23451bc18f0901319fe899bb6fdc9ad4a4fc16e917d86c14f4abeb230781c