Malware Analysis Report

2024-09-09 16:14

Sample ID 240517-wa6t5sba69
Target 50b31094574176ab12d7a32fe9066d43_JaffaCakes118
SHA256 def02d3f63d1c787762e099678a7d8369dd391a296433ef0880a5f5ba16b6ddb
Tags
irata discovery persistence collection credential_access evasion execution impact
score
10/10

Analysis Overview

score
10/10

SHA256

def02d3f63d1c787762e099678a7d8369dd391a296433ef0880a5f5ba16b6ddb

Threat Level: Known bad

The file 50b31094574176ab12d7a32fe9066d43_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

irata discovery persistence collection credential_access evasion execution impact

Irata family

Irata payload

Requests cell location

Queries information about the current Wi-Fi connection

Checks CPU information

Checks memory information

Obtains sensitive information copied to the device clipboard

Registers a broadcast receiver at runtime (usually for listening for system events)

Acquires the wake lock

Reads information about the phone network operator

Schedules tasks to execute at a specified time

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-17 17:44

Signatures

Irata family

irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 17:44

Reported

2024-05-17 17:47

Platform

android-x86-arm-20240514-en

Max time kernel

22s

Max time network

139s

Command Line

ir.naderh.iran2018.walkietalkie

Signatures

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

ir.naderh.iran2018.walkietalkie

Network

Country | Destination | Domain | Proto
GB | 216.58.213.3:443 | | tcp
GB | 142.250.200.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 17:44

Reported

2024-05-17 17:47

Platform

android-x64-20240514-en

Max time kernel

25s

Max time network

147s

Command Line

ir.naderh.iran2018.walkietalkie

Signatures

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

ir.naderh.iran2018.walkietalkie

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 142.250.200.46:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-17 17:44

Reported

2024-05-17 17:47

Platform

android-x64-arm64-20240514-en

Max time kernel

100s

Max time network

134s

Command Line

ir.naderh.iran2018.walkietalkie

Signatures

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about the phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

ir.naderh.iran2018.walkietalkie

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.201.106:443 | | tcp
GB | 216.58.201.106:443 | | tcp
GB | 172.217.169.14:443 | | tcp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | 31e9479c25cb4e25b64e8195a679312c.s.adad.ir | udp
BE | 74.125.71.188:5228 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.212.196:443 | www.google.com | tcp
GB | 142.250.200.4:443 | | tcp
GB | 142.250.200.4:443 | | tcp
GB | 216.58.212.196:443 | www.google.com | tcp

Files

/data/user/0/ir.naderh.iran2018.walkietalkie/files/unsent_requests

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/user/0/ir.naderh.iran2018.walkietalkie/databases/evernote_jobs.db-journal

MD5 f198453ffebd18ab2ee5a5d479e4f798
SHA1 0dbc369b058bf3eede99dfbc6c246f3115ae5b4c
SHA256 9294757b85a21b8ec36379585eece55cac7a2a09516ee62e6e511926c1f9b073
SHA512 b62a5b6964ea9fbb3550394bc2e86fe0d528b13acd1cd21cdf90c92f01fe326a02d310c81b1fae5e6a40206d022dd6620fe0ed62c4b82a104dc705ed03e1b4dd

/data/user/0/ir.naderh.iran2018.walkietalkie/databases/evernote_jobs.db

MD5 47080e3bfcf2db9b8620f2faf6c5857a
SHA1 6f63c1851255e0fa99567f047382074b086d38bc
SHA256 dc4f8a73f49d2a6b41ff425fd08b85c1eba5280c438a1a1ff9832e91dfa56cbb
SHA512 e757043d82798926a5ddd716457accf6616894ad1ad79ec832293a1f662910b663239f899bf05a5c8d90fed5bcb093c5529e5bc842fe9003c1d5902f9ed84473

/data/user/0/ir.naderh.iran2018.walkietalkie/databases/evernote_jobs.db-journal

MD5 88d813c48eaf021f883cd57883aed3e6
SHA1 88193e0ea3aef5ebbdebd0a1bdf39db27fe4abfb
SHA256 9f2e33bed49ea374f509b82910352c45645f9ac4cab8c39725754c92963879a0
SHA512 6704e8862aeb2ce74d0d491146c689f1677119ff19d19f1b91adf543a776fd75eef65d2bc767cba64798d71bbe420828fdf3ce0762bc43205cf85ab9cb6e7263

/data/user/0/ir.naderh.iran2018.walkietalkie/databases/evernote_jobs.db-journal

MD5 78a604fc95144528bd26c096d290e919
SHA1 d7e734a910ca2e967f99a06894489b1ed01a85d1
SHA256 bd8f38c5e95294c48ba71c3c4c4e8559e18e397e941cc06563ed1dc6b3cbf696
SHA512 9454b199fe32dcdfdf976fd430294fec206f0fc28f4405f6e25d97ff7c3693ef79f1544a4100a9b0e92675bbd1b469bb0f70b273a172bc015dae7bb170d7c5f3

/data/user/0/ir.naderh.iran2018.walkietalkie/databases/evernote_jobs.db-journal

MD5 a07391e2e359003189c13455cc679d10
SHA1 442aa45a68dfeecbd1c3a80a18d8aa7fa5585eba
SHA256 a9a28dc04a8c4fc4bd728b135211c76fce6bab0569256f277de49881fbbfd45a
SHA512 19f06f5c7e3d5c542ce088e7e4237ce3ff522f95f9f25e41a0df0a147162c7831562b969a60f3c3e572e24571c514d39f63ceff69ecdcd0ca00e969b50e02dcf

/data/user/0/ir.naderh.iran2018.walkietalkie/databases/evernote_jobs.db

MD5 25164aa717b922d7ca9990c5cf46e889
SHA1 a888b641c8a11c7f97dbc620f40916ddb1c0bdae
SHA256 4a35806a697ccae82f2b29154cb6649d5b06b959042a234e2ad1420bfb700541
SHA512 bc2c848fead4da0d8d0f03eb71fa59f3d0d00bc73ae13ecf8cac80b3506626b316d5f3ded1701a4270561fcfea71aeee0939e08a45dd2bb93e0529121a555879

/data/user/0/ir.naderh.iran2018.walkietalkie/databases/__pushe_base_lib_db-journal

MD5 ea6fd301a5a776d53a7f55cd90a9a138
SHA1 1c0f30efa228abdd405df40751c47b4f1f9f98aa
SHA256 66e6702d48e16f9c597ad94314fa792c9569bb1104a1ab821cf76e1d1d680d34
SHA512 5bdb541501b107cd3352d8a9509c3a738611b81141d0b0cdc516a70381b11ef78756b1e537397fec79f98610d8bd57d413bb37c715e6cad0ca77d2fa599e5a58

/data/user/0/ir.naderh.iran2018.walkietalkie/databases/__pushe_base_lib_db

MD5 5ebbf2da59a359130ddec2aa7b6395f2
SHA1 acd3ddd881f4008dafebabc43ad5eac6a1a22311
SHA256 e9906f016d21019db121da5ec2beef247a8b00106b44cfe802ede801b82a52e9
SHA512 817b20d5361f52192488a4906f605bc385b7bced58fee58216fc5173e8ca70892242f7a6e466c25a061a105c49b1e4d065865e101377608d73b142d5f86361b8

/data/user/0/ir.naderh.iran2018.walkietalkie/databases/__pushe_base_lib_db-journal

MD5 336923e542d7bddfee587d6a39492cbf
SHA1 bc9a19bd50a7d27c667ed8f2c683011d4bfba713
SHA256 93febdb5051158b0baac837cb176c74a73f087e78c476b795723088c60500541
SHA512 38d03d77992ccfb3a4d1a1c2d932740572adc4e13abcd50d9fe1db62f7b0e67200224dd4fe3201986ee6b1f9498b978c3a0face8724ba6c3e5e3a4a09cc49f46

/data/user/0/ir.naderh.iran2018.walkietalkie/databases/__pushe_base_lib_db-journal

MD5 30a00e2818793c599be19934a35e2e4c
SHA1 5ea1ccbb57903edfd111b3c9c2ccd6b99c76b594
SHA256 8f449e756a83e50e89bbef6339e2a7ef17d40f75fb9c6169e239f081d1345ac0
SHA512 f08a6c677c74d9dea1ba93541684ada16c722802f5ab9bd541bb1f3f270102a5d3343d1dba0160a9f9244e55c98e7d1ddb36baf0d642d170dde359c584643086

/data/user/0/ir.naderh.iran2018.walkietalkie/databases/evernote_jobs.db-journal

MD5 ba90f7d53c6ec94e38cab8e89588cdb1
SHA1 e79ca10edb6451d6126c2cc8c787157b5daea7bf
SHA256 73884596571e20a1b9effdf7922bc98152566b698ba83561e8bfca620546e02b
SHA512 d49063822512c66f8865892903301c9ff31c048712111fdc3b4283cf1321f5dce5d14f605046eab4e02cf83e68b839da098c1e53a09b2929b5f69ed9dc8fcbd5

/data/user/0/ir.naderh.iran2018.walkietalkie/databases/evernote_jobs.db

MD5 88267be05d8d1452ce467d1db69b0be9
SHA1 2101ae1fcfb18a7c05f8596431998b1aca4bf906
SHA256 85132df83bfe02acc8df1a343878897033c679887776f12fdfb44d7add6fc5f1
SHA512 82e9479c0c2cca3d5ecc70449924d0a6686e131fb53ef0486da3fbe56b965c7744daad1fea45fddfcbbcf96e65bd0f3c99bc40b311bb4d2970b717e7dd62a383

/data/user/0/ir.naderh.iran2018.walkietalkie/databases/evernote_jobs.db-journal

MD5 01d20bd3b1de49c5f1abd0e2f7953215
SHA1 d59dd4d3a8032d89be03dc4a8052eb1c8f20e2a6
SHA256 f99b8d8d3d7b981e2b55892b60694398918baa34b2218b55dd7008a9cb258a8c
SHA512 01bba3e3176664b16c92e0d2d7ed6c7e744b22ebae559a0087c59b4ca8a357f83dba3224acdc9a2e63ebbd9c4159c0ea02423fbd4b8203adb39f73cfde75a41b

/data/user/0/ir.naderh.iran2018.walkietalkie/databases/evernote_jobs.db

MD5 378799b91450a1c883d55793a0edb71c
SHA1 ebf615cf12cc8f6560583368161e0c9c45d32423
SHA256 1f0b64e047bd9d8ba58f82760ed3d1f216106fa870ac2f1c4c2abb1e7eea0fa2
SHA512 b35ad44a5b889d2222a9518a04bbe5bcea99293d4cbeb978804488278d559c964715c7f2afdda89a2c1460e55555255807780e97e0a59a0c54a75c7d1b34c67b

/data/user/0/ir.naderh.iran2018.walkietalkie/databases/evernote_jobs.db

MD5 116eeaa5121fb610009f1927ade6290e
SHA1 6bd329c08ca79a926e487e275507eaaf19e95e54
SHA256 8a746093fdf0fc51eae52c091a7af4aab96451b3553194ceb14206698ad1f585
SHA512 b43d92409158e83b703af5035c74ab68079873640f649a3f54c96339014107a9a0246256ae267b6457d8f95d28ba60bbe231a354b81541df9d86ba14777a368d

/data/user/0/ir.naderh.iran2018.walkietalkie/databases/evernote_jobs.db

MD5 c083a1d67763b9656547e062a7bb83e4
SHA1 e2f01103ccc9dd1036009b8edc5bc2245debaf83
SHA256 3e70eb6a806a6002851979c52bbee675adf0b0ca9cc08c19217ea276eccecb33
SHA512 dd083bd40bebb9479aa84d81a2ae9b791a986f3e2d69a866d1d4087479862338a9f97081d10288d59119ef895d841d668701de71028418b4c791a33fed83302a

/data/user/0/ir.naderh.iran2018.walkietalkie/databases/__pushe_base_lib_db-journal

MD5 d66285ec078e14ac628fe86b10849982
SHA1 97d37be9d17bb1870ed62ae81a9440885528723b
SHA256 1c839d70caa6f8d485ed3e4b635887144c1c7344d773b211620a0078b7ff9665
SHA512 f552a8f3c4831738e18e8ab50ae32f89171a16904389db03622dd42481a1430d00446fa24885b29d2d6cd3fa30af97d2e196affe3deb985f89a6c29eda1fb7d9

/data/user/0/ir.naderh.iran2018.walkietalkie/databases/__pushe_base_lib_db-journal

MD5 885ea96caafc60b6607515eaa9d0c398
SHA1 42c940227358284fbfd0d6e79dfa8ad5940cd3a0
SHA256 b0043dda93d2def6b1f6abb3de62c6fd1c129281ed0982998bfba6cdee8e3ac3
SHA512 9f7d4725466f3cfd9ff39fc0725efe2aab98ae12f4fcb37d987e3c6a7130acbdc193dbc14d876ac7473ab8265b429d623474f7251944e150ead0baabfeb9f96b

/data/user/0/ir.naderh.iran2018.walkietalkie/databases/__pushe_base_lib_db-journal

MD5 29cd71bf824e2f82906f3c0d1a879fc4
SHA1 05beef2b5709eaf8219d6b2d6a32b11685da1291
SHA256 259030e360ac8a37bb42cfe7980cd75497c6095209b9d2e328a672f32d4a1a62
SHA512 46ed1186dcea49b0b857ec21a724dc2c685c3b4baa2a787bdf4af6a960c6c12f6c5d94855696ed4f49761954f65742f80a999e571132a5d432040ba6b68b8cb8