Malware Analysis Report

2024-09-09 16:10

Sample ID 240521-g3tb7aba55
Target fc2cbc8d925ee585cdc02e99bd467c8f943f891f377d3605a1e1329d33c7178b
SHA256 fc2cbc8d925ee585cdc02e99bd467c8f943f891f377d3605a1e1329d33c7178b
Tags: irata evasion persistence discovery
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256

fc2cbc8d925ee585cdc02e99bd467c8f943f891f377d3605a1e1329d33c7178b

Threat Level: Known bad

The file fc2cbc8d925ee585cdc02e99bd467c8f943f891f377d3605a1e1329d33c7178b was found to be: Known bad.

Malicious Activity Summary

Tags: irata evasion persistence discovery

Irata family

Irata payload

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Where each item comes from: the family and payload match and the two dangerous permissions are from the static pass; the foreground-service call fired in all three detonations; the device-ID query fired only in behavioral2. The only domains resolved in any run are Google's (android.apis.google.com, ssl.google-analytics.com, www.google.com) plus mDNS, and the remaining destinations are unresolved addresses in the same 142.250/216.58/172.217 ranges as those hosts. No command-and-control contact was captured within the 131-148 s network windows, so the verdict rests on the static family match and the framework-call signatures rather than on observed traffic.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-21 06:20

Signatures

Irata family

Tags: irata

Irata payload

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Requests dangerous framework permissions

Indicator: android.permission.WRITE_EXTERNAL_STORAGE
Description: Allows an application to write to external storage.
Process: N/A
Target: N/A

Indicator: android.permission.READ_PHONE_STATE
Description: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
Process: N/A
Target: N/A
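A static check for the permission finding above, written here as an added example rather than taken from the report or the sandbox: it parses a decoded AndroidManifest.xml (the form apktool or aapt2 dump xmltree gives you) and lists the dangerous-level permissions the app would actually hold on a device at a given API level, honouring android:maxSdkVersion and the uses-permission-sdk-23 element. The manifest below is constructed; only the package name (taken from the logged process name BSS.Absensi) and the two permissions the report flagged come from this page, and the DANGEROUS set is a subset of AOSP's dangerous-level permissions, not a complete list. Note that android.permission.FOREGROUND_SERVICE, which an app targeting API 28 or later needs before it can call startForeground, is a normal-level permission and will never appear in this list, so the foreground-service behaviour reported in the behavioral sections can only be caught dynamically.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Subset of permissions whose protectionLevel is "dangerous" in AOSP's
# frameworks/base/core/res/AndroidManifest.xml; extend it for your own triage.
DANGEROUS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
}

# Constructed decoded manifest for illustration; the report does not include
# the sample's manifest. The package name is the process name the sandbox logged.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="BSS.Absensi">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"
                     android:maxSdkVersion="32"/>
    <uses-permission-sdk-23 android:name="android.permission.READ_SMS"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return (name, min_api, max_api) for every permission request.

    <uses-permission-sdk-23> only takes effect from API 23 upwards, and
    android:maxSdkVersion caps the range in which the request applies.
    """
    root = ET.fromstring(manifest_xml)
    out = []
    for tag, min_api in (("uses-permission", 1), ("uses-permission-sdk-23", 23)):
        for el in root.iter(tag):
            max_sdk = el.get(ANDROID + "maxSdkVersion")
            out.append((el.get(ANDROID + "name"), min_api,
                        int(max_sdk) if max_sdk else None))
    return out


def dangerous_permissions(manifest_xml, device_api=33):
    """Dangerous-level permissions the app can hold on a device running device_api."""
    hits = set()
    for name, min_api, max_api in requested_permissions(manifest_xml):
        in_range = min_api <= device_api and (max_api is None or device_api <= max_api)
        if in_range and name in DANGEROUS:
            hits.add(name)
    return sorted(hits)


if __name__ == "__main__":
    for api in (22, 30, 33):
        print(api, dangerous_permissions(SAMPLE_MANIFEST, device_api=api))
```

Run it against the API level of the image the sample was detonated on; a permission the manifest caps with maxSdkVersion below that level is not granted there and should not be counted against the app.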

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 06:20

Reported

2024-05-21 06:24

Platform

android-x86-arm-20240514-en

Max time kernel

174s

Max time network

131s

Command Line

BSS.Absensi

Signatures

Makes use of the framework's foreground persistence service

Tags: evasion persistence
Description: Framework service call
Indicator: android.app.IActivityManager.setServiceForeground
Process: N/A
Target: N/A

Processes

BSS.Absensi

Network

Country  Destination          Domain                   Proto
GB       142.250.200.14:443   -                        tcp
N/A      224.0.0.251:5353     -                        udp
GB       142.250.180.14:443   -                        tcp
US       1.1.1.1:53           android.apis.google.com  udp
GB       216.58.212.238:443   android.apis.google.com  tcp
(- = no domain observed for this destination)

Files

/storage/emulated/0/Absensi/ABS.db-journal

MD5 f0a2c7e12c1da0e516401a5d28193873
SHA1 e90fc848e1cb04212938bd5f6d4726634235b222
SHA256 ff8925b62f0e6d4dcc7e77dacac9afe061dcb64ab3886e66cbea831caf5efe2c
SHA512 eb012fd3a6cac09aa88282d2478c4c3dfae47674a9af737440a84eb8aa72ca63613cb98822d3a580f966ffe2d6b3e4b8fd2e3928c5083cba1f41e64a91f3cd1d

/storage/emulated/0/Absensi/ABS.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/storage/emulated/0/Absensi/ABS.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/storage/emulated/0/Absensi/ABS.db-wal

MD5 2184873f20c543475fea34dd40fd5bf1
SHA1 f99f12395e683f36669e7fa3ba3441a562492cab
SHA256 370871730fe729af9def5c8b89619c81998a26bdf60770b1c84471256ccf5fe3
SHA512 74d9e1b7fb7a0bd79e1b2d51c6235a0fe024a7866005dfb6a7ce94a910038fd9ea5e70d8d901c5dc44fa755f1b2283512ae45e3346a27912b6f8a0036e7a89f7
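The four files above are one SQLite database and its sidecars: ABS.db-journal is a rollback journal, ABS.db-wal a write-ahead log and ABS.db-shm the WAL index. Rows the app has committed but not yet checkpointed exist only in the -wal file, so pulling ABS.db alone from /storage/emulated/0/Absensi/ silently loses them (the same applies to the -journal listings in behavioral2 and behavioral3: a hot journal is needed to roll back a torn transaction). The following is an added example, not code from the report or the sample, using Python's bundled sqlite3 module: it plays the app keeping the database open in WAL mode, acquires the file both ways and counts what each copy contains. The table name and rows are constructed, since the report does not reveal ABS.db's schema. It also shows why the sidecars were still present in the sandbox: SQLite checkpoints and removes them when the last connection closes, so a cleanly exited app leaves only ABS.db behind.

```python
import os
import shutil
import sqlite3
import tempfile

# Constructed placeholder rows; the real contents of ABS.db are not in the report.
SAMPLE_ROWS = [("user-1", "check-in"), ("user-2", "check-in"), ("user-3", "absent")]


def count_rows(db_path):
    """Open an acquired copy of ABS.db and count the rows SQLite can see."""
    conn = sqlite3.connect(db_path)
    try:
        return conn.execute("SELECT count(*) FROM records").fetchone()[0]
    finally:
        conn.close()


def demonstrate_wal_sidecars():
    """Return (rows_seen_without_wal, rows_seen_with_wal, wal_deleted_on_close)."""
    with tempfile.TemporaryDirectory() as work:
        db = os.path.join(work, "ABS.db")

        # The "app": schema committed in rollback mode, then WAL switched on,
        # so the inserted rows live only in ABS.db-wal until a checkpoint runs.
        app = sqlite3.connect(db)
        app.execute("CREATE TABLE records (subject TEXT, status TEXT)")
        app.commit()
        app.execute("PRAGMA journal_mode=WAL")
        app.executemany("INSERT INTO records VALUES (?, ?)", SAMPLE_ROWS)
        app.commit()
        if not (os.path.exists(db + "-wal") and os.path.exists(db + "-shm")):
            raise RuntimeError("expected WAL sidecars next to the database")

        # Acquisition 1: only the main file, as in `adb pull .../ABS.db`.
        only_main = os.path.join(work, "only_main")
        os.mkdir(only_main)
        shutil.copy(db, only_main)
        rows_without_wal = count_rows(os.path.join(only_main, "ABS.db"))

        # Acquisition 2: main file plus -wal and -shm pulled together.
        with_wal = os.path.join(work, "with_wal")
        os.mkdir(with_wal)
        for suffix in ("", "-wal", "-shm"):
            shutil.copy(db + suffix, with_wal)
        rows_with_wal = count_rows(os.path.join(with_wal, "ABS.db"))

        # Closing the last connection checkpoints the WAL into ABS.db and
        # deletes the sidecars, which is why a cleanly exited app leaves none.
        app.close()
        wal_deleted = not os.path.exists(db + "-wal")
        return rows_without_wal, rows_with_wal, wal_deleted


if __name__ == "__main__":
    print(demonstrate_wal_sidecars())
```

On a device, pull the whole directory (adb pull /storage/emulated/0/Absensi/) rather than the single file, and hash all four files before opening any of them: opening the main file in a tool that can write will checkpoint the WAL and change the hashes you would otherwise compare against the ones listed here.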

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 06:20

Reported

2024-05-21 06:24

Platform

android-x64-20240514-en

Max time kernel

174s

Max time network

148s

Command Line

BSS.Absensi

Signatures

Makes use of the framework's foreground persistence service

Tags: evasion persistence
Description: Framework service call
Indicator: android.app.IActivityManager.setServiceForeground
Process: N/A
Target: N/A

Queries the unique device ID (IMEI, MEID, IMSI)

Tags: discovery
(no indicator rows reported for this signature)
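Both behavioral signatures above reduce to rules over the framework calls the sandbox traced. The block below is an added example, not the sandbox's own detection code: it runs such rules over a constructed API-call trace (one line per call, package name followed by the called method, a format assumed here), restricts matches to the sample's own package so that a system process calling setServiceForeground is not attributed to it, and returns the report's signature names, tags and the indicators that fired. The setServiceForeground indicator is the one this report lists; the TelephonyManager method names (getDeviceId, getImei, getMeid, getSubscriberId) are the real Android APIs behind IMEI, MEID and IMSI lookups. Whether a rule fires depends on which code path the detonation exercised, which is consistent with the device-ID query appearing in only one of the three runs.

```python
import re

# (signature name, tags, pattern over the fully qualified API name)
SIGNATURES = [
    ("Makes use of the framework's foreground persistence service",
     ("evasion", "persistence"),
     re.compile(r"^android\.app\.IActivityManager\.setServiceForeground$")),
    ("Queries the unique device ID (IMEI, MEID, IMSI)",
     ("discovery",),
     re.compile(r"^android\.telephony\.TelephonyManager\."
                r"(getDeviceId|getImei|getMeid|getSubscriberId)$")),
]

# Constructed trace in the assumed "<package> <api>" format; not sandbox output.
SAMPLE_TRACE = """\
BSS.Absensi            android.app.IActivityManager.setServiceForeground
BSS.Absensi            android.telephony.TelephonyManager.getDeviceId
BSS.Absensi            android.telephony.TelephonyManager.getSubscriberId
BSS.Absensi            android.content.ContentResolver.query
com.android.systemui   android.app.IActivityManager.setServiceForeground
"""

LINE = re.compile(r"^(\S+)\s+([\w.$]+)")


def match_signatures(trace, package):
    """Map signature name -> {"tags": ..., "indicators": set()} for calls made
    by `package`; calls from other processes are ignored."""
    findings = {}
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m or m.group(1) != package:
            continue
        api = m.group(2)
        for name, tags, pattern in SIGNATURES:
            if pattern.match(api):
                entry = findings.setdefault(name, {"tags": tags, "indicators": set()})
                entry["indicators"].add(api)
    return findings


def tags_for(findings):
    """Flatten the tag set, which is what the report's tag line summarises."""
    return sorted({t for f in findings.values() for t in f["tags"]})


if __name__ == "__main__":
    found = match_signatures(SAMPLE_TRACE, "BSS.Absensi")
    for name, info in found.items():
        print(name, sorted(info["indicators"]))
    print("tags:", tags_for(found))
```

The indicators column in the report only names the Binder-level call; when you instrument a sample yourself, keep the full qualified method name per hit as this does, since getDeviceId and getSubscriberId point at different identifiers (IMEI versus IMSI).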

Processes

BSS.Absensi

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353      -                         udp
US       1.1.1.1:53            android.apis.google.com   udp
GB       142.250.187.206:443   android.apis.google.com   tcp
GB       142.250.187.206:443   android.apis.google.com   tcp
US       1.1.1.1:53            ssl.google-analytics.com  udp
GB       142.250.187.232:443   ssl.google-analytics.com  tcp
GB       142.250.178.4:443     -                         tcp
US       1.1.1.1:53            www.google.com            udp
GB       142.250.200.36:443    www.google.com            tcp
GB       172.217.16.238:443    -                         tcp
GB       142.250.179.226:443   -                         tcp
(- = no domain observed for this destination)

Files

/storage/emulated/0/Absensi/ABS.db-journal

MD5 e751bc82019ade996a993086c438b7c0
SHA1 c4acf3c24ef134b9705598486dfdf08f9a2845a2
SHA256 54022c2ef5094a72f43ed3b243729a47038e275a97fcdea12879bc0126393e59
SHA512 b7592052e3f600c34b2d0cd5175e1b4bf0331ab4c4f0a5aac7b5e2684c3d4b624e99e1a2186e6dbe0645ace8f003ea3e546fffa26cd36a8309a3f2fbd6e30a88

/storage/emulated/0/Absensi/ABS.db

MD5 94d878dfd9a2d68ccd03c38321c2c374
SHA1 6703b2feade9b4d50f80e4418b90951c896c7165
SHA256 dacbe7641ea297b9a67eaf915225ab79be59e3089eeb021ccdf59bab81edece7
SHA512 88d55d65dae687837144b8c753b5f9a61bd2c1d3d89aa2817960bdd3d292a657e69f4e4f351a464569efb9297e1f1d471db946ea6b353218e7403ef60d075929

/storage/emulated/0/Absensi/ABS.db-journal

MD5 6832f9d4409fe827159687efc468513a
SHA1 8aa11b8da6074a106b5e71d0bd8a35a3dff92d21
SHA256 e2e03b80ef9fc0b437d91e2ee2a0d551011cb7d336c4ca23ca0e52fad42c39db
SHA512 0c99e810b69489d6df0503dae15f6b1f9f2f3b90ac6d12f3bb5f8d9fa7171a109d328057f3a9a1f6fb9b33ba5ac9b2c57ec9812442319fca6bc978935f1c4672

/storage/emulated/0/Absensi/ABS.db-journal

MD5 6cca89f0ba62acdda83daafbe740533d
SHA1 c0482521785aada2acec7803601777fa73e2f5bd
SHA256 8cf89a01660bc5859450d8c3c82dec18bad10a6e7c503fa48ab6ff626255b9fa
SHA512 737729d0ec80b193544181e4f5a35ef6b92b00d0cd4f3d7b05b4a82add3b114411bc3b0e114776f84d1cdde07123b4f562c45a8829b9a7e5e8d9250c4015cc33

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-21 06:20

Reported

2024-05-21 06:24

Platform

android-x64-arm64-20240514-en

Max time kernel

174s

Max time network

140s

Command Line

BSS.Absensi

Signatures

Makes use of the framework's foreground persistence service

Tags: evasion persistence
Description: Framework service call
Indicator: android.app.IActivityManager.setServiceForeground
Process: N/A
Target: N/A

Processes

BSS.Absensi

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353      -                         udp
US       1.1.1.1:53            ssl.google-analytics.com  udp
GB       142.250.180.8:443     ssl.google-analytics.com  tcp
GB       142.250.178.14:443    -                         tcp
GB       142.250.178.14:443    -                         tcp
US       1.1.1.1:53            android.apis.google.com   udp
GB       142.250.187.238:443   android.apis.google.com   tcp
GB       216.58.201.100:443    -                         tcp
GB       216.58.201.100:443    -                         tcp
(- = no domain observed for this destination)

Files

/storage/emulated/0/Absensi/ABS.db-journal

MD5 66029c99db2e59e8e314fa344e7f89d2
SHA1 336a88b6dc4e0331b882839bef4b1ee7674da8d1
SHA256 5f28f1ce6dd148587443d253e2ea6fb6b53a96bd035c12375af11d98a65458b1
SHA512 43e20ff19d0cd007cb37314c43090269b8559b1eed17b87992e4a1abf7418bfad1a5d0f728078977650f3df989331f1d5f70953bb5785adb33da02fe7489d3b0

/storage/emulated/0/Absensi/ABS.db

MD5 1a602ad4804987d4e7c74cdc76d486a9
SHA1 82b3a65cdc4ca1dcd9eb889e0d94b1958bab510f
SHA256 f66992933c1ab753caa3da75ff814b113809cb7c2dcf3cbd51d327c2571da0d3
SHA512 6674c6677f936d8063638ae1a5508a552310171fbda367ea7eafa6fdccded540826c50b304fc74118e29f185dacc2b48430155c4acd4b562b92fd8164fddd113

/storage/emulated/0/Absensi/ABS.db-journal

MD5 3f3605d0b960a6f8fc83753dcb081ec1
SHA1 9b46014b6ce336a37baa226e643a44852a7fef5e
SHA256 aea6da9429595860df9ed55c97fad3d356041ee195c5d2e13c63c964e061d630
SHA512 e523faff7eb3b6f5214d7a9b4950c996350a6599dbb53b52f87ce5f140c4ad9e01642901a4bcf84a8f0684802b02670d2fbef2fc30cc00072b1ce4f0fe832869

/storage/emulated/0/Absensi/ABS.db-journal

MD5 514ca2e08b9b10daf89dbfe57b916cd0
SHA1 1e2727200a01f3181ccf0ed37caeee7a16b783d9
SHA256 9d4f2c20bfc9cf98653fc30f3a1312a9ca982555e17c5bbdafdc199466aad0c3
SHA512 6a6bb0d8a032192809a421141bba9473a947e0a4bf4326da7a375d4b219a67f4c122620e4bc26e281805116d9bb82b357d004704d3436c1469c94ba75916cb73