Malware Analysis Report

2024-09-09 16:10

Sample ID 240521-gbnmmadd63
Target BSSAbensi.apk
SHA256 fc2cbc8d925ee585cdc02e99bd467c8f943f891f377d3605a1e1329d33c7178b
Tags
irata evasion persistence discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fc2cbc8d925ee585cdc02e99bd467c8f943f891f377d3605a1e1329d33c7178b

Threat Level: Known bad

The file BSSAbensi.apk was found to be: Known bad.

Malicious Activity Summary

irata evasion persistence discovery

Irata family

Irata payload

Makes use of the framework's foreground persistence service

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-21 05:38

Signatures

Irata family

irata

Irata payload

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 05:37

Reported

2024-05-21 06:15

Platform

android-x86-arm-20240514-en

Max time kernel

174s

Max time network

167s

Command Line

BSS.Absensi

Signatures

Makes use of the framework's foreground persistence service

evasion persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |

Processes

BSS.Absensi

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.169.14:443 | | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 142.250.178.3:443 | | tcp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |

Files

/storage/emulated/0/Absensi/ABS.db-journal

MD5 af21fe12b5fcfeede8bf26bfd950279e
SHA1 2a49323651c6dd4553a337661de1a39207713a74
SHA256 7ac64a81d1426072dd26f28fec24e840ef685be72388da5e853bf95631a06d19
SHA512 5e368fc10950a0d3ebb0c610545a90bc95a35dd06c1ed57fda6bc8fe782464872b9cdb71826ad94294d8f2e3b39d292b7b1f5c28e754632950048b5f21ff642b

/storage/emulated/0/Absensi/ABS.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/storage/emulated/0/Absensi/ABS.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/storage/emulated/0/Absensi/ABS.db-wal

MD5 685921a7e4984fedd00ac95fc9144229
SHA1 64d7ae161d1c50c9617842530adc1b566ae8edd2
SHA256 5f13d7bfb2419d47a847ceb706073ca47d7a24c3fcbec4fd1e9c914fc48e2f6b
SHA512 90478905139bdd74a4b09cdfb74805c944a9a6c34be3e59c4c0e57002f2adbbe83dc47235211d3c9bd4e89d95c05227f245546b1ae3087189914459ece769def

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 05:37

Reported

2024-05-21 06:10

Platform

android-x64-20240514-en

Max time kernel

175s

Max time network

147s

Command Line

BSS.Absensi

Signatures

Makes use of the framework's foreground persistence service

evasion persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Processes

BSS.Absensi

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.187.202:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| GB | 216.58.212.226:443 | | tcp |
| GB | 172.217.16.238:443 | | tcp |
| GB | 142.250.200.36:443 | | tcp |
| GB | 142.250.200.36:443 | | tcp |
| GB | 172.217.16.238:443 | | tcp |
| GB | 172.217.16.238:443 | | tcp |

Files

/storage/emulated/0/Absensi/ABS.db-journal

MD5 f6d44fed3d92f9ec871da9301293145d
SHA1 a5140897ba875d0a2b6be75fa1ffe58dc3bd1c10
SHA256 bc6df80be0483f7256e3f64e271c3b5a45bdffd19384b0004f40d1fa027345ff
SHA512 cddb1853bd911ebaaef26f7da58a1443d27d60d9a855da2ea370908a737eb897200db1c2faecc90a2ecfe8a4738ee489344af7b0d6987d02ad865c50ddbde7a0

/storage/emulated/0/Absensi/ABS.db

MD5 94d878dfd9a2d68ccd03c38321c2c374
SHA1 6703b2feade9b4d50f80e4418b90951c896c7165
SHA256 dacbe7641ea297b9a67eaf915225ab79be59e3089eeb021ccdf59bab81edece7
SHA512 88d55d65dae687837144b8c753b5f9a61bd2c1d3d89aa2817960bdd3d292a657e69f4e4f351a464569efb9297e1f1d471db946ea6b353218e7403ef60d075929

/storage/emulated/0/Absensi/ABS.db-journal

MD5 9b22c7c181f83def4b71ce97ed05f0a5
SHA1 5e92559ce0cda053b81de20668c664d3a3a3b1c3
SHA256 9272a595eba837ad2a3b5fc34059e244cfed1d799d1414e42747d29c3dc2a0b9
SHA512 bd2c5d754abcdd3262ecec8ae4cd5bff9fb4478b81170800cd9e7f8a394f424efa179f2b6bf4e41ab54d14f8fc941334588ac0dd0de61e046133e858eb34b0a9

/storage/emulated/0/Absensi/ABS.db-journal

MD5 ccd8da9317f0957e4e7ce006b5fdd8c9
SHA1 0cd72389a399ca34e79f652a6a82e1838a62acd9
SHA256 bff1579db05cd31d1d4689db07afca645ccebaeb00f633e44ffa10c0b660d7d9
SHA512 557ebc039190b6be08dafaa0e844d0912eb5f89c0fb543d1f270caf20573b64fe5896b17b1e27bf8ab8eb7f2559872c4c0cd85bba6f6dfb958741a6244c891f2

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-21 05:37

Reported

2024-05-21 06:10

Platform

android-x64-arm64-20240514-en

Max time kernel

175s

Max time network

137s

Command Line

BSS.Absensi

Signatures

Makes use of the framework's foreground persistence service

evasion persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |

Processes

BSS.Absensi

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.16.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 216.58.201.100:443 | | tcp |

Files

/storage/emulated/0/Absensi/ABS.db-journal

MD5 6e27671d6a2e78905616e518a6a4768d
SHA1 2d27f96e01c740e7fe9346e2abf8322c0bff5b94
SHA256 969b5f819a34b131962a571f4498e63a7e5234fc6e9daf2b2fead12908f4636b
SHA512 8c4a3789b4333061ac1d39dc25298a6942e83c084ad18f887a8f2a4478f4cd5c1d063132bd53a420aacfa0e4a55a8471ad455fb2d43229c778ded15baa80b55c

/storage/emulated/0/Absensi/ABS.db

MD5 1a602ad4804987d4e7c74cdc76d486a9
SHA1 82b3a65cdc4ca1dcd9eb889e0d94b1958bab510f
SHA256 f66992933c1ab753caa3da75ff814b113809cb7c2dcf3cbd51d327c2571da0d3
SHA512 6674c6677f936d8063638ae1a5508a552310171fbda367ea7eafa6fdccded540826c50b304fc74118e29f185dacc2b48430155c4acd4b562b92fd8164fddd113

/storage/emulated/0/Absensi/ABS.db-journal

MD5 8d9d8954fc40eeab56128cf5a6da6fe4
SHA1 22a9ec015542c6ee1b933ecc98838ad5583c7181
SHA256 e7202dcb0011a39efe962c544864fd094690c8fbe3253668dbccd035695b6b03
SHA512 b7203e507060f927e800e7b0f2a0eda5c102d4af56994d6078048fb3450bdf76135aa0b017a3ead1cd5eec32cb3b35ad337f650d572369c5823fe6df05d782d4

/storage/emulated/0/Absensi/ABS.db-journal

MD5 eb1dd238302685f718b2b809884f58b4
SHA1 0221f0c2ed4cf97f86004654a2211293ff673c2b
SHA256 8b8be483b9dd86d99320fe97009849fa37f34833b450992f08173da7b8b69a41
SHA512 00cbe40038a8d29069d89314c0626f5ba4abebc26a1cb3cfc2ced8f631b0071187c80a671dd3dfd1b2f4413dda0a5324212f0d6d8ef647d84419d7d92c27669d