Malware Analysis Report

2024-09-09 16:13

Sample ID: 240522-ntmllsdd7t
Target: appp.apk
SHA256: 93d421b18af345591cb8b3fc3e995f5a9e78221deb0fa1e0474b2b942623d5b6
Tags: irata, persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 93d421b18af345591cb8b3fc3e995f5a9e78221deb0fa1e0474b2b942623d5b6

Threat Level: Known bad

The file appp.apk was found to be: Known bad.

Malicious Activity Summary

Tags: irata, persistence

Irata family

Irata payload

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-22 11:41

Signatures

Irata family

Tags: irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-22 11:41
Reported: 2024-05-22 11:46
Platform: android-x86-arm-20240514-en
Max time kernel: 122s
Max time network: 131s

Command Line

com.sistemapegasus.pgsmobile

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.sistemapegasus.pgsmobile

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | (none) | udp
GB | 142.250.180.14:443 | (none) | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 216.58.212.227:443 | (none) | tcp

Files

/data/data/com.sistemapegasus.pgsmobile/files/pegasuspedidosmob.db

MD5 bc89434270b2c1420b1977fd478f81d0
SHA1 7035c7ccdd56b74ba0aaccdc3030725387700119
SHA256 1f521b2e833a0278f287606e87f402818cb05bfae9907ef042c15c0f966a7a86
SHA512 6a6e5245efccfd98cb326697c0f5d5e0906098e722e1773c9f83f00f7e166ca86318c98615fba268a447bb951f64683fa8bce87581809dc478a47ba83ae6c3db

/data/data/com.sistemapegasus.pgsmobile/files/pegasuspedidosmob.db-journal

MD5 5927ecef9af8904bbcdc50d8ea632fa4
SHA1 a02f145893d0a4c6b465021145480d8192f03995
SHA256 99a110876d46c8da271dd1360407bf7f2a1d1d6564856339a383e3a9f9229365
SHA512 1a9f2ecd633944bcb2c113262269d276f5539c2eb90c437cfde77536ca8706db627aaeba8af0ada9668c43cfc43ce4d6853e9ee93c1a64f1a91c71d2ccc57b6d

/data/data/com.sistemapegasus.pgsmobile/files/pegasuspedidosmob.db

MD5 6108783ffc9223052b7f2a45047d86eb
SHA1 88c2b26e50fc82117b4f75af8cbfdcb628805765
SHA256 addaa33114268f8da7799dd9e4caf99bc4dc158cdcaa43c2d7891b49b196a47a
SHA512 bea40dd3d504a8b3eb75bfde30c6d16a81c6f459b31c72b477506adad629432b01fe79b4f547c04346cdcb2269e90059b20db6473db103fb7a1dc7a6124bbf99

/data/data/com.sistemapegasus.pgsmobile/files/pegasuspedidosmob.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.sistemapegasus.pgsmobile/files/parameters.json

MD5 e142226b21e2dc8df43f8d339bcb1a93
SHA1 362a9f77a62af474a42cf2f641497d248fa68f1f
SHA256 b48d0c107d2a2eb3c3c6ea368e0f5140be15cedc97ca28fb6f99dfd7eda3c038
SHA512 c1be5f81b790417a8d6ac55572d03cf813cbb523dd601ec09b7c5bfc1aa69cc38cc2e6558897a66ee4cb9d8d2114d1897da1b4c6027e3e9501c44d700eee1f04

/data/data/com.sistemapegasus.pgsmobile/files/parameters.json

MD5 fb9488ad10b8cf6d146cf88d273e0872
SHA1 2d2177f36f64ef63fa0977e312e4db4dad7cbcd4
SHA256 0e0ccc3eb67c8e8ad984dfea24733d9d7ddc6eaf52da4f25e34c3165dea37c14
SHA512 7f68897a1490617bb68831fbeaae82ab7a87db601c4c8f52e292729b705e78f9bb8ac56658a3833794fa21aae560e83b9e983933cc4b157f9ba0a4bfad3f233e

/storage/emulated/0/.pgsmobile_NO_BORRAR.raf

MD5 fbee88d44ca8a5f7c4bba1877190ac02
SHA1 fe7dc4f58e96bcc5a3fc42a4f15f712a2f43c48d
SHA256 83d8025611ffc8c9e7bc3086e3b541bfd2f6b80e5c443e545349ed629f356477
SHA512 fb984b9de18bc0e68b4a9e2aabba08cbe46e4c5c1b4d7af775a70f6588d35864ab225d7c8770d16ad09d6d5a209475eb210249642cf39570c54d38b81d950135

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-22 11:41
Reported: 2024-05-22 11:46
Platform: android-x64-20240514-en
Max time kernel: 124s
Max time network: 150s

Command Line

com.sistemapegasus.pgsmobile

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.sistemapegasus.pgsmobile

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | (none) | udp
GB | 142.250.187.202:443 | (none) | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 216.58.212.226:443 | (none) | tcp
GB | 172.217.16.238:443 | (none) | tcp
GB | 142.250.200.36:443 | (none) | tcp
GB | 142.250.200.36:443 | (none) | tcp
GB | 172.217.16.238:443 | (none) | tcp
GB | 172.217.16.238:443 | (none) | tcp

Files

/data/data/com.sistemapegasus.pgsmobile/files/pegasuspedidosmob.db

MD5 bc89434270b2c1420b1977fd478f81d0
SHA1 7035c7ccdd56b74ba0aaccdc3030725387700119
SHA256 1f521b2e833a0278f287606e87f402818cb05bfae9907ef042c15c0f966a7a86
SHA512 6a6e5245efccfd98cb326697c0f5d5e0906098e722e1773c9f83f00f7e166ca86318c98615fba268a447bb951f64683fa8bce87581809dc478a47ba83ae6c3db

/data/data/com.sistemapegasus.pgsmobile/files/parameters.json

MD5 8a48e5c67c4491b2e10faecbe8ab2ce3
SHA1 68d87a088deed86ec89f6e62323298be260671f4
SHA256 c6873a8793a2bcade9336c13406c3b01ce9537a5d65d632627ccbf01ff8ff32a
SHA512 f373eb50d5acdd46213948c389337d9b2676963777feafd60394c407a3916b458b50bf5c605ce22c4767c46819e20ef9d12f81dff1cabcacc4e9f7ae79b93507

/data/data/com.sistemapegasus.pgsmobile/files/parameters.json

MD5 37a9b9334f17e9859fae61ef7fb2600a
SHA1 e17b1663b9cdc6cee2963be9a08107ac0ae05f14
SHA256 cfdcfd2df7f942f555107413ec6adb1d39e8decbe0bd92a6b99eee8a2ca68b60
SHA512 a8325dbe4e8bf7656c8bb0c2ccae37362c4f27301098de2ba362f8e380aaebeb6d2c25da30dc0a2ed5ceeb28da52616a53ef31159a261ec296bd0b74f9e6a035

/storage/emulated/0/.pgsmobile_NO_BORRAR.raf

MD5 b73b6355e6969ab93403554e71cb7ba0
SHA1 78ce896bc7a3e916770dbb9d1dcda80def8609f6
SHA256 047ebdad0e510dd7bff9b43f06180a9d727d8db46b02f52bfc7aba602c12161b
SHA512 adf2ad985c1fe00531d12535346247d102daeb4804283e9a3935a4f2ec0041f89d1aa21b2e129205f2eca7a88086b8bab9f8814ee9e7a4d5a15a32962837f522

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-22 11:41
Reported: 2024-05-22 11:43
Platform: android-x64-arm64-20240514-en
Max time network: 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | (none) | udp

Files

N/A