Malware Analysis Report

2024-09-09 16:09

Sample ID: 240530-2l4f2sdd34
Target: 86fd0b4a0731cbbe38241ba277f98a4c7c3f88a2585c4ab88dba80fdf9418b99.bin
SHA256: 86fd0b4a0731cbbe38241ba277f98a4c7c3f88a2585c4ab88dba80fdf9418b99
Tags: irata, discovery, evasion, impact, persistence, collection, credential_access
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 86fd0b4a0731cbbe38241ba277f98a4c7c3f88a2585c4ab88dba80fdf9418b99

Threat Level: Known bad

The file 86fd0b4a0731cbbe38241ba277f98a4c7c3f88a2585c4ab88dba80fdf9418b99.bin was found to be: Known bad.

Malicious Activity Summary

Tags: irata, discovery, evasion, impact, persistence, collection, credential_access

Irata family

Registers a broadcast receiver at runtime (usually for listening for system events)

Obtains sensitive information copied to the device clipboard

Checks memory information

Queries the mobile country code (MCC)

Reads information about phone network operator

Acquires the wake lock

Checks if the internet connection is available

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-30 22:41

Signatures

Irata family

irata

Requests dangerous framework permissions

Indicator and description (Process: N/A, Target: N/A for every entry)

android.permission.CALL_PHONE
  Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.

android.permission.POST_NOTIFICATIONS
  Allows an app to post notifications.

android.permission.READ_PHONE_STATE
  Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.

android.permission.INSTANT_APP_FOREGROUND_SERVICE
  Allows an instant app to create foreground services.

android.permission.SEND_SMS
  Allows an application to send SMS messages.

android.permission.READ_SMS
  Allows an application to read SMS messages.

android.permission.RECEIVE_SMS
  Allows an application to receive SMS messages.

android.permission.READ_CONTACTS
  Allows an application to read the user's contacts data.

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 22:41

Reported

2024-05-30 22:44

Platform

android-x86-arm-20240514-en

Max time kernel

5s

Max time network

131s

Command Line

com.drnull.v5

Signatures

Checks memory information

Tags: evasion, discovery
File opened for read: /proc/meminfo (Process: N/A, Target: N/A)

Queries the mobile country code (MCC)

Tags: discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (Process: N/A, Target: N/A)

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Framework service call: android.app.IActivityManager.registerReceiver (Process: N/A, Target: N/A)

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock (Process: N/A, Target: N/A)

Checks if the internet connection is available

Tags: discovery
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (Process: N/A, Target: N/A)

Reads information about phone network operator

Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Framework API call: javax.crypto.Cipher.doFinal (Process: N/A, Target: N/A)

Processes

com.drnull.v5

Network

Country  Destination            Domain                   Proto
N/A      224.0.0.251:5353                                udp
GB       142.250.180.14:443                              tcp
US       1.1.1.1:53             android.apis.google.com  udp
GB       142.250.178.14:443     android.apis.google.com  tcp
GB       142.250.187.206:443                             tcp

Files

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-shm

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-wal

/data/data/com.drnull.v5/files/PersistedInstallation9147971146995082509tmp

/data/data/com.drnull.v5/files/database.db

/data/data/com.drnull.v5/files/PersistedInstallation4237883834700861723tmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 22:41

Reported

2024-05-30 22:44

Platform

android-x64-20240514-en

Max time kernel

6s

Max time network

187s

Command Line

com.drnull.v5

Signatures

Checks memory information

Tags: evasion, discovery
File opened for read: /proc/meminfo (Process: N/A, Target: N/A)

Obtains sensitive information copied to the device clipboard

Tags: collection, credential_access, impact
Framework service call: android.content.IClipboard.addPrimaryClipChangedListener (Process: N/A, Target: N/A)

Queries the mobile country code (MCC)

Tags: discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (Process: N/A, Target: N/A)

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Framework service call: android.app.IActivityManager.registerReceiver (Process: N/A, Target: N/A)

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock (Process: N/A, Target: N/A)

Checks if the internet connection is available

Tags: discovery
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (Process: N/A, Target: N/A)

Reads information about phone network operator

Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Framework API call: javax.crypto.Cipher.doFinal (Process: N/A, Target: N/A)

Processes

com.drnull.v5

Network

Country  Destination            Domain                    Proto
N/A      224.0.0.251:5353                                 udp
US       1.1.1.1:53             android.apis.google.com   udp
GB       172.217.16.238:443     android.apis.google.com   tcp
GB       172.217.169.14:443                               tcp
US       1.1.1.1:53             ssl.google-analytics.com  udp
GB       142.250.180.8:443      ssl.google-analytics.com  tcp
GB       142.250.200.46:443                               tcp
GB       142.250.187.194:443                              tcp
GB       172.217.16.228:443                               tcp
GB       172.217.16.228:443                               tcp

Files

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

/data/data/com.drnull.v5/files/PersistedInstallation7136898187527235708tmp

/data/data/com.drnull.v5/files/database.db

/data/data/com.drnull.v5/files/PersistedInstallation8019419225932855509tmp
