Malware Analysis Report

2024-09-09 16:08

Sample ID 240601-wpnl4sbb49
Target base.apk
SHA256 278b1bb652f2bb7297d55f2ab4f4404d28f35fdfa5ceab0fdf66979c99240285
Tags discovery, irata
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 278b1bb652f2bb7297d55f2ab4f4404d28f35fdfa5ceab0fdf66979c99240285

Threat Level: Known bad

The file base.apk was found to be: Known bad.

Malicious Activity Summary

discovery irata

Irata family

Irata payload

Acquires the wake lock

Checks if the internet connection is available

Reads information about phone network operator.

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 18:05

Signatures

Irata family

irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 18:05

Reported

2024-06-01 18:09

Platform

android-33-x64-arm64-20240514-en

Max time kernel

4s

Max time network

132s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.temptation.lydia

Network

Country | Destination | Domain | Proto
GB | 216.58.204.68:443 | | udp
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.204.68:443 | | udp
GB | 142.250.178.14:443 | | udp
GB | 142.250.178.14:443 | | tcp
GB | 142.250.178.14:443 | | tcp
GB | 142.250.187.195:443 | | tcp
US | 172.64.41.3:443 | | tcp
US | 172.64.41.3:443 | | tcp
US | 172.64.41.3:443 | | udp
GB | 172.217.169.35:443 | | tcp
GB | 172.217.169.35:443 | | udp
GB | 216.58.204.68:443 | | udp
GB | 216.58.204.68:443 | | tcp
GB | 216.58.204.68:443 | | tcp
GB | 216.58.204.68:443 | | tcp
GB | 216.58.201.100:443 | | udp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | udp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
GB | 216.58.213.10:443 | remoteprovisioning.googleapis.com | tcp
GB | 142.250.200.10:443 | remoteprovisioning.googleapis.com | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation5786015401071921623tmp

MD5 ca71260a54a7c42a3db62ee48c4f1d6a
SHA1 4db53e316ce6e022923ee985b75d9c8f9955ed92
SHA256 fc03ef75145717b5788344064efb42d5f02c3c6c70f4991810cdb45513998340
SHA512 c396cbe40019a5669780b67528c2ebfc8228cc1403c07b62df47bb92ce133c264e2ecc317d7cca0988bd4a1d9eb27164d4afa61254c687c1e38f1ef06ca06aa3