Malware Analysis Report

2024-09-09 16:16

Sample ID: 240601-wxk6ysbe25
Target: base.apk
SHA256: 278b1bb652f2bb7297d55f2ab4f4404d28f35fdfa5ceab0fdf66979c99240285
Tags: discovery, irata
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 278b1bb652f2bb7297d55f2ab4f4404d28f35fdfa5ceab0fdf66979c99240285

Threat Level: Known bad

The file base.apk was found to be: Known bad.

Malicious Activity Summary

Tags: discovery, irata

Irata family

Irata payload

Acquires the wake lock

Checks if the internet connection is available

Requests dangerous framework permissions

Reads information about phone network operator

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-01 18:18

Signatures

Irata family

Tags: irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-01 18:18
Reported: 2024-06-01 18:21
Platform: android-x64-arm64-20240514-en
Max time kernel: 3s
Max time network: 131s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.temptation.lydia

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp
GB | 216.58.212.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation916560048377740950tmp

MD5: 5eab52c7e2a65a48492769b80075fb05
SHA1: af8373303cbe7411977b2f9b4da13802780ebc16
SHA256: 16c74e5eb4cdfe13416be613597474f12c55532401a3513e68fdc0631fb69888
SHA512: 8c337ff2d18bedd83d42d6ce900a3d73f6991b94297d4eac15d05ed0c048244d3ac97ec2415689a1764178e9605a425a6139f7d48be8ab7eb44d99a7f5214c3a

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-01 18:18
Reported: 2024-06-01 18:21
Platform: android-x86-arm-20240514-en
Max time kernel: 2s
Max time network: 131s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator

Tags: discovery

Processes

com.temptation.lydia

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 216.58.212.227:443 | | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation1335775568100170946tmp

MD5: 4d234780ceabc78aa7ad0762e7893dfa
SHA1: daadbc890c7698906fd41308777da40e19f3a81f
SHA256: f585f350ab11bc1dc0059db1c631d56f12647cd9a6fc20725dfbb7168f55326d
SHA512: bc0ec4d825d4e29a2c8734119d1e0b33550e7cbc9bf2b1eee747a6e08cb322a818bccb557799d97dfcdc42f84fd17af2a3fe8c739691edee057bd7135fdca060

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-01 18:18
Reported: 2024-06-01 18:21
Platform: android-x64-20240514-en
Max time kernel: 3s
Max time network: 136s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator

Tags: discovery

Processes

com.temptation.lydia

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.200.46:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation806980706833015989tmp

MD5: 02b45afcea72b624dab4412580d3bd13
SHA1: 0f729b4af27d37b36c56e7203734d79ff279d1de
SHA256: 74a3d66c42ee743a651a1ebee05893bc3489c09dd67614cffc1e587ef2860d92
SHA512: 0ea6719a50711fa8e2dbdb49f4b8c6033a75e55e4d4f8266469306a61d97581c64dcbd49fe3c40c151acd57dfd9369055487676047fb88e6e20ee0dc45c1073c