Malware Analysis Report

2024-09-09 16:16

Sample ID: 240602-bgc57add9x
Target: 278b1bb652f2bb7297d55f2ab4f4404d28f35fdfa5ceab0fdf66979c99240285.apk
SHA256: 278b1bb652f2bb7297d55f2ab4f4404d28f35fdfa5ceab0fdf66979c99240285
Tags: irata, discovery
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 278b1bb652f2bb7297d55f2ab4f4404d28f35fdfa5ceab0fdf66979c99240285

Threat Level: Known bad

The file 278b1bb652f2bb7297d55f2ab4f4404d28f35fdfa5ceab0fdf66979c99240285.apk was found to be: Known bad.

Malicious Activity Summary

Tags: irata, discovery

Irata family

Irata payload

Acquires the wake lock

Checks if the internet connection is available

Reads information about phone network operator.

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-02 01:06

Signatures

Irata family

Tag: irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-02 01:06
Reported: 2024-06-02 01:09
Platform: android-x86-arm-20240514-en
Max time kernel: 3s
Max time network: 143s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

Tag: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.temptation.lydia

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 142.250.180.14:443 | N/A | tcp
GB | 142.250.178.14:443 | N/A | tcp
GB | 142.250.178.14:443 | N/A | tcp
GB | 142.250.187.206:443 | N/A | tcp
GB | 216.58.212.202:443 | N/A | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation4988787687837360021tmp

MD5 aa960e215d37ba6e8d87f1058e46938b
SHA1 e066f395982f165b7b676192f7f9f0fef83ad3ef
SHA256 087f1cf5d1908295af2a3c9b2f766d87f04c18fbb45731e9a9bf407c8883d599
SHA512 2f51455025cb6fbaed2e61a10939e42d57953f82612aa5fab2847a46fd568aa9e2c05e34988632c3e8ee72974ff170577cb70ac9717df0e8e32c831ece18a55c

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-02 01:06
Reported: 2024-06-02 01:09
Platform: android-x64-20240514-en
Max time kernel: 4s
Max time network: 131s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

Tag: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

Tag: discovery

Processes

com.temptation.lydia

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 216.58.212.226:443 | N/A | tcp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 142.250.200.36:443 | N/A | tcp
GB | 142.250.200.36:443 | N/A | tcp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 172.217.16.238:443 | android.apis.google.com | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation811430958229470522tmp

MD5 5ac33e5a2886b18178d0384a726256f1
SHA1 67f852374935e97425fd70d33c63fa1d69567207
SHA256 e4bd8977e91befb797fb558400ee8964d2939da0020a50624648afba54262af5
SHA512 895e89e16984717865da55e8755bf6562c8a65a2eb143134b29d3182ba65bb01b8a9b50c41c381d146d26f0139a8b7882f8c8e93e9035be1c5dc8323fa2bd9e1

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-02 01:06
Reported: 2024-06-02 01:09
Platform: android-x64-arm64-20240514-en
Max time kernel: 4s
Max time network: 146s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

Tag: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

Tag: discovery

Processes

com.temptation.lydia

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 172.217.16.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.100:443 | N/A | tcp
GB | 216.58.201.100:443 | N/A | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation401614935808213040tmp

MD5 3d81eceffa72dfad67cd8aba617574c0
SHA1 0ab0127d5215366c7d81de2a1d4f6998e207da4d
SHA256 0fd1df1c24b64784b866e84859a7470444e783d513def5551cfa9e3d9d1afe6c
SHA512 615f75465032a793b857b28676713582b5d020727e75068a9e878ea6cc806787555322aad905c49644ea55d619c966337aecc3ec00d7b4f5e3c17f3645bfef7b