Malware Analysis Report

2024-09-09 16:09

Sample ID: 240602-kej1dsgg89
Target: 278b1bb652f2bb7297d55f2ab4f4404d28f35fdfa5ceab0fdf66979c99240285.apk
SHA256: 278b1bb652f2bb7297d55f2ab4f4404d28f35fdfa5ceab0fdf66979c99240285
Tags: discovery, irata
Score: 10/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK Matrix
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files
- Analysis: behavioral2
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files
- Analysis: behavioral3
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 10/10

SHA256: 278b1bb652f2bb7297d55f2ab4f4404d28f35fdfa5ceab0fdf66979c99240285

Threat Level: Known bad

The file 278b1bb652f2bb7297d55f2ab4f4404d28f35fdfa5ceab0fdf66979c99240285.apk was found to be: Known bad.

Malicious Activity Summary

Tags: discovery, irata

Irata family

Irata payload

Requests dangerous framework permissions

Acquires the wake lock

Checks if the internet connection is available

Reads information about phone network operator.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-02 08:30

Signatures

Irata family

irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-02 08:30
Reported: 2024-06-02 08:34
Platform: android-x86-arm-20240514-en
Max time kernel: 3s
Max time network: 133s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.temptation.lydia

Network

Country | Destination | Domain | Proto
GB | 142.250.200.14:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
GB | 216.58.204.67:443 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation8178405017054607648tmp

MD5 fe49b4c55aa6c1ad804a2bc4198a39bc
SHA1 6ede406406fa278ba9f6f9ab6203c8554c317514
SHA256 bcccdf649a2f1244ff6c49772407bb0406bf1e124b3e879ded3ba52a020fdbea
SHA512 b02248a2c1e15cec21884ffb19d8704ef82adf5d9156863096c242cad90fe5623f2ba1f9cd13b2c179a6e97557a32f3365a1cdf6c73d98d7360eb53b2a16747c

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-02 08:30
Reported: 2024-06-02 08:34
Platform: android-x64-20240514-en
Max time kernel: 4s
Max time network: 133s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.temptation.lydia

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 172.217.16.228:443 | N/A | tcp
GB | 172.217.16.228:443 | N/A | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation3632421690796778768tmp

MD5 ea3d83b1e705e305b2700f85678ff4d9
SHA1 0ec062f19490637891f06ceda3aa2e04e3e09b6d
SHA256 a67e65cb14cfbde8b83be347aa4baa864e5882ece1cf6e27220abea50be197b0
SHA512 a14f0792f5d90e86b8aeaa48daa27eb85625e147396fe2e37ebc6359876f2cc7361988a5ceb7a48079beaeaf9fd86b443cdf52d51cba0c175568d5ca657476b9

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-02 08:30
Reported: 2024-06-02 08:34
Platform: android-x64-arm64-20240514-en
Max time kernel: 3s
Max time network: 133s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.temptation.lydia

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 172.217.169.14:443 | N/A | tcp
GB | 172.217.169.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.4:443 | N/A | tcp
GB | 142.250.200.4:443 | N/A | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.178.4:443 | www.google.com | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation3073882118744407618tmp

MD5 e9a4662c8234a9a064dbe27563d189e7
SHA1 b9f2cc274296f3618f1bdf9fe3a5ec7d9c0963e5
SHA256 8833ce9936bd697c344a9abb11d59c9ec883fe4b2b2e3c27112f3b14bb4f6674
SHA512 2cf042b2cf7ff999aef2a862c5f7191a425dc7e7773c79e72cc71036484436dc3b5f6a05bce1176a9044da469e517a05a9730c5a60489232c985739046cf30af