Malware Analysis Report

2024-09-09 16:09

Sample ID: 240604-btm6xshb62
Target: 2e241e2b34d2a7f4c7c108eb9fa9bfa4.bin
SHA256: 1118439f95ea8f8d88f067206bb030eb0e06cd8ec65ea604c166e67303423977
Tags: irata discovery
Score: 10/10


Analysis Overview


Threat Level: Known bad

The file 2e241e2b34d2a7f4c7c108eb9fa9bfa4.bin was found to be: Known bad.

Malicious Activity Summary

irata discovery

Irata family

Irata payload

Requests dangerous framework permissions

Acquires the wake lock

Checks if the internet connection is available

Reads information about phone network operator.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-04 01:26

Signatures

Irata family

irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-04 01:26
Reported: 2024-06-04 01:29
Platform: android-x86-arm-20240603-en
Max time kernel: 3s
Max time network: 131s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.temptation.lydia

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation360659129708259744tmp

MD5 c2b171476f8b842bc9b5d4c6a88cb810
SHA1 29dbaf7eecd2bfcac6ecf763e0b2bae0a3650dc8
SHA256 81fd73eea17ce063af72e5c62c7a1c246484cdc9a98c27dabbde15bed513be8b
SHA512 52de09945faddc939b397a39b2dcd4a6801de6da852bcca993f87e757b5f921659aabeb2502a025770236c0e4031df66c2d69aec057670e6f9a0af1eef5d85c3

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-04 01:26
Reported: 2024-06-04 01:29
Platform: android-x64-20240603-en
Max time kernel: 4s
Max time network: 158s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.temptation.lydia

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
GB | 142.250.178.4:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.200.36:443 | www.google.com | tcp
GB | 172.217.169.14:443 | | tcp
GB | 142.250.200.34:443 | | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation2772450423514381741tmp

MD5 8106a237d86cb82874be84b443aa391f
SHA1 2d4205c8ec2f5e7e01c8dc50454069cc30c2d28b
SHA256 323e41e37f05fb932c69da01511e8c956ffc9c429b53f1f54047e0237c403255
SHA512 0ecc334a07c5ec82f8ed6cac6855bea49001c751e67900a4f68fd8e3be9f20eb45ddb4c9d4bbdf5980ee163b47321e85a8e8b5151785f0dcf9534307d66b6bad

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-04 01:26
Reported: 2024-06-04 01:29
Platform: android-x64-arm64-20240603-en
Max time kernel: 3s
Max time network: 132s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.temptation.lydia

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.238:443 | | tcp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.213.8:443 | ssl.google-analytics.com | tcp
GB | 172.217.169.68:443 | | tcp
GB | 172.217.169.68:443 | | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation3678011629984209731tmp

MD5 73402cf186db1681b150bb342052cbc0
SHA1 46701b418f36f99bd65d2e6f78d35636e04f9297
SHA256 7ece99d48112a8bb820fdf32db83aceea7938b0b1ab46f5d305baeddf369e650
SHA512 a4685cdd82819759c679e3ba539343283ca2701da96d194f56ece32423f24f14a9c60a5e5a0604e571989ccc162bff4f2b404dc66cc6d778c1a3a0b035939911

/data/data/com.temptation.lydia/files/PersistedInstallation4231269092269829400tmp

MD5 bb2f8dcbd41fed384d08a30e05c77ff1
SHA1 464c8e39a580aed16c18adfc6523c7fb25c03f43
SHA256 a0bfe0f5e732de89675dfa94ecafd8a8ccae34c638e0d7103126d74b7e16b58f
SHA512 c9a331a15f9eade2c3fb009488cd35e55c3ec6bd2befb762c7c06f0ad8ff56f04bd1a6e479f6a98caf5cfda3bc1eea4930fed9300d77f02483153dbf394b33b2