Malware Analysis Report

2024-09-09 16:07

Sample ID: 240614-sl4mdawckb
Target: Application.apk
SHA256: f8dea4cd9c869a5d35c613f2e0beabbc724fb2d61b4a9909d9b08e26844fc952
Tags: irata discovery impact
Score: 10/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK Matrix
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files
- Analysis: behavioral2
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files
- Analysis: behavioral3
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 10/10
SHA256: f8dea4cd9c869a5d35c613f2e0beabbc724fb2d61b4a9909d9b08e26844fc952
Threat Level: Known bad

The file Application.apk was found to be: Known bad.

Malicious Activity Summary

Tags: irata discovery impact

- Irata family
- Irata payload
- Queries information about active data network
- Requests dangerous framework permissions
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-14 15:13

Signatures

Irata family

Tags: irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 15:13
Reported: 2024-06-14 15:17
Platform: android-x86-arm-20240611.1-en
Max time kernel: 11s
Max time network: 132s

Command Line

org.bax.project

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

org.bax.project

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.202:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp

Files

/data/data/org.bax.project/files/PersistedInstallation6267707643886664764tmp

MD5 5521636c21bee2b870dfc44fbaa4eefe
SHA1 676bfacc2de8b824d710f2b4fc8620fcb66b9366
SHA256 ddbf11ae9b2293e9b03ceb9ce4be7c9a5546f7947fdec447388ae1cf9f2fb890
SHA512 26946d5e40b478d40265c88952ee1e0b3464a60abcf69ec88905e67e2db89682ad083d8055064a050128f244a0a9ebbcea6ad75cccd36a0400be7769ae08eeec

/data/data/org.bax.project/files/PersistedInstallation4110527581081192586tmp

MD5 f0a613f619e72ef094b865ff160825d4
SHA1 3d948ce7884588310b20337eb98a73c6d1371d48
SHA256 def6633e5d98b18e880b8e9658e096a9299fdfbfe386f79445d0501ad256d2a6
SHA512 0938c865cc22fbde22217b4a7e3bc23b8e48918997c17cc4293a75daef8c516c9290176f2d402eb3c01077252ba78a47181f305944d700e5fa2cad7c3ae19d19

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 15:13
Reported: 2024-06-14 15:17
Platform: android-x64-20240611.1-en
Max time kernel: 9s
Max time network: 148s

Command Line

org.bax.project

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

org.bax.project

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.179.226:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.200.46:443 | | tcp

Files

/data/data/org.bax.project/files/PersistedInstallation7427751373100030872tmp

MD5 f32eb24ef77489d702fd339a581647ef
SHA1 dd456ae1c7426e9d29ee427a36739ce0bf319e85
SHA256 cf61e8d3d811ccd5c1824028f1fc945751d23d5b835e1c4e277c24e439de14f7
SHA512 6ec726adb5a5be43187232e3b9f978ce809eb50e3ab1474f82273834ed1e533354c4a169d5a578ce1a0847a1e8f9ba8e45d9455d670e42a74cfe88f27fb81d49

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-14 15:13
Reported: 2024-06-14 15:17
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 10s
Max time network: 132s

Command Line

org.bax.project

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

org.bax.project

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.234:443 | | tcp
GB | 172.217.16.234:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp

Files

/data/data/org.bax.project/files/PersistedInstallation8151539339835258858tmp

MD5 a57431bbdd3d933b705b9db6426d23ee
SHA1 8e400deaf9cc15a717892b0f122e7ff823dd1c06
SHA256 07648122abb6063eded0b43cb14628711017d4c2e1ec0edefdc333d513b819d1
SHA512 83317f99c524499b937f94d6f62de227f07ab136142dea45d9d4a4e129a800f4fcdaa89317226b09baf520ce1def4f71fb430c5bc453fec2dc0996c6f5715db2

/data/data/org.bax.project/files/PersistedInstallation1065845671743391199tmp

MD5 3f15bdf14250b6ebe3569311670d5c49
SHA1 6ced7f709aef5a0a54aa5ea21c024fcfe89f2a10
SHA256 6cd789f562e38ba388022b2add1bfe36412af019b38aff75b34d41d839b14712
SHA512 1f581f001d7a157846445002f2452c75a3aaf232a4c95fcad933d881c577c2ba59ca2f4d30bc332eb9147c116dc31f2e1130258c77e0404266f8fe419907ab8d