Malware Analysis Report

2024-09-09 16:08

Sample ID 240623-at7d5asarg
Target 6a944ca56981593bbe69ce973705fd9b65d3d1c1b7452dd3b3080f48cd7c65c0.bin
SHA256 6a944ca56981593bbe69ce973705fd9b65d3d1c1b7452dd3b3080f48cd7c65c0
Tags
irata discovery impact persistence collection credential_access
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6a944ca56981593bbe69ce973705fd9b65d3d1c1b7452dd3b3080f48cd7c65c0

Threat Level: Known bad

The file 6a944ca56981593bbe69ce973705fd9b65d3d1c1b7452dd3b3080f48cd7c65c0.bin was found to be: Known bad.

Malicious Activity Summary

irata discovery impact persistence collection credential_access

Irata family

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Acquires the wake lock

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-23 00:31

Signatures

Irata family

irata

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an instant app to create foreground services. | android.permission.INSTANT_APP_FOREGROUND_SERVICE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

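The permission list above is the static indicator that carries the most signal: RECEIVE_SMS plus READ_SMS lets an app read one-time codes as they arrive, READ_CONTACTS gives it a spread list, and SEND_SMS lets it use that list. The script below is an added example (it is not output of the sandbox and not code from the sample): it parses a manifest, keeps the permissions at the "dangerous" protection level, and reports which capability clusters the combination forms. The manifest is constructed from the eight permissions listed in the report; the DANGEROUS set, the cluster names and the stealer-profile heuristic are this script's own assumptions.

```python
"""Triage the permission set of an AndroidManifest.xml.

Added example, not part of the sandbox report. The manifest below is
CONSTRUCTED from the permissions the static1 analysis lists; the protection
levels, cluster names and heuristic are assumptions of this script.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: only the permissions the report lists, nothing else.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.drnull.v5">
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INSTANT_APP_FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

# Assumed: runtime-granted ("dangerous") permissions relevant to this sample.
# INSTANT_APP_FOREGROUND_SERVICE is deliberately absent: it is not dangerous.
DANGEROUS = {
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.POST_NOTIFICATIONS",  # dangerous from API 33
}

# Assumed capability clusters. A cluster fires only when ALL of its
# permissions are present, which separates an OTP thief (receive + read)
# from a messaging app that only asks for SEND_SMS.
CLUSTERS = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_send": {"android.permission.SEND_SMS"},
    "contact_harvest": {"android.permission.READ_CONTACTS"},
    "silent_call": {"android.permission.CALL_PHONE"},
    "device_fingerprint": {"android.permission.READ_PHONE_STATE"},
}


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    key = f"{{{ANDROID_NS}}}name"
    return {el.get(key) for el in root.iter("uses-permission") if el.get(key)}


def triage(manifest_xml: str) -> dict:
    """Summarise dangerous permissions and the clusters they form."""
    perms = requested_permissions(manifest_xml)
    dangerous = sorted(perms & DANGEROUS)
    clusters = sorted(name for name, need in CLUSTERS.items() if need <= perms)
    # Assumed heuristic: intercepting SMS together with harvesting contacts is
    # the profile of an SMS-stealing banker/OTP thief.
    stealer_profile = {"sms_interception", "contact_harvest"} <= set(clusters)
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "dangerous": dangerous,
        "clusters": clusters,
        "sms_stealer_profile": stealer_profile,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MANIFEST), indent=2))
```

Run it against a decoded manifest (for example the output of apktool) instead of SAMPLE_MANIFEST to apply the same check to a new sample; the cluster test is what you want to tune, since a single dangerous permission in isolation is rarely a useful alert.
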
Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 00:31

Reported

2024-06-23 00:34

Platform

android-x86-arm-20240611.1-en

Max time kernel

5s

Max time network

137s

Command Line

com.drnull.v5

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.drnull.v5

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 216.58.212.238:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp

Files

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 b694e4a8c044eb94d9a2c3640f992b4d
SHA1 246739de022b9ecb88e3e86908e884f98380adda
SHA256 997643e221ffa6cf0e6f5df372dbc906277e9986fcac6ffef64575148923033f
SHA512 573f29014c2a9da336a236d9701d304267b0bd3aa11863c477147dd201598a2cd36821ec2be848c099d9ee5d5c87a71a9df9933e1939c486082945515fd426d3

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-wal

MD5 d7e7707b0487f8449aa242bcf2fda892
SHA1 a5bc05eb9d08f2d67bb6681d5695775866797747
SHA256 8a30772390656afae2e581f06826d74ca41d234c4d24d543fbf9fc3daa38ebb7
SHA512 fec4bcb808cf2f648bd654635cec616403c2f73abc49a80dad700770cc3032da14aab18407581343cf798c7a29addf3b6df059d6eecfdf912a1aa5beddcf915e

/data/data/com.drnull.v5/files/PersistedInstallation3982521037690819734tmp

MD5 88a15df18135fa72e83852bed2f8ea6c
SHA1 45f13fc669d159cd5f42075e93956a8bdd1d8c17
SHA256 c1cfdd0ae9a0055f8e9cbc4ceb562105d9a7c78b07ab9da6256a93a255bbb96d
SHA512 da4d738f7571f40b3b4da4d6d534d88ae8dd5abf31a6da931bff4ffaedda1407e48d8a8b29724e2099307899aaf0a263d14bba4285e7273ce5525eb04468115f

/data/data/com.drnull.v5/files/database.db

MD5 327d550bd7bb1037cecbcdd268dbff5b
SHA1 caccd83cf7952d5d835881b66f815e394c5f5dce
SHA256 0370299e37230d2d0df3884666e5523dce6275ceac5f0ba3ff2cd55ef56e2602
SHA512 9c6e1a849573a1f95c61e8f52a62772778a1a931bb3ec5c899729f2faa4231f057da223da4abf2dcbb4b923ee1b889cef366793c57e7710898f8e411d9d85ae7

/data/data/com.drnull.v5/files/PersistedInstallation4720048523951226213tmp

MD5 173133b2d5b00ab98135f4cb411cb96d
SHA1 549500528378b4a92dfae80cf867e7f40a76fd82
SHA256 dd03194c73ba513c6b6746a83820d27a975f0596dd1554c8b5e4dd13e83fb9a5
SHA512 82d613eb45782b83cdb2755e9a9c75957932f7b336c032a1177cbc54eb70316b1caa6f29a20d3a78e8722366eff5c10d58b5db94febcabbdd268131c1161a3ba

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 00:31

Reported

2024-06-23 00:34

Platform

android-33-x64-arm64-20240611.1-en

Max time kernel

8s

Max time network

132s

Command Line

com.drnull.v5

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.drnull.v5

Network

Country | Destination | Domain | Proto
GB | 172.217.169.68:443 | - | udp
BE | 142.250.110.188:5228 | - | tcp
GB | 172.217.169.68:443 | - | tcp
GB | 172.217.16.228:443 | - | tcp
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.187.206:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
GB | 172.217.16.234:443 | remoteprovisioning.googleapis.com | tcp
US | 172.64.41.3:443 | - | tcp
US | 172.64.41.3:443 | - | tcp
GB | 142.250.180.3:443 | - | tcp
US | 172.64.41.3:443 | - | udp
US | 34.104.35.123:80 | - | tcp
GB | 142.250.180.3:443 | - | udp
GB | 172.217.169.68:443 | - | udp
GB | 142.250.179.228:443 | - | udp
GB | 142.250.179.228:443 | - | tcp
GB | 142.250.179.228:443 | - | tcp
GB | 142.250.179.228:443 | - | tcp

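Most rows in the table above are platform noise from an Android 13 emulator (mDNS, Cloudflare DNS, Google Play services including the 5228 push channel, remote key provisioning). The only destination with no resolved name and no Google ownership is 172.64.41.3, a Cloudflare edge, which tells you nothing until the fronted hostname is recovered from the TLS SNI in the capture or from the APK. The script below is an added example, not output of the sandbox: it buckets the rows of the behavioral2 table so that only destinations worth a pivot remain. The rows are copied from the report; the prefix-to-owner map and the bucket rules are this script's own assumptions about well-known public allocations.

```python
"""Bucket the destinations of a sandbox network table into noise and pivots.

Added example, not part of the sandbox report. BEHAVIORAL2_ROWS is copied
from the report; KNOWN_PREFIXES and the bucket rules are assumptions.
"""
import ipaddress

# Copied from the report as (country, destination, domain, proto);
# domain is "" where the table shows none.
BEHAVIORAL2_ROWS = [
    ("GB", "172.217.169.68:443", "", "udp"),
    ("BE", "142.250.110.188:5228", "", "tcp"),
    ("GB", "172.217.169.68:443", "", "tcp"),
    ("GB", "172.217.16.228:443", "", "tcp"),
    ("N/A", "224.0.0.251:5353", "", "udp"),
    ("GB", "142.250.187.206:443", "", "tcp"),
    ("US", "1.1.1.1:53", "android.apis.google.com", "udp"),
    ("GB", "142.250.178.14:443", "android.apis.google.com", "tcp"),
    ("US", "1.1.1.1:53", "remoteprovisioning.googleapis.com", "udp"),
    ("GB", "172.217.16.234:443", "remoteprovisioning.googleapis.com", "tcp"),
    ("US", "172.64.41.3:443", "", "tcp"),
    ("GB", "142.250.180.3:443", "", "tcp"),
    ("US", "172.64.41.3:443", "", "udp"),
    ("US", "34.104.35.123:80", "", "tcp"),
    ("GB", "142.250.180.3:443", "", "udp"),
    ("GB", "142.250.179.228:443", "", "udp"),
    ("GB", "142.250.179.228:443", "", "tcp"),
]

# Assumed owner map (public allocations); extend it per sandbox platform.
KNOWN_PREFIXES = [
    ("224.0.0.0/4", "multicast"),
    ("1.1.1.0/24", "cloudflare resolver"),
    ("142.250.0.0/15", "google"),
    ("172.217.0.0/16", "google"),
    ("216.58.192.0/19", "google"),
    ("34.64.0.0/10", "google cloud"),
    ("172.64.0.0/13", "cloudflare cdn"),
]
NETS = [(ipaddress.ip_network(p), owner) for p, owner in KNOWN_PREFIXES]


def classify(dest: str, domain: str) -> tuple[str, str]:
    """Return (bucket, note) for one destination 'ip:port'."""
    ip_str, port = dest.rsplit(":", 1)
    ip = ipaddress.ip_address(ip_str)
    owner = next((o for net, o in NETS if ip in net), None)
    if owner is None:
        return "unknown", "no owner in map; pivot on this first"
    if owner == "cloudflare cdn":
        # A CDN edge is only useful with the fronted hostname.
        return "cdn_fronted", domain or "no DNS answer in table; recover SNI from pcap"
    if owner == "google cloud":
        # Anyone can rent GCP; plaintext port 80 content is worth a look.
        return "cloud_hosted", f"{owner}; inspect port {port} content"
    if owner == "google" and port == "5228":
        return "platform", "FCM/GCM push channel (Play services)"
    return "platform", domain or owner


def triage(rows) -> dict:
    """Deduplicate destinations and group them by bucket."""
    out = {"unknown": [], "cdn_fronted": [], "cloud_hosted": [], "platform": []}
    seen = set()
    for _country, dest, domain, _proto in rows:
        if dest in seen:
            continue
        seen.add(dest)
        bucket, note = classify(dest, domain)
        out[bucket].append((dest, note))
    return out


if __name__ == "__main__":
    for bucket, items in triage(BEHAVIORAL2_ROWS).items():
        for dest, note in items:
            print(f"{bucket:12} {dest:24} {note}")
```

The point of the bucketing is what it leaves behind: for this detonation the "unknown" bucket is empty, so the next step is not the IP list but the pcap (SNI for 172.64.41.3) and the strings or decrypted config of com.drnull.v5.
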
Files

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 8b73f8d4e9471cf38ff221f971adeb64
SHA1 8dccfed1248ddf079a86480fd66b93a47e493292
SHA256 57c0343e9f9fd4afd6ef5eec369eeb6e5542b9ff5f67a6d5874e440e794c2d21
SHA512 5a07463140bee71b1cfb943f41ac52062b98b648940e9de5eb0c7491ef1f40f972fc27d9a3f26369c8d57ec61884cc287083928319e19d12caedfa16dfa78b84

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events

MD5 8859ec16aefc92b343749216078694f0
SHA1 290466447b74d8aca76d6f2b28e7d18ac17acac0
SHA256 fd6ca2299282e4b99de92a030b0c47f49957da32fb885c06381f7f8d03a4aea0
SHA512 3f6b973024e31c338cb02c83865b33800d43019b42be4423e4916f0a8777466e1fb0232c8efd5215d1481009c065d2f8c00c7acf3392c7806ea29078b0f29114

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 f1765208c6ab8d5788f637cfd8753eb7
SHA1 0c0f16d7e02f6ced9225e60291fd7b8b04d2a134
SHA256 1b95e3201f4ad226f76763599e4b8607e90a20b366a541f77602605cdcd582d7
SHA512 6f60e2d5bac7a68c20dd9a0245e51e40da7ad42995d23813d31fc8dc417317c4a98731f961c9cb682f96d8602476263c0a6de2fb613fe7b38fce4a60c10a1d57

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 762087e3c2813b48b66235f6fab6e5b1
SHA1 e2308629bbe8e5100c3ef23f4688c2bea6992867
SHA256 aa6505a89f7353bf3a29d8396de2b5e6c43214e9d8995cd03547f35c3c83a53c
SHA512 8ed184496c364b2a118dc233b857be72404fbc4aa474ac9402470416b76da47e9783b3883a7f670024f9f3392bc5f51e78d65116e7aa5279018669fe2111b49b

/data/data/com.drnull.v5/files/PersistedInstallation5654834791709532223tmp

MD5 f357c41de9131e2bf16c2255b97da7cd
SHA1 06076771b3133d1d3722e7bdaae0e0647d149bed
SHA256 5d34b079d536dd02597f8cbe2a58f271136e1d8af1b9936f42eca108844a7914
SHA512 c69f76bed59780a8e50b3d758b3e4993024b09f9e8d065fe13b21d1504d2daae2d49b1002f2238af4f1bc9723cc087ebf6e1c42aa6498f55461b3a025a6ca2df

/data/data/com.drnull.v5/files/PersistedInstallation3047339848606866946tmp

MD5 96fb9ea3da4893bf3025e77c02f7fa5c
SHA1 646f22a0be4b76b89ab85747a28ebd3225c8307b
SHA256 7679f89b2a2becd0e65e2631427d12b7b5b480e8b095c7c926ae826b308cdc7a
SHA512 c4c2a6b22d0740b3e73e448c0536e00e4065868bc7e35087fc8d4fae0d27851323e1b7f18a997d9f076557e7861550b7b44ac00e84bfa0a952bc839e56d255d2

/data/data/com.drnull.v5/files/database.db

MD5 57073ac7eba1780038cb8716f8b2269b
SHA1 1ea0167ec71383ed3a7773d5f2c56e2f97773d41
SHA256 c5b185e895fb396720928a714ad0a4256e5d1dbe5ee7f429e160fe9eb8fa3465
SHA512 9729e3004bd3e6f4d1c93a35c9eedca0d85bb1c325f75aec54405be4a9af035292503965786eb3207fab8fa8c1b708fc851c12a55b5784a8c969b78b6544ba9c