Malware Analysis Report

2024-09-09 16:09

Sample ID 240627-a7gqmawepl
Target edlir.apk
SHA256 ba52d0bd1826ecaf674d68130b209e86e4297a831b181e95a9da16a4ff838772
Tags irata, discovery
Score 10/10


Analysis Overview

Score 10/10

SHA256 ba52d0bd1826ecaf674d68130b209e86e4297a831b181e95a9da16a4ff838772

Threat Level: Known bad

The file edlir.apk was found to be: Known bad.

Malicious Activity Summary

irata discovery

Irata family

Irata payload

Requests dangerous framework permissions

Acquires the wake lock

Queries information about active data network

Reads information about phone network operator.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-27 00:51

Signatures

Irata family

irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 00:51

Reported

2024-06-27 00:54

Platform

android-x86-arm-20240624-en

Max time kernel

2s

Max time network

136s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.temptation.lydia

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.14:443 | android.apis.google.com | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation7731939809932641710tmp

MD5 db93f02690ef856873a79dfe16400a7f
SHA1 035e8f841dd841e50a159b7a140d05c4614bdf73
SHA256 a38358f281f5651ecb1aa6a7038dc7ccf53f2713b8e1cb16368085e4510cbd0f
SHA512 5d5ebe03c67a9fd73bec8b649da4f13a5ac3bd04aebf617e34f9815823ef2e66b9fc7e842cf3bf899fe105661fc7ca3003eb7381fc73fe60aab81c0ac28046de

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-27 00:51

Reported

2024-06-27 00:54

Platform

android-x64-20240624-en

Max time kernel

2s

Max time network

135s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.temptation.lydia

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation8090528826866887447tmp

MD5 a0c3f1f51cefbfad3001ad3a7173362d
SHA1 d22024921017451d62ee92553524a92ecb51a17f
SHA256 5cb4845ba6a854a4381569eb539b503d009d80e48edf1ee25d32275a5ae362a3
SHA512 151ed2227af2c6298a7901fdeb47d1e09fa429af24b12c4ca1b142feb9eda9ebd63793d7f9a0eec4842434fd876812fadd620fc846753e4d66c3effdc2da70c6

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-27 00:51

Reported

2024-06-27 00:54

Platform

android-x64-arm64-20240624-en

Max time kernel

3s

Max time network

132s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Processes

com.temptation.lydia

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.204.74:443 | | tcp
GB | 216.58.204.74:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation8297220252616141174tmp

MD5 8c4287b29773815b041b7e981029193a
SHA1 058b7a11a7c27fd1e44586dbe394f3c00d9c87ab
SHA256 b11b07f1de6aff676f4f185e2e7600b7ad040e00da813b0a048a646e1ee0ba3a
SHA512 5722752e4c119063009150407a257fdc14995e06ef946d0424fdb547b90251095cb4f2a366539ec523b355f80765abb2a9ecdf8abf94ae50fb06fc47e4b4050e