Malware Analysis Report

2024-09-09 16:09

Sample ID: 240628-1z2zpstcjc
Target: 1e6cccce8a46aff2c607ee4092f5d2c778e3b0b6d7ae0ed7ac673e5702d0ddec.bin
SHA256: 1e6cccce8a46aff2c607ee4092f5d2c778e3b0b6d7ae0ed7ac673e5702d0ddec
Tags: irata discovery impact persistence collection credential_access
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 1e6cccce8a46aff2c607ee4092f5d2c778e3b0b6d7ae0ed7ac673e5702d0ddec
Threat Level: Known bad

The file 1e6cccce8a46aff2c607ee4092f5d2c778e3b0b6d7ae0ed7ac673e5702d0ddec.bin was found to be: Known bad.

Malicious Activity Summary

irata discovery impact persistence collection credential_access

Irata family

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Acquires the wake lock

Queries information about active data network

Queries the mobile country code (MCC)

Reads information about phone network operator

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-28 22:06

Signatures

Irata family

irata

Requests dangerous framework permissions

(Process and Target are N/A for every entry in this static analysis.)

android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.POST_NOTIFICATIONS: Allows an app to post notifications.
android.permission.READ_PHONE_STATE: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.INSTANT_APP_FOREGROUND_SERVICE: Allows an instant app to create foreground services.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.READ_CONTACTS: Allows an application to read the user's contacts data.
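The permission set above is the first thing worth triaging before any detonation result is read: on its own, SEND_SMS + READ_SMS + RECEIVE_SMS next to READ_CONTACTS and CALL_PHONE is the profile of an SMS-stealing, SMS-spreading spyware sample. The following script is an added example for this report, not part of the sandbox or of the sample's code. It parses the `uses-permission: name='...'` lines that `aapt dump badging <apk>` prints (or, as in the constructed sample embedded below, the permissions listed in this static1 section) and applies this example's own combination rules; the rule names and the "risk" scale are assumptions of the example, not the sandbox's scoring.

```python
"""Permission triage for an Android sample.

Added example for this report, not sandbox or sample code. Input is the
`uses-permission: name='...'` output of `aapt dump badging`, or the
constructed sample below built from the static1 section of this page.
The risk rules are this example's own heuristics.
"""
import re
from dataclasses import dataclass, field

# Grouped by what the combination lets a malicious app do, not by
# Android's own permission groups.
SMS_PERMS = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}
CALL_PERMS = {
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE",
}
CONTACT_PERMS = {"android.permission.READ_CONTACTS"}
DANGEROUS = SMS_PERMS | CALL_PERMS | CONTACT_PERMS

_USES_PERM_RE = re.compile(r"uses-permission:\s*name='([^']+)'")


def parse_aapt_permissions(badging_output: str) -> set[str]:
    """Return the permission names found in `aapt dump badging` output."""
    return set(_USES_PERM_RE.findall(badging_output))


@dataclass
class PermissionVerdict:
    dangerous: set[str] = field(default_factory=set)
    findings: list[str] = field(default_factory=list)

    @property
    def risk(self) -> str:
        if len(self.findings) >= 2:
            return "high"
        return "medium" if self.findings else "low"


def assess_permissions(perms: set[str]) -> PermissionVerdict:
    """Flag permission combinations typical of SMS-stealing spyware."""
    v = PermissionVerdict(dangerous=perms & DANGEROUS)
    if SMS_PERMS <= perms:
        v.findings.append(
            "SEND_SMS+READ_SMS+RECEIVE_SMS: full SMS control, incoming "
            "OTP/2FA codes can be read and forwarded")
    elif {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"} <= perms:
        v.findings.append("READ_SMS+RECEIVE_SMS: incoming SMS can be intercepted")
    if {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"} <= perms:
        v.findings.append(
            "SEND_SMS+READ_CONTACTS: can message the victim's contacts (SMS spreading)")
    if "android.permission.CALL_PHONE" in perms:
        v.findings.append(
            "CALL_PHONE: can place calls without the dialer's confirmation UI")
    return v


# Constructed sample in aapt's badging line format: the permissions listed
# under static1 on this page, plus INTERNET (assumed; the report only lists
# the dangerous ones).
SAMPLE_BADGING = """\
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.POST_NOTIFICATIONS'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.INSTANT_APP_FOREGROUND_SERVICE'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
"""


def triage_sample() -> PermissionVerdict:
    """Run the rules over the constructed sample."""
    return assess_permissions(parse_aapt_permissions(SAMPLE_BADGING))


if __name__ == "__main__":
    verdict = triage_sample()
    print(f"risk={verdict.risk} dangerous={sorted(verdict.dangerous)}")
    for finding in verdict.findings:
        print(" -", finding)
```

Run it against real output with `aapt dump badging sample.apk | python3 triage.py` after swapping `SAMPLE_BADGING` for `sys.stdin.read()`. The point of the combination rules is that no single permission here is conclusive (READ_PHONE_STATE and POST_NOTIFICATIONS are requested by plenty of legitimate apps); the verdict comes from SMS control plus contacts plus calls in one manifest.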

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-28 22:06
Reported: 2024-06-28 22:20
Platform: android-x86-arm-20240624-en
Max time kernel: 4s
Max time network: 131s

Command Line

com.drnull.v5

Signatures

(Process and Target are N/A for every indicator below.)

Acquires the wake lock
Indicator: framework service call android.os.IPowerManager.acquireWakeLock

Queries information about active data network
Tactic: discovery
Indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Queries the mobile country code (MCC)
Tactic: discovery
Indicator: framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Reads information about phone network operator
Tactic: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)
Tactic: persistence
Indicator: framework service call android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)
Tactic: impact
Indicator: framework API call javax.crypto.Cipher.doFinal

Checks memory information
Indicator: file opened for read /proc/meminfo

Processes

com.drnull.v5

Network

Country  Destination          Domain                              Proto
N/A      224.0.0.251:5353     -                                   udp
GB       142.250.200.42:443   -                                   tcp
US       1.1.1.1:53           semanticlocation-pa.googleapis.com  udp
GB       216.58.204.78:443    -                                   tcp
US       1.1.1.1:53           android.apis.google.com             udp
GB       142.250.200.46:443   android.apis.google.com             tcp

Files

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 a14e61b424b618e0ce518842fe3ca063
SHA1 a586a3054570dc8c2c4479021616a918740250cf
SHA256 689fe75d48f97a631fb7f4a6180c69fa73e5fcbef3480f131e9f38cb1000e409
SHA512 d29a8c809cbacf462f9306bc233247e26412ea7b14616eff6b6375a8d02eff4d369cfbfc6a2755bf68986c4da0ed495ea82c8d686a59f2a374c216c1d2c97903

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-wal

MD5 013805fcbbcaf3ffd536f473dcdc43d0
SHA1 1f012f18c496adaacac34025860a66a3d364cd86
SHA256 7aaa54ef821abdd8e0bb35ac96e45920c800a31ae59430ebd6ac4578b460c3dd
SHA512 2fda0a887ddc1f40b8b126283839d5c97a269b8c4e38e6f56c23ed4e613e244a7e1763e63416d278ec315206a71a2ecc35c6a4bddac36b7a66d2443948993ada

/data/data/com.drnull.v5/files/PersistedInstallation274192167816487542tmp

MD5 9750123e9c296b09d5a8650d65dc3925
SHA1 1cceb308e01c1e631d67b909c607f613aa8bd4e2
SHA256 5f94b8d94f3aa361de5577f96f49b8a5399fb1c3c413af7da3e3f1eaeb5eee03
SHA512 c42a81af2f7ae5d424921fd4f7e08465d6bd0cfc385ec37851b09ef94a677473a32635e0090f83d8b0d1fcdebe14fb8d456cd1aae4baa1f352ba854c7090a987

/data/data/com.drnull.v5/files/database.db

MD5 1794e2ed4d5fced9d0ab7b976a02b9d3
SHA1 017ac8570cf473e4c0dc723f470d010cc3579cbe
SHA256 6e55f4a5d30a56fabfdb1b75e93a68e3dbf8424342c086a4092d74fb0ec86d48
SHA512 b5ae11f69c86fb76b0f14efb85dd9905bd0423161979062e245a55cd1488d66c34bb9a2658a54073b4e54f485b14f1859163df5f032e1514dcb552a0875a5114

/data/data/com.drnull.v5/files/PersistedInstallation9045562974478837566tmp

MD5 9001c307718516e8c73a59924ca93c08
SHA1 813f8df4b32b141c213744954c31dc16a496537f
SHA256 8e4bf644d9e3302f9257ad0cf1e320d11d5d9e2d84e788b200818a13e51703c1
SHA512 d7266358aef56a9e38e19d6e7e550a0fc2a9aa29606a43011f6f294d758efc113097896db8e1520cc74ed7301174988cc8d4e1246e9fe6af8d9dd6fc8771f3fc

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-28 22:06
Reported: 2024-06-28 22:20
Platform: android-x64-arm64-20240624-en
Max time kernel: 5s
Max time network: 132s

Command Line

com.drnull.v5

Signatures

(Process and Target are N/A for every indicator below.)

Obtains sensitive information copied to the device clipboard
Tactics: collection, credential_access, impact
Indicator: framework service call android.content.IClipboard.addPrimaryClipChangedListener

Acquires the wake lock
Indicator: framework service call android.os.IPowerManager.acquireWakeLock

Queries information about active data network
Tactic: discovery
Indicator: framework service call android.net.IConnectivityManager.getActiveNetworkInfo

Reads information about phone network operator
Tactic: discovery

Uses Crypto APIs (Might try to encrypt user data)
Tactic: impact
Indicator: framework API call javax.crypto.Cipher.doFinal

Checks memory information
Indicator: file opened for read /proc/meminfo

Processes

com.drnull.v5

Network

Country  Destination          Domain                   Proto
GB       216.58.212.238:443   -                        tcp
GB       216.58.212.238:443   -                        tcp
US       1.1.1.1:53           android.apis.google.com  udp
GB       216.58.204.78:443    android.apis.google.com  tcp
N/A      224.0.0.251:5353     -                        udp
GB       172.217.16.234:443   -                        tcp
GB       172.217.16.234:443   -                        tcp
US       1.1.1.1:53           ssl.google-analytics.com udp
GB       216.58.201.104:443   ssl.google-analytics.com tcp
GB       142.250.187.228:443  -                        tcp
GB       142.250.187.228:443  -                        tcp

Files

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 9ebc797ab10d708c3d274d65483aa8f0
SHA1 a6846f2c18eb6b866e30aa82238f3af9687ccd4a
SHA256 834d6515f2337fc774666eafd61a49ce326dd3653adc459d1f9e0889729b5864
SHA512 d409d1f7bd36a3954f12525ea891f20b76529d5026ad70c0cb8aa9db6f025a892690cb24e023be5fe3b63ba4b9f2594797eb8c2ac1c0563b3d1adfd1b0d75c59

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events

MD5 e33078906b0e56528105ca39058f3030
SHA1 90ec97559cfdfaa67764dab3f1d0da3b5909f02a
SHA256 130964bcd08d971753e6eba87980ba6b6d4ac4b61fc4644dd80896a1653ff8d8
SHA512 4d8537258e23ada1ba2f2580b70c3083bcd18a8d48954617f450e76dbd6fedc6e2dbb9c77f9a66c5d9a201887c08b84e0a5a0674d585531ca1409eb4d1f00135

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 a296c582b55dfd122d7a0dae925a23a8
SHA1 dbdcabc44640c84c1c77d511c29ac60704cac5f9
SHA256 1dba073735fda759cb8202b38d3354707074f6c74d8e103d48e549210b8243e3
SHA512 f2ad6bdc849b26c51fbd8d663330a7bd54fce63ff80b8769edfb0ee8c299800e7b4f70f534c52b6f0240bb7e372049ae7bc4d5eb615a416c2c68a70df76a5d50

/data/data/com.drnull.v5/files/PersistedInstallation426461025295228060tmp

MD5 b03e131189b09972ea1bf5709756ab6a
SHA1 20622dbeef5e532d1cea04c3ddd986f8049849e3
SHA256 3ee336181c5a297aa282c2ee37dad777b00cb230be83c58bca24e10bd006c251
SHA512 56ea2ed7eb069e40e587bbcb7ce96ffa28b7ce98da0ddc79844f6957955d4b074488fd7ec233451dfbceb969cf2862a54f63059df2ce30dbee5e85f26d4d4c6d

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 3cc6ed59a663502b9c8e26a7a9fd7170
SHA1 2b014a87803bf5f63f2be76317fcabe6296b05ee
SHA256 fbf8bc324c78e8369ad6a9209b6a20083a092f893eed62df928977b8561dda0a
SHA512 c6dfc11034c5d89d7a1bf71bc33853d2f2e9fa5010fa5c6aceba90ac32edd724798d976d50bad26e57df6a398c9b29a31ae1510f99e71b909f5c0b8c4112e303

/data/data/com.drnull.v5/files/PersistedInstallation6957834668154504640tmp

MD5 74d131d6b06dfd6030ce37689770c77d
SHA1 e31a08965f581a63bc729ffd6ad1476eda07315a
SHA256 8b8d22971488299123bce10852023806a8fa66989fce1d59e3a2fb4236456f2e
SHA512 ce8038617c737d4ffb10869e6802637dbaac74a7e7d8167cd4abcc517e3dc3335ae686d9bb1e214ede565bed861ec0861a2dd7499f4f3fc82337a0062dd4004c

/data/data/com.drnull.v5/files/database.db

MD5 d843b7fb4ba0ab475fd9a649e2f46b4c
SHA1 33d841027b55fd2fdfecc1acea67e18df4df77fe
SHA256 b7148b29a91b2c3ffd27ca6973c1f076f57a9f0de041fbc6a93a026c5d3c9c00
SHA512 35207281a5549dd2ff9c3cfcca6c140befcc5f73a3642d6cd95ae66511568507d18edceffb2bbe9189ea20147f32d2decda73de153dee78f72e3e1ef26e774b7
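Two things in the Network and Files sections of both detonations deserve a check before anything from them is pushed into a blocklist. First, the only domains the sandbox resolved in either run are Google ones (android.apis.google.com, semanticlocation-pa.googleapis.com, ssl.google-analytics.com), and the rows with a bare IP and no domain carry no resolver answer on the page, so they cannot be attributed from the report alone. Second, the same path (for example /data/data/com.drnull.v5/files/database.db and the datatransport events journal) has a different hash in behavioral1 and behavioral2, so those runtime files are not stable indicators. The script below is an added example for this report, not sandbox tooling: it parses the row layout used on this page (with or without a "-" placeholder in the Domain column), filters out mDNS, DNS lookups and an assumed allowlist of Google/Firebase SDK domains, keeps the unattributed IPs for manual review, and lists paths whose hash changed between runs. The constructed inputs are copied from the sections above.

```python
"""Turn the Network and Files sections of this report into reviewable indicators.

Added example, not part of the report or the sandbox. The SDK domain
allowlist is this example's assumption about which destinations belong
to the Google/Firebase libraries bundled in the app.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

_NET_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}|N/A)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+"
    r"(?:(?P<domain>[\w.-]+)\s+)?(?P<proto>tcp|udp)$"
)
_HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")

# Assumed: these suffixes are SDK telemetry/config traffic, not C2.
SDK_DOMAIN_SUFFIXES = ("googleapis.com", "google.com", "google-analytics.com")
MDNS_GROUP = "224.0.0.251"


@dataclass(frozen=True)
class Connection:
    country: str
    ip: str
    port: int
    domain: str | None
    proto: str


@dataclass
class DroppedFile:
    path: str
    hashes: dict[str, str] = field(default_factory=dict)


def parse_network(section: str) -> list[Connection]:
    """Parse 'Country Destination Domain Proto' rows; '-' means no domain."""
    rows = []
    for line in section.splitlines():
        m = _NET_RE.match(line.strip())
        if m:
            domain = m["domain"] if m["domain"] not in (None, "-") else None
            rows.append(Connection(m["cc"], m["ip"], int(m["port"]), domain, m["proto"]))
    return rows


def parse_files(section: str) -> list[DroppedFile]:
    """Parse 'path' blocks followed by 'ALGO hexdigest' lines."""
    files: list[DroppedFile] = []
    for line in section.splitlines():
        line = line.strip()
        if line.startswith("/"):
            files.append(DroppedFile(line))
        elif files and (m := _HASH_RE.match(line)):
            files[-1].hashes[m[1]] = m[2]
    return files


def unexplained_destinations(conns: list[Connection]) -> list[Connection]:
    """Drop mDNS, DNS lookups and allowlisted SDK domains; keep the rest.

    Bare-IP rows are kept on purpose: the report gives no resolver answer
    for them, so they need an ASN/reverse lookup outside this script.
    """
    return [
        c for c in conns
        if c.ip != MDNS_GROUP and c.port != 53
        and not (c.domain and c.domain.endswith(SDK_DOMAIN_SUFFIXES))
    ]


def unstable_paths(run_a: list[DroppedFile], run_b: list[DroppedFile],
                   algo: str = "SHA256") -> list[str]:
    """Paths written in both runs whose hash changed: poor blocklist IOCs."""
    a = {f.path: f.hashes.get(algo) for f in run_a}
    b = {f.path: f.hashes.get(algo) for f in run_b}
    return sorted(p for p in a.keys() & b.keys() if a[p] != b[p])


# Constructed inputs copied from the behavioral1/behavioral2 sections.
NET_B1 = """\
Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
"""
FILES_B1 = """\
/data/data/com.drnull.v5/files/database.db

MD5 1794e2ed4d5fced9d0ab7b976a02b9d3
SHA256 6e55f4a5d30a56fabfdb1b75e93a68e3dbf8424342c086a4092d74fb0ec86d48
"""
FILES_B2 = """\
/data/data/com.drnull.v5/files/database.db

MD5 d843b7fb4ba0ab475fd9a649e2f46b4c
SHA256 b7148b29a91b2c3ffd27ca6973c1f076f57a9f0de041fbc6a93a026c5d3c9c00
"""

if __name__ == "__main__":
    for c in unexplained_destinations(parse_network(NET_B1)):
        print("review:", c)
    print("unstable:", unstable_paths(parse_files(FILES_B1), parse_files(FILES_B2)))
```

On the behavioral1 rows this leaves exactly the two bare-IP TCP connections for review and reports database.db as unstable across runs; the sample's own SHA256 in the header is the indicator to distribute, not the per-run file hashes.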