Malware Analysis Report

2024-09-09 16:10

Sample ID: 240628-b5apzaxbkk
Target: ba52d0bd1826ecaf674d68130b209e86e4297a831b181e95a9da16a4ff838772.apk
SHA256: ba52d0bd1826ecaf674d68130b209e86e4297a831b181e95a9da16a4ff838772
Tags: discovery, irata
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: ba52d0bd1826ecaf674d68130b209e86e4297a831b181e95a9da16a4ff838772
Threat Level: Known bad

The file ba52d0bd1826ecaf674d68130b209e86e4297a831b181e95a9da16a4ff838772.apk was found to be: Known bad.

Malicious Activity Summary

Tags: discovery, irata

Irata payload
Irata family
Requests dangerous framework permissions
Acquires the wake lock
Queries information about active data network
Reads information about phone network operator

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-28 01:43

Signatures

Irata family (irata)

Irata payload

    Description | Indicator | Process | Target
    (no indicator details recorded)

Requests dangerous framework permissions

    Permission                                | Description
    android.permission.POST_NOTIFICATIONS     | Allows an app to post notifications.
    android.permission.READ_SMS               | Allows an application to read SMS messages.
    android.permission.READ_PHONE_STATE       | Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
    android.permission.CALL_PHONE             | Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
    android.permission.ACCESS_COARSE_LOCATION | Allows an app to access approximate location.
    android.permission.RECEIVE_SMS            | Allows an application to receive SMS messages.
    android.permission.SEND_SMS               | Allows an application to send SMS messages.

No process or target is recorded for any of these entries, as expected for a static check: the permissions come from the manifest, not from observed behaviour. Taken together, READ_SMS, RECEIVE_SMS and SEND_SMS give the app full control of the device's SMS channel (reading stored messages, seeing incoming ones such as one-time codes, and sending messages on the user's behalf); CALL_PHONE lets it place calls without a confirmation prompt; READ_PHONE_STATE exposes the operator and network details that the behavioral runs below show it actually querying.
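The permission list above is what a triage script should pull out of the manifest automatically. The following is an added example (not part of the sandbox's output and not code from the sample): it parses a decoded AndroidManifest.xml with the standard library, reports which requested permissions fall in Android's dangerous set, and flags the read/receive/send SMS combination that lets an app intercept and forward one-time codes. The embedded manifest is constructed to mirror the static1 permission table; the DANGEROUS set is a triage subset rather than Android's full list, and the capability labels (sms_interception, sms_sending, silent_calling, device_fingerprinting) are this example's own names.

```python
"""Flag dangerous Android permissions in a decoded AndroidManifest.xml.

Added example for this report, not sandbox output or sample code. It assumes
the manifest has already been decoded to text XML (e.g. with apktool). The
sample manifest below is constructed to mirror the static1 permission table.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Triage subset of Android's runtime ("dangerous") permissions; not exhaustive.
DANGEROUS = {
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
}

# Permission sets that together enable a capability. Labels are this
# example's own; a capability is present only if every permission is requested.
CAPABILITIES = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "silent_calling": {"android.permission.CALL_PHONE"},
    "device_fingerprinting": {"android.permission.READ_PHONE_STATE"},
}

# Constructed sample: the seven permissions from the static1 table plus INTERNET.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.temptation.lydia">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Lydia"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return every android:name on a <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        name = elem.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.append(name)
    return names


def triage_permissions(manifest_xml):
    """Summarise dangerous permissions and the capabilities they enable."""
    requested = set(requested_permissions(manifest_xml))
    dangerous = sorted(requested & DANGEROUS)
    capabilities = sorted(
        cap for cap, needed in CAPABILITIES.items() if needed <= requested
    )
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "dangerous": dangerous,
        "capabilities": capabilities,
        # Reading, receiving and sending SMS in one app is the profile of an
        # SMS stealer (OTP interception plus outbound messaging); flag it.
        "sms_stealer_profile": {"sms_interception", "sms_sending"} <= set(capabilities),
    }


if __name__ == "__main__":
    for key, value in triage_permissions(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run it against `apktool d sample.apk` output by reading the decoded AndroidManifest.xml into `triage_permissions`; the same function works on any manifest, so it generalises beyond this sample's permission list.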

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-28 01:43
Reported: 2024-06-28 01:46
Platform: android-x86-arm-20240624-en
Max time kernel: 2s
Max time network: 133s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

    Description            | Indicator                                | Process | Target
    Framework service call | android.os.IPowerManager.acquireWakeLock | N/A     | N/A

Queries information about active data network (discovery)

    Description            | Indicator                                             | Process | Target
    Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A     | N/A

Processes

com.temptation.lydia

Network

    Country | Destination        | Domain                             | Proto
    N/A     | 224.0.0.251:5353   | -                                  | udp
    GB      | 142.250.200.42:443 | -                                  | tcp
    US      | 1.1.1.1:53         | semanticlocation-pa.googleapis.com | udp
    GB      | 216.58.204.78:443  | -                                  | tcp
    US      | 1.1.1.1:53         | android.apis.google.com            | udp
    GB      | 142.250.200.46:443 | android.apis.google.com            | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation434176062709993783tmp

    MD5    d12be5fb861596d114bc07e200b16e56
    SHA1   9c96e56ecceb13df8a5dedc614fafd7b8005b137
    SHA256 c1375a755f257062a18fe302fa108b74ae087f6d58e97b99cea358513600b52b
    SHA512 862776b148df50983ee00a0eda8faf446f2e17cc9ce3e2a7f1a38b9f45c21af7434ef369e112710a946993f82bd8808502c5e0ffc787b79c241f1f3f6e9340a5

The PersistedInstallation<number>tmp name matches the temporary file the Firebase Installations SDK creates when it first registers an installation, so this artifact points to a bundled Firebase SDK rather than to a malware-specific dropped file; its hashes differ between runs because the content includes a per-installation identifier.

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-28 01:43
Reported: 2024-06-28 01:46
Platform: android-x64-20240624-en
Max time kernel: 2s
Max time network: 131s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

    Description            | Indicator                                | Process | Target
    Framework service call | android.os.IPowerManager.acquireWakeLock | N/A     | N/A

Queries information about active data network (discovery)

    Description            | Indicator                                             | Process | Target
    Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A     | N/A

Reads information about phone network operator (discovery)

    (no indicator details recorded)

Processes

com.temptation.lydia

Network

    Country | Destination         | Domain                   | Proto
    N/A     | 224.0.0.251:5353    | -                        | udp
    US      | 1.1.1.1:53          | ssl.google-analytics.com | udp
    GB      | 172.217.16.232:443  | ssl.google-analytics.com | tcp
    GB      | 142.250.180.14:443  | -                        | tcp
    US      | 1.1.1.1:53          | android.apis.google.com  | udp
    GB      | 142.250.200.46:443  | android.apis.google.com  | tcp
    GB      | 172.217.16.228:443  | -                        | tcp
    GB      | 172.217.16.228:443  | -                        | tcp
    GB      | 216.58.213.10:443   | -                        | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation1483569181832291211tmp

    MD5    aede050a5e3460e03af643a222e33eb9
    SHA1   da390659c71426a2d7234ed1608909f61b04b82e
    SHA256 f3d10e165d671bab345ef5746b3ceac36cd55e6b837b6c55ae6b03448e6b4cfe
    SHA512 055fb83473cc0e73cc3b2c8b01ed123f51a5b5fc37f8c331c774ef9684f0de9d04460632558e407ed47ef262b5d5cd70ad71c60a48205b1da16d20b8c52e76e2

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-28 01:43
Reported: 2024-06-28 01:46
Platform: android-x64-arm64-20240624-en
Max time kernel: 3s
Max time network: 133s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

    Description            | Indicator                                | Process | Target
    Framework service call | android.os.IPowerManager.acquireWakeLock | N/A     | N/A

Queries information about active data network (discovery)

    Description            | Indicator                                             | Process | Target
    Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A     | N/A

Reads information about phone network operator (discovery)

    (no indicator details recorded)

Processes

com.temptation.lydia

Network

    Country | Destination         | Domain                   | Proto
    GB      | 216.58.212.238:443  | -                        | tcp
    GB      | 216.58.212.238:443  | -                        | tcp
    US      | 1.1.1.1:53          | android.apis.google.com  | udp
    GB      | 142.250.200.46:443  | android.apis.google.com  | tcp
    N/A     | 224.0.0.251:5353    | -                        | udp
    GB      | 172.217.16.234:443  | -                        | tcp
    GB      | 172.217.16.234:443  | -                        | tcp
    US      | 1.1.1.1:53          | ssl.google-analytics.com | udp
    GB      | 216.58.201.104:443  | ssl.google-analytics.com | tcp
    GB      | 142.250.187.228:443 | -                        | tcp
    GB      | 142.250.187.228:443 | -                        | tcp
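Across the three runs every destination is mDNS (224.0.0.251:5353), a DNS lookup to 1.1.1.1, or a Google host (googleapis.com, google.com, google-analytics.com); no candidate command-and-control endpoint appears in the logs. With only 2-3 s of kernel time per run, that absence is not evidence that the sample has no C2, only that it was not reached here. The following added example (not sandbox tooling) shows how to reach that conclusion mechanically for the behavioral1, behavioral2 and behavioral3 tables at once: it parses the report's rows, de-duplicates endpoints across runs, and labels each as platform noise or as something a human still has to attribute. The row text is a constructed copy of the three Network tables; the domain suffixes and the three Google prefixes are this example's assumptions and should be refreshed from Google's published ranges (https://www.gstatic.com/ipranges/goog.json) before reuse.

```python
"""Label sandbox network rows as platform noise or candidate C2.

Added example for this report, not sandbox tooling. Rows follow the report's
layout: country, ip:port, optional resolved domain, protocol.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed copy of the behavioral1, behavioral2 and behavioral3 Network tables.
RAW_ROWS = """
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
GB 172.217.16.228:443 tcp
GB 172.217.16.228:443 tcp
GB 216.58.213.10:443 tcp
GB 216.58.212.238:443 tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 udp
GB 172.217.16.234:443 tcp
GB 172.217.16.234:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp
"""

# Assumed allow-list of platform traffic. The prefixes are a small subset of
# Google's published ranges; verify against goog.json before relying on them.
PLATFORM_SUFFIXES = (".googleapis.com", ".google.com", ".google-analytics.com")
PLATFORM_PREFIXES = [ipaddress.ip_network(p) for p in
                     ("142.250.0.0/15", "172.217.0.0/16", "216.58.192.0/19")]
PUBLIC_RESOLVERS = {"1.1.1.1", "8.8.8.8"}
MDNS = ("224.0.0.251", 5353)

ROW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")


def parse_rows(raw):
    """Turn the report's whitespace-separated rows into dicts (domain may be None)."""
    rows = []
    for line in raw.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable row: {line!r}")
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(row):
    """Label one row; 'candidate-c2' and 'unattributed' need a human."""
    ip, port, domain = row["ip"], row["port"], row["domain"]
    if (ip, port) == MDNS:
        return "mdns"                      # local service discovery, never C2
    if ip in PUBLIC_RESOLVERS and port == 53:
        return "dns-lookup"                # the lookup, not the connection itself
    if domain is not None:
        if domain.endswith(PLATFORM_SUFFIXES):
            return "platform"
        return "candidate-c2"              # named host outside the allow-list
    if any(ipaddress.ip_address(ip) in net for net in PLATFORM_PREFIXES):
        return "platform-ip"               # no name logged, but a known range
    return "unattributed"                  # no name, unknown range: look it up


def triage(raw):
    """Group unique (proto, ip, port, domain) endpoints under their label."""
    groups = defaultdict(set)
    for row in parse_rows(raw):
        groups[classify(row)].add((row["proto"], row["ip"], row["port"], row["domain"] or ""))
    return {label: sorted(eps) for label, eps in groups.items()}


def needs_review(groups):
    """Endpoints that must be attributed before the run can be called clean."""
    return groups.get("candidate-c2", []) + groups.get("unattributed", [])


if __name__ == "__main__":
    groups = triage(RAW_ROWS)
    for label, endpoints in sorted(groups.items()):
        print(f"{label}: {len(endpoints)} unique endpoint(s)")
    print("needs review:", needs_review(groups) or "none")
```

The 26 logged rows collapse to 15 unique endpoints, all of them mDNS, resolver lookups, or Google names and ranges, so `needs_review` returns an empty list for this sample; a single row with an unlisted name or an address outside the assumed prefixes would surface it for attribution.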

Files

/data/data/com.temptation.lydia/files/PersistedInstallation706835913721959198tmp

    MD5    0657b6add2ef71e94026986e0d8ec565
    SHA1   a95e0ac61d6ad26d175c24b39699653c189918b9
    SHA256 ae6b2e79fc2c4523e4041bbc508bfb57e3c1be615ff74916c1dca9a5bfac0c51
    SHA512 d4a8d172c4a3f82fde1aa5dfdcd487d98bfb489715a823a398530d7272212bcf7ce3099d863da3660834cdad6361bd411497ee62929e459bbe43808144aa875b