Malware Analysis Report

2024-09-09 16:08

Sample ID: 240629-rl9yqasclq
Target: adliran.apk
SHA256: b15ae5265b825461da1bc334313377d1e997955db614889afaab5c9a7f1a9495
Tags: irata, discovery, impact
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: b15ae5265b825461da1bc334313377d1e997955db614889afaab5c9a7f1a9495

Threat Level: Known bad

The file adliran.apk was found to be: Known bad.

Malicious Activity Summary

Tags: irata, discovery, impact

Irata family

Irata payload

Requests dangerous framework permissions

Acquires the wake lock

Queries information about active data network

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-29 14:18

Signatures

Irata family

irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-29 14:18

Reported: 2024-06-29 14:21

Platform: android-x86-arm-20240624-en

Max time kernel: 8s

Max time network: 135s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.temptation.lydia

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation8726031780042889832tmp

MD5 f6c2be0e7b053393e9688acadd8e930f
SHA1 55edcb4d5755da9f585f84f56957092e2d916e4e
SHA256 3701791328400af2d04594991e6425c3b8645ba56b860da717e3728d37729989
SHA512 5ed90ec61bbad84ff8bd4c42aa9be49782cbb5e3660bdd63f2eefd590c1bc3d09cf6bdce36d5ce9a3377085cedd8f4084061e95a343c55c38d625df7ea9affff

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-29 14:18

Reported: 2024-06-29 14:21

Platform: android-x64-20240624-en

Max time kernel: 9s

Max time network: 137s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.temptation.lydia

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation8750819041178053641tmp

MD5 e79474a20ae235763900fe0422e21a77
SHA1 91fdb44157f04683e2ad2bd134d54f26ae8a4b4c
SHA256 8a2bd946a5633213b3afdf9037393ef5609dd5d266f2270c703ae34570ab77ce
SHA512 10b1a563f0a510bd3d834ca016627f9f26e61a36507bad1afb8560a0334196b10404e1c6ae1831f6766a69883564c3cd107fbf60849ceba710fa960fd32ad17e

/data/data/com.temptation.lydia/files/PersistedInstallation3100452884118868869tmp

MD5 125492711f028221693f55f9a0157aa0
SHA1 d5c87701b57edb3945da25ee6b24d7c361ce1299
SHA256 fc6c889369143118a6e12ed530dc901e608b55fb8fef3e0ba9520344b9195d54
SHA512 5d567fbf06d8cfa2551d4e90592a4760c6f58465fb1b0461b285719d7ecb7e11e15beeda51e8c10014ce202e22fe03fac9121101223a25c8614820c9f9e3800e

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-29 14:18

Reported: 2024-06-29 14:21

Platform: android-x64-arm64-20240624-en

Max time kernel: 9s

Max time network: 132s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.temptation.lydia

Network

Country | Destination | Domain | Proto
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.74:443 | | tcp
GB | 172.217.169.74:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation4289178214592196405tmp

MD5 5198444e11c378d8113f088f64ddf3d5
SHA1 d1358fef98b72ae1be866aae7718540095f39552
SHA256 7a80933cf0261dfce29978373c6db495b10e2c95ca75ed1ede1de52eca86f2aa
SHA512 6cc06104b094804f6211fe49c90a6dd6b35a024fbc1f25cdee5df51b30ccceb784604283d0692824f2c5a2957459d55b9660cec25be716dd6076927076465321

/data/data/com.temptation.lydia/files/PersistedInstallation4166929600506489003tmp

MD5 7b99826fe75da951c0f3ba095064a628
SHA1 6120fbd5e9b238eac37ee12f2ce962fabc089e3f
SHA256 1cb17a8abd256a62940afe4468626ae01b676a011ebf559ef064aa1f414e0b20
SHA512 925fb1f8b2e2843164e525b9ae48d701e93040c576c34cad0f3f15cf9ff47409b680b0ba5487ee853761ec0eb4d91bd177eae2a913c00d17d2992cc992b78e4d