Malware Analysis Report

2024-09-09 16:05

Sample ID: 240708-azmlxatfmk
Target: base.apk
SHA256: 2c5772d40d2614f51de73770311c8d39e6c6db018924cfb31401fccd14d11b42
Tags: discovery, irata
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 2c5772d40d2614f51de73770311c8d39e6c6db018924cfb31401fccd14d11b42

Threat Level: Known bad

The file base.apk was found to be: Known bad.

Malicious Activity Summary

Tags: discovery, irata

Irata family

Irata payload

Queries information about active data network

Reads information about phone network operator

Requests dangerous framework permissions

Acquires the wake lock

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-08 00:39

Signatures

Irata family

Tag: irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-08 00:39

Reported

2024-07-08 00:42

Platform

android-x64-arm64-20240624-en

Max time kernel

3s

Max time network

132s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

Tag: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator

Tag: discovery

Processes

com.temptation.lydia

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.213.10:443 | | tcp
GB | 216.58.213.10:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.213.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation4919511876666001578tmp

MD5: 5b80c8899e5022baf6fb315d74775ce3
SHA1: a848bb74f5ec3c71e662eaa8810682bf35479471
SHA256: f669e6a40d3f81fd5e632d8493600c4ca1c446b4547f8e60bcf7350c6d4a6ad3
SHA512: 8522662182acc3f495f78913e212496217e828cbd485bf1a4d86db5942a939afc7c80af5dd8af75760da5f2cf9806b6f08ac60beedf4f6399a229eb2433858d9

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-08 00:39

Reported

2024-07-08 00:42

Platform

android-x86-arm-20240624-en

Max time kernel

2s

Max time network

131s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

Tag: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator

Tag: discovery

Processes

com.temptation.lydia

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation4187461489552385656tmp

MD5: 60da3eb0a8c74996cb104aafa2b7c92d
SHA1: 9c8c43878707a405eda8175410ccd6fbe42c667a
SHA256: 6073298ad56ee99d3587dbf885bd299b898c833f35fb18981baa7f15d754da7b
SHA512: 387f6797ac44c3451b898e6c862ea4730a7842dcc22440d14e0373ffead5564e2d83e9a0522642278c83c94aed10b2808b9ba1448a822f5c67948dc57ff8106c

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-08 00:39

Reported

2024-07-08 00:42

Platform

android-x64-20240624-en

Max time kernel

2s

Max time network

135s

Command Line

com.temptation.lydia

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

Tag: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator

Tag: discovery

Processes

com.temptation.lydia

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.213.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp

Files

/data/data/com.temptation.lydia/files/PersistedInstallation5091370208510562222tmp

MD5: 130fc00f62cadcb8ed1562b5100cfbca
SHA1: 391c018dbe27481df852f5c7ec01a7cbbb319a17
SHA256: 52fe5f4e37ff88bc94be1c896fec030da7222bfbe0358f48b287c6ecb680ec59
SHA512: f136505d7dd917e1e49750ac63b6187ec5b2fed550755ede26b4fa8a7fd1665b45b23ad0a2253a073d06f4574a4efaf35a62691a1ae65915511f7b9627147e24