Malware Analysis Report

2024-09-09 16:06

Sample ID 240717-qcmw6asarn
Target e769ef0d011cbf3322c9e85d4cdf70af413f021d033aed884c1431f2b7861d0d.apk
SHA256 e769ef0d011cbf3322c9e85d4cdf70af413f021d033aed884c1431f2b7861d0d
Tags
brata irata banker collection credential_access discovery evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e769ef0d011cbf3322c9e85d4cdf70af413f021d033aed884c1431f2b7861d0d

Threat Level: Known bad

The file e769ef0d011cbf3322c9e85d4cdf70af413f021d033aed884c1431f2b7861d0d.apk was found to be: Known bad.

Malicious Activity Summary

brata irata banker collection credential_access discovery evasion persistence

Irata family

Irata payload

Brata family

Brata payload

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Requests enabling of the accessibility settings.

Acquires the wake lock

Performs UI accessibility actions on behalf of the user

Requests modifying system settings.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-17 13:07

Signatures

Brata family

brata

Brata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Irata family

irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application broad access to external storage under scoped storage. | android.permission.MANAGE_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-17 13:07

Reported

2024-07-17 13:08

Platform

android-x64-20240624-en

Max time kernel

90s

Max time network

97s

Command Line

com.necapp.lpp4201

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Processes

com.necapp.lpp4201

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
DE | 51.68.172.198:5656 | N/A | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
DE | 51.68.172.198:5656 | N/A | tcp
DE | 51.68.172.198:5656 | N/A | tcp
DE | 51.68.172.198:5757 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
DE | 51.68.172.198:5757 | N/A | tcp
DE | 51.68.172.198:5656 | N/A | tcp
DE | 51.68.172.198:5656 | N/A | tcp
DE | 51.68.172.198:5656 | N/A | tcp
GB | 172.217.16.234:443 | semanticlocation-pa.googleapis.com | tcp
DE | 51.68.172.198:5656 | N/A | tcp
GB | 216.58.213.10:443 | semanticlocation-pa.googleapis.com | tcp
DE | 51.68.172.198:5656 | N/A | tcp
GB | 172.217.16.228:443 | N/A | tcp
GB | 172.217.16.228:443 | N/A | tcp
DE | 51.68.172.198:5656 | N/A | tcp
DE | 51.68.172.198:5656 | N/A | tcp
DE | 51.68.172.198:5656 | N/A | tcp
DE | 51.68.172.198:5656 | N/A | tcp
DE | 51.68.172.198:5656 | N/A | tcp
DE | 51.68.172.198:5656 | N/A | tcp
DE | 51.68.172.198:5656 | N/A | tcp
DE | 51.68.172.198:5656 | N/A | tcp
DE | 51.68.172.198:5656 | N/A | tcp
DE | 51.68.172.198:5656 | N/A | tcp

Files

/data/data/com.necapp.lpp4201/files/messdb.db

MD5 57a39108426ea4fb8e5bc74accc22a88
SHA1 73f83c87418acba44a084cb7055fc5c34f6cf25e
SHA256 9d36142e37864417222d54360d821b9a75f31ad31d1f9a45c947edb63ec6b2d2
SHA512 f122d601019b7ee6077574897b51d60cf8223780db64e0649a772183c8025ac413d3ce0683c8bf05373e293cb67ebb62d9dfea15d5d16c495bc0628279709b8a

/data/data/com.necapp.lpp4201/files/localdb.db

MD5 e7179ba1abb576a1eb3486db34de4037
SHA1 4dc87664c9be3d7a94d4886b7f56f4a8d7b983dd
SHA256 409f05ab16c6f1f0897959456d72f94a870b03581569f7c4970b22e541db827f
SHA512 50ee847527ad249dcb43d3d95dca9d8bb5bfdc459f6e5d639db4a31895e4f2ad75355451846cb732e380a576f41f1c3af19387cdc9ee7c5e46464c61613e458a

/data/data/com.necapp.lpp4201/files/localdb.db-journal

MD5 845bf8610f32eaaab6b987c81a47f384
SHA1 ec1d9274e2d2f5b3683d0e92a47289db1139cde0
SHA256 91135a7f5a6bfb992f3cb81855c4828f354a81d5071634fc856cc698806a096a
SHA512 82bd1034b0c742d255a1e08716ec7dd044ea8c0ef7702857b66280bdc5b8cae24e5d2586886f714a9136e00e00cdc57ed6b7619108af31c1b125f02a552e69f4

/data/data/com.necapp.lpp4201/files/localdb.db

MD5 443ddec5ccf7bc467aeecd4a3ac64735
SHA1 614051b1b376fe33ac7098513a6416381c84b30c
SHA256 5cbab2493af9f61591b1e282d660cfedb2ad4fffc26bda04ddfc911f19201968
SHA512 d2d3c0951be14137260498e3546c7432b4d3952a0a8197db4078232a9caea2bccec5e05b87fb8b0d64cce96f833bf95488a2ba5d0ebdbe04f8f9e4f9432717bc

/data/data/com.necapp.lpp4201/cache/~test.test

MD5 098f6bcd4621d373cade4e832627b4f6
SHA1 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
SHA256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
SHA512 ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff

/data/data/com.necapp.lpp4201/files/localdb.db-journal

MD5 22af6a3130c5311cd180f7e531e93826
SHA1 7e1c7b58d3938d225bbd0b8f294d700fd8e22716
SHA256 426a97e34f8458de130f4897203377c7deb80249fe59de54207786f6b76407b5
SHA512 7bc842fd1dbd7b637534c7a7b8f94a4bd4c0d58b5de4546d3798ab807c46bbc8ea016720556efd1982f63eb2475511a2c1b17ec9005d8319c3f05f169aa61ccf

/data/data/com.necapp.lpp4201/files/localdb.db-journal

MD5 60cb39ecb4d96adc3bae29604a26e460
SHA1 f8ecd1efc62906014cb8c73120c1a63027bfad70
SHA256 9320c59d6147da0ea33c163949d630b37536e011289f1a929ae2cb78c888570c
SHA512 89581b66c11f7937bb8f51a7d1b15f49a692598ad8272bff9085da36b0fe9f677c3deddc555d4693c80f486021f3f5e4cc6160cffbf0a489a2f674db658c17ad

/data/data/com.necapp.lpp4201/files/localdb.db-journal

MD5 c1526f361577dafe385d6951c15ec0a9
SHA1 67b1d2fda299caca4d3e6d0bfd555e4546a14320
SHA256 35dceb0384f128b27b6956b44a09295d480fc8db2ce3739b4340f19579fb755e
SHA512 358ae9c20e385b2cf25cb18a21d4ee4deacb49f7f727e07309234229ebf3c7a22d3a2585e31fdb37313a5ad128728b5ef35d07f12d8109e3ee8c1416774ad8a6

/data/data/com.necapp.lpp4201/files/localdb.db-journal

MD5 6cdfedb6b80a7ab6fa625d797ba2841e
SHA1 33f09b2feb93fa328d3e148d900b3f33eee1f594
SHA256 59ab946e5e073cc490fa8112df4ee073d27df02e159f4240c5651de11aa91fcc
SHA512 0aed038f650c794c8d4c8e46a1fff5764939e5958fb2bfe8b094627b0ae959fa595db5b5fa86d55cc4ceab49ea52f3983cf89de62bbcf839784b4af288d5f791

/data/data/com.necapp.lpp4201/files/localdb.db

MD5 eb739e481d1ea199b5f3cf8b3854abc4
SHA1 1c970a9906cb0053c70f7f41f1ad44a32949e09c
SHA256 2e5b2a9db61691cdcb5bd9ebb816e1f3132f2c7b092edf0056dd97eb8daedfd5
SHA512 52b7419cdb5c8f2efe684aac58a9d826e630c00de2033a688f9191ba55e0520e6afec9567478f42fbb53c88f4e08fdf1c59f20f60a51b30cd9fdcb662a3536e6

/data/data/com.necapp.lpp4201/files/localdb.db-journal

MD5 d61c3f1cbd3ae13d5198618dd6d61774
SHA1 3626a8ec2c8f667c22b76bc0c547cee2df8dd8a7
SHA256 d610e8b540fbdddda5c18cdf9e7e919b14fcdc114df413bcbcad2b07a4288e11
SHA512 a32a30f6a8e64aaf35ccf7e5b8a3f0397c7f97adcdca569a067de8c98b17162427a961fb360a45aa2c4ffd9dbd90655e2da341d4ead1d9e2b4f0fe05a64b8aaa

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-17 13:07

Reported

2024-07-17 13:08

Platform

android-x86-arm-20240624-en

Max time kernel

46s

Max time network

96s

Command Line

com.necapp.lpp4201

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Processes

com.necapp.lpp4201

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
DE | 51.68.172.198:5656 | N/A | tcp
DE | 51.68.172.198:5656 | N/A | tcp
GB | 216.58.213.10:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.200.46:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
DE | 51.68.172.198:5656 | N/A | tcp
DE | 51.68.172.198:5757 | N/A | tcp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
DE | 51.68.172.198:5757 | N/A | tcp
DE | 51.68.172.198:5656 | N/A | tcp
DE | 51.68.172.198:5656 | N/A | tcp
GB | 216.58.213.10:443 | semanticlocation-pa.googleapis.com | tcp
DE | 51.68.172.198:5656 | N/A | tcp
DE | 51.68.172.198:5656 | N/A | tcp
DE | 51.68.172.198:5656 | N/A | tcp
DE | 51.68.172.198:5656 | N/A | tcp
DE | 51.68.172.198:5656 | N/A | tcp
DE | 51.68.172.198:5656 | N/A | tcp
DE | 51.68.172.198:5656 | N/A | tcp
DE | 51.68.172.198:5656 | N/A | tcp
GB | 142.250.180.14:443 | N/A | tcp
GB | 172.217.169.34:443 | N/A | tcp
DE | 51.68.172.198:5656 | N/A | tcp

Files

/data/data/com.necapp.lpp4201/files/messdb.db

MD5 57a39108426ea4fb8e5bc74accc22a88
SHA1 73f83c87418acba44a084cb7055fc5c34f6cf25e
SHA256 9d36142e37864417222d54360d821b9a75f31ad31d1f9a45c947edb63ec6b2d2
SHA512 f122d601019b7ee6077574897b51d60cf8223780db64e0649a772183c8025ac413d3ce0683c8bf05373e293cb67ebb62d9dfea15d5d16c495bc0628279709b8a

/data/data/com.necapp.lpp4201/files/localdb.db

MD5 e7179ba1abb576a1eb3486db34de4037
SHA1 4dc87664c9be3d7a94d4886b7f56f4a8d7b983dd
SHA256 409f05ab16c6f1f0897959456d72f94a870b03581569f7c4970b22e541db827f
SHA512 50ee847527ad249dcb43d3d95dca9d8bb5bfdc459f6e5d639db4a31895e4f2ad75355451846cb732e380a576f41f1c3af19387cdc9ee7c5e46464c61613e458a

/data/data/com.necapp.lpp4201/files/localdb.db-journal

MD5 13bbb4f2dcc7e3de142c7c6548a103de
SHA1 5ad927ce02fe2b13dd8d15027586ef0d3472f0f9
SHA256 c7f45769cb39503fb6f94d42d6c7daf3d5f59386bb8c34b798ab82a90c8c3a06
SHA512 b68b2c25f7e085d0cfd3caa16bf16db8b2b818e6edf80057f3dcd39ad34541f1997f80295baa2cbbb49c4fa593057c4136943e1cad29526ba5511974e735c607

/data/data/com.necapp.lpp4201/files/localdb.db

MD5 7e11f5e484b8033c30a14d7ac98cab88
SHA1 4baf6012a5f88fa9cd7a2b3baf403c1f44c1a6a1
SHA256 84c1c2e80fe7a0a5ce0c6493bd1100d1f5c032b18571ef8344b836f5b1fa580c
SHA512 70c98036e5072c22dbb4ba2efd093acd2500b0c2a418f77782bb6d983ecce7d826cb14c76f333c3e6796f48b2ad4107995bbad315143b3ecb2813194b38e6684

/data/data/com.necapp.lpp4201/files/localdb.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.necapp.lpp4201/files/localdb.db-wal

MD5 d61c4cd44f031b86fd754f55a1301721
SHA1 77e1e8d51ebf847d1a7040c90492c18afd548415
SHA256 266f85053450bca3d30c3a8cd044b764cbc4b0b05e7680bcb8668600af2da569
SHA512 acfe4335be1e4015e30641c083c6cd9f9934cd226edda579964bd671f154ca61f9731ec17ef8401ac9bbec7e4a09e9e453b4f126e2c2ba466e968a3510cd1a27

/data/data/com.necapp.lpp4201/cache/~test.test

MD5 098f6bcd4621d373cade4e832627b4f6
SHA1 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
SHA256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
SHA512 ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff