Malware Analysis Report

2024-09-09 16:06

Sample ID 240723-1x2k6athph
Target f1380e5d89b2c8744f55a5ef24e94d10102330171210ea5910d71c92e0d73559.bin
SHA256 f1380e5d89b2c8744f55a5ef24e94d10102330171210ea5910d71c92e0d73559
Tags: irata discovery impact persistence collection credential_access
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: f1380e5d89b2c8744f55a5ef24e94d10102330171210ea5910d71c92e0d73559

Threat Level: Known bad

The file f1380e5d89b2c8744f55a5ef24e94d10102330171210ea5910d71c92e0d73559.bin was found to be: Known bad.

Malicious Activity Summary

Tags: irata discovery impact persistence collection credential_access

Irata family

Obtains sensitive information copied to the device clipboard

Reads information about phone network operator

Queries the mobile country code (MCC)

Queries information about active data network

Requests dangerous framework permissions

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK Matrix

N/A (the sandbox emitted no technique-level mapping for this sample; the tactic labels attached to the individual behavioral signatures below, discovery, persistence, collection, credential_access and impact, are the only ATT&CK annotation in this report)

Analysis: static1

Detonation Overview

Reported

2024-07-23 22:02

Signatures

Irata family (irata)

Requests dangerous framework permissions

Process and Target are N/A for every row (static analysis has no running process).

android.permission.CALL_PHONE
    Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.POST_NOTIFICATIONS
    Allows an app to post notifications.
android.permission.READ_PHONE_STATE
    Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.INSTANT_APP_FOREGROUND_SERVICE
    Allows an instant app to create foreground services.
android.permission.SEND_SMS
    Allows an application to send SMS messages.
android.permission.READ_SMS
    Allows an application to read SMS messages.
android.permission.RECEIVE_SMS
    Allows an application to receive SMS messages.
android.permission.READ_CONTACTS
    Allows an application to read the user's contacts data.

Taken together, RECEIVE_SMS, READ_SMS and SEND_SMS with READ_CONTACTS and CALL_PHONE let the app intercept incoming SMS (one-time codes included), read the stored inbox, send SMS from the victim's number, harvest the contact list and place calls without user confirmation. Neither behavioral run below records SMS or call activity, so these capabilities are requested by the manifest but were not observed being exercised in the sandbox.
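The permission list above is the part of a static report that an analyst reduces to capabilities before deciding whether a sample is worth a full reverse. The Python below is an added example, not part of the report and not the sandbox's tooling: it parses a decoded AndroidManifest.xml (the form apktool or androguard give you), collapses the requested permissions into capability groups and applies a simple verdict rule. SAMPLE_MANIFEST is a constructed fragment carrying the eight permissions listed above for com.drnull.v5 plus INTERNET, which is assumed rather than taken from the report; the CAPABILITIES table and the verdict rule are the author's own heuristic.

```python
"""Permission-profile triage for a decoded AndroidManifest.xml.

Added example, not from the report or the sandbox. SAMPLE_MANIFEST is a
constructed fragment carrying the eight permissions the static1 analysis
lists for com.drnull.v5, plus INTERNET (assumed; the report only lists the
permissions it rates dangerous). CAPABILITIES and the verdict rule are the
author's own triage heuristic.
"""
from __future__ import annotations

import json
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed: the shape a decoded (non-binary) manifest takes after apktool.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.drnull.v5">
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.INSTANT_APP_FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

# A group matches only when every permission in it is requested. RECEIVE_SMS
# on its own already delivers incoming message content via the SMS_RECEIVED
# broadcast; READ_SMS is the stored inbox.
CAPABILITIES: dict[str, set[str]] = {
    "sms_intercept": {"android.permission.RECEIVE_SMS"},
    "sms_inbox_read": {"android.permission.READ_SMS"},
    "sms_send": {"android.permission.SEND_SMS"},
    "call_without_confirmation": {"android.permission.CALL_PHONE"},
    "contact_harvest": {"android.permission.READ_CONTACTS"},
    "device_identity": {"android.permission.READ_PHONE_STATE"},
}


def parse_permissions(manifest_xml: str) -> tuple[str, set[str]]:
    """Return (package name, set of requested permission names)."""
    root = ET.fromstring(manifest_xml.strip())
    names = (e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission"))
    return root.get("package", ""), {n for n in names if n}


def capabilities(perms: set[str]) -> list[str]:
    """Capability groups fully covered by the requested permissions."""
    return [name for name, group in CAPABILITIES.items() if group <= perms]


def triage(manifest_xml: str) -> dict:
    pkg, perms = parse_permissions(manifest_xml)
    caps = capabilities(perms)
    # Live interception plus an outbound channel (SMS, or the contact list to
    # seed further targets) is the SMS-stealer shape; a lone hit earns a review.
    if "sms_intercept" in caps and {"sms_send", "contact_harvest"} & set(caps):
        verdict = "sms-stealer-profile"
    elif caps:
        verdict = "review"
    else:
        verdict = "benign-profile"
    return {"package": pkg, "permissions": sorted(perms),
            "capabilities": caps, "verdict": verdict}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST), indent=2))
```

Run against a real sample, point `parse_permissions` at the manifest apktool writes out; the verdict is a prioritisation signal only, and the behavioral sections of a report like this one are where you confirm whether the capabilities are actually used.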

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-23 22:02

Reported

2024-07-23 22:13

Platform

android-x86-arm-20240624-en

Max time kernel

9s

Max time network

135s

Command Line

com.drnull.v5

Signatures

Process and Target are N/A for every row.

Acquires the wake lock
    Framework service call: android.os.IPowerManager.acquireWakeLock

Queries information about active data network
    Tactic: discovery
    Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Queries the mobile country code (MCC)
    Tactic: discovery
    Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
    (The call returns the operator's ISO country code rather than the MCC itself; the sandbox files it under MCC lookup.)

Registers a broadcast receiver at runtime (usually for listening for system events)
    Tactic: persistence
    Framework service call: android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)
    Tactic: impact
    Framework API call: javax.crypto.Cipher.doFinal
    (Cipher.doFinal is also what an app uses to decrypt an embedded configuration or C2 traffic; the Files section of this run lists only SDK databases and the app's own database.db, so the report gives no evidence of user data being encrypted.)

Checks memory information
    File opened for read: /proc/meminfo

Processes

com.drnull.v5

Network

Country  Destination          Domain                              Proto
N/A      224.0.0.251:5353     -                                   udp
GB       142.250.200.42:443   -                                   tcp
US       1.1.1.1:53           semanticlocation-pa.googleapis.com  udp
GB       216.58.204.78:443    -                                   tcp
US       1.1.1.1:53           android.apis.google.com             udp
GB       142.250.200.14:443   android.apis.google.com             tcp

A "-" in the Domain column means the report recorded no name for that connection. Every flow here is mDNS multicast (224.0.0.251:5353), a DNS lookup to the sandbox resolver (1.1.1.1) for a Google service name, or TLS to Google address space; the run records no contact with attacker-controlled infrastructure, which may simply mean the sample never reached its command-and-control logic during the run. None of these destinations should be lifted as an indicator for this family.

Files

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 dd63910155f3fc91bdfb8ac77c2cc9e9
SHA1 3635df965af827472cc8728cdde1a91a63df1641
SHA256 9f346a0df1c5a05aef88add42ccef271507228ce935226c6cf033b9292a0883e
SHA512 6f5e59a6c909c32896278bdc2af866fe664a18f2be65aa7f0e996ea54f87c9e6b2b7edfd0ea19f8a3e74ee87835708114d72c23fbbcfda923d9b20565de3730d

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-wal

MD5 b369bb740197c6258aa0588268682d75
SHA1 0dc1080c87478529be7439dbe29bcae5d31fe6d8
SHA256 1a9d331a5dd1a236f1ef3aff8d786212de3e016276fda98552a67f9d8984ab71
SHA512 f56f9a841cd2be50c9da4aa1e8c54cf8df58472e64d4b1e47dcd721119c70fa069becc6b0a278e06a6f554626a7bfcecb26d5a45e114c9ac062d082d905f535f

/data/data/com.drnull.v5/files/PersistedInstallation4913505718404124021tmp

MD5 a06ae700ed4e000695dde54e7d8d5100
SHA1 97deac04dce2c64279cb4604cb6efa8095fe2022
SHA256 4daf064520c50bc8bfff46d433a6e89acf0da50ef872e4f79f810af12b5a3e1c
SHA512 2939d6bd98e4c95079663f8b796ea1981c5b6461f2c2813ff53abc16eddedb854b59f75c25b0a52036f810a8e30cd58981a3c5d29de0f635be8e97523824f0e0

/data/data/com.drnull.v5/files/PersistedInstallation3932045112178315780tmp

MD5 66e495c22d913f059662f62ca736841a
SHA1 e5d95cabd6c7ecfacf1a714e0a18f3aebd1aae2b
SHA256 6df0724badeabd24ff484db532293ace31f7b475d802406fb82f275900fd286f
SHA512 ec1bb3aa01c9b97d7583074225725eaaaef0f88fe9bd5cf15aa717b9642436b0bf91407408e2078b270f9980aef382972915bf67108c05ee301aaee0b2bbc2fb

/data/data/com.drnull.v5/files/database.db

MD5 93de97394b9d0c7a1cc2f7fc4f1dbaf7
SHA1 f4f7d02d4af7ac4fbf9d7e36d23684a2147bb7a7
SHA256 ae7c28f31d9c23272d3f0a1c986bf1a262ca0a0f8c365b8c5ac17a115d598de4
SHA512 3ffbf228aa1e78082b5a689c95b72374072a631bd4885fe8bab8f719476ae26e25a6cccb938a595d2816a079a29c9cae93ca41ef19a8641b34679b902ec29f6e

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-23 22:02

Reported

2024-07-23 22:13

Platform

android-x64-20240624-en

Max time kernel

8s

Max time network

149s

Command Line

com.drnull.v5

Signatures

Process and Target are N/A for every row.

Obtains sensitive information copied to the device clipboard
    Tactics: collection, credential_access, impact
    Framework service call: android.content.IClipboard.addPrimaryClipChangedListener
    (A primary-clip listener is notified on every copy and can then read the clip, which is how pasted passwords, one-time codes and wallet addresses are collected. On Android 10 and later only the app with input focus or the default IME can read the clipboard, so this yields data only while the app is in the foreground.)

Acquires the wake lock
    Framework service call: android.os.IPowerManager.acquireWakeLock

Queries information about active data network
    Tactic: discovery
    Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Queries the mobile country code (MCC)
    Tactic: discovery
    Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Reads information about phone network operator
    Tactic: discovery
    No indicator is recorded for this signature in the report.

Registers a broadcast receiver at runtime (usually for listening for system events)
    Tactic: persistence
    Framework service call: android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)
    Tactic: impact
    Framework API call: javax.crypto.Cipher.doFinal

Checks memory information
    File opened for read: /proc/meminfo

Processes

com.drnull.v5

Network

Country  Destination          Domain                              Proto
N/A      224.0.0.251:5353     -                                   udp
US       1.1.1.1:53           ssl.google-analytics.com            udp
GB       142.250.178.8:443    ssl.google-analytics.com            tcp
US       1.1.1.1:53           android.apis.google.com             udp
GB       142.250.179.238:443  -                                   tcp
GB       142.250.200.46:443   android.apis.google.com             tcp
GB       142.250.200.46:443   android.apis.google.com             tcp
GB       142.250.179.228:443  -                                   tcp
GB       142.250.179.228:443  -                                   tcp
GB       142.250.200.34:443   -                                   tcp
GB       216.58.204.78:443    -                                   tcp

A "-" in the Domain column means the report recorded no name for that connection; repeated rows are separate connections to the same endpoint. As in behavioral1, the traffic is mDNS multicast, DNS lookups to the sandbox resolver (1.1.1.1) for Google Analytics and Google API names, and TLS to Google address space, consistent with the Firebase/data-transport SDK files created under /data/data/com.drnull.v5/databases. No contact with attacker-controlled infrastructure is recorded in this run either.
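The two Network sections (behavioral1 above and this one) are the kind of table that gets copied into a blocklist by mistake. The Python below is an added example, not part of the report or the sandbox's output: it parses rows in the report's "Country Destination Domain Proto" layout, separates sandbox plumbing (multicast, resolver lookups) from real outbound flows, attributes IP-only rows using names resolved elsewhere in the same table, and lists what remains as addresses that still need attribution before they can be called indicators. REPORT_ROWS holds the rows of both behavioral runs with "-" standing in for an empty Domain column; the resolver address, the classification rules and the allow-list of expected Google platform hosts are the author's assumptions about how to read such a table.

```python
"""Triage of a sandbox network table.

Added example, not part of the report or the sandbox's tooling. REPORT_ROWS
is the Network section of behavioral1 and behavioral2 from this report, with
"-" for an empty Domain column. SANDBOX_RESOLVER, EXPECTED_SUFFIXES and the
classification rules are the author's own assumptions.
"""
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass

REPORT_ROWS = """
N/A 224.0.0.251:5353 - udp
GB 142.250.200.42:443 - tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.204.78:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 - udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 - tcp
GB 142.250.200.46:443 android.apis.google.com tcp
GB 142.250.200.46:443 android.apis.google.com tcp
GB 142.250.179.228:443 - tcp
GB 142.250.179.228:443 - tcp
GB 142.250.200.34:443 - tcp
GB 216.58.204.78:443 - tcp
"""

# Assumption: 1.1.1.1 is the sandbox's DNS resolver, so port-53 rows to it are
# lookups the app made, not contact with a remote service.
SANDBOX_RESOLVER = ipaddress.ip_address("1.1.1.1")

# Assumption: Google-operated platform/telemetry hosts that most Android apps
# (any with Firebase or Analytics SDKs) contact; expected in a detonation and
# not indicators for this sample.
EXPECTED_SUFFIXES = (".googleapis.com", ".google.com", ".google-analytics.com")


@dataclass(frozen=True)
class Flow:
    country: str
    ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    port: int
    domain: str | None
    proto: str


def parse_rows(text: str) -> list[Flow]:
    """Parse 'Country Destination Domain Proto' rows; Destination is ip:port."""
    flows: list[Flow] = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        host, _, port = dest.rpartition(":")
        flows.append(Flow(country, ipaddress.ip_address(host), int(port),
                          None if domain == "-" else domain, proto))
    return flows


def classify(text: str) -> list[tuple[Flow, str]]:
    """Label every flow: multicast, dns-lookup, resolved or unresolved."""
    flows = parse_rows(text)
    # Names seen on non-DNS rows attribute IP-only rows to the same endpoint.
    known = {f.ip for f in flows if f.domain and f.port != 53}
    labelled = []
    for f in flows:
        if f.ip.is_multicast:                      # e.g. mDNS 224.0.0.251:5353
            cat = "multicast"
        elif f.port == 53 and f.ip == SANDBOX_RESOLVER:
            cat = "dns-lookup"
        elif f.domain or f.ip in known:
            cat = "resolved"
        else:
            cat = "unresolved"
        labelled.append((f, cat))
    return labelled


def _label(f: Flow) -> str:
    base = f"{f.ip}:{f.port}"
    return f"{base} ({f.domain})" if f.domain else base


def triage(text: str) -> dict[str, list[str]]:
    """Deduplicated, sorted endpoints per category."""
    buckets: dict[str, set[str]] = {"multicast": set(), "dns-lookup": set(),
                                    "resolved": set(), "unresolved": set()}
    for f, cat in classify(text):
        buckets[cat].add(_label(f))
    return {k: sorted(v) for k, v in buckets.items()}


def unresolved_ips(text: str) -> list[str]:
    """Addresses to attribute (ASN, PTR, TLS SNI from the pcap) before use."""
    ips = {f.ip for f, cat in classify(text) if cat == "unresolved"}
    return [str(ip) for ip in sorted(ips)]


def unexpected_domains(text: str, allowed=EXPECTED_SUFFIXES) -> list[str]:
    """Resolved names outside the expected platform hosts: the rows worth a
    second look as possible C2."""
    names = {f.domain for f in parse_rows(text) if f.domain}
    return sorted(d for d in names
                  if not any(d == s.lstrip(".") or d.endswith(s) for s in allowed))


if __name__ == "__main__":
    print(json.dumps({"buckets": triage(REPORT_ROWS),
                      "unresolved_ips": unresolved_ips(REPORT_ROWS),
                      "unexpected_domains": unexpected_domains(REPORT_ROWS)}, indent=2))
```

For this report the unexpected-domain list comes back empty and five addresses remain unattributed by name alone; with the pcap in hand, the TLS SNI on those connections settles attribution, and anything that still does not land on expected platform hosts is what goes into the indicator set.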

Files

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 b271f071154fc0e915b032be02417c61
SHA1 bb56d8a9374c6e2f6c3ee91089d494edffb5f112
SHA256 fc0706ba9cf9b0def9576c46b368d229b90a949eef9163df14dcf2e5aeefcacf
SHA512 e2bd6162ba2027ac57cb3e78967916e20ac11969eff24e0066c4a04fb8f6c4ebd81e175dd29fc0d1213e227985badd3d8ac1bb1217494391ee76bf063bd8dc36

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events

MD5 ffc13bd480a6c8e014b401dddac4bc54
SHA1 eb7ead40e51a184f92fb2e527d4bb6943acafd24
SHA256 699a6a035909a6a767baf568d85a53f6bf041f9d69426ab99d2158178deb126f
SHA512 9cb1fd991c9eac4b101590324653e9b9cdc4ffb71cb422bf53f7c40034d0eef2bd93772b20cfafc15123a7d77ee90514c47c386f617daa1356eacf51b9e30321

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 2061ce83e32171f8371537ac7341d048
SHA1 f3c83fc57a4a36c3449f85677548fc1264a3c414
SHA256 c34f1abf5ce058dd77b92dd797a28a457cb0036b4743bf0f474f2e1ac131bdf4
SHA512 eb678bd75ff9e57f0abe5cfe2e0e87a3a210706166892590ba44ab7e9d80ffdbb06370d23fd4a77ce00908ecff3b6a744efa8426140b010b281d7e6dd280f69c

/data/data/com.drnull.v5/databases/com.google.android.datatransport.events-journal

MD5 10987171152640bb6483f1b2ac3bf812
SHA1 be6a7217a2286d3dc3f4085529857f5ed19af9bf
SHA256 ad5384ef7bda5c4c733f54fcd2c32b3e4b034238f711f11046f9b7bad6650894
SHA512 c4953a493f4d0c4972042a666792832de90e08053a9e2c32a7278fda1d94b9751955e39f9c527a98da6f7a75e179927df19e30d56ae294b4eb12dd4d6b4dabac

/data/data/com.drnull.v5/files/PersistedInstallation3494398403017936756tmp

MD5 62b26454142a67f8869ecc82dda3e394
SHA1 8ea70940c6c3aa14e7fca3dda9ec185befb83a28
SHA256 6cd008fe2443ec024854159222fac903b4b723bf7aa666505ea4159bc337daaf
SHA512 5217d927f9e69695b65c9667029af4c8d6e6cc5fba635bb83f5674a4ad8a397273b58e8ef080e64e287fe43bd5da0de1171e397d580a0be8a88dc48c25ce03d9

/data/data/com.drnull.v5/files/PersistedInstallation4260260918101285880tmp

MD5 34766cd4e442a6b2e155a5e516dead3d
SHA1 4b3433bf05ccc8d40f6e0c3f3247747aebeb69a2
SHA256 683bc11ff1187f3df2a6eed4cb669b58fbc4aeadc8f3d19a3937acd6bcd177b7
SHA512 0bcf588ac1509ced33295195c9ca623c2c0d04bcc59c363562d3d9c718c33fe12df38e638ff8195927002277e7baa4dcde02675b55836f9087e4dd79c4f10027

/data/data/com.drnull.v5/files/database.db

MD5 27399fdcabaecb135ee09ef7d56d973f
SHA1 ff64b8ba7f085853130870cc4e4aa6b9a859faca
SHA256 d55d0c545ab87ce36c8c3cf67a17d1d845c7c4df508fb864470a474df56f59b0
SHA512 c4b77a1ac838ccfd9dc24eaef84b9ffa61792e5aca205cb737625e1abf0a050fc77b0662e82b96e8f7dfb45a7052893de132e07138cf08d118a6eb57ddc3d7cb

/data/data/com.drnull.v5/files/database.db

MD5 60b458cbc651f18ece52504d1fb5ead9
SHA1 a4b3409d910a425b4b34a95173fcdfe1e953e128
SHA256 51a4294c3ead3a1a9e78ac19d855641bba6ea42c65d69b2a63ba8c3a7d075d94
SHA512 219877a107d8501b15f4012528851652124a495457a3190488a10eb643c00b162823f00063caff817c82d85029db20699a7655bfe94fc340d19e29d359b06b3f

/data/data/com.drnull.v5/files/database.db

MD5 2f4bc3d4e5440ba04e850133a84bf75f
SHA1 086f148e716d27aa8557e6ece89f7df3e888bea3
SHA256 e6bafebbfe3a8347d90ada0b447d889875f560bf0c38775d5ed61ae7af52fa6b
SHA512 e7b428c9e22d10b405515bbbe142ac8e8040c51c84c204d5773efc925c3546707aeaeb9c2d711148341bf5ea732b84a4a750b630fe85095bdbf1a4c04c19e1a3