Malware Analysis Report

2024-09-09 16:05

Sample ID 240728-lzs98s1amk
Target 3463f2bf09900e924cd2dc0acb1a4ca89e37c74122425c43526dce9aa7a53b6a
SHA256 3463f2bf09900e924cd2dc0acb1a4ca89e37c74122425c43526dce9aa7a53b6a
Tags discovery persistence collection credential_access impact pdf link irata
Score 10/10

Analysis Overview

Score 10/10

SHA256 3463f2bf09900e924cd2dc0acb1a4ca89e37c74122425c43526dce9aa7a53b6a

Threat Level: Known bad

The file 3463f2bf09900e924cd2dc0acb1a4ca89e37c74122425c43526dce9aa7a53b6a was found to be: Known bad.

Malicious Activity Summary

discovery persistence collection credential_access impact pdf link irata

Irata family

Irata payload

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

HTTP links in PDF interactive object

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-28 09:58

Signatures

Irata family

irata

Irata payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A

HTTP links in PDF interactive object

pdf link
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-28 09:58

Reported

2024-07-28 10:01

Platform

android-x86-arm-20240624-en

Max time kernel

22s

Max time network

132s

Command Line

com.myapp.exs

Signatures

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.myapp.exs

Network

Country  Destination           Domain                     Proto
N/A      224.0.0.251:5353      N/A                        udp
GB       142.250.187.206:443   N/A                        tcp
US       1.1.1.1:53            android.apis.google.com    udp
GB       142.250.178.14:443    android.apis.google.com    tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-28 09:58

Reported

2024-07-28 10:01

Platform

android-x86-arm-20240624-en

Max time kernel

44s

Max time network

139s

Command Line

com.appmaker.testpdf

Signatures

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.appmaker.testpdf

Network

Country  Destination           Domain                     Proto
N/A      224.0.0.251:5353      N/A                        udp
GB       142.250.187.206:443   N/A                        tcp
US       1.1.1.1:53            android.apis.google.com    udp
GB       216.58.204.78:443     android.apis.google.com    tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-28 09:58

Reported

2024-07-28 10:01

Platform

android-x64-20240624-en

Max time kernel

48s

Max time network

166s

Command Line

com.appmaker.testpdf

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.appmaker.testpdf

Network

Country  Destination           Domain                     Proto
N/A      224.0.0.251:5353      N/A                        udp
US       1.1.1.1:53            ssl.google-analytics.com   udp
GB       142.250.187.200:443   ssl.google-analytics.com   tcp
GB       142.250.179.238:443   N/A                        tcp
US       1.1.1.1:53            android.apis.google.com    udp
GB       216.58.213.14:443     android.apis.google.com    tcp
GB       142.250.180.4:443     N/A                        tcp
GB       142.250.180.4:443     N/A                        tcp
GB       216.58.201.98:443     N/A                        tcp
GB       172.217.169.46:443    N/A                        tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-07-28 09:58

Reported

2024-07-28 10:01

Platform

android-x64-arm64-20240624-en

Max time kernel

173s

Max time network

139s

Command Line

com.appmaker.testpdf

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.appmaker.testpdf

Network

Country  Destination           Domain                     Proto
GB       142.250.187.238:443   N/A                        tcp
GB       142.250.187.238:443   N/A                        tcp
GB       142.250.187.238:443   N/A                        tcp
N/A      224.0.0.251:5353      N/A                        udp
US       1.1.1.1:53            android.apis.google.com    udp
GB       172.217.16.238:443    android.apis.google.com    tcp
US       1.1.1.1:53            ssl.google-analytics.com   udp
GB       172.217.16.232:443    ssl.google-analytics.com   tcp
GB       142.250.200.36:443    N/A                        tcp
GB       142.250.200.36:443    N/A                        tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-28 09:58

Reported

2024-07-28 10:01

Platform

android-x64-20240624-en

Max time kernel

45s

Max time network

165s

Command Line

com.appmaker.testappsx

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.appmaker.testappsx

Network

Country  Destination           Domain                     Proto
N/A      224.0.0.251:5353      N/A                        udp
US       1.1.1.1:53            ssl.google-analytics.com   udp
GB       142.250.187.200:443   ssl.google-analytics.com   tcp
US       1.1.1.1:53            www.google.com             udp
GB       142.250.180.4:80      www.google.com             tcp
GB       142.250.180.4:443     www.google.com             tcp
GB       142.250.180.4:443     www.google.com             tcp
GB       142.250.187.206:443   N/A                        tcp
US       1.1.1.1:53            android.apis.google.com    udp
GB       172.217.16.238:443    android.apis.google.com    tcp
GB       142.250.180.4:443     www.google.com             tcp
GB       142.250.180.4:443     www.google.com             tcp
GB       172.217.16.238:443    android.apis.google.com    tcp
GB       142.250.179.226:443   N/A                        tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-28 09:58

Reported

2024-07-28 10:02

Platform

android-x64-20240624-en

Max time kernel

123s

Max time network

165s

Command Line

com.appmaker.appmaker

Signatures

N/A

Processes

com.appmaker.appmaker

Network

Country  Destination           Domain                     Proto
N/A      224.0.0.251:5353      N/A                        udp
US       1.1.1.1:53            ssl.google-analytics.com   udp
GB       142.250.187.200:443   ssl.google-analytics.com   tcp
GB       142.250.187.206:443   N/A                        tcp
US       1.1.1.1:53            android.apis.google.com    udp
GB       142.250.187.206:443   android.apis.google.com    tcp
GB       216.58.201.100:443    N/A                        tcp
GB       216.58.201.100:443    N/A                        tcp

Files

/data/data/com.appmaker.appmaker/files/apps.db

MD5 c2a1f88133779c380ff4af26d8fc3487
SHA1 4473bf8ac5691a8444f6044b89e38c106262e895
SHA256 b1664dca893df407378fedd3ce41f0f72a353d0080b5b0e37c1a7b69708a5d2e
SHA512 32ed897c268115a8632ef8c8da7328b2ee0b14ab065ecfe61192dc65f5a64ce375aa8ae3eb2ea5ced07b588ffa0d505d2c6cd1c68d14306b9a826553a58cb2fd

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-28 09:58

Reported

2024-07-28 10:02

Platform

android-x64-arm64-20240624-en

Max time kernel

123s

Max time network

136s

Command Line

com.appmaker.appmaker

Signatures

N/A

Processes

com.appmaker.appmaker

Network

Country  Destination           Domain                     Proto
N/A      224.0.0.251:5353      N/A                        udp
GB       172.217.16.238:443    N/A                        tcp
GB       172.217.16.238:443    N/A                        tcp
US       1.1.1.1:53            android.apis.google.com    udp
GB       142.250.187.206:443   android.apis.google.com    tcp
US       1.1.1.1:53            ssl.google-analytics.com   udp
GB       142.250.187.200:443   ssl.google-analytics.com   tcp
GB       142.250.187.196:443   N/A                        tcp
GB       142.250.187.196:443   N/A                        tcp

Files

/data/user/0/com.appmaker.appmaker/files/apps.db

MD5 c2a1f88133779c380ff4af26d8fc3487
SHA1 4473bf8ac5691a8444f6044b89e38c106262e895
SHA256 b1664dca893df407378fedd3ce41f0f72a353d0080b5b0e37c1a7b69708a5d2e
SHA512 32ed897c268115a8632ef8c8da7328b2ee0b14ab065ecfe61192dc65f5a64ce375aa8ae3eb2ea5ced07b588ffa0d505d2c6cd1c68d14306b9a826553a58cb2fd

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-28 09:58

Reported

2024-07-28 10:01

Platform

android-x64-arm64-20240624-en

Max time kernel

67s

Max time network

138s

Command Line

com.myapp.exs

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.myapp.exs

Network

Country  Destination           Domain                     Proto
GB       216.58.212.238:443    N/A                        tcp
GB       216.58.212.238:443    N/A                        tcp
US       1.1.1.1:53            android.apis.google.com    udp
GB       142.250.200.46:443    android.apis.google.com    tcp
N/A      224.0.0.251:5353      N/A                        udp
US       1.1.1.1:53            android.apis.google.com    udp
GB       172.217.16.238:443    android.apis.google.com    tcp
US       1.1.1.1:53            ssl.google-analytics.com   udp
GB       172.217.16.232:443    ssl.google-analytics.com   tcp
GB       142.250.187.228:443   N/A                        tcp
GB       142.250.187.228:443   N/A                        tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-28 09:58

Reported

2024-07-28 10:02

Platform

android-x86-arm-20240624-en

Max time kernel

124s

Max time network

133s

Command Line

com.appmaker.appmaker

Signatures

N/A

Processes

com.appmaker.appmaker

Network

Country  Destination           Domain                     Proto
N/A      224.0.0.251:5353      N/A                        udp
GB       216.58.204.78:443     N/A                        tcp
US       1.1.1.1:53            android.apis.google.com    udp
GB       142.250.200.46:443    android.apis.google.com    tcp

Files

/data/data/com.appmaker.appmaker/files/apps.db

MD5 c2a1f88133779c380ff4af26d8fc3487
SHA1 4473bf8ac5691a8444f6044b89e38c106262e895
SHA256 b1664dca893df407378fedd3ce41f0f72a353d0080b5b0e37c1a7b69708a5d2e
SHA512 32ed897c268115a8632ef8c8da7328b2ee0b14ab065ecfe61192dc65f5a64ce375aa8ae3eb2ea5ced07b588ffa0d505d2c6cd1c68d14306b9a826553a58cb2fd

/data/data/com.appmaker.appmaker/files/apps.db-journal

MD5 92934336642f93514c146d7d239a07d8
SHA1 d19d756b435abf1edbb0df561b464c8eb6b7e796
SHA256 2d7b3fdf35246318391e352c98812c83a6d7ec9cc154c6ebd082d3f75f685cea
SHA512 fab8dd7c91b64445758f3e32f16276e41cd8aea096da77a66151b9e8c29c0489ea169829a4620f6d488ddb0a56bbafb373a778f9642b72c77f02874d0789398b

/data/data/com.appmaker.appmaker/files/apps.db

MD5 62a4d9612947a6efb4dbc5d05a0c0feb
SHA1 67514e7ddc9b4b638c6bfb011973f96b6f3ae914
SHA256 51d4ce3345eabb9f2ae966d6e1c1ee9934e37e3840d77ff02bd724dd7a940258
SHA512 d2cf9c2339c855d4a6caf5e620d27f0cfa661a70d0f7dc2e6c4839479858da44cbd06148f0683806817d02108a968dc8433ccb471946cc5f7a740ba8008b1df3

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-28 09:58

Reported

2024-07-28 10:01

Platform

android-x64-20240624-en

Max time kernel

29s

Max time network

168s

Command Line

com.myapp.exs

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.myapp.exs

Network

Country  Destination           Domain                     Proto
N/A      224.0.0.251:5353      N/A                        udp
US       1.1.1.1:53            ssl.google-analytics.com   udp
GB       172.217.169.8:443     ssl.google-analytics.com   tcp
GB       142.250.179.238:443   N/A                        tcp
US       1.1.1.1:53            android.apis.google.com    udp
GB       142.250.179.238:443   android.apis.google.com    tcp
GB       142.250.179.228:443   N/A                        tcp
GB       142.250.179.228:443   N/A                        tcp
GB       142.250.200.34:443    N/A                        tcp
GB       216.58.204.78:443     N/A                        tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-07-28 09:58

Reported

2024-07-28 10:01

Platform

android-x86-arm-20240624-en

Max time kernel

33s

Max time network

134s

Command Line

com.appmaker.testappsx

Signatures

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.appmaker.testappsx

Network

Country  Destination           Domain                     Proto
N/A      224.0.0.251:5353      N/A                        udp
US       1.1.1.1:53            www.google.com             udp
GB       142.250.187.228:80    www.google.com             tcp
GB       142.250.187.228:443   www.google.com             tcp
GB       216.58.204.78:443     N/A                        tcp
US       1.1.1.1:53            android.apis.google.com    udp
GB       142.250.178.14:443    android.apis.google.com    tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-07-28 09:58

Reported

2024-07-28 10:01

Platform

android-x64-arm64-20240624-en

Max time kernel

34s

Max time network

134s

Command Line

com.appmaker.testappsx

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.appmaker.testappsx

Network

Country  Destination           Domain                     Proto
N/A      224.0.0.251:5353      N/A                        udp
GB       142.250.187.206:443   N/A                        tcp
GB       142.250.187.206:443   N/A                        tcp
US       1.1.1.1:53            android.apis.google.com    udp
GB       216.58.204.78:443     android.apis.google.com    tcp
US       1.1.1.1:53            ssl.google-analytics.com   udp
US       1.1.1.1:53            www.google.com             udp
GB       142.250.187.228:80    www.google.com             tcp
GB       142.250.187.228:443   www.google.com             tcp
GB       142.250.187.228:443   www.google.com             tcp
GB       142.250.187.228:443   www.google.com             tcp

Files

N/A