Malware Analysis Report

2025-01-19 05:51

Sample ID 241127-x639kasrgp
Target 7a02c5eb86106247a3e744caced3b621918e7033dcae40c8d4015d12e246abb7
SHA256 7a02c5eb86106247a3e744caced3b621918e7033dcae40c8d4015d12e246abb7
Tags irata banker discovery impact persistence collection credential_access
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7a02c5eb86106247a3e744caced3b621918e7033dcae40c8d4015d12e246abb7

Threat Level: Known bad

The file 7a02c5eb86106247a3e744caced3b621918e7033dcae40c8d4015d12e246abb7 was found to be: Known bad.

Malicious Activity Summary

irata banker discovery impact persistence collection credential_access

Irata family

Obtains sensitive information copied to the device clipboard

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the mobile country code (MCC)

Queries information about active data network

Requests dangerous framework permissions

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-27 19:28

Signatures

Irata family

irata

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-27 19:28

Reported

2024-11-27 19:29

Platform

android-x86-arm-20240624-en

Max time kernel

11s

Max time network

15s

Command Line

com.errorforcode.netix

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.errorforcode.netix

Network

Country Destination Domain Proto
GB 142.250.180.10:443 N/A tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 api.cloudflare.com udp
N/A 100.100.36.227:443 api.cloudflare.com tcp
GB 216.58.201.110:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
N/A 100.110.66.92:443 android.apis.google.com tcp

Files

/data/data/com.errorforcode.netix/databases/com.google.android.datatransport.events-journal

/data/data/com.errorforcode.netix/databases/com.google.android.datatransport.events

/data/data/com.errorforcode.netix/databases/com.google.android.datatransport.events-shm

/data/data/com.errorforcode.netix/databases/com.google.android.datatransport.events-wal

/data/data/com.errorforcode.netix/files/PersistedInstallation7183234945374604817tmp

/data/data/com.errorforcode.netix/no_backup/androidx.work.workdb-journal

/data/data/com.errorforcode.netix/no_backup/androidx.work.workdb-wal

/data/data/com.errorforcode.netix/no_backup/androidx.work.workdb-wal

/data/data/com.errorforcode.netix/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-27 19:28

Reported

2024-11-27 19:29

Platform

android-x64-20240624-en

Max time kernel

14s

Max time network

23s

Command Line

com.errorforcode.netix

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.errorforcode.netix

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 ssl.google-analytics.com udp
N/A 100.74.101.3:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 api.cloudflare.com udp
N/A 100.118.14.239:443 api.cloudflare.com tcp
GB 142.250.187.238:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
N/A 100.125.211.173:443 android.apis.google.com tcp
N/A 100.125.211.173:443 android.apis.google.com tcp

Files

/data/data/com.errorforcode.netix/databases/com.google.android.datatransport.events-journal

/data/data/com.errorforcode.netix/databases/com.google.android.datatransport.events

/data/data/com.errorforcode.netix/databases/com.google.android.datatransport.events-journal

/data/data/com.errorforcode.netix/databases/com.google.android.datatransport.events-journal

/data/data/com.errorforcode.netix/no_backup/androidx.work.workdb-journal

/data/data/com.errorforcode.netix/no_backup/androidx.work.workdb

/data/data/com.errorforcode.netix/no_backup/androidx.work.workdb-shm

/data/data/com.errorforcode.netix/no_backup/androidx.work.workdb-wal

/data/data/com.errorforcode.netix/files/PersistedInstallation6890745291467462570tmp

/data/data/com.errorforcode.netix/no_backup/androidx.work.workdb-wal

/data/data/com.errorforcode.netix/no_backup/androidx.work.workdb-wal

/data/misc/profiles/cur/0/com.errorforcode.netix/primary.prof

/data/data/com.errorforcode.netix/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/data/com.errorforcode.netix/files/profileInstalled