Malware Analysis Report

2025-01-19 05:51

Sample ID 241127-x6nh4swrcx
Target 7a02c5eb86106247a3e744caced3b621918e7033dcae40c8d4015d12e246abb7
SHA256 7a02c5eb86106247a3e744caced3b621918e7033dcae40c8d4015d12e246abb7
Tags
irata banker discovery impact persistence collection credential_access
score
10/10

Analysis Overview

score
10/10

SHA256

7a02c5eb86106247a3e744caced3b621918e7033dcae40c8d4015d12e246abb7

Threat Level: Known bad

Verdict: the file 7a02c5eb86106247a3e744caced3b621918e7033dcae40c8d4015d12e246abb7 matched the Irata family signature and received the maximum score of 10/10.

Malicious Activity Summary

irata banker discovery impact persistence collection credential_access

The list below is the union of signatures from one static pass and two short detonations (11 s and 5 s of kernel time, on an android-x86-arm image and an android-x64 image respectively). The runs did not trigger identical signatures: the clipboard listener fired only in behavioral2 and the /proc/cpuinfo read only in behavioral1. With runs this short, the absence of overlay display or SMS exfiltration in the traces is not evidence that the sample lacks them; the permissions requested in static1 are the better guide to capability.

Irata family

Obtains sensitive information copied to the device clipboard

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Reads information about phone network operator.

Acquires the wake lock

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

MITRE ATT&CK

Mobile Matrix V15 (tactic tags: discovery, persistence, collection, credential_access, impact)

Analysis: static1

Detonation Overview

Reported

2024-11-27 19:28

Signatures

Irata family

irata

Requests dangerous framework permissions

Indicators (Process and Target are N/A for a static pass) with the platform's description of each permission:

android.permission.CALL_PHONE: initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.POST_NOTIFICATIONS: post notifications.
android.permission.READ_PHONE_STATE: read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and the list of PhoneAccounts registered on the device.
android.permission.SEND_SMS: send SMS messages.
android.permission.READ_SMS: read SMS messages.
android.permission.RECEIVE_SMS: receive SMS messages.
android.permission.READ_CONTACTS: read the user's contacts data.

Taken together these matter more than individually: RECEIVE_SMS, READ_SMS and SEND_SMS give the app full two-way control of the SMS channel (intercepting one-time codes and replying or forwarding), READ_CONTACTS supplies a target list for SMS phishing, CALL_PHONE allows calls without user confirmation, and READ_PHONE_STATE supports device and SIM fingerprinting. This combination is characteristic of SMS-stealing bankers, and the sandbox's "dangerous" label refers to Android's runtime (user-prompted) protection level, which POST_NOTIFICATIONS joined in Android 13.
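As an added example (not part of the sandbox report), the following Python triage script parses a decoded AndroidManifest.xml and reports the dangerous permissions and the capabilities implied by their combinations. The manifest embedded in it is constructed to request exactly the seven permissions listed above for com.errorforcode.netix; the .SmsReceiver component, the application label and the scoring weights are hypothetical and are not taken from the sample.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by every android:* attribute in a manifest.
A = "{http://schemas.android.com/apk/res/android}"

# Constructed input, not the sample's real manifest: a decoded AndroidManifest.xml
# (the form apktool or aapt2 dumps) for com.errorforcode.netix requesting exactly
# the seven permissions the static1 analysis lists. The .SmsReceiver component
# is a hypothetical addition so the component check below has something to find.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.errorforcode.netix">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Netix">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Runtime ("dangerous") permissions relevant to SMS-stealer / banker triage.
# POST_NOTIFICATIONS joined this group in Android 13.
DANGEROUS = {
    "android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE",
    "android.permission.SEND_SMS", "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS",
    "android.permission.POST_NOTIFICATIONS", "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
}

# Capability rules: every permission in the set must be requested. Names are
# short forms; the android.permission. prefix is stripped before matching.
CAPABILITIES = {
    "intercept incoming SMS (OTP theft)": {"RECEIVE_SMS"},
    "read SMS history": {"READ_SMS"},
    "two-way SMS control (reply to C2 or victims over SMS)": {"SEND_SMS", "RECEIVE_SMS"},
    "SMS phishing of the victim's contacts": {"READ_CONTACTS", "SEND_SMS"},
    "place calls without dialer confirmation": {"CALL_PHONE"},
    "device/SIM fingerprinting": {"READ_PHONE_STATE"},
}

SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def parse_manifest(xml_text: str) -> dict:
    """Return package name, requested permissions and SMS_RECEIVED receivers."""
    root = ET.fromstring(xml_text)
    perms = sorted({e.get(A + "name") for e in root.iter("uses-permission")})
    receivers = []
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(A + "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                receivers.append({
                    "component": rcv.get(A + "name"),
                    "exported": rcv.get(A + "exported") == "true",
                    # A maximal priority makes the receiver see the SMS before
                    # the default messaging app (and, before Android 4.4, let
                    # it abort the broadcast so the user never saw the message).
                    "priority": int(flt.get(A + "priority", "0")),
                })
    return {"package": root.get("package"), "permissions": perms,
            "sms_receivers": receivers}


def triage(xml_text: str) -> dict:
    """Flag dangerous permissions and the capabilities their combination implies."""
    info = parse_manifest(xml_text)
    short = {p.rsplit(".", 1)[-1] for p in info["permissions"]}
    dangerous = [p for p in info["permissions"] if p in DANGEROUS]
    capabilities = [name for name, need in CAPABILITIES.items() if need <= short]
    # Hypothetical weighting: one point per dangerous permission, plus two for
    # each capability that needs more than one permission (the combinations
    # are the real signal, not any single permission).
    score = len(dangerous) + 2 * sum(1 for need in CAPABILITIES.values()
                                     if len(need) > 1 and need <= short)
    return {**info, "dangerous": dangerous, "capabilities": capabilities,
            "score": score}


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    print(result["package"], "score", result["score"])
    for p in result["dangerous"]:
        print("  dangerous:", p)
    for c in result["capabilities"]:
        print("  capability:", c)
    for r in result["sms_receivers"]:
        print("  SMS_RECEIVED receiver:", r)
```

The script works on the decoded XML form of the manifest; on a raw APK the binary manifest has to be decoded first (apktool or aapt2 dump xmltree), which is assumed to have been done before the text is fed in.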

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-27 19:28

Reported

2024-11-27 19:28

Platform

android-x86-arm-20240624-en

Max time kernel

11s

Max time network

22s

Command Line

com.errorforcode.netix

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Note: the report gives no indicator for this signature (it is normally a PackageManager getInstalledPackages or getInstalledApplications call). Bankers compare the result against a built-in list of target package names to decide which overlay or phishing page to serve. On Android 11 and later the call only returns packages visible to the caller unless the app holds QUERY_ALL_PACKAGES or names the targets in a <queries> element; the static1 section lists only dangerous-level permissions, so check the manifest for either before assuming the enumeration works on a current device.

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Note: getNetworkCountryIsoForPhone returns the ISO 3166-1 alpha-2 code of the current network operator's country (for example "gb"), not the numeric MCC, so the signature title is loose. The usual purpose is geofencing: a banker targeting one country's banks checks this value and stays dormant, or exits, elsewhere, which also defeats sandboxes running with a foreign operator profile. When re-detonating, set the emulator's operator country to the one the campaign targets.

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Note: a receiver registered through registerReceiver is not declared in the manifest and lives only as long as the process; it does not by itself survive a reboot, and the report does not show which intents it filters on. The more durable mechanism visible in this run is WorkManager: the androidx.work.workdb files under no_backup/ in the Files section hold scheduled work that the library re-enqueues after process death and after reboot.

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Note: Cipher.doFinal on its own does not show what was encrypted or decrypted. For a banker the likelier uses are decrypting embedded strings or configuration and encrypting C2 traffic; the Files list for this run contains only SDK state and one small SQLite database, with no sign of user files being rewritten, so the "impact" reading (ransomware-style encryption of user data) is not supported by what was observed. Hooking Cipher.init and Cipher.doFinal (for example with Frida) and logging the key, IV and plaintext would settle it.

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.errorforcode.netix

Network

Most rows are background traffic from Google Play services and the Firebase and Cloudflare SDKs linked into the app. The two names that are not platform infrastructure are www.zwavh.space, which was resolved and contacted over TLS at 104.21.96.70 (a Cloudflare-fronted address, so the IP identifies a CDN edge rather than the operator's server), and blu-app-saman.store, which was queried over DNS but has no follow-on connection in this run (the name may not have resolved, or the sample never used it). The bare-IP rows cannot be attributed from this table; the TLS SNI or certificate in the pcap is needed for that.

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 api.cloudflare.com udp
US 104.19.193.29:443 api.cloudflare.com tcp
US 1.1.1.1:53 www.zwavh.space udp
US 104.21.96.70:443 www.zwavh.space tcp
US 104.21.96.70:443 www.zwavh.space tcp
US 1.1.1.1:53 blu-app-saman.store udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp

Files

Everything written in this run is SDK state rather than a payload: androidx.work.workdb* is WorkManager's job database, com.google.android.datatransport.events* is the Firebase transport queue, PersistedInstallation*tmp is Firebase Installations data, and primary.prof and the profileinstaller files are ART profile artefacts. The one app-specific artefact is files/database.db, which is worth extracting from the device image and inspecting, for example for harvested SMS, contacts or C2 configuration. The same path appearing several times with different hashes reflects successive snapshots of a file that changed during the run.

/data/data/com.errorforcode.netix/no_backup/androidx.work.workdb-journal

MD5 270481c986bf33f4da450337a67c2d66
SHA1 4e4c73d27a2c9b6cc70a6a224bb8999d2545d57b
SHA256 d4a8cf05f0c1069622a46105dd06ac836ccc9ca98c02a9aca4ebda3022ba4670
SHA512 78c942e62ae8927429d09ea78d16fb060c87ce05d464998fe1c22056e2bf353ff241c57e0e1aba205ea4f0802c15e7a603b3221df4d0d14fed7294b354a2d961

/data/data/com.errorforcode.netix/databases/com.google.android.datatransport.events-journal

MD5 e5d72433ca7cb521c3498e26423f3798
SHA1 eb7505c5b42edb9d65f0ff41d8315471710b324e
SHA256 362aa022888c9f86fdaa2c56b107d82c258f47307b6b3f3e445be06cd53e023d
SHA512 910c18d252e159db0261c08c8dbe3126f93acbe611bc3574766c444457d5b86a4019dc4e9e433d842993c4fcc70d16e5493869ebdc95f287169f67744ffd08ac

/data/data/com.errorforcode.netix/databases/com.google.android.datatransport.events

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.errorforcode.netix/databases/com.google.android.datatransport.events-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.errorforcode.netix/databases/com.google.android.datatransport.events-wal

MD5 38ac1f9eb0ef4b08de67365626bf0837
SHA1 4e97e0e8dabee074829a06ec089be0f4b5eb74aa
SHA256 34bd533616bb875bd8f3234555029c73c4c744cb9f39d123111b841235f6cae7
SHA512 a85e33dc7d75bd612eba35253477fc2ad0be99a532e80e008558449c1d86510f74a8db7df5d2682426b6b904c88bce7963a0cb2c1b426ddd1dcbc34bde957001

/data/data/com.errorforcode.netix/no_backup/androidx.work.workdb-wal

MD5 4c68f9294c75bfd09f28dbd3afc70112
SHA1 f1e0e9d96ed36d189dfbaecd57224574fa1b3f50
SHA256 f948573b3bef782bf7e0bcf65e09dff7345a300140358a57cb89d3b18a93670e
SHA512 bd195ed3c80aeadafe000db843cb6b1155d43a22da3c70f6f2b102d54d86848c11c94e1aa4625fe040fe066070036665d5468225149b54d413e16c010a48e244

/data/data/com.errorforcode.netix/files/PersistedInstallation5371231028793649tmp

MD5 8fe32ca62f2936b0d040b2474c8b2115
SHA1 c125439740fe18b069b1ee6235662a706814bd0f
SHA256 8072f6a340ebe425dc0b1d21b1c3a937063d3b925d69a5ec13bb1e5663cef999
SHA512 b2ba1eef882abf956f4861516ffe1de346d228ea03ce58a148e440a5c82d467164509dd19536c102a9ec7fea8f912ae334b157557a9d7325ce09001a5d0e95af

/data/data/com.errorforcode.netix/no_backup/androidx.work.workdb-wal

MD5 09a0003cfe3aa8770ed5913635c9a950
SHA1 3c66f0cbd37fc16428ccd8626cb6e3ae000b132e
SHA256 c3b9ecabe1ace3246957720c9266ad36c6aed6d45586e33f8b4ea0f13acd6216
SHA512 18308f7f3fde67ac3c4dbee6fe4150e43b4d0518fbc16f81f6a26607d2daf387c88c8977bd7328942be092c2409bb5b58762b968e1cdaa684d1a4ad31a3dcd7b

/data/data/com.errorforcode.netix/no_backup/androidx.work.workdb-wal

MD5 8b303e452423d1a9825aa82e8a912960
SHA1 862fdb301401de62ba50a5a973aa384bcf1b22e2
SHA256 5175410ad83ac6d87a5c5e2929fe0f65376709c77e835243b93c9d8a60881c49
SHA512 7d968e12c7bee4ab85ff3e6d7a213655f9af02f2401e898c6d5a2f19a6ae130015714f4e5cbc08db0508aa2b4fe6c8cd67a3b2b9a55f2e673b5a894ecbca7dcf

/data/data/com.errorforcode.netix/files/database.db

MD5 3b87b34a8addaebf97a4d55ef4b57573
SHA1 7ad9869ba93f0aa1b81d7997f15c7f0862dc1ffd
SHA256 5e8f87089e29464c18c2164e40da12a29ce7ffb56c46586836396caf4c02f2c0
SHA512 95a2305d25079803cd2ae3c0893ea461683337d0ac20bed74ad9192942c9b675e93459ad4616ff7c17322b904f3463de1e1801a59f702f34587b07933fe0f0e9

/data/data/com.errorforcode.netix/files/PersistedInstallation7625885160554880601tmp

MD5 1b48ae5889f976ee21f7b022e5f1636e
SHA1 5bd3ee3556845246a3f0f75906bb7c66adde1b96
SHA256 516269275749ed7ab1349cf416458995656ae7c9540e931eecf800fa216f8417
SHA512 374391f8f49c0172ff272627e341d1c60f48637a1e858c8f84f020f858357082b6cc07eeb2336e14c408bd9556006087fc29a1203a18dd8acf9ed4fe1caae75d

/data/misc/profiles/cur/0/com.errorforcode.netix/primary.prof

MD5 aaa163108a7e79ae66fa54fd6020ef07
SHA1 591d01a1bcf3f82617a682561b0ceceff7a444a3
SHA256 5d379e396d8f70b05e8df2c54b8520a466d5687f3b2272fca18bfcf4a2faad42
SHA512 27d176b516b4070f289645e351b4e9fbe66cc1e47199492ea3c1f1c17b70621b93b1c164d940851417e7eb5763ec5d8f4f1389f330d397712758bbff80746ab1

/data/data/com.errorforcode.netix/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 3f173d398043dee1c92279fc015a0b7e
SHA1 586a35d6e9d0437e80b18458f81206ddd0d42030
SHA256 6d72a99d78dba440ed33ff67fe36eefa4e7b3a6ebed18f3cb6c5042958e72d9f
SHA512 0d36e0b818e03ca37f1f09171ce5954b0e6dcd737dc919f4c5d4e22523302c63a909210be25f4a1bee3b8824eb7d2e985b09c681ff1b88d088e1bc6136661807

/data/data/com.errorforcode.netix/files/profileInstalled

MD5 8b13e51af6c7f46aacd55258bad3655e
SHA1 93f3979d2e3fb83729c3443e9bd7cfdd0b8285fc
SHA256 f2fa690afee315e8454d012d5a8c1ed6dd612b0eb7686285a84eb7d109d0da7b
SHA512 622e752ec18c112b3a6542fcb604ca0e01e0de97be397aa528217fd071b37d027a80fc6b504a81870feb12c0733a9b4ab485b3db20f779291824ccf595777297

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-27 19:28

Reported

2024-11-27 19:28

Platform

android-x64-20240624-en

Max time kernel

5s

Max time network

27s

Command Line

com.errorforcode.netix

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Note: addPrimaryClipChangedListener registers a callback that fires on every clipboard change, so the app can read each copied item (one-time codes, passwords, card numbers, wallet addresses) the moment the user copies it, with no further interaction. Since Android 10 the platform only delivers clipboard contents to the app that has input focus or is the default IME, so the listener pays off mainly while the malware's own activity or overlay is in the foreground. This signature fired only in the x64 run (behavioral2).

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Note: this call returns the operator's ISO country code (for example "gb") rather than the numeric MCC; its typical use is geofencing the payload to the targeted country.

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.errorforcode.netix

Network

As in behavioral1, www.zwavh.space is contacted over TLS (here at 172.67.174.2, another Cloudflare-fronted address) and blu-app-saman.store is queried but never connected to. The remaining names (accounts.google.com, safebrowsing.googleapis.com, ssl.google-analytics.com, g.tenor.com, api.cloudflare.com) and the bare Google IPs, including the 5228/tcp connection used by Google's push messaging service, are SDK and platform traffic.

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 api.cloudflare.com udp
GB 142.250.179.238:443 tcp
GB 142.250.200.34:443 tcp
GB 216.58.201.99:443 tcp
GB 216.58.201.99:443 tcp
GB 216.58.201.99:443 tcp
US 216.239.38.223:443 tcp
BE 142.251.173.188:5228 tcp
US 216.239.38.223:443 tcp
GB 142.250.180.14:443 tcp
GB 172.217.16.228:443 tcp
US 104.19.192.175:443 api.cloudflare.com tcp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 www.zwavh.space udp
GB 173.194.76.84:443 accounts.google.com tcp
US 172.67.174.2:443 www.zwavh.space tcp
US 172.67.174.2:443 www.zwavh.space tcp
US 1.1.1.1:53 blu-app-saman.store udp
US 1.1.1.1:53 g.tenor.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.78:443 android.apis.google.com tcp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
US 1.1.1.1:53 safebrowsing.googleapis.com udp
GB 142.250.187.234:443 safebrowsing.googleapis.com tcp
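The triage described for both Network tables, as an added example rather than part of the report: the script below parses rows in the table's format, drops mDNS noise, separates DNS queries from connections, and splits the names into allowlisted platform traffic, indicators with the addresses actually contacted, and names that were only queried. The rows embedded are a deduplicated subset copied from the behavioral1 and behavioral2 tables above; the allowlist of benign suffixes is an assumption to tune per case, not a verdict on those hosts.

```python
import ipaddress
from collections import namedtuple

Row = namedtuple("Row", "country ip port domain proto")

# Deduplicated subset of the rows from the two Network tables above, in the
# report's own "Country Destination Domain Proto" layout (header omitted).
NETWORK_TABLE = """
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 api.cloudflare.com udp
US 104.19.193.29:443 api.cloudflare.com tcp
US 1.1.1.1:53 www.zwavh.space udp
US 104.21.96.70:443 www.zwavh.space tcp
US 1.1.1.1:53 blu-app-saman.store udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
BE 142.251.173.188:5228 tcp
US 172.67.174.2:443 www.zwavh.space tcp
US 1.1.1.1:53 g.tenor.com udp
US 1.1.1.1:53 accounts.google.com udp
GB 173.194.76.84:443 accounts.google.com tcp
US 1.1.1.1:53 safebrowsing.googleapis.com udp
GB 142.250.187.234:443 safebrowsing.googleapis.com tcp
"""

# Suffixes the reviewer chooses to treat as platform/SDK background traffic
# (Play services, Firebase, Google Analytics, Cloudflare API, Tenor GIF SDK).
# Assumed allowlist: tune it per case; it is not a statement about those hosts.
BENIGN_SUFFIXES = ("google.com", "googleapis.com", "google-analytics.com",
                   "cloudflare.com", "tenor.com")


def parse_rows(text):
    """Parse the report's whitespace-separated rows; the Domain column is optional."""
    rows = []
    for line in text.strip().splitlines():
        f = line.split()
        if not f or f[0] == "Country":
            continue
        country, dest = f[0], f[1]
        domain, proto = (f[2], f[3]) if len(f) == 4 else (None, f[2])
        ip, port = dest.rsplit(":", 1)
        rows.append(Row(country, ip, int(port), domain, proto))
    return rows


def is_benign(domain, suffixes=BENIGN_SUFFIXES):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def triage_network(text, suffixes=BENIGN_SUFFIXES):
    """Split the table into IOCs, DNS-only names, platform noise and bare IPs."""
    queried, connected, bare = set(), {}, set()
    for r in parse_rows(text):
        if ipaddress.ip_address(r.ip).is_multicast:   # mDNS and similar LAN noise
            continue
        if r.port == 53 and r.proto == "udp":         # a DNS query, not a contact
            if r.domain:
                queried.add(r.domain)
            continue
        if r.domain:
            connected.setdefault(r.domain, set()).add(f"{r.ip}:{r.port}")
        else:
            # No name attached: needs the TLS SNI/certificate from the pcap
            # to attribute (5228/tcp, for instance, is Google's push port).
            bare.add(f"{r.ip}:{r.port}")
    iocs, dns_only, noise = {}, [], []
    for d in sorted(queried | set(connected)):
        if is_benign(d, suffixes):
            noise.append(d)
        elif d in connected:
            iocs[d] = sorted(connected[d])        # name plus endpoints actually hit
        else:
            dns_only.append(d)                    # queried, never connected to
    return {"iocs": iocs, "dns_only": dns_only, "platform_noise": noise,
            "unattributed": sorted(bare)}


if __name__ == "__main__":
    for key, value in triage_network(NETWORK_TABLE).items():
        print(f"{key}: {value}")
```

Names in the iocs bucket carry the addresses contacted, so a blocklist entry can carry both the hostname and the observed edge IPs, with the caveat that Cloudflare-fronted IPs rotate and the hostname is the durable indicator. A name in dns_only is still worth a watchlist entry: it appeared in the sample, even if this run never reached it.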

Files

The same library state as in behavioral1 (WorkManager database, Firebase transport queue, Firebase Installations data); no app-specific database.db was written in this shorter run.

/data/data/com.errorforcode.netix/databases/com.google.android.datatransport.events-journal

MD5 3d7e7e163cef8c5e45a2a86f944ee5a5
SHA1 a6ff7d2972cbcca609402733805bde740360ce9c
SHA256 978232583f105e3a3281af769922d1f302e0504d2811c759a507b8aba1b4c15a
SHA512 5eafc1c1036b3b3286ca7b6af5d1f627ae9a2e72acc8876341dba214f9682226a0f64b77ff5c53d3c4a971a2d75e9d1d13aab479685d108f29202d39e763fda4

/data/data/com.errorforcode.netix/databases/com.google.android.datatransport.events

MD5 f7f120e0885aaf8f8162d5aad64fc401
SHA1 f20bb12dd99ec0547c036ffb7afb5e5cfa5c225c
SHA256 465a783455182e02070d2eb9b1a8de7a97696d3ee7a8fa9348e1148e8810450d
SHA512 dc3c499662a08303f30e0084939e36f90fa3ea0aca12ce0c2104fb4e68fc88a143e012cf051b62468e616dd85c354f7e412303bceeabcac833251aca58d2e4c4

/data/data/com.errorforcode.netix/no_backup/androidx.work.workdb-journal

MD5 96486e709ce694820d256fa8e2118a41
SHA1 c5ad6add50d44f789528e5fc93fb12ab195c5c9c
SHA256 613713bf1312f5920763ef1c22ec42d413a94675a67407ae185a70c37884d4e1
SHA512 631d192bcaa17e06b67ac9a33711ccfe402d6f9fb81a5cc23049ba8f9427eb95b3633498b908c7e31333b841464cbf710fb9e284a0d21513ae2787b460aff4bc

/data/data/com.errorforcode.netix/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.errorforcode.netix/databases/com.google.android.datatransport.events-journal

MD5 352f0bff2e0950b65a3aafbd51527ba3
SHA1 a1cf4468441bdc5659f3eac85094f77dbb4ef7e6
SHA256 ca5bde6d01e0c0bd3f7a1f1f24c5efbeb7a27732b18ca6f653fbef03f479883d
SHA512 3d1a4ae3730aa253d3883e5d022d1ea79faf94c536fc85dd791cea4ee9da8463a91ad002c0b80646a7686b91f4075296c80a48a8d3f7e5a9babd4225b4f2ba3e

/data/data/com.errorforcode.netix/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.errorforcode.netix/no_backup/androidx.work.workdb-wal

MD5 a9c7781696e6ca8a1786114d66a0ca9b
SHA1 9cb955781c75abcad30d599b5b34f1c07e4cd429
SHA256 56b455e97bcd24e9c691ec2f0b55d3a0453f57223ac2e2e5b00254969f192abf
SHA512 1ad436520ad5fb1201fac3232293fac8eecf96e21ce0bb47f4f62514cb0ae884410a152033b5946a042a77a2b328892d9a93aaa4e0d9ad0d8edcc447cfd06c7b

/data/data/com.errorforcode.netix/databases/com.google.android.datatransport.events-journal

MD5 df72a8bd4ea2296b4c85d6553ccf0fb8
SHA1 2dc7c581371fe7176227b0eac78bbc5c2c06c024
SHA256 89571fbec418fd14cf76a8886b3c6055fcbc9df100b5cfbc567890ee958afb50
SHA512 bef308b13358d38ddc991b3f70c6fc66030933dc6f8d05cb6131b884111c0f7377df0b55763596eddc9912b34c9312312948a187f42b3b8647bebdda3d4596bd

/data/data/com.errorforcode.netix/files/PersistedInstallation403619862343327642tmp

MD5 8deeb13ecb009a73207f2b9977704558
SHA1 9379064468611f564577518963fd6af89931f585
SHA256 364eb1523a31a817933a40542ad109364a6f78441eee61a7032fd35bf89703de
SHA512 91901c74febfb3ab87909ef437da90463617d44aaed4b59f8d347c2d3b32e3731708c5877768b9c9cf10ebc99b6d6d068fcc343ec8009afee1e1b65ab53d0e8d

/data/data/com.errorforcode.netix/no_backup/androidx.work.workdb-wal

MD5 7b1d64c77c48a692ac4303f14ff47c04
SHA1 cb76aa3e70d2014ff9fd8cda0ed80aa5e2a939c3
SHA256 2d40c2cfe7d7fcef36b2d636e824d57e610f0c489c2515316ef967f08c95c3a2
SHA512 cc79d69c63ac2293a047a8f7503ca6cf31eb9b65c7ea22a1e3c4896291aa10cdb3362217cdaaccf3f54ceebeade9b9cf12e7c3ed11d748673df16e7c95eb4568

/data/data/com.errorforcode.netix/no_backup/androidx.work.workdb-wal

MD5 04e82ae517755d8b10df8f50be4e7a66
SHA1 32c831e4ab087fbb0dc3babcb0b7293d17a486c9
SHA256 34742a979ec2293465f26bbb903c0223d1b0711feead5a1d450ded7b2fc2862e
SHA512 e4a680783c567dbff224961372ca45dd3ca3d1d43a6438c84370828d61e7458c94e120222ca23906ee751b5767fab896d4a1872ccdf358ddb6282c747b5a9def

/data/data/com.errorforcode.netix/files/PersistedInstallation5047021169486638484tmp

MD5 88b679bddc413c3880823c8332c3152f
SHA1 07ea7bc2442e776e19652ebbe0305a5a167a0a35
SHA256 ca67448a2267c88907771bfdfe3e9c3e2d4376697432568bd847b2565e85819f
SHA512 1ce01263157491660b5ef0fc971e2087d00a03968ea68052e37cdcf0bfb196723585f4acb711b9843186dbe96fc24fc35c6afcfbc56fb59f0721206a6b2e4acd