Malware Analysis Report

2025-01-19 05:51

Sample ID: 241128-2cwd3symhm
Target: 8baea2e83cfc696a8ff9186f48d0da2f3192acb7c17267964117b5e947a05768.zip
SHA256: abece4841f503b30454f651906de6cbc5d35a464877fb95db4343d63a3b35888
Tags: irata, discovery
Score: 10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
    Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: abece4841f503b30454f651906de6cbc5d35a464877fb95db4343d63a3b35888

Threat Level: Known bad

The file 8baea2e83cfc696a8ff9186f48d0da2f3192acb7c17267964117b5e947a05768.zip was found to be: Known bad.

Malicious Activity Summary

Tags: irata, discovery

- Irata family
- Irata payload
- Queries information about active data network
- Requests dangerous framework permissions
- Acquires the wake lock

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-28 22:26

Signatures

Irata family (tag: irata)

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-28 22:26
Reported: 2024-11-28 22:29
Platform: android-x86-arm-20240624-en
Max time kernel: 3s
Max time network: 131s

Command Line

org.bax.project

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network (tag: discovery)

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

org.bax.project

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.180.10:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 172.217.16.238:443 | android.apis.google.com | tcp

Files

/data/data/org.bax.project/files/PersistedInstallation7699023198845316844tmp


Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-28 22:26
Reported: 2024-11-28 22:29
Platform: android-x64-20240624-en
Max time kernel: 3s
Max time network: 133s

Command Line

org.bax.project

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network (tag: discovery)

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

org.bax.project

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp

Files

/data/data/org.bax.project/files/PersistedInstallation7123958786036169822tmp


/data/data/org.bax.project/databases/google_app_measurement_local.db-journal


/data/data/org.bax.project/databases/google_app_measurement_local.db


/data/data/org.bax.project/databases/google_app_measurement_local.db-journal


/data/data/org.bax.project/databases/google_app_measurement_local.db-journal


/data/data/org.bax.project/databases/google_app_measurement_local.db-journal


/data/data/org.bax.project/databases/google_app_measurement_local.db-journal


/data/data/org.bax.project/files/PersistedInstallation428721360631577103tmp


Analysis: behavioral3

Detonation Overview

Submitted: 2024-11-28 22:26
Reported: 2024-11-28 22:29
Platform: android-x64-arm64-20240624-en
Max time kernel: 3s
Max time network: 132s

Command Line

org.bax.project

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network (tag: discovery)

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

org.bax.project

Network

Country | Destination | Domain | Proto
GB | 216.58.212.238:443 | | tcp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp

Files

/data/data/org.bax.project/files/PersistedInstallation6844689002157467895tmp


/data/data/org.bax.project/databases/google_app_measurement_local.db-journal


/data/data/org.bax.project/databases/google_app_measurement_local.db


/data/data/org.bax.project/databases/google_app_measurement_local.db-journal


/data/data/org.bax.project/databases/google_app_measurement_local.db-journal


/data/data/org.bax.project/databases/google_app_measurement_local.db-journal


/data/data/org.bax.project/databases/google_app_measurement_local.db-journal


/data/data/org.bax.project/files/PersistedInstallation5972244028746396220tmp
