Malware Analysis Report

2025-01-19 05:50

Sample ID: 241128-2dgmbaynap
Target: 9a18e212ffdd94dd262de2eeab7758657dee156ee2ddebeec6b97df7227ab8be.zip
SHA256: 7f15de43d3d5f54c59efde740fe02b72bc7e9cb720010520cbac9b5e99484f46
Tags: discovery irata
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 7f15de43d3d5f54c59efde740fe02b72bc7e9cb720010520cbac9b5e99484f46

Threat Level: Known bad

The file 9a18e212ffdd94dd262de2eeab7758657dee156ee2ddebeec6b97df7227ab8be.zip was found to be: Known bad.

Malicious Activity Summary

discovery irata

Irata family

Irata payload

Requests dangerous framework permissions

Acquires the wake lock

Queries information about active data network

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-28 22:27

Signatures

Irata family

irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-11-28 22:27
Reported: 2024-11-28 22:30
Platform: android-x64-arm64-20240910-en
Max time kernel: 1s
Max time network: 150s

Command Line

org.bax.project

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

org.bax.project

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.179.238:443 | www.youtube.com | tcp
GB | 172.217.16.238:443 | www.youtube.com | tcp
US | 216.239.32.223:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.193:443 | | tcp
GB | 142.250.187.225:443 | | tcp
US | 216.239.32.223:443 | | tcp

Files

/data/data/org.bax.project/files/PersistedInstallation4965354041389265330tmp

MD5 a4a40d7038506e97ed0545bb7ee38b9d
SHA1 1aff756fc3f5906ecf18f64fbb9ab84cdee768a4
SHA256 ceb96b32d9c15570798ec4e97d1b37103eac97ebc71dfd11d9b542d78671dbb7
SHA512 a609857b19789887994ccb395fe378bc770071fa866395b996e5a78bade833f3eb9b3cfe8b063ebaa7df9e07a1c9c3c7328daca57cb5e5c24181066a05bc80fb

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 39dd57cef460270153eb5d27851656d5
SHA1 8b7e5f84ae2dcb770ed07ef1fd00c56b10ea674a
SHA256 727cdc8ba0ba3f0d114325e7b4a6bc7b1b9e2c6da623bd9c731013c8d03431d0
SHA512 3640559975d497098f6e671aab1f12449b62d500b853d0b4b553b7c7e4e11edb2a862af56a8481987d5881a92501c78ea2be25bd83de36eab6dae653c0376410

/data/data/org.bax.project/databases/google_app_measurement_local.db

MD5 d9cf75fdd1c2292d986f6c3d5d60f2c8
SHA1 07ecb1d3a26d952ae5fecf54f36699ab498510b1
SHA256 2d227e9b7a044c8e10294f6a831fb92d81ea9582381796d87f35bd268e37538a
SHA512 442c96e4b4c79b8d1c64dd3a6d6088ae1dace441e78d830dfb3190ee1c0fafebc606fb432071b4a1ad1a4ba9b68c7877b0bce520ccc88708feaf82bbc474e0cb

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 c86f6f882d7e526575a4b27f3341b56b
SHA1 a21ba9bf8de0acd8f9d1a2d5f15a90c66eb7b82f
SHA256 59621bd8d8341d4b5e5397337156b42ff362b5be3c1518006142c501c691be9e
SHA512 e85d4c7c6b5d6248f2221f9388cd53a32fcb8ebef7c0d0a6383f8cdc056f8f2e79c3bd22c46162d541516f399bfc574000060308ef63dca79e581b3f7ecde9fb

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 5a3d142cd762be4e4e7a22c66909b54c
SHA1 990bd09b5ba200aadd76032272c95e4209d10564
SHA256 f9d9f7f789164a61dfed325b147193fd5b09ac06ec3f5b968262928a3ec2e511
SHA512 b76b4d4354267cedff1d4c126ade96a8514631ba35e2e853c91a990635b9fbe7c43de2c3c35ea56e118b9e7c52eec1aed588711ff4f7215b05932d8a9241498b

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 fa5aea8f291e7eaba6097a9e1e96d6c9
SHA1 b983123f47095caa3e49a709538504534bdf0790
SHA256 da0f2187661bd3ca4fcc22c20fc3e3489ea82c36bdf83f376db782f74a95abc7
SHA512 5894380de08ac50ee5e1af68cc17b394907a552e6ca70731142fca41be5259068596381d0db8108ae5083dc435d24341f1964e6d612785af2a76fdabea70a018

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 226cc5a8f086dcda7243caa8fbdb356e
SHA1 f12730850ae1e71cffb16c646e16913ce137acd1
SHA256 0e6fae933047f060b510df23c423c74f8ce7d0ee9defe24c6a95b859b5f06bd7
SHA512 c1883c6664688ea1fc83086103afd32905edfede270f63f2a5abc9f3e6f3c567587b58d429d581d319851df1677eacf358ef4d5ebf551972ef68d7cc7fd6eaaf

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-28 22:27
Reported: 2024-11-28 22:30
Platform: android-x86-arm-20240624-en
Max time kernel: 2s
Max time network: 131s

Command Line

org.bax.project

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

org.bax.project

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp

Files

/data/data/org.bax.project/files/PersistedInstallation1541473130147573880tmp

MD5 301ca51bf99edca9b96c3c738f4390ef
SHA1 7931b154082266dcb0485ef2364e26a9a71af936
SHA256 0105ad0288213a3ca2816b0276b71dca4858c6e1bd50ec9b3984fa658e8e32df
SHA512 73b34b4743dfd11303b4df8d3c4ee0fb068eaccebc99d15d46011f78a71b134e04456b48ff5f9fe729eb0e10e55de65372081b9e3dbcb9aca62489ab9b155596

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-28 22:27
Reported: 2024-11-28 22:30
Platform: android-x64-20240624-en
Max time kernel: 3s
Max time network: 146s

Command Line

org.bax.project

Signatures

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

org.bax.project

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 216.58.201.98:443 | | tcp
GB | 172.217.169.46:443 | | tcp

Files

/data/data/org.bax.project/files/PersistedInstallation3238574136711515586tmp

MD5 413d3812945345b572736bb40668afdc
SHA1 2372c5e415688cccdb50b2e1d0cb52d9abfd241d
SHA256 74110af118a33814de70da53c5b5a03cfe540d73d2efcc4bd921360a694b53f8
SHA512 bfae4bf0a7c3323902ff85aacc8a135a11df72da90182e027d8392b741edd257a2fc198d111b403a7dfe65e29577f915e54f7d9aa078f9251af92cd1f582c0c2

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 4c792444d566ade200c4e53c3c17069a
SHA1 09e612f518cc0eb6bd2b9c948262a7c78b270c7d
SHA256 06dbacf1979c33b1ef652dd226abfbed6a8891dc7e0836a33333b494c624de4b
SHA512 6316fb808211b2225f7e723e7e275df27d104da6841f7791dc08d92f119fcecd194a45bf579ac88551e5b72dd5946c1ebf5e95f98aed3d130c5bc2941dbb4bfc

/data/data/org.bax.project/databases/google_app_measurement_local.db

MD5 eb52a90bb70b76e946b62f50b6f7fb85
SHA1 42d767b5d1faa7dcef4cb4e1432a5f47ec2e9ee0
SHA256 48472f593a3e9cf9e91ee5f7d66dd9ff291bfb247eb6b46778c710fc24e8d3c4
SHA512 b356c858cadd14b6ecddf134f1c494c0107a1d36be9387984fc53dcb00e6779d944f058f4ac99d0fc2fe3a427cd1c2921c6fc38ecad53909fc4b5b6f04459b5c

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 997eb119cd0bbb32fe4a0a776384d639
SHA1 c113d186da822d7165768dba16b5216fcb5a9e58
SHA256 ae3bf26d8e9e73ab7d987a3120d114d3823b1401d4f8305c71c5acc0b219f93c
SHA512 bcb2286d39fc7100fd35d343dad190ba3f39f868f13161ced62e2097bd344bbfb1abe6973d5153e11026381dff4c903a17df0cd73c38d84a624a9564162425f3

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 c1e633da092c7f0dc6694a68cc4965e6
SHA1 05b345ad7eb743c52e44dcf3441cae02565643f9
SHA256 78e333966e3ed9d36b44e56c42b8539a5889dc388ede2576383c8f73f83eacae
SHA512 f4594ca04e7656b35d9193140dc0d5562dbb3d715be2473a0b60761d240645a292e5b53ff1651c8881da261cf7ed6242e7b872fe5ec2e2046e73f506de5a05f7

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 8855541eb66cb0069e78c6fdab74bbeb
SHA1 2f064bdca7a11a97d0f2dc100ab5c79373ffb41c
SHA256 fec8474900a85316cdc7738f6bd73cf2f0abb42ab49ceb7b9cb2a8db6a3ec30b
SHA512 f2e6472e7576cbdbe1aa8cd8d232f0420eca9081252be5a39c40a57f7ed3e98b108355c7df08053113b62df7220c0dab978b792f3ab2f829487d18a05729f111

/data/data/org.bax.project/databases/google_app_measurement_local.db-journal

MD5 613485b3bf2a684d6de87ab83b04a0eb
SHA1 67fa1749c28ec124b1ac94ee1a47bb5fd5cdead1
SHA256 c1e6284c6a09f259520a8d4dbfbef686e560e2ba2589048670bd4b81b5c9003f
SHA512 1ed3953b9918f82d2b6190e0513b4eb271ff3e1ba8a2a4a9620686e16b0a60fa31abfb096ede5e5db9955e0006622bac0f419d1cc0181a98d7878469c87d7711

/data/data/org.bax.project/files/PersistedInstallation2258936438699102061tmp

MD5 73e4bf837dc9ea08a6c8a44e87c02b0f
SHA1 1f1c2293b94faa3bef31da81b2daa7eaff1394a7
SHA256 567553d7f26a1883c5539aae3dea2146b2549e050aafd930303dc4976121aef3
SHA512 058aa22f77fbac422789bb61959055b9735a7c1ae2fd84c3757fe99fcc8403b5cda7e3a572218454b5d991a4756a2c4d64aa4a05bbd9c35014b4148ae42449b2