Analysis Overview
SHA256
0ed8987b07a4d017db6a475ff327eb6d9c6004ec5155a72635d3a4202a28839a
Threat Level: Known bad
The file 0ed8987b07a4d017db6a475ff327eb6d9c6004ec5155a72635d3a4202a28839a was found to be: Known bad.
Malicious Activity Summary
Irata family
Irata payload
Acquires the wake lock
Queries information about active data network
Requests dangerous framework permissions
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-01 15:20
Signatures
Irata family
Irata payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
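The permission set above (RECEIVE_SMS/READ_SMS to intercept one-time codes, SEND_SMS plus READ_CONTACTS to spread lures, CALL_PHONE, and POST_NOTIFICATIONS for phishing prompts) is the profile of an SMS stealer rather than of any single legitimate feature, and it can be checked statically from a decoded manifest without detonating the sample. The following is an added example written for this page, not code from the sandbox or the malware; both manifests are constructed (the package name `edward.org` is taken from the process name in the behavioral runs, everything else is illustrative), and the permission groupings in `COMBOS` are the editor's heuristic, not a sandbox rule.

```python
"""Static triage of a decoded AndroidManifest.xml for the permission profile
flagged in the report above. Added example; the manifests are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANAME = "{%s}name" % ANDROID_NS  # fully qualified android:name attribute

# The six permissions listed under "Requests dangerous framework permissions",
# with the capability each grants an SMS stealer / toll-fraud app.
DANGEROUS = {
    "android.permission.CALL_PHONE": "place calls without Dialer confirmation",
    "android.permission.READ_SMS": "read stored SMS (OTPs, bank alerts)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS before the user sees it",
    "android.permission.SEND_SMS": "send SMS (premium numbers, self-spreading lures)",
    "android.permission.READ_CONTACTS": "harvest contacts as targets for spread",
    "android.permission.POST_NOTIFICATIONS": "show notifications used as phishing lures",
}

# Combinations that together describe the stealer profile. Editor's heuristic,
# not a rule from the sandbox.
COMBOS = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_spreading": {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"},
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest in the shape apktool produces. Package name taken from
# the process name in the report; the receiver class name is made up.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="edward.org">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <application android:label="app">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign control: network access only, no SMS receiver.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="notes"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {n.get(ANAME) for n in root.iter("uses-permission") if n.get(ANAME)}


def has_sms_receiver(root):
    """True when any <receiver> registers an intent-filter for SMS_RECEIVED,
    the runtime hook that makes RECEIVE_SMS actionable for interception."""
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(ANAME) == SMS_RECEIVED:
                return True
    return False


def triage(manifest_xml):
    """Score a manifest: 'suspicious' when a stealer combination or an SMS
    receiver backed by RECEIVE_SMS is present, 'review' for isolated dangerous
    permissions, 'clean' otherwise."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    flagged = {p: DANGEROUS[p] for p in sorted(perms & set(DANGEROUS))}
    combos = sorted(name for name, need in COMBOS.items() if need <= perms)
    sms_receiver = has_sms_receiver(root)
    if combos or (sms_receiver and "android.permission.RECEIVE_SMS" in perms):
        verdict = "suspicious"
    elif flagged:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "package": root.get("package"),
        "flagged": flagged,
        "combos": combos,
        "sms_receiver": sms_receiver,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage(manifest))
```

Run it against the output of `apktool d sample.apk` by reading the decoded `AndroidManifest.xml` into `triage`. The receiver check matters because a declared RECEIVE_SMS permission is only a capability; a broadcast receiver on SMS_RECEIVED (often with a high `android:priority`) is what actually lets the app read an incoming one-time code.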
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-01 15:20
Reported
2024-12-01 15:23
Platform
android-x64-arm64-20240624-en
Max time kernel
3s
Max time network
130s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Processes
edward.org
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.16.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.169.46:443 | android.apis.google.com | tcp |
| GB | 172.217.169.46:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.187.196:443 | | tcp |
| GB | 142.250.187.196:443 | | tcp |
All observed destinations are mDNS, the sandbox DNS resolver (1.1.1.1) and Google API/analytics endpoints used by the bundled SDKs; no sample-specific C2 traffic was recorded within the 130 s network window.
Files
The PersistedInstallation*tmp file and the google_app_measurement_local.db database and journals below are state written by the bundled Firebase Installations and Google Analytics for Firebase SDKs, not sample-specific payload; their hashes vary per run and are not useful as indicators.
/data/data/edward.org/files/PersistedInstallation4197045116340434624tmp
| MD5 | eb6548d44da7d24cd29520247a42b32e |
| SHA1 | a2a8ab29d856e5c1a765b4053965a821ecc205e9 |
| SHA256 | 3884f9f7901b8b395e22f1b4f57aae315e6567d27286f05b066b3210aa50c7e6 |
| SHA512 | 38f21f02c7d4c351050f8b2844a9b5ea84140627596dbdcc50782a3841227fe08aae1ef2bad0cfc0eecf87da120086e7f285e4d3147e95b45e7c7da9d0842ddf |
/data/data/edward.org/databases/google_app_measurement_local.db-journal
| MD5 | 8501c3dc3f7da918d7b2f66717e9078c |
| SHA1 | 5af998f7c16f9267c569e0861a81164d06678019 |
| SHA256 | 10df95450e914530459555ee01ba2b8bc3b9e59f0ac72b453d8e72aaccb41cab |
| SHA512 | 48316be48db76b9366dc2824dc27124bce554833f60fe9506825413a2e66cacfb45a2fa7a4ea2cc4570481b759d06592949bd131538d431a8ce4e920c73368ca |
/data/data/edward.org/databases/google_app_measurement_local.db
| MD5 | d9cf75fdd1c2292d986f6c3d5d60f2c8 |
| SHA1 | 07ecb1d3a26d952ae5fecf54f36699ab498510b1 |
| SHA256 | 2d227e9b7a044c8e10294f6a831fb92d81ea9582381796d87f35bd268e37538a |
| SHA512 | 442c96e4b4c79b8d1c64dd3a6d6088ae1dace441e78d830dfb3190ee1c0fafebc606fb432071b4a1ad1a4ba9b68c7877b0bce520ccc88708feaf82bbc474e0cb |
/data/data/edward.org/databases/google_app_measurement_local.db-journal
| MD5 | 2b99bfb85a969b7c583971a4177b4222 |
| SHA1 | 42749a6a0ba79fa9ea5c5e64a573600622df1ff0 |
| SHA256 | 6c0fbef0a11e54adb709dc8c0e4bc891e2b79c48ce1a2a8da9aa6b3bc45eeffb |
| SHA512 | cd456faecd68c887a76f22e96570ab61ed67ee00374131212b28855802ce26cd2a22307e4cdff97d84c4d16f229b9607dc2db93a5afecc11ca800d3e77b6506b |
/data/data/edward.org/databases/google_app_measurement_local.db-journal
| MD5 | 645f8b39591c92491bdf10ada820474b |
| SHA1 | 23536cfde84e93c86a1d843fa8160c8308ca1060 |
| SHA256 | 0fbf48719287a6d672f8264863cf02226b428870c30e41218c68fcb4ece49885 |
| SHA512 | f0f6c8991339f0f2b84bff92a01e7d1856bb271cf9a32d2b41fae6d643487705aa3e4ae8b177fe77af24db3ea1aeb114d54d8367a4f199b651a522070e90c27d |
/data/data/edward.org/databases/google_app_measurement_local.db-journal
| MD5 | 0561b5939bc7c5cf3469cdc1d4e24e21 |
| SHA1 | 2d6fbe6937424e93ad87caffae4509e8fd7487fc |
| SHA256 | f6ac3280a1530bf2dbacd7e90299b10957165d01f832304fc080a98f472f8aa0 |
| SHA512 | 2f5d7aaa8dd4e3f97e5997ad2ee8cefceb20084fb6ae6190e2b37349571d9b683ef153c2095671d45a44862323b275bb471adbf8ff760e31c763a0977499d6f7 |
/data/data/edward.org/databases/google_app_measurement_local.db-journal
| MD5 | 0e083b267fd3093933d5b844d906f609 |
| SHA1 | be965c6b096a77bcf19a834a8ac7e120d286d65e |
| SHA256 | 67f4ce3ba601f958e6022a9a9a80302259b3a34c4ec98cbb6f4f05d3dadd7a42 |
| SHA512 | 12d5d6d2b03bf1066ea7a6b6abca9c112ab32fec71da0a0991bcb605330a932e06516a7e82eb19f13bbca75ca33a25872a8f3d02e85077cc1a63a0e5f6fd7048 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-01 15:20
Reported
2024-12-01 15:23
Platform
android-x86-arm-20240624-en
Max time kernel
2s
Max time network
130s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Processes
edward.org
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.202:443 | | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.180.14:443 | android.apis.google.com | tcp |
Files
/data/data/edward.org/files/PersistedInstallation3045263811800423748tmp
| MD5 | 8da708fa89fe197811ce87e2cd8b95be |
| SHA1 | c1eaeaf71009c3ba05dd81df18e5b6cbd661d611 |
| SHA256 | 6a5ee5d88f44fd8a4b10308849217f9674cbdc97c83857c64640b7b473a35e05 |
| SHA512 | d2af241a59a76030416823077bbac2a2397a92dd917337b0696c1c124aeb9ec6fc3476714354b2ff7498395db0eb615dcf3232f00f89954b758b29dfbc9ce134 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-01 15:20
Reported
2024-12-01 15:23
Platform
android-x64-20240624-en
Max time kernel
2s
Max time network
150s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Processes
edward.org
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| GB | 142.250.187.228:443 | | tcp |
| GB | 142.250.187.228:443 | | tcp |
| GB | 216.58.213.14:443 | | tcp |
| GB | 142.250.178.2:443 | | tcp |
Files
/data/data/edward.org/files/PersistedInstallation2109957894545379565tmp
| MD5 | 08221c37a9a214aafb81bfcd6aa0fce4 |
| SHA1 | 1988d043978b0e0be5cabb5b26b03c1738b1e6e5 |
| SHA256 | 07d2ffaffbae93757b05ce098a5abe7148cea8f06f87bb72c6a61b57064de1cd |
| SHA512 | 1e1fc8db732c091ac8775c541497e4b66b84b0b9b53eca6e5adb31c99ff7e0147081372d527282f14be3154eeb1914b0f14505fc74e1760c4bd5e579e990df90 |
/data/data/edward.org/databases/google_app_measurement_local.db-journal
| MD5 | d552ec0a9914381f1828614e5ce51c1a |
| SHA1 | 6139ce4808b31df0fb02652fef9f3b630968537a |
| SHA256 | ab5e692efd8847f51d98b39df711e4b165258d6006c15edcfa5e13bc6a8048e2 |
| SHA512 | 6cd920ab23d426684a3a6b53cd81cb82257a2e6ebf2f83c9b7fec664ede1d81c6aef0715e698a8bd0954c8d273e51865e08039bda3b5fad97773a08e6140a85a |
/data/data/edward.org/databases/google_app_measurement_local.db
| MD5 | 188c0542bc062e48b614e5ca8c1081af |
| SHA1 | 0eb9b89a5c92957cd1fe748cc063b32853339774 |
| SHA256 | c1ccc325c2699ed7f556cf171566317f706a911c4d02b1644a2a7908b93da58b |
| SHA512 | 62a67f2c56bc3b40d49c80094f160d355a8f67130e1924109426e0481008bc2cd11a9e2675a901abd03cad1e7fe0028031e20d826437edcf35b6f86e2499c2b4 |
/data/data/edward.org/databases/google_app_measurement_local.db-journal
| MD5 | f89fb82ed3ae9e2c6f42dab1c785c2ea |
| SHA1 | affe8ff249ead6de3abdfed706672e5d96536259 |
| SHA256 | d24fe7c44ecd4f9bd05b6f3fe0a96bff1646dc15b61b92de461af26a649d4627 |
| SHA512 | b70d8031cbe198286d5993e746555cda13bc7b57644c8888a09528ddcc47ef4bb2bd2f095e1505994134cd941c14b7dd1e75ca1ca3c6b8ad8957da2ba40a4c7d |
/data/data/edward.org/databases/google_app_measurement_local.db-journal
| MD5 | 4e9a229afc89f5bb9bf168142dc20bd0 |
| SHA1 | 1fe72040b1a9459265d7f42564955555161892d4 |
| SHA256 | 26e8ff0019465ce66953afcd642cfb7a69e41f5d1cc977b22af949ac10297dc8 |
| SHA512 | e59c755a48dcd6667dcf10c2ee65b1b8025af4b0686d2c1ed7dcafda5a9d5af3a0c9abae9da50165b0b7730c7a4b73428bbca82e127614d274b5147fbe5efd0f |
/data/data/edward.org/databases/google_app_measurement_local.db-journal
| MD5 | c78e52c73eff23d56b47c7cbcbea5ea8 |
| SHA1 | fb555bca6bb235e4644749fe60394bb8c4d8aead |
| SHA256 | 9bab5d6943dc2463cacbfb8f3116cae57d11dfc34a9671050f5e93d5d63320f1 |
| SHA512 | 59eb4b28f892a4bd6f119aae2773b8eebbe76465abbd9cf9d3a75b366e3ec5eed57be311f931f73e2a82667758275bf9c88cdb6e34380ce577c243fec61416f4 |
/data/data/edward.org/databases/google_app_measurement_local.db-journal
| MD5 | 5a6f68cbbee03e20728801f8f3b92bb0 |
| SHA1 | 9af802e5b46143fdec95acd210d7c96ddd4d00c7 |
| SHA256 | a3e6ba39ffe2b393df0f7f6e53a9da8a4d55f99d8fc6da1c64398fcc2b75adf3 |
| SHA512 | 9b70af59f4ba2d5636919919f9e42471a45e03b3132d0fc5270ce562c4ca668725c59c54ec4385f8fdb52650d05f76fdf091174a0984c6dee1ae3659fc5e1f59 |