Malware Analysis Report

2025-01-19 05:50

Sample ID: 241201-sqz5ravkcz
Target: 0ed8987b07a4d017db6a475ff327eb6d9c6004ec5155a72635d3a4202a28839a
SHA256: 0ed8987b07a4d017db6a475ff327eb6d9c6004ec5155a72635d3a4202a28839a
Tags: discovery, irata
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 0ed8987b07a4d017db6a475ff327eb6d9c6004ec5155a72635d3a4202a28839a

Threat Level: Known bad

The file 0ed8987b07a4d017db6a475ff327eb6d9c6004ec5155a72635d3a4202a28839a was found to be: Known bad.

Malicious Activity Summary

Tags: discovery, irata

Irata family

Irata payload

Acquires the wake lock

Queries information about active data network

Requests dangerous framework permissions

Analysis: static1

Detonation Overview

Reported: 2024-12-01 15:20

Signatures

Irata family (tag: irata)

Irata payload

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |

Analysis: behavioral3

Detonation Overview

Submitted: 2024-12-01 15:20

Reported: 2024-12-01 15:23

Platform: android-x64-arm64-20240624-en

Max time kernel: 3s

Max time network: 130s

Command Line

edward.org

Signatures

Acquires the wake lock

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Queries information about active data network (tag: discovery)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |

Processes

edward.org

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.16.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.169.46:443 | android.apis.google.com | tcp |
| GB | 172.217.169.46:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.187.196:443 | | tcp |
| GB | 142.250.187.196:443 | | tcp |

Files

/data/data/edward.org/files/PersistedInstallation4197045116340434624tmp

/data/data/edward.org/databases/google_app_measurement_local.db-journal

/data/data/edward.org/databases/google_app_measurement_local.db

/data/data/edward.org/databases/google_app_measurement_local.db-journal

/data/data/edward.org/databases/google_app_measurement_local.db-journal

/data/data/edward.org/databases/google_app_measurement_local.db-journal

/data/data/edward.org/databases/google_app_measurement_local.db-journal

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-01 15:20

Reported: 2024-12-01 15:23

Platform: android-x86-arm-20240624-en

Max time kernel: 2s

Max time network: 130s

Command Line

edward.org

Signatures

Acquires the wake lock

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Queries information about active data network (tag: discovery)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |

Processes

edward.org

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.202:443 | | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.180.14:443 | android.apis.google.com | tcp |

Files

/data/data/edward.org/files/PersistedInstallation3045263811800423748tmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-01 15:20

Reported: 2024-12-01 15:23

Platform: android-x64-20240624-en

Max time kernel: 2s

Max time network: 150s

Command Line

edward.org

Signatures

Acquires the wake lock

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Queries information about active data network (tag: discovery)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |

Processes

edward.org

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| GB | 142.250.187.228:443 | | tcp |
| GB | 142.250.187.228:443 | | tcp |
| GB | 216.58.213.14:443 | | tcp |
| GB | 142.250.178.2:443 | | tcp |

Files

/data/data/edward.org/files/PersistedInstallation2109957894545379565tmp

/data/data/edward.org/databases/google_app_measurement_local.db-journal

/data/data/edward.org/databases/google_app_measurement_local.db

/data/data/edward.org/databases/google_app_measurement_local.db-journal

/data/data/edward.org/databases/google_app_measurement_local.db-journal

/data/data/edward.org/databases/google_app_measurement_local.db-journal

/data/data/edward.org/databases/google_app_measurement_local.db-journal