Malware Analysis Report

2024-10-19 12:18

Sample ID 230917-k3nngsbd56
Target 85317f8dd8662c759a22b6290a35e7726ab78b897d42087a581e77825460162ebin_JC.zip
SHA256 85317f8dd8662c759a22b6290a35e7726ab78b897d42087a581e77825460162e
Tags
octo banker evasion infostealer ransomware rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

85317f8dd8662c759a22b6290a35e7726ab78b897d42087a581e77825460162e

Threat Level: Known bad

The file 85317f8dd8662c759a22b6290a35e7726ab78b897d42087a581e77825460162ebin_JC.zip was found to be: Known bad.

Malicious Activity Summary

octo banker evasion infostealer ransomware rat stealth trojan

Octo

Octo payload

Makes use of the framework's Accessibility service.

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps).

Removes its main activity from the application launcher

Requests dangerous framework permissions

Acquires the wake lock.

Loads dropped Dex/Jar

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Uses Crypto APIs (might try to encrypt user data).

Removes a system notification.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-09-17 09:07

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-17 09:07

Reported

2023-09-17 09:10

Platform

android-x86-arm-20230831-en

Max time kernel

2724703s

Max time network

130s

Command Line

com.hotfounde

Signatures

Octo

banker trojan infostealer rat octo

Octo payload


Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps).

banker
Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Removes its main activity from the application launcher

stealth trojan

Acquires the wake lock.

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.hotfounde/cache/zukrstohbksvsu | N/A | N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Removes a system notification.

evasion
Description | Indicator | Process | Target
Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A

Uses Crypto APIs (might try to encrypt user data).

ransomware
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.hotfounde

Network


Files

/data/data/com.hotfounde/cache/zukrstohbksvsu
/data/user/0/com.hotfounde/cache/zukrstohbksvsu
/data/data/com.hotfounde/kl.txt
/data/data/com.hotfounde/cache/oat/zukrstohbksvsu.cur.prof
/data/data/com.hotfounde/.qcom.hotfounde

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-17 09:07

Reported

2023-09-17 09:10

Platform

android-x64-20230831-en

Max time kernel

2724557s

Max time network

156s

Command Line

com.hotfounde

Signatures

Octo

banker trojan infostealer rat octo

Octo payload


Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.hotfounde/cache/zukrstohbksvsu | N/A | N/A

Processes

com.hotfounde

Network


Files

/data/data/com.hotfounde/cache/zukrstohbksvsu
/data/user/0/com.hotfounde/cache/zukrstohbksvsu