Malware Analysis Report

2024-10-19 12:19

Sample ID 230918-1w5w7ach61
Target 0bb481d1633760ad1491304a0edf3477cf2a172d99a641af6ef64c391cf9ec8e.bin
SHA256 0bb481d1633760ad1491304a0edf3477cf2a172d99a641af6ef64c391cf9ec8e
Tags
octo banker evasion infostealer ransomware rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0bb481d1633760ad1491304a0edf3477cf2a172d99a641af6ef64c391cf9ec8e

Threat Level: Known bad

The file 0bb481d1633760ad1491304a0edf3477cf2a172d99a641af6ef64c391cf9ec8e.bin was found to be: Known bad.

Malicious Activity Summary

octo banker evasion infostealer ransomware rat stealth trojan

Octo

Octo payload

Makes use of the framework's Accessibility service.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Removes its main activity from the application launcher

Requests dangerous framework permissions

Acquires the wake lock.

Loads dropped Dex/Jar

Requests disabling of battery optimizations (often used to enable hiding in the background).

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data).

Removes a system notification.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-09-18 22:00

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
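
The permission set above (SMS receive/read/send, phone state, direct calling) is the static fingerprint to check first on any Android banker sample. The following script is an added example, not part of this report or the sandbox: it runs the same check over a decoded AndroidManifest.xml (apktool output) and also looks for the two manifest features that typically accompany those permissions in an Octo-style dropper, an accessibility service (android.permission.BIND_ACCESSIBILITY_SERVICE) and the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permission behind the "disable battery optimizations" behaviour seen later in this report. The manifest is constructed; the package name, class names and risk thresholds are placeholders and assumptions, and the DANGEROUS list is a subset chosen for this use case.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Subset of Android runtime ("dangerous") permissions relevant to SMS/phone abuse:
# the five flagged in the static1 table plus a few common companions (assumption: extend as needed).
DANGEROUS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (OTP theft)",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.SEND_SMS": "send SMS (premium numbers / self-spreading)",
    "android.permission.READ_PHONE_STATE": "read carrier, call state, phone accounts",
    "android.permission.CALL_PHONE": "place calls without the dialer UI",
    "android.permission.READ_CONTACTS": "harvest contacts",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.RECORD_AUDIO": "record the microphone",
}
BATTERY_EXEMPTION = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed decoded manifest for the example; package and class names are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Cleaner">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def audit_manifest(xml_text: str) -> dict:
    """Static triage of a decoded AndroidManifest.xml: dangerous permissions,
    accessibility services, launcher activities and the battery-optimisation exemption."""
    root = ET.fromstring(xml_text)
    requested = [e.get(A_NAME) for e in root.iter("uses-permission")]
    dangerous = {p: DANGEROUS[p] for p in requested if p in DANGEROUS}
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is an AccessibilityService implementation.
    a11y_services = [s.get(A_NAME) for s in root.iter("service") if s.get(A_PERMISSION) == BIND_A11Y]
    launcher = []
    for act in root.iter("activity"):
        for flt in act.iter("intent-filter"):
            actions = {a.get(A_NAME) for a in flt.iter("action")}
            categories = {c.get(A_NAME) for c in flt.iter("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in categories:
                launcher.append(act.get(A_NAME))
    sms = any(p.endswith("_SMS") for p in dangerous)
    if a11y_services and sms:
        risk = "high"      # accessibility service + SMS access: overlay/ATS banker profile (assumed threshold)
    elif a11y_services or dangerous:
        risk = "medium"
    else:
        risk = "low"
    return {
        "package": root.get("package"),
        "dangerous": dangerous,
        "accessibility_services": a11y_services,
        "launcher_activities": launcher,
        "battery_exemption": BATTERY_EXEMPTION in requested,
        "risk": risk,
    }


if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The launcher activity is reported because the behavioural sections note that the sample later removes it from the launcher at runtime (setComponentEnabledSetting), so a manifest that declares a launcher entry is still consistent with a hidden app after first run.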

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-18 22:00

Reported

2023-09-18 22:03

Platform

android-x86-arm-20230831-en

Max time kernel

2857499s

Max time network

130s

Command Line

com.rananimalclth

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
(3 matches; indicator, process and target not recorded)

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
These three calls walk another application's UI tree (by accessibility id, view id and visible text). Together with the getInstalledApplications query in the next signature they are the primitives an overlay banker needs: learn which targeted apps are installed, then read and act on their on-screen content.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.rananimalclth/cache/rvutggvetmys N/A N/A
N/A /data/user/0/com.rananimalclth/cache/rvutggvetmys N/A N/A
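
The dropped file /data/user/0/com.rananimalclth/cache/rvutggvetmys carries no extension, so the first triage question is whether it really is code. The script below is an added example, not part of this report: it identifies a dropped file as a raw DEX or a DEX-bearing JAR/APK by its magic bytes and, for a DEX, checks the header fields (file_size, header_size, endian_tag) and recomputes the Adler-32 checksum and SHA-1 signature the DEX format stores in its first 32 bytes. A mismatch on a file that still loads is worth noting, because ART does not verify the Adler-32 at load time but a packer that rewrites the header usually does fix it. The DEX and JAR inputs are synthetic and constructed inline; they are not the sample's dropped file. The cache/oat/rvutggvetmys.cur.prof entry in the Files section is ART's runtime profile for that file, which exists only because it was loaded as code and corroborates this signature.

```python
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678   # little-endian marker stored at header offset 40


def build_minimal_dex(version: bytes = b"035") -> bytes:
    """Synthetic header-only DEX with a valid checksum and signature (constructed test input)."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n" + version + b"\0"
    # file_size, header_size, endian_tag at offsets 32, 36, 40
    struct.pack_into("<III", hdr, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    # signature (offset 12, 20 bytes) = SHA-1 over everything after the signature field
    hdr[12:32] = hashlib.sha1(bytes(hdr[32:])).digest()
    # checksum (offset 8) = Adler-32 over everything after the checksum field
    struct.pack_into("<I", hdr, 8, zlib.adler32(bytes(hdr[12:])))
    return bytes(hdr)


def build_jar_with_dex() -> bytes:
    """Synthetic JAR containing classes.dex, the other shape DexClassLoader accepts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", build_minimal_dex())
    return buf.getvalue()


def classify_dropped_file(data: bytes) -> dict:
    """Identify a dropped file as dex / jar / zip / unknown and validate a DEX header."""
    if data[:4] == b"dex\n":
        if len(data) < DEX_HEADER_SIZE:
            return {"kind": "dex", "error": "truncated header"}
        version = data[4:7].decode("ascii", "replace")
        checksum = struct.unpack_from("<I", data, 8)[0]
        signature = data[12:32]
        file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
        return {
            "kind": "dex",
            "version": version,
            "file_size": file_size,
            "size_matches": file_size == len(data),
            "header_ok": header_size == DEX_HEADER_SIZE and endian_tag == ENDIAN_CONSTANT,
            "checksum_ok": zlib.adler32(data[12:]) == checksum,
            "signature_ok": hashlib.sha1(data[32:]).digest() == signature,
        }
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return {"kind": "unknown", "error": "bad zip"}
        has_dex = any(n.startswith("classes") and n.endswith(".dex") for n in names)
        return {"kind": "jar" if has_dex else "zip", "entries": names}
    return {"kind": "unknown"}


if __name__ == "__main__":
    print(classify_dropped_file(build_minimal_dex()))
    print(classify_dropped_file(build_jar_with_dex()))
```

On a real sample, feed the file pulled from the device (adb pull of the cache path, or the sandbox's dropped-file download) to classify_dropped_file; a "dex" result with checksum_ok and signature_ok False usually means the loader decrypts or patches the blob in memory after it was written, which is where to set a breakpoint next.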

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Note: the "ransomware" tag on this report comes only from this generic signature. A Cipher.doFinal call is equally consistent with encrypting C2 traffic or local configuration, and nothing in the Files section shows user files being encrypted, renamed or replaced with a ransom note, so treat the tag as the signature's heuristic rather than an observed capability.

Processes

com.rananimalclth

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.251.36.42:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 142.250.179.138:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 5jamiryo22113.net udp
US 1.1.1.1:53 7jamiryo22113.net udp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 6jamiryo22113.net udp
NL 185.225.75.207:443 185.225.75.207 tcp
US 1.1.1.1:53 7jamiryo22113.net udp
US 1.1.1.1:53 4jamiryo22113.net udp
US 1.1.1.1:53 2jamiryo22113.net udp
US 1.1.1.1:53 3jamiryo22113.net udp
NL 185.225.75.207:443 185.225.75.207 tcp
NL 142.250.179.142:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
DE 172.217.23.206:443 android.apis.google.com tcp
NL 216.58.214.10:443 semanticlocation-pa.googleapis.com tcp
NL 185.225.75.207:443 185.225.75.207 tcp
NL 185.225.75.207:443 185.225.75.207 tcp
NL 185.225.75.207:443 185.225.75.207 tcp
NL 185.225.75.207:443 185.225.75.207 tcp
NL 185.225.75.207:443 185.225.75.207 tcp
NL 185.225.75.207:443 185.225.75.207 tcp
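
Three things in this table matter for detection and blocking: six sibling domains that differ only by a leading digit (2jamiryo22113.net through 7jamiryo22113.net) are resolved but never connected to, a geolocation lookup against www.ip-api.com, and eight TLS sessions straight to the IP literal 185.225.75.207:443 with no hostname at all. The script below is an added example, not the sandbox's own logic: it parses rows in exactly this table's layout (the behavioral2 table further down has the same shape) and pulls out those three patterns. The rows are copied from the table above; the lists of "platform noise" suffixes and of geolocation hosts are assumptions you would tune for your own sandbox.

```python
import re
from collections import Counter, defaultdict

# Rows copied from the behavioral1 Network table (country, destination, domain, proto).
# Rows where the sandbox recorded no domain have three fields.
BEHAVIORAL1_NETWORK = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.251.36.42:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 142.250.179.138:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 5jamiryo22113.net udp
US 1.1.1.1:53 7jamiryo22113.net udp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 6jamiryo22113.net udp
NL 185.225.75.207:443 185.225.75.207 tcp
US 1.1.1.1:53 7jamiryo22113.net udp
US 1.1.1.1:53 4jamiryo22113.net udp
US 1.1.1.1:53 2jamiryo22113.net udp
US 1.1.1.1:53 3jamiryo22113.net udp
NL 185.225.75.207:443 185.225.75.207 tcp
NL 142.250.179.142:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
DE 172.217.23.206:443 android.apis.google.com tcp
NL 216.58.214.10:443 semanticlocation-pa.googleapis.com tcp
NL 185.225.75.207:443 185.225.75.207 tcp
NL 185.225.75.207:443 185.225.75.207 tcp
NL 185.225.75.207:443 185.225.75.207 tcp
NL 185.225.75.207:443 185.225.75.207 tcp
NL 185.225.75.207:443 185.225.75.207 tcp
NL 185.225.75.207:443 185.225.75.207 tcp
"""

# Assumptions: these suffixes are sandbox/platform background traffic, and these hosts
# are public IP-geolocation services malware uses to check the victim's country.
PLATFORM_NOISE = (".googleapis.com", ".google.com", ".google-analytics.com")
GEOIP_SERVICES = {"ip-api.com", "www.ip-api.com"}
NUMBERED_LABEL = re.compile(r"^(\d+)(\D.*)$")


def parse_rows(text: str) -> list:
    """Parse the flattened 'Country Destination Domain Proto' table into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue
        if len(parts) == 4:
            country, dst, domain, proto = parts
        elif len(parts) == 3:
            country, dst, proto = parts
            domain = ""   # sandbox did not attribute this flow to a DNS answer
        else:
            continue
        host, port = dst.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": port, "domain": domain, "proto": proto})
    return rows


def triage_network(text: str) -> dict:
    rows = parse_rows(text)
    queried = {r["domain"] for r in rows if r["port"] == "53" and r["domain"]}
    contacted = {r["domain"] for r in rows if r["proto"] == "tcp" and r["domain"]}

    # Sibling domains that differ only by a leading number collapse into one family:
    # a hard-coded fallback list rather than a true DGA.
    families = defaultdict(set)
    for d in queried:
        first, _, rest = d.partition(".")
        m = NUMBERED_LABEL.match(first)
        if m and rest:
            families[f"{m.group(2)}.{rest}"].add(m.group(1))
    numbered_families = {fam: sorted(p, key=int) for fam, p in families.items() if len(p) >= 2}

    # TLS straight to an IP literal (domain column equals the host): no DNS, typical hard-coded C2.
    bare_ip_tls = Counter(f'{r["host"]}:{r["port"]}' for r in rows
                          if r["proto"] == "tcp" and r["port"] == "443" and r["domain"] == r["host"])

    geoip = sorted(d for d in queried | contacted if d in GEOIP_SERVICES)
    # Resolved but never connected: dead, parked or resolution-failed infrastructure.
    dns_only = sorted(d for d in queried - contacted if not d.endswith(PLATFORM_NOISE))

    findings = [f"{len(p)} numbered siblings of {fam}: {','.join(p)}" for fam, p in numbered_families.items()]
    findings += [f"{n} TLS sessions to bare IP {dst} (no hostname)" for dst, n in bare_ip_tls.items()]
    if geoip:
        findings.append(f"IP geolocation lookup via {', '.join(geoip)}")
    return {"numbered_families": numbered_families, "bare_ip_tls": dict(bare_ip_tls),
            "geoip": geoip, "dns_only": dns_only, "findings": findings}


if __name__ == "__main__":
    for line in triage_network(BEHAVIORAL1_NETWORK)["findings"]:
        print(line)
```

For blocking, the family pattern (a fixed second-level name with a numeric prefix) is more durable than the six individual hostnames, and the bare-IP TLS destination is the one indicator that a DNS-based control cannot catch; it needs an egress or proxy rule.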

Files

Note: /data/data/com.rananimalclth and /data/user/0/com.rananimalclth are the same directory (/data/data is a symlink to /data/user/0), so the cache/rvutggvetmys entries below describe a single dropped file. kl.txt is listed repeatedly with a different hash each time (the last marked deleted): the same path was rewritten over and over during the run, as expected for a log that the sample keeps appending to and replacing.

/data/data/com.rananimalclth/cache/rvutggvetmys

MD5 cb9c6e00df039c92031cca4db45292fd
SHA1 8526461e115aeb2483a65569a797de42de37262d
SHA256 38d51dbbacff037825bffe611e1ef3d2710ea62e596408f285403fef587337d7
SHA512 005b1c6cca446e375377023c4b79553835ceabe1344d1e9fd3733fdcb3b76e04172391ea1db7c8831b59880f630652e64d3c84d2cee4b689124b0a814a1019fd

/data/user/0/com.rananimalclth/cache/rvutggvetmys

MD5 cb9c6e00df039c92031cca4db45292fd
SHA1 8526461e115aeb2483a65569a797de42de37262d
SHA256 38d51dbbacff037825bffe611e1ef3d2710ea62e596408f285403fef587337d7
SHA512 005b1c6cca446e375377023c4b79553835ceabe1344d1e9fd3733fdcb3b76e04172391ea1db7c8831b59880f630652e64d3c84d2cee4b689124b0a814a1019fd

/data/data/com.rananimalclth/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.rananimalclth/kl.txt

MD5 adadae9dc10a9dd5658428cdc4d1de61
SHA1 029b6fb86f61b7c8cbfafe177958fba5483c8720
SHA256 c77c795ad90f7080822032dfacd044ca261dad5abdcef626d4ce70c03be7e021
SHA512 ee755ddc1a754b101d941d859457f99844428349e3ebae5d6a9fc5d4c29797678cac18c4db0bf563bdbe3d9babcd3d72ad343244c3d54d6b55837b5746273dd7

/data/data/com.rananimalclth/kl.txt

MD5 9d7025c78d908d0dbafc6e839b1307cf
SHA1 69798d5fe14e85a31345b2662fae36b6c7d27272
SHA256 206edf1cc3a4f5368806b99ea63099c4741144e4a072675cb20d1d9859988dd0
SHA512 ed955c1fba72d362e5b8e6aee0b6be0388ab7bac5913f9cfd48e4b0e11ad5864e49a657ebf21b43daf6f79df2c0e1ddd876f10d7dc1cfd7426ea3fb83f890cdf

/data/data/com.rananimalclth/kl.txt

MD5 fc2708a136056885e1810a7a630535cd
SHA1 8be5e330615121a98b48448011af24f5d717cfb2
SHA256 0dcc61b6a6e6d8e12f9427e5ff53bba60354c11069e41311b42966d258d3c559
SHA512 84216bf5d5488218fa6dcf1c0b19a2eba1e31907f39080fd4a54bf9fafb76ab59c340de5bf6145ff0841cba9d1612e90fc5bcb023e25b66049ae631e66b34e58

/data/data/com.rananimalclth/kl.txt

MD5 94d03a42a5cbd317925cac7f5e9ff98d
SHA1 e89ecfe4da623df9f0518753b703189a75b70f9e
SHA256 793f9fcf0ccf3b35580e8dee2ef0464b9a39858d77fdcb5409d71eb3d92fb246
SHA512 583365b7a572e8ffd0144604b991c39de3daf4ef3f4d0aa4e84f28a510b4c336878be8aba309eb00d846468db2cf2690b78bce67a579031dee56407d20f1e738

/data/data/com.rananimalclth/kl.txt (deleted)

MD5 edade7dae623e4887601de28b0e4e185
SHA1 95018747e37c7e75f73b5de136dca7299a23d91d
SHA256 f1e13e09d28d0056f86faaa070f3df9dfdf21c3389791b498fadb86856780535
SHA512 0d4b3f7a91161f53f8f2ddc00e2df1344b53b03582f815a63d40ad8abfcf931e900c8f34401b1a3237b163f329076b485a3c655d1c760b1c0735bd9672a60ceb

/data/data/com.rananimalclth/cache/oat/rvutggvetmys.cur.prof

MD5 73294fc3e960f35ac34f30448fe8c8f3
SHA1 e94748816ee9a613f22f4de626a2b2d45221379c
SHA256 a8241952b95dbf8cd9c9737266df9b414bd974c2ec50d6b1e6d8598a1b15337f
SHA512 c4f54e6f17196092a2ee5df197bd48a022066a69904e805c5c14f28a21f34af8ff0b3a9afa8a35dbff3a360a764e02815ef8a9697c74b384143f0e3785723c69

/data/data/com.rananimalclth/.qcom.rananimalclth

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-18 22:00

Reported

2023-09-18 22:03

Platform

android-x64-arm64-20230831-en

Max time kernel

2857499s

Max time network

144s

Command Line

com.rananimalclth

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
(3 matches; indicator, process and target not recorded)

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.rananimalclth/cache/rvutggvetmys N/A N/A
N/A /data/user/0/com.rananimalclth/cache/rvutggvetmys N/A N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.rananimalclth

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.250.179.170:443 infinitedata-pa.googleapis.com tcp
NL 142.250.179.142:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 5jamiryo22113.net udp
US 1.1.1.1:53 www.ip-api.com udp
US 1.1.1.1:53 3jamiryo22113.net udp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.251.36.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 7jamiryo22113.net udp
US 1.1.1.1:53 6jamiryo22113.net udp
US 1.1.1.1:53 4jamiryo22113.net udp
US 1.1.1.1:53 2jamiryo22113.net udp
NL 185.225.75.207:443 185.225.75.207 tcp
NL 185.225.75.207:443 185.225.75.207 tcp
NL 185.225.75.207:443 185.225.75.207 tcp
NL 185.225.75.207:443 185.225.75.207 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.142:443 android.apis.google.com tcp
NL 185.225.75.207:443 185.225.75.207 tcp
NL 185.225.75.207:443 185.225.75.207 tcp

Files

/data/user/0/com.rananimalclth/cache/rvutggvetmys

MD5 cb9c6e00df039c92031cca4db45292fd
SHA1 8526461e115aeb2483a65569a797de42de37262d
SHA256 38d51dbbacff037825bffe611e1ef3d2710ea62e596408f285403fef587337d7
SHA512 005b1c6cca446e375377023c4b79553835ceabe1344d1e9fd3733fdcb3b76e04172391ea1db7c8831b59880f630652e64d3c84d2cee4b689124b0a814a1019fd

/data/user/0/com.rananimalclth/kl.txt

MD5 debf5e1cf518ebed08855325023f04ce
SHA1 0add3d518edcad346610c13522a631ed7dc03b80
SHA256 f260729fb2aac7606a86af354d927f42460106ce869eee027f74af0fc47604c8
SHA512 9456be7b69ce581361f78820b43810fb321ca9188647a841326f2ac2d82ec435507b7e3c438d83cb503dafde44abd6cc14c3828746678f2028dc1fa3fc32c0a4

/data/user/0/com.rananimalclth/kl.txt

MD5 8fc9964ee8ac3db5753c9728b7a8c5a8
SHA1 9a7f5b5006d049d0f47316f02150c35463a590a9
SHA256 0627e989a5ee32ee9795b92392c38173ab2a860ea21a91cdc4c0ae4b41a2bdd4
SHA512 417fb0473e3ee4f512c8ac3c7061b94453b235e0a13dea4ec0f2335ea62317087320eb86f9da12833ee7c85747a31cdc337f06fbf000489c33d36d2ab754a40d

/data/user/0/com.rananimalclth/kl.txt

MD5 24ecccfbc908e8503444e586c9e921a0
SHA1 c11a54eff11be515cab69a83c8b72b15890bc18e
SHA256 cabebcde8278d53156908f2213229284615a19fc4ba869e2a4fcc9716305c599
SHA512 894d440e13e1becb0a7be3cad5e3672a1944a0e9956adc285d9c21a4a0105bc356c733b060b974865f44388d1c891f1d79de758aa5bdb0e6b36e9dc929afa5e4

/data/user/0/com.rananimalclth/kl.txt

MD5 d2a33e5c566f5aca20fc7617b5b6d9a2
SHA1 e3fad0436c7f2de31b585e30787ad76e24503243
SHA256 e7d33b1d7cca3037bbd8ae43f6fa4f18a13a08d4e916845d3c35142180aec940
SHA512 574c1c29b9a5fb1bad639ba6cbca86683d596f3d645106c6dd9256bfcdf1a46af62eef520a290ede08c855899649848bfc1514fac0f0ad2a6e0bc146c06990a8

/data/user/0/com.rananimalclth/kl.txt

MD5 c720516762a990137545307df7f90586
SHA1 3bc8d7aa6658b3e71629875aff9aab7d27fcecb7
SHA256 5293acda1a571b76fc78362667fd7dd74622a9886a02d86a39788c911e2b5af7
SHA512 20f7b222049d61c27c8d7051253aaaeed89309a23e176d4b78be05929fdb801edb2f75267eacd648e0b4f0c18d05883f7a8c86e50ad9cbaaed6f52d9b135eebf

/data/user/0/com.rananimalclth/kl.txt

MD5 e91b52a4fceacfe726c7887e62c25916
SHA1 160125a86d86ecd03faf54daef25c18207138553
SHA256 74cb509d0313553dbb95a7331c57458fefe1d6db2fcf45cf519ce9a3ad187824
SHA512 c6645f82a38bf31d8eb622dd352006f585d3569aa07e3869dac14c67bcdbf923b9796d3075b0e1de6719c603739851fadf1690d895dc29356b44a4874b56e13d

/data/user/0/com.rananimalclth/kl.txt

MD5 d9497450e98b3ddbed48a06cfd39a604
SHA1 0819861e37476e03a653f3ad035096e857c47ec9
SHA256 02e53f8b3f6e5acc5754f78fb06e7837972ea3094288256589428abee78e6ad7
SHA512 9716f0740f930560345f21e986f5466d50566076b9fd07a900f469bb7951e9f373dba89605a7f16989fffc946026edc0cb16c02032e76d76861a16de5cc5dd26

/data/user/0/com.rananimalclth/kl.txt

MD5 bc49a2b7e78bf785e0178e53c10df093
SHA1 c462fcdf1f84d567fa9e1eef2febc0ace65ff2b5
SHA256 36c52cea3d7f4bc568afb3c7e5821ca8ed3c83fa51c5c071c4ae363b4a4bb350
SHA512 d96f21553ae1e5e207818ff3e2ce665a94212257cb3709461b3a9ef21c72cdf6547d078cf635f3e4cf5473a632dd4dd406c2b9e6feba3fbc04d611879798ed2d

/data/user/0/com.rananimalclth/cache/oat/rvutggvetmys.cur.prof

MD5 758d801c0d905389d1b39e727881ee91
SHA1 e74bb1dde3c825d97b20155d2a4f5fc8da65e34d
SHA256 744ad0c59163e5f30e692941a9d98b29350bf050c54bcb0cf6b3defd145f691c
SHA512 421228932311f7d9f97d142deea3ecad893aa31097d1f6c72901a0b493af54936dd0ef76cc25317d212e68787b79d5e76bd1bdac5ff3dc253245a00c99ef37c4

/data/user/0/com.rananimalclth/.qcom.rananimalclth

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c