Malware Analysis Report

2024-10-19 12:18

Sample ID 230920-r7rn9sgh6z
Target 6153966e76e62c9a812601469553a291f1bc1f26c9e7ff56f0d3e0a28d6cf8ce.bin
SHA256 6153966e76e62c9a812601469553a291f1bc1f26c9e7ff56f0d3e0a28d6cf8ce
Tags
octo banker evasion infostealer ransomware rat stealth trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 6153966e76e62c9a812601469553a291f1bc1f26c9e7ff56f0d3e0a28d6cf8ce.bin was found to be: Known bad.

Malicious Activity Summary

Octo payload

Octo

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Makes use of the framework's Accessibility service.

Removes its main activity from the application launcher

Acquires the wake lock.

Loads dropped Dex/Jar

Requests dangerous framework permissions

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-09-20 14:50

Signatures

Requests dangerous framework permissions

Permission: Description
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.ACCESS_BACKGROUND_LOCATION: Allows an app to access location in the background.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.RECORD_AUDIO: Allows an application to record audio.

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-20 14:50

Reported

2023-09-20 15:20

Platform

android-x86-arm-20230831-en

Max time kernel

3005000s

Max time network

1806s

Command Line

com.pressfigure65

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Makes use of the framework's Accessibility service.

Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

banker
Framework service call: android.content.pm.IPackageManager.getInstalledApplications

Removes its main activity from the application launcher

stealth trojan

Acquires the wake lock.

Framework service call: android.os.IPowerManager.acquireWakeLock

Loads dropped Dex/Jar

Indicator: /data/user/0/com.pressfigure65/app_DynamicOptDex/EGxsby.json
Indicator: /data/user/0/com.pressfigure65/cache/hcjfh

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Removes a system notification.

evasion
Framework service call: android.app.INotificationManager.cancelNotificationWithTag

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Framework API call: javax.crypto.Cipher.doFinal

Processes

com.pressfigure65

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.pressfigure65/app_DynamicOptDex/EGxsby.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.pressfigure65/app_DynamicOptDex/oat/x86/EGxsby.odex --compiler-filter=quicken --class-loader-context=&

Network


Files
