Malware Analysis Report

2024-10-19 12:18

Sample ID 230922-1ws8dsce53
Target 022e1e2decb27cb580a1234ffb095b9ecd3b5462939023a825bc7e604ff2fd1a.bin
SHA256 022e1e2decb27cb580a1234ffb095b9ecd3b5462939023a825bc7e604ff2fd1a
Tags
octo banker evasion infostealer ransomware rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

022e1e2decb27cb580a1234ffb095b9ecd3b5462939023a825bc7e604ff2fd1a

Threat Level: Known bad

The file 022e1e2decb27cb580a1234ffb095b9ecd3b5462939023a825bc7e604ff2fd1a.bin was found to be: Known bad.

Malicious Activity Summary

octo banker evasion infostealer ransomware rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Loads dropped Dex/Jar

Acquires the wake lock.

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data).

Removes a system notification.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-09-22 22:00

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
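
Added example, not part of the sandbox report: given a decoded AndroidManifest.xml (as produced by apktool; the binary AXML inside the APK must be decoded first), this pulls out the uses-permission entries, any service declared with BIND_ACCESSIBILITY_SERVICE, and the launcher activities, then flags the SMS-plus-accessibility combination. The manifest below is constructed to mirror the five permissions listed above plus an INTERNET entry; the package name is the one the sandbox ran, while the component names .MainActivity and .AccService and the extra entries in DANGEROUS are assumptions for illustration.

```python
"""Triage a decoded AndroidManifest.xml for the permission/component pattern
typical of Android banking trojans. Constructed example, not the sandbox's code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# The five permissions the static1 signature lists, plus two that are commonly
# paired with them in bankers (assumption: the last two are not in the report).
DANGEROUS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
}

# Constructed manifest; component names are made up for the example.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.bedhold27">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def an(attr):
    """Qualified attribute name in the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, attr)


def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    perms = {e.get(an("name")) for e in root.iter("uses-permission")}
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is what the system binds
    # when the user enables the app under Accessibility settings.
    accessibility = [
        s.get(an("name")) for s in root.iter("service")
        if s.get(an("permission")) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
    ]
    # Launcher activities as declared; hiding the icon at runtime is a separate
    # behaviour that only a dynamic run (see the behavioral sections) reveals.
    launcher = [
        a.get(an("name")) for a in root.iter("activity")
        if any(c.get(an("name")) == "android.intent.category.LAUNCHER"
               for c in a.iter("category"))
    ]
    findings = []
    sms = {p for p in perms if p.endswith("_SMS")}
    if sms:
        findings.append("SMS access: %s" % ", ".join(sorted(sms)))
    if accessibility:
        findings.append("Accessibility service declared: %s" % ", ".join(accessibility))
    if sms and accessibility:
        findings.append("SMS + accessibility: overlay/OTP-interception banker pattern")
    if "android.permission.CALL_PHONE" in perms:
        findings.append("Can place calls without dialer confirmation")
    return {
        "package": root.get("package"),
        "dangerous": sorted(perms & DANGEROUS),
        "accessibility_services": accessibility,
        "launcher_activities": launcher,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(key, value)
```

The static signature above stops at the permission list; pairing it with the accessibility-service declaration is what turns "reads SMS" into the overlay and OTP-interception profile that the behavioral sections below go on to confirm. The launcher entry only records what the manifest declares: the icon hiding reported as "Removes its main activity from the application launcher" happens at runtime and does not show up here.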

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-22 22:00

Reported

2023-09-22 22:03

Platform

android-x86-arm-20230831-en

Max time kernel

3203063s

Max time network

130s

Command Line

com.bedhold27

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.bedhold27/cache/jsyuggfsoyg N/A N/A
N/A /data/user/0/com.bedhold27/cache/jsyuggfsoyg N/A N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.bedhold27

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 142.251.36.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.250.179.202:443 infinitedata-pa.googleapis.com tcp
NL 185.225.75.207:443 185.225.75.207 tcp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 4jamiryo22113.net udp
US 1.1.1.1:53 6jamiryo22113.net udp
US 1.1.1.1:53 2jamiryo22113.net udp
US 1.1.1.1:53 3jamiryo22113.net udp
NL 185.225.75.207:443 185.225.75.207 tcp
NL 185.225.75.207:443 185.225.75.207 tcp
DE 172.217.23.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.206:443 android.apis.google.com tcp
NL 185.225.75.207:443 185.225.75.207 tcp
NL 185.225.75.207:443 185.225.75.207 tcp
NL 185.225.75.207:443 185.225.75.207 tcp
NL 185.225.75.207:443 185.225.75.207 tcp
NL 185.225.75.207:443 185.225.75.207 tcp

Files

/data/data/com.bedhold27/cache/jsyuggfsoyg

MD5 882a1e4e99ae0002eeb7e92682684cf5
SHA1 523c3240acde39974fce6cd6b9097237215b0ffb
SHA256 c711224b7419ff9c4699a16adb63173b10127631e1ebff4b33e20975d5b991df
SHA512 d13fcb64de9c1c18dbe070c26463bd10dc22e30d25a5b5b9c444ac144fda0f81dae8895b1acecf0e9281fcebdcaea2c7dc6206ed72a8a5fb49c8f28f0f98d598

/data/user/0/com.bedhold27/cache/jsyuggfsoyg

MD5 882a1e4e99ae0002eeb7e92682684cf5
SHA1 523c3240acde39974fce6cd6b9097237215b0ffb
SHA256 c711224b7419ff9c4699a16adb63173b10127631e1ebff4b33e20975d5b991df
SHA512 d13fcb64de9c1c18dbe070c26463bd10dc22e30d25a5b5b9c444ac144fda0f81dae8895b1acecf0e9281fcebdcaea2c7dc6206ed72a8a5fb49c8f28f0f98d598

/data/data/com.bedhold27/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.bedhold27/kl.txt

MD5 c546723fc5cfd2a7ce916ec23135f1c2
SHA1 c967c4ad2e7941833cb02cfa03fbd1632a36e492
SHA256 7a2824aee00bfe4d20e1db6015db7f035d3e2a653e4675d9495d4b67c85e9b8a
SHA512 35403c125ad923493595d6907c402a2a3fa933d26686ac7ec7cdcb2718642c45fded95ce9a14ca3fea21729871025667309b95b55d6de8815b5665bb63e9d0c7

/data/data/com.bedhold27/kl.txt

MD5 1c098e18f85f235dfa6db027771592d3
SHA1 1c8214ddc795be316563b8546a4bbda246d2f5f6
SHA256 b7413028bdb526465aba863945297970f1021204770e4b30ef634e12487049e1
SHA512 091ebf96e14910be714075dcefe76ff26c205e7f202450c5e5bc4307312018a842e7a0f39cb432f942ec03919d8493f571feb1c7f04a6854db69fa02e201a91b

/data/data/com.bedhold27/kl.txt

MD5 7f35fb302c2e5f98843b35ee4e973d94
SHA1 e3e2f2dcbc2169dc7da52865a0c7db4a64b69df4
SHA256 6330fce6b2c16505ac461b64a05b6bc16a13141bb4364c3883fc4d27dbec98a3
SHA512 1c7d77a4cd346fede72dcb7eb0bfc4a00d2df3d81decc90bc546ce1bff909988e1630830debcca2f2593838c0988f7f52bd5b29966917ef6086d6397879e4d57

/data/data/com.bedhold27/kl.txt

MD5 a9d533e52b100f68e4b63323618f48ff
SHA1 4a01a49a814b4adad0bfb328338bb0801399f664
SHA256 c7d9e225839ba42b6409d876b7a5a8623e929745c66794c8f5dd902144311320
SHA512 d0ada28692d15954e4bfeebff54cb3a4849769a98a5bf923fc40194fd0cce60c2a3995840cb097439b0b3e20d0124093537ec65c28a13d639bd00615ed21326c

/data/data/com.bedhold27/cache/oat/jsyuggfsoyg.cur.prof

MD5 6b50928a8d5d75ab6e0655ff95094005
SHA1 1f877a37c54260bca1ebe0a88e0286f5b0644328
SHA256 6eb538c28c50a83d846c4985da02e28f4171221012383819271a2d62967cd926
SHA512 6d168c8a829500c64f1bf7fdb98724eeca569e5afe9278d69687e0ef08ef05c319b7295aa1b0525905de51d188ead52c52cf43bdc8340e22c60045066be844b8

/data/data/com.bedhold27/.qcom.bedhold27

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-22 22:00

Reported

2023-09-22 22:03

Platform

android-x64-20230831-en

Max time kernel

3202915s

Max time network

150s

Command Line

com.bedhold27

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.bedhold27/cache/jsyuggfsoyg N/A N/A
N/A /data/user/0/com.bedhold27/cache/jsyuggfsoyg N/A N/A

Processes

com.bedhold27

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.250.179.142:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.36.46:443 android.apis.google.com tcp
NL 142.250.179.206:443 tcp
NL 142.251.39.98:443 tcp
DE 172.217.23.195:443 tcp
DE 172.217.23.195:443 tcp
US 1.1.1.1:53 www.ip-api.com udp
US 1.1.1.1:53 4jamiryo22113.net udp
US 1.1.1.1:53 3jamiryo22113.net udp
US 1.1.1.1:53 7jamiryo22113.net udp
US 1.1.1.1:53 6jamiryo22113.net udp
US 1.1.1.1:53 2jamiryo22113.net udp
US 1.1.1.1:53 g.tenor.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.251.36.46:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 www.ip-api.com udp
US 1.1.1.1:53 3jamiryo22113.net udp
US 1.1.1.1:53 2jamiryo22113.net udp
US 1.1.1.1:53 5jamiryo22113.net udp
US 1.1.1.1:53 g.tenor.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
US 1.1.1.1:53 safebrowsing.googleapis.com udp
US 1.1.1.1:53 5jamiryo22113.net udp
NL 185.225.75.207:443 tcp
NL 185.225.75.207:443 tcp
NL 185.225.75.207:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 142.250.179.202:443 semanticlocation-pa.googleapis.com tcp
NL 185.225.75.207:443 tcp
US 1.1.1.1:53 g.tenor.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 i.ytimg.com udp
NL 185.225.75.207:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 172.217.168.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 i.ytimg.com udp
NL 185.225.75.207:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.36.46:443 android.apis.google.com tcp
US 1.1.1.1:53 i.ytimg.com udp
US 1.1.1.1:53 i.ytimg.com udp
US 1.1.1.1:53 i.ytimg.com udp
US 1.1.1.1:53 i.ytimg.com udp
US 1.1.1.1:53 i.ytimg.com udp
NL 142.251.39.118:443 i.ytimg.com tcp
NL 185.225.75.207:443 tcp
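
Added example, not part of the report: a small parser for the network tables in behavioral1 and behavioral2 that separates resolver lookups from TCP connections, drops the hostnames a stock Android image contacts on its own (treating the googleapis, google.com, tenor and ytimg names as platform noise is an assumption), groups sibling hostnames that differ only in a leading digit, and lists peers the sample reached by IP literal over 443. The input is a subset of the behavioral1 rows copied from that table, with the Domain column empty where the report shows none.

```python
"""Summarise sandbox network rows (Country Destination Domain Proto) into IOCs.
Constructed example; the rows are copied from the behavioral1 table."""
import re
from collections import Counter, defaultdict

REPORT_ROWS = """\
N/A 224.0.0.251:5353 udp
NL 142.251.36.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 185.225.75.207:443 185.225.75.207 tcp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 4jamiryo22113.net udp
US 1.1.1.1:53 6jamiryo22113.net udp
US 1.1.1.1:53 2jamiryo22113.net udp
US 1.1.1.1:53 3jamiryo22113.net udp
NL 185.225.75.207:443 185.225.75.207 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.206:443 android.apis.google.com tcp
NL 185.225.75.207:443 185.225.75.207 tcp
"""

# Assumption: hostnames the emulator image talks to on its own are noise.
NOISE_SUFFIXES = (".googleapis.com", ".google.com", ".tenor.com",
                  ".ytimg.com", ".google-analytics.com")
RESOLVERS = {"1.1.1.1"}   # the resolver used in the sandbox runs above


def parse_rows(text):
    """Rows have 3 fields when the Domain column is empty, 4 otherwise."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def family(domain):
    """Collapse hostnames that differ only in a leading digit
    (2jamiryo22113.net, 3jamiryo22113.net, ...) into one family key."""
    return re.sub(r"^\d+", "#", domain)


def is_noise(domain):
    return domain is not None and domain.endswith(NOISE_SUFFIXES)


def summarize(rows):
    dns = Counter()
    tcp = Counter()
    direct = set()
    families = defaultdict(set)
    for r in rows:
        if (r["proto"] == "udp" and r["port"] == 53
                and r["ip"] in RESOLVERS and r["domain"]):
            if not is_noise(r["domain"]):
                dns[r["domain"]] += 1
                families[family(r["domain"])].add(r["domain"])
        elif r["proto"] == "tcp" and not is_noise(r["domain"]):
            key = "%s:%d" % (r["ip"], r["port"])
            tcp[key] += 1
            # The sandbox prints the IP literal in the Domain column when the
            # connection had no DNS name in front of it: a hard-coded peer.
            if r["domain"] == r["ip"] and r["port"] == 443:
                direct.add(r["ip"])
    return {
        "dns_queries": dict(dns),
        "tcp_peers": dict(tcp),
        "direct_ip_tls": sorted(direct),
        "domain_families": {k: sorted(v) for k, v in families.items() if len(v) > 1},
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(REPORT_ROWS)).items():
        print(key, value)
```

Run on those rows it collapses the four jamiryo22113.net lookups into one family, reports 185.225.75.207:443 as the repeated direct-to-IP TLS peer, and keeps www.ip-api.com (a public IP geolocation service) as a lookup worth noting, while the Google addresses fall out as platform noise. Rows with an empty Domain column are kept as unattributed TCP peers so that nothing is silently dropped.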

Files

/data/data/com.bedhold27/cache/jsyuggfsoyg

MD5 882a1e4e99ae0002eeb7e92682684cf5
SHA1 523c3240acde39974fce6cd6b9097237215b0ffb
SHA256 c711224b7419ff9c4699a16adb63173b10127631e1ebff4b33e20975d5b991df
SHA512 d13fcb64de9c1c18dbe070c26463bd10dc22e30d25a5b5b9c444ac144fda0f81dae8895b1acecf0e9281fcebdcaea2c7dc6206ed72a8a5fb49c8f28f0f98d598

/data/user/0/com.bedhold27/cache/jsyuggfsoyg

MD5 882a1e4e99ae0002eeb7e92682684cf5
SHA1 523c3240acde39974fce6cd6b9097237215b0ffb
SHA256 c711224b7419ff9c4699a16adb63173b10127631e1ebff4b33e20975d5b991df
SHA512 d13fcb64de9c1c18dbe070c26463bd10dc22e30d25a5b5b9c444ac144fda0f81dae8895b1acecf0e9281fcebdcaea2c7dc6206ed72a8a5fb49c8f28f0f98d598