Malware Analysis Report

2024-10-19 12:18

Sample ID: 230922-1wxwksae7w
Target: a0c79d77bd751f85953e443375081320e706623e879ef36220cc2e466d1f11eb.bin
SHA256: a0c79d77bd751f85953e443375081320e706623e879ef36220cc2e466d1f11eb
Tags: octo banker evasion infostealer ransomware rat stealth trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: a0c79d77bd751f85953e443375081320e706623e879ef36220cc2e466d1f11eb

Threat Level: Known bad

The file a0c79d77bd751f85953e443375081320e706623e879ef36220cc2e466d1f11eb.bin was found to be: Known bad.

Malicious Activity Summary

Tags: octo banker evasion infostealer ransomware rat stealth trojan

Octo

Octo payload

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service.

Requests dangerous framework permissions

Acquires the wake lock.

Loads dropped Dex/Jar

Requests disabling of battery optimizations (often used to enable hiding in the background).

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2023-09-22 22:00

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-09-22 22:00
Reported: 2023-09-22 22:03
Platform: android-x86-arm-20230831-en
Max time kernel: 3203076s
Max time network: 148s

Command Line

com.decidecommon2

Signatures

Octo

banker trojan infostealer rat octo

Octo payload


Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Tags: banker

Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Removes its main activity from the application launcher

Tags: stealth trojan

Acquires the wake lock.

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.decidecommon2/cache/didve | N/A | N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Tags: evasion

Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data).

Tags: ransomware

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.decidecommon2

Network


Files

/data/data/com.decidecommon2/cache/didve
/data/user/0/com.decidecommon2/cache/didve
/data/data/com.decidecommon2/kl.txt (five successive versions recorded during the run)
/data/data/com.decidecommon2/cache/oat/didve.cur.prof
/data/data/com.decidecommon2/.qcom.decidecommon2

Analysis: behavioral2

Detonation Overview

Submitted: 2023-09-22 22:00
Reported: 2023-09-22 22:03
Platform: android-x64-20230831-en
Max time kernel: 3203077s
Max time network: 155s

Command Line

com.decidecommon2

Signatures

Octo

banker trojan infostealer rat octo

Octo payload


Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Tags: banker

Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Acquires the wake lock.

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.decidecommon2/cache/didve | N/A | N/A

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data).

Tags: ransomware

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.decidecommon2

Network


Files

/data/data/com.decidecommon2/cache/didve
/data/user/0/com.decidecommon2/cache/didve
/data/data/com.decidecommon2/cache/oat/didve.cur.prof
/data/data/com.decidecommon2/.qcom.decidecommon2