Malware Analysis Report

2024-10-19 12:18

Sample ID 230925-1x9a1ade43
Target 8f0284b41c15c0c6745aa86b340f31b5c3f7d5ebc18017eaced95301d39f98d7.bin
SHA256 8f0284b41c15c0c6745aa86b340f31b5c3f7d5ebc18017eaced95301d39f98d7
Tags
octo banker evasion infostealer ransomware rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8f0284b41c15c0c6745aa86b340f31b5c3f7d5ebc18017eaced95301d39f98d7

Threat Level: Known bad

The file 8f0284b41c15c0c6745aa86b340f31b5c3f7d5ebc18017eaced95301d39f98d7.bin was found to be: Known bad.

Malicious Activity Summary

Octo

Octo payload

Makes use of the framework's Accessibility service.

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Acquires the wake lock.

Requests dangerous framework permissions

Loads dropped Dex/Jar

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-09-25 22:02

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-25 22:02

Reported

2023-09-25 22:15

Platform

android-x86-arm-20230831-en

Max time kernel

3462983s

Max time network

132s

Command Line

com.simplesun4

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.simplesun4/cache/zpaofggcurnjq N/A N/A
N/A /data/user/0/com.simplesun4/cache/zpaofggcurnjq N/A N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.simplesun4

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 142.250.179.202:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 apppro.live udp
HK 194.26.135.139:443 apppro.live tcp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
HK 194.26.135.139:443 apppro.live tcp
HK 194.26.135.139:443 apppro.live tcp
NL 142.251.36.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.39.110:443 android.apis.google.com tcp
HK 194.26.135.139:443 apppro.live tcp
HK 194.26.135.139:443 apppro.live tcp
NL 142.251.36.42:443 infinitedata-pa.googleapis.com tcp
HK 194.26.135.139:443 apppro.live tcp
HK 194.26.135.139:443 apppro.live tcp

Files

/data/data/com.simplesun4/cache/zpaofggcurnjq


/data/user/0/com.simplesun4/cache/zpaofggcurnjq


/data/data/com.simplesun4/kl.txt


/data/data/com.simplesun4/cache/oat/zpaofggcurnjq.cur.prof


/data/data/com.simplesun4/.qcom.simplesun4


Analysis: behavioral2

Detonation Overview

Submitted

2023-09-25 22:02

Reported

2023-09-25 22:13

Platform

android-x64-20230831-en

Max time kernel

3462734s

Max time network

138s

Command Line

com.simplesun4

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.simplesun4/cache/zpaofggcurnjq N/A N/A
N/A /data/user/0/com.simplesun4/cache/zpaofggcurnjq N/A N/A

Processes

com.simplesun4

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.250.179.142:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.142:443 android.apis.google.com tcp
NL 142.250.179.206:443 tcp
NL 142.251.39.98:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
DE 172.217.23.195:443 tcp
DE 172.217.23.195:443 tcp
NL 172.217.168.202:443 tcp
NL 172.217.168.202:443 tcp
NL 142.250.102.188:5228 tcp
US 1.1.1.1:53 waytoupio.click udp
US 1.1.1.1:53 www.ip-api.com udp
HK 194.26.135.139:443 waytoupio.click tcp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 acsmartio.tech udp
HK 194.26.135.139:443 waytoupio.click tcp
HK 194.26.135.139:443 waytoupio.click tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 g.tenor.com udp
NL 142.250.179.202:443 g.tenor.com tcp
NL 142.250.179.142:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
HK 194.26.135.139:443 waytoupio.click tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 acsmartio.tech udp
HK 194.26.135.139:443 waytoupio.click tcp
HK 194.26.135.139:443 waytoupio.click tcp
US 1.1.1.1:53 apppro.live udp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
US 1.1.1.1:53 safebrowsing.googleapis.com udp
NL 142.250.179.202:443 safebrowsing.googleapis.com tcp
HK 194.26.135.139:443 waytoupio.click tcp
US 1.1.1.1:53 apppro.live udp
HK 194.26.135.139:443 apppro.live tcp
HK 194.26.135.139:443 apppro.live tcp
HK 194.26.135.139:443 apppro.live tcp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
HK 194.26.135.139:443 apppro.live tcp
US 1.1.1.1:53 waytoupio.click udp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.142:443 android.apis.google.com tcp
US 1.1.1.1:53 i.ytimg.com udp
NL 142.250.179.182:443 i.ytimg.com udp
NL 142.250.179.182:443 i.ytimg.com tcp
US 1.1.1.1:53 waytoupio.click udp
HK 194.26.135.139:443 waytoupio.click tcp
HK 194.26.135.139:443 waytoupio.click tcp
HK 194.26.135.139:443 waytoupio.click tcp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.251.36.40:443 ssl.google-analytics.com tcp
HK 194.26.135.139:443 waytoupio.click tcp

Files

/data/data/com.simplesun4/cache/zpaofggcurnjq


/data/user/0/com.simplesun4/cache/zpaofggcurnjq
