Malware Analysis Report

2024-10-19 12:57

Sample ID 240215-mgm6yaeh25
Target octo_alphasecurity.apk
SHA256 652b7e62c4a55424c816422f1f550bce4816e43ad10fda9f13e779dbf17b54ed
Tags
octo banker evasion infostealer rat stealth trojan
score
10/10


Analysis Overview


Threat Level: Known bad

The file octo_alphasecurity.apk was found to be: Known bad.

Malicious Activity Summary


Octo payload

Octo

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Requests enabling of the accessibility settings.

Loads dropped Dex/Jar

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Declares services with permission to bind to the system

Reads information about phone network operator.

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-15 10:26

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-15 10:26

Reported

2024-02-15 10:27

Platform

android-x86-arm-20231215-en

Max time kernel

59s

Max time network

46s

Command Line

com.mountainperhaps4

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker
Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Removes its main activity from the application launcher

stealth trojan
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.mountainperhaps4/cache/bcdqtbyga | N/A | N/A
N/A | /data/user/0/com.mountainperhaps4/cache/bcdqtbyga | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.mountainperhaps4

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-02-15 10:26

Reported

2024-02-15 10:27

Platform

android-x64-arm64-20231215-en

Max time kernel

62s

Max time network

68s

Command Line

com.mountainperhaps4

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker
Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.mountainperhaps4/cache/bcdqtbyga | N/A | N/A
N/A | /data/user/0/com.mountainperhaps4/cache/bcdqtbyga | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.mountainperhaps4

Network


Files
