Malware Analysis Report

2024-10-19 12:57

Sample ID 240215-mj3peaed5z
Target octo_googlechrome.apk
SHA256 d6c6f631148ded2b6048fc34a5a2ba9b5c2576e0436983bb0f0bf8f8d6941b6f
Tags
octo banker infostealer rat trojan evasion stealth
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d6c6f631148ded2b6048fc34a5a2ba9b5c2576e0436983bb0f0bf8f8d6941b6f

Threat Level: Known bad

The file octo_googlechrome.apk was found to be: Known bad.

Malicious Activity Summary

octo banker infostealer rat trojan evasion stealth

Octo

Octo payload

Makes use of the framework's Accessibility service

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests enabling of the accessibility settings.

Loads dropped Dex/Jar

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Requests disabling of battery optimizations (often used to enable hiding in the background).

Reads information about phone network operator.

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-15 10:30

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
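The three static signatures above all key on manifest declarations. The script below is an added example, not part of the sandbox report or of the sample: it parses a manifest and reproduces the same three checks, plus a check for whether a launcher entry is declared at all. The manifest it carries is constructed to mirror the permissions and bind-permission declarations the static1 analysis lists for com.wasturn0; it is not the sample's real manifest, and the component names (.MainActivity, .AccService, .NotifService, .AdminReceiver) are invented. A real APK holds a binary AXML manifest, so decode it first (for example with `aapt2 dump xmltree` or androguard's AXML printer) before feeding the text here.

```python
"""Static manifest triage for the indicators this report's static1 analysis lists.

Added example, not the report's or the sample's code. CONSTRUCTED_MANIFEST is a
hand-written stand-in for com.wasturn0's manifest; component names are invented.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree Clark notation for the android: prefix

# Permissions the report groups under "Requests dangerous framework permissions".
DANGEROUS = {
    "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.CALL_PHONE",
    "android.permission.WRITE_SETTINGS", "android.permission.READ_PHONE_STATE",
}
# Bind permissions only the system holds: a component that declares one is asking
# to be bound by the framework (accessibility / notification access / device admin).
SYSTEM_BIND = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
    "android.permission.BIND_DEVICE_ADMIN": "device admin receiver",
}
LAUNCHER = "android.intent.category.LAUNCHER"

CONSTRUCTED_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.wasturn0">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Collect the manifest facts the static signatures key on."""
    root = ET.fromstring(xml_text)
    out = {"package": root.get("package"), "dangerous": [], "system_bind": [],
           "launcher_activities": []}
    for up in root.iter("uses-permission"):
        name = up.get(A + "name")
        if name in DANGEROUS:
            out["dangerous"].append(name)
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(A + "permission")
            if perm in SYSTEM_BIND:
                out["system_bind"].append((tag, comp.get(A + "name"), SYSTEM_BIND[perm]))
    for act in root.iter("activity"):
        if any(c.get(A + "name") == LAUNCHER for c in act.iter("category")):
            out["launcher_activities"].append(act.get(A + "name"))
    return out


def fired_signatures(facts):
    """Map the collected facts onto the report's static signature names (sorted)."""
    fired = set()
    if facts["dangerous"]:
        fired.add("Requests dangerous framework permissions")
    if any(tag == "service" for tag, _, _ in facts["system_bind"]):
        fired.add("Declares services with permission to bind to the system")
    if any(tag == "receiver" for tag, _, _ in facts["system_bind"]):
        fired.add("Declares broadcast receivers with permission to handle system events")
    if not facts["launcher_activities"]:
        fired.add("No launcher activity declared")  # invisible in the app drawer from install
    return sorted(fired)


if __name__ == "__main__":
    facts = triage_manifest(CONSTRUCTED_MANIFEST)
    print(facts["package"], facts["system_bind"])
    for line in fired_signatures(facts):
        print(line)
```

Note the limit of this check: the "Removes its main activity from the application launcher" behaviour seen in behavioral1 is done at runtime (the launcher entry is disabled after install), so the manifest still shows a LAUNCHER activity; only the dynamic run exposes the hiding.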

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-15 10:30

Reported

2024-02-15 10:31

Platform

android-x64-20231215-en

Max time kernel

61s

Max time network

67s

Command Line

com.wasturn0

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker
Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.wasturn0/cache/bqcppes | N/A | N/A
N/A | /data/user/0/com.wasturn0/cache/bqcppes | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.wasturn0

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | feeeleen.top | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
RU | 176.113.115.116:443 | feeeleen.top | tcp
RU | 176.113.115.116:443 | feeeleen.top | tcp
RU | 176.113.115.116:443 | feeeleen.top | tcp
GB | 172.217.16.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.46:443 | android.apis.google.com | tcp
GB | 216.58.201.100:443 | N/A | tcp
GB | 216.58.201.100:443 | N/A | tcp

Files

/data/data/com.wasturn0/cache/bqcppes

MD5 0f1013eb6265187c8f6ea22b96608d29
SHA1 ca2d38e8e3006f80d0d1547dac1c89a0e9a34e0b
SHA256 e859db4a5f8e48facff32e43a5d6fd98454acef0ff1b74c275ffc2f9614d1977
SHA512 b3b59cf8a30a4177e2bbf0394423353c21ea67c53df0753f6787e12e27a8ec5a2ede025e1d51fc6aa702814486521492ba6d7684ac3a5e67a8e1f0aacc009d89

/data/data/com.wasturn0/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-15 10:30

Reported

2024-02-15 10:31

Platform

android-x86-arm-20231215-en

Max time kernel

60s

Max time network

57s

Command Line

com.wasturn0

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker
Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Removes its main activity from the application launcher

stealth trojan
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.wasturn0/cache/bqcppes | N/A | N/A
N/A | /data/user/0/com.wasturn0/cache/bqcppes | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.wasturn0

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.202:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | feeeleen.top | udp
RU | 176.113.115.116:443 | feeeleen.top | tcp
RU | 176.113.115.116:443 | feeeleen.top | tcp
RU | 176.113.115.116:443 | feeeleen.top | tcp
GB | 142.250.179.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
GB | 142.250.179.234:443 | semanticlocation-pa.googleapis.com | tcp
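Both Network tables (behavioral2 and behavioral1) mix the sample's own traffic with sandbox and Google Mobile Services background noise: mDNS to 224.0.0.251, lookups through the sandbox resolver 1.1.1.1, and TLS to Google analytics and API hosts. The script below is an added example, not part of the report: it takes the rows of both tables as constructed input, drops the multicast, resolver and allow-listed Google traffic, and aggregates the rest into network IOCs. The allow-list suffixes and the resolver address are assumptions chosen for this capture, not a general rule.

```python
"""Network IOC extraction from a sandbox connection table.

Added example, not part of the report. NETWORK_ROWS is transcribed from the
report's two Network tables (country, ip:port, optional domain, protocol).
"""
import ipaddress
from collections import defaultdict

NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 feeeleen.top udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
RU 176.113.115.116:443 feeeleen.top tcp
RU 176.113.115.116:443 feeeleen.top tcp
RU 176.113.115.116:443 feeeleen.top tcp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.46:443 android.apis.google.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.202:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 feeeleen.top udp
RU 176.113.115.116:443 feeeleen.top tcp
RU 176.113.115.116:443 feeeleen.top tcp
RU 176.113.115.116:443 feeeleen.top tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
GB 142.250.179.234:443 semanticlocation-pa.googleapis.com tcp
"""

# Assumed for this capture: GMS/platform background hosts and the sandbox resolver.
BENIGN_SUFFIXES = ("google.com", "googleapis.com", "google-analytics.com")
RESOLVERS = {"1.1.1.1"}


def parse_rows(text):
    """Split the flattened table into dicts; the domain column is optional."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_benign(domain):
    return domain is not None and any(
        domain == s or domain.endswith("." + s) for s in BENIGN_SUFFIXES)


def extract_iocs(text):
    """Return (contacted hosts worth listing, TCP endpoints with no DNS attribution)."""
    contacts = defaultdict(lambda: {"ips": set(), "countries": set(), "connections": 0})
    unattributed = set()
    for r in parse_rows(text):
        addr = ipaddress.ip_address(r["ip"])
        if addr.is_multicast or r["ip"] in RESOLVERS or r["port"] == 53:
            continue  # mDNS chatter and resolver traffic are not the sample's C2
        if r["domain"] is None:
            unattributed.add((r["ip"], r["port"]))  # no DNS answer seen: verify by hand
            continue
        if is_benign(r["domain"]):
            continue
        c = contacts[r["domain"]]
        c["ips"].add(r["ip"])
        c["countries"].add(r["country"])
        c["connections"] += 1
    return dict(contacts), sorted(unattributed)


def ioc_lines(text):
    """Flat indicator list suitable for a blocklist: domain first, then its IPs."""
    contacts, _ = extract_iocs(text)
    lines = []
    for domain, info in sorted(contacts.items()):
        lines.append("domain " + domain)
        lines.extend("ip " + ip for ip in sorted(info["ips"]))
    return lines


if __name__ == "__main__":
    contacts, unattributed = extract_iocs(NETWORK_ROWS)
    print(contacts)
    print("unattributed:", unattributed)
    print("\n".join(ioc_lines(NETWORK_ROWS)))
```

Across the two runs this leaves one host: feeeleen.top, resolving to 176.113.115.116 (RU) and receiving three TLS connections per run, which is the C2 candidate to carry into detection. The three unattributed 443 endpoints have no matching DNS answer in the capture and sit in Google address space (142.250.0.0/15, 172.217.0.0/16, 216.58.192.0/19), so confirm ownership with a WHOIS or ASN lookup before adding them to any list.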

Files

/data/data/com.wasturn0/cache/bqcppes

MD5 0f1013eb6265187c8f6ea22b96608d29
SHA1 ca2d38e8e3006f80d0d1547dac1c89a0e9a34e0b
SHA256 e859db4a5f8e48facff32e43a5d6fd98454acef0ff1b74c275ffc2f9614d1977
SHA512 b3b59cf8a30a4177e2bbf0394423353c21ea67c53df0753f6787e12e27a8ec5a2ede025e1d51fc6aa702814486521492ba6d7684ac3a5e67a8e1f0aacc009d89

/data/user/0/com.wasturn0/cache/bqcppes

MD5 f76ac8d35bed09fa82c9e0758f8ffc54
SHA1 086c3213a3e63d30b6800962b8bfbc2dcd95b75e
SHA256 020950b66e1ce9b9cd67636ed89f595a7de1cf8c763a43b32b2d9e7e74dfb620
SHA512 e04f0e47a6314fb928d91bad776b83003856ed82a283133b66589d49b0706d54f8513d27bf0cd75f22b8909186076523e7a2a50e699136afaca76f07faccbc36

/data/data/com.wasturn0/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.wasturn0/cache/oat/bqcppes.cur.prof

MD5 471119745a31e49ea3309e06fb393baf
SHA1 c6bea3bb91745e56164d39aa2ee76bf5500fc3d7
SHA256 9abf27534c4449da89a596689303c55b91574f53a2e8dbc6f6dd54a087739769
SHA512 bd89535c373d4cee8dd2f33ce7f0267e175529ac59b2d9169061d933b3b5859f9818188f3cf80d12a450d1ad0a2bdaf3759476f966b6b9eecb95413deac5c911
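The two Files sections list the dropped payload under two spellings of the same directory, and in behavioral1 the same cache file appears with two different hashes. The script below is an added example, not part of the report, that reconciles the two runs: it assumes /data/data/<pkg> is the symlink to /data/user/0/<pkg> that current Android provides, folds the two spellings together, reports which hashes are stable across runs (the useful file IOCs) versus which paths changed content within a run, and treats an `oat/<name>.cur.prof` entry as ART's runtime profile for a secondary dex file, which corroborates the "Loads dropped Dex/Jar" signature with on-disk evidence that the dropped file was executed. RUNS is transcribed from the report (SHA256 only).

```python
"""Cross-run comparison of the files this report lists as written by com.wasturn0.

Added example, not part of the sandbox report. Assumption: /data/data/<pkg> and
/data/user/0/<pkg> name the same directory (symlink on current Android).
"""
import posixpath
from collections import defaultdict

RUNS = {
    "behavioral2": [
        ("/data/data/com.wasturn0/cache/bqcppes",
         "e859db4a5f8e48facff32e43a5d6fd98454acef0ff1b74c275ffc2f9614d1977"),
        ("/data/data/com.wasturn0/kl.txt",
         "8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8"),
    ],
    "behavioral1": [
        ("/data/data/com.wasturn0/cache/bqcppes",
         "e859db4a5f8e48facff32e43a5d6fd98454acef0ff1b74c275ffc2f9614d1977"),
        ("/data/user/0/com.wasturn0/cache/bqcppes",
         "020950b66e1ce9b9cd67636ed89f595a7de1cf8c763a43b32b2d9e7e74dfb620"),
        ("/data/data/com.wasturn0/kl.txt",
         "8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8"),
        ("/data/data/com.wasturn0/cache/oat/bqcppes.cur.prof",
         "9abf27534c4449da89a596689303c55b91574f53a2e8dbc6f6dd54a087739769"),
    ],
}


def canonical(path):
    """Fold the /data/data/ alias onto the /data/user/0/ directory it points to."""
    if path.startswith("/data/data/"):
        return "/data/user/0/" + path[len("/data/data/"):]
    return path


def compare_runs(runs):
    by_path = defaultdict(lambda: defaultdict(set))  # canonical path -> run -> {sha256}
    for run, files in runs.items():
        for path, sha in files:
            by_path[canonical(path)][run].add(sha)
    report = {}
    for path, per_run in by_path.items():
        seen_everywhere = len(per_run) == len(runs)
        stable = set.intersection(*per_run.values()) if seen_everywhere else set()
        report[path] = {
            "in_every_run": seen_everywhere,
            "stable_hashes": stable,  # identical in every run: good file IOCs
            "rewritten_in_run": sorted(r for r, h in per_run.items() if len(h) > 1),
            # ART keeps a profile as <dir>/oat/<name>.cur.prof for secondary dex
            # files the app executes; its presence corroborates dex loading.
            "art_profile": posixpath.basename(posixpath.dirname(path)) == "oat"
                           and path.endswith(".cur.prof"),
        }
    return report


def executed_dex(runs):
    """Dex/jar paths that have an ART profile next to them, i.e. code that ran."""
    report = compare_runs(runs)
    dex = []
    for path, info in report.items():
        if not info["art_profile"]:
            continue
        oat_dir = posixpath.dirname(path)
        name = posixpath.basename(path)[: -len(".cur.prof")]
        candidate = posixpath.join(posixpath.dirname(oat_dir), name)
        if candidate in report:
            dex.append(candidate)
    return sorted(dex)


if __name__ == "__main__":
    for path, info in compare_runs(RUNS).items():
        print(path, info)
    print("executed dex:", executed_dex(RUNS))
```

For this sample the cache file bqcppes keeps hash e859db4a… in both runs, so that is the hash to pin; the second hash seen in behavioral1 (020950b6…) means the file's content changed between two capture points in that run, so a detection that keys on a single hash of the dropped file can miss it. kl.txt is identical in both runs as well.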