Malware Analysis Report

2024-10-19 12:57

Sample ID 240215-mnm5hsfa39
Target octo_alphasecurity2.apk
SHA256 03c9675fb981414de940100aadd3fb789cc6773d331ba3a7c9f67da783c8f0e1
Tags: octo, banker, evasion, infostealer, rat, stealth, trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

03c9675fb981414de940100aadd3fb789cc6773d331ba3a7c9f67da783c8f0e1

Threat Level: Known bad

The file octo_alphasecurity2.apk was found to be: Known bad.

Malicious Activity Summary

octo banker evasion infostealer rat stealth trojan

Octo payload

Octo

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Declares services with permission to bind to the system

Acquires the wake lock

Requests disabling of battery optimizations (often used to enable hiding in the background).

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-15 10:36

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-15 10:36

Reported

2024-02-15 10:38

Platform

android-x86-arm-20231215-en

Max time kernel

60s

Max time network

38s

Command Line

com.beenbody10

Signatures

Octo

Tags: banker, trojan, infostealer, rat, octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker
Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Removes its main activity from the application launcher

Tags: stealth, trojan
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.beenbody10/cache/ahkbiiaazb | N/A | N/A
N/A | /data/user/0/com.beenbody10/cache/ahkbiiaazb | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

Tags: evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.beenbody10

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.201.106:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | mine-495834.info | udp
US | 1.1.1.1:53 | mine-495834.org | udp
TM | 91.202.233.138:443 | mine-495834.org | tcp
TM | 91.202.233.138:443 | mine-495834.org | tcp
US | 1.1.1.1:53 | my-859745.ru | udp
TM | 91.202.233.138:443 | mine-495834.org | tcp
TM | 91.202.233.138:443 | mine-495834.org | tcp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
TM | 91.202.233.138:443 | mine-495834.org | tcp
TM | 91.202.233.138:443 | mine-495834.org | tcp
TM | 91.202.233.138:443 | mine-495834.org | tcp
GB | 216.58.212.202:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.beenbody10/cache/ahkbiiaazb

MD5 c57ad0cbcf85aabd5b567bbe17f5828b
SHA1 6f59c61f7f4df55247d808cb22625f0062654ba0
SHA256 5051f914e9239ac7f4d8ba03ba237198815a2963db6d833038dd4f8f0c8a0303
SHA512 2a62e42d676d39093b94f553001d221f4bc31660ce04f8284e06b5e0e448574dc7f186dd6a9d9f82bd6eefef92292ed7fbb5f346121ed2e14182547f511595e7

/data/data/com.beenbody10/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.beenbody10/kl.txt

MD5 22b9d783e43251ddc36f20746a8c2699
SHA1 5856fe1889a60af1c3fef4bb2acbb2b4036b8a18
SHA256 b9070abbf618852069d3aaae78764fdfeeb8881ea29b90568e86278df8bc795d
SHA512 6b85378a9001b3f8c6f86061374fc615aae3a01b7ccbca5a71541bc2c775985cbbd5d2321358cce0a36a16123628faae30524c9ff3a31d21050fc1d294d285a2

/data/data/com.beenbody10/kl.txt

MD5 3dac74ac6586c4bf6f7ab74e2a90b0bf
SHA1 94200104af14ca7305f92052633ca4c6b9df5dee
SHA256 634c5cb75b8782b4dce25653d3b1a7c5f5e02daeb2b3328d1aba9d23b8963b24
SHA512 13860c4b9d027be8b09fb28e3cf4a8f3c651537e28af0b6b8fc96df4d18e557d9da6dc4930a2a46216f3e2a8b6f8c4291669921a442fecf0405fbb90c17c506b

/data/data/com.beenbody10/kl.txt

MD5 2fa314739d7cd147192c78896af54add
SHA1 60a5f4a4fd68c438d66c59b4a44e07ce2360fd40
SHA256 5859742532e41a35ebb56a3ca875e4bdb46586f78a16f46ee592a9a874c2c56d
SHA512 14f43e6cbecc2fafde3b87b78e9e27624a4e59cd25b32f055e8dc5a56b425ca7bbb8c03bea22852b15833f8667ce46d8bf61e6e6d3b70685def96c7ae10fd4cb

/data/data/com.beenbody10/kl.txt

MD5 fe3ee832deec923ab870284671f6b953
SHA1 0ba492903abeb90571514e4fe67813086edbbc08
SHA256 203f6465cd8b29b6019c5ee37eead21cabeae550dcc84891a2d8ebf91cf9c21e
SHA512 377a7bed1f6ce9bd8d9ae2f679443b6c6a20db259732863d8f53126963ce4551875cf5dd70740fbfd54a075cc47546dab764bbb8ba6163ef00b30fe993d222fd

/data/data/com.beenbody10/cache/oat/ahkbiiaazb.cur.prof

MD5 31ffc2506d861ea57e4f493b65866d02
SHA1 3d80cd428d8ef501415e70a379db66cace0257b8
SHA256 cd0b2f63b2badddfe42ee2acf372c481d3c3227ab0c8e961a07cdc62ac9869ed
SHA512 f0604f56906d5201afa2fd97c54d389667a3fe739b103642d1fd58ca2ecc9ce5a4dc44759efb8f9603e18cae1febc668751c0727f6e28d66dbee0c24dfae9d23

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-15 10:36

Reported

2024-02-15 10:38

Platform

android-x64-arm64-20231215-en

Max time kernel

60s

Max time network

68s

Command Line

com.beenbody10

Signatures

Octo

Tags: banker, trojan, infostealer, rat, octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker
Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.beenbody10/cache/ahkbiiaazb | N/A | N/A
N/A | /data/user/0/com.beenbody10/cache/ahkbiiaazb | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Tags: evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.beenbody10

Network

Country | Destination | Domain | Proto
GB | 216.58.213.14:443 | | tcp
GB | 216.58.213.14:443 | | tcp
GB | 216.58.213.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.234:443 | | udp
GB | 142.250.187.238:443 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | mine-495834.org | udp
US | 1.1.1.1:53 | mine-495834.net | udp
TM | 91.202.233.138:443 | mine-495834.net | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
TM | 91.202.233.138:443 | mine-495834.net | tcp
US | 1.1.1.1:53 | mine-495834.xyz | udp
TM | 91.202.233.138:443 | mine-495834.xyz | tcp
TM | 91.202.233.138:443 | mine-495834.xyz | tcp
TM | 91.202.233.138:443 | mine-495834.xyz | tcp
TM | 91.202.233.138:443 | mine-495834.xyz | tcp
TM | 91.202.233.138:443 | mine-495834.xyz | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp
TM | 91.202.233.138:443 | mine-495834.xyz | tcp

Files

/data/user/0/com.beenbody10/cache/ahkbiiaazb

MD5 c57ad0cbcf85aabd5b567bbe17f5828b
SHA1 6f59c61f7f4df55247d808cb22625f0062654ba0
SHA256 5051f914e9239ac7f4d8ba03ba237198815a2963db6d833038dd4f8f0c8a0303
SHA512 2a62e42d676d39093b94f553001d221f4bc31660ce04f8284e06b5e0e448574dc7f186dd6a9d9f82bd6eefef92292ed7fbb5f346121ed2e14182547f511595e7

/data/user/0/com.beenbody10/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/user/0/com.beenbody10/kl.txt

MD5 0397c4de14f3783b0419d3dfa49de9bf
SHA1 8e373daae226b1880f94af00654b385e38263e37
SHA256 629262094469a926bf4bb9ab00f0bf167303e2c08adf6b6fcf74da53df4d8bd3
SHA512 7d861f949a4f8812f8485ff1d42123d0972b6f58e79b3ddbbf2be2072fad83bd6cef275cfef59fdeae1c16dfce3cba1408523d8c1b4d87e56ff36ad5823116f1

/data/user/0/com.beenbody10/kl.txt

MD5 8a0f223d0fcc089b9bb069e6d515b858
SHA1 c3038d907b5a983f623c757103f74edd6068af51
SHA256 06b640815226c48b723d260e86a6fb80a8e1ba810659d32fbb15cf52760f1d72
SHA512 a711227ae5e7d4696e53e700e26ef8771454663e19df41924b8edd029d81f2cb63822c5d5d12dbead53f92bf30c8b2f1b96d15ec322a5f0dbe5a68d4b01c810c

/data/user/0/com.beenbody10/kl.txt

MD5 565f4f2e3c7e6807287ecca2005858b9
SHA1 d1bfb3be03c75991ffe3cf91d23d093eae6f186f
SHA256 5528a3085e2c3556f78bc034b9ae442592a2bebee7572c796bc5f958dfd6e809
SHA512 043164803ffec4aff4bbe6e9d2ed9374a09530b1abf054ea01ad86aee33ba479ca654c90867f03e3ab57dab26b275b669bcdeed904e3a10f8f336fb68ebe2e80

/data/user/0/com.beenbody10/kl.txt

MD5 806f19cdd5fae9ad64cf1a4f1626f256
SHA1 8321af547fea84518c527610396957acb5aa6870
SHA256 884b78f90a3b346fd0ce7375f963bc10ee1f59a08f6e78da9464b45aba9dc38f
SHA512 98fc11dadd62d1c48ee825c33eb942636ff735b424ab7a77c9ce0061b03d5eae5c4b87cc5b84df298bdacfac0492062cd00a7f41fc9ada8612577b4456fd9fd0

/data/user/0/com.beenbody10/kl.txt

MD5 85d8b7b52489823aefd0085fa2ff2a9b
SHA1 89b3361567f4ef6142bd7d790210d444f955a46a
SHA256 5e77063dd2a35bc3503e9aef271534e738923dbe444693842bbe4cdd97f5ff67
SHA512 3ee2e104ff3cc06609eb0cb6911b0baeebc1ca7737f6e87d238adef93257eb5f88ab1f7b60603ad0886edcc3f678b0e438a2daa494f5cf445c193b9b3c3ba4a0

/data/user/0/com.beenbody10/kl.txt

MD5 a3f2540162c042e21dd975ce1fce7395
SHA1 03f42f5025608302b30957944f157ca06430ad28
SHA256 74240c496e0c00dab4ed288c97febd7b994eef7a3e9077abddd58c96009ee0b5
SHA512 668e3aeba593cd2f30f5ce121b534da596659bc58c1954dbf9e9e359ee8f52315f1aa66d2e3eb1b1c2aa99bc4aac6ab1522b7cb84025bf692e17afea48f31030

/data/user/0/com.beenbody10/kl.txt

MD5 f8931f7422fc0c16c1afd077edd3640d
SHA1 437581e4ed3c55ecffa8aee01b542fa99ef008d0
SHA256 37708d8374229b4a26e772d5a795537e16347f5df1b02e1944f4633f17e9df0b
SHA512 a2908bbed5805a06badc7d55c1ef00760f151b87dcd91c99c20e6a41c1abd2814c2284c69238e9f240a6889826024c1f21863c418d6511ceb613d21a47bbab25

/data/user/0/com.beenbody10/kl.txt

MD5 844fa2ca54c64fff5c34bee247b88d9e
SHA1 f4921b6eed306a26b34b0a223b0ebd67c04bdcdd
SHA256 c077217261f28012da2574a15e3394371098e529835285f7dd5856c587d6b0de
SHA512 77973d9c48a033a96898217e2cb6364380cd6ee76e3286319eb83a5caa985e341a0e6b4281cac2bbe59d0a58b053818afa87d522edc02fe521e70bfcab1c7db4

/data/user/0/com.beenbody10/kl.txt

MD5 7478409ea70af9a8f8c05d0c483611a2
SHA1 a936e052ae9c2ff958c6bcdcc7a429478c7b453d
SHA256 51599c032f606ccb01dae675e38c05df9919cb2a3d961b67d08ce09406b8ff9e
SHA512 bf5a18a22359e038a3b0fb844024b6c57c19485ae457848a086b4ebd66dfc0f1772d1644f2f905425ad322d194cb0a57bb8bda44fcb5bafaae8d23dbfd306d74

/data/user/0/com.beenbody10/kl.txt

MD5 a28db638b27f3956da86160d7ed91d69
SHA1 159b58d586ee7cdff34659ebcef46db63d645c3f
SHA256 55644c781de87a3e41a54e65f7499a17863f410d068f203f87b59305dc1d59cd
SHA512 c31fccd560d9ecd57edf36f6110c41b2599db35becc31dfd290840f35611df565b00ea032bbbea61aa618f11417f0c9787ca875d14ec7796c1f3d41678ed263a

/data/user/0/com.beenbody10/kl.txt

MD5 b13dddbd74e0bcc127d8528138187c1d
SHA1 86121877e357e911710735736db4c2ad7c8fb033
SHA256 81cf47d135d83cbd6f8faa641451febea040262e7ba8acaf0a444df4fda2562f
SHA512 7d3b5af0c563f23a3dfc6f9294311da19b315eef120776b6e8bbbc2b80f815ff8863cd2db6473c33d6fad63c9643fbef8ef72437180bd85d7fbcbd9d073cc98c

/data/user/0/com.beenbody10/kl.txt

MD5 b41bd0a5c9a4285c2c3851ee48312fb0
SHA1 9f837bde9c5789cc5b33a78e02b0ddcb7c1a7561
SHA256 81e1ea898514d90508974a97fe3c38f49a8d1c99fa99460a207cf60a1a68de64
SHA512 db1b45a294cb534dbbe9832e20ae2b08c4bb82c489ed517c156ecaf49c65d6b3165b3d072c0e97c8dcc2597aa3fe742478d6fe4b6da0d202aeccb3037a2afba4

/data/user/0/com.beenbody10/kl.txt

MD5 075bb16a91890b6c6c524306d9c55416
SHA1 7be9da4ee004fb24b06dd38459bf59c80ee15272
SHA256 005a1111177b33aecdda378b87c152f64166c2d5ffb7dcfb420b0ffa3fc07b4b
SHA512 c40286c94860876381bf15fed8aa44aa1fb57c7e963fbf95244e66d98bd0d22df49631470f5cc8d0b75e36b1b867522be6124d09471e0628da46b61fbfe2b351

/data/user/0/com.beenbody10/kl.txt

MD5 95efd6b05390b3a742e48f91a9d46d99
SHA1 2575f09211899fa03fc28129cbe358b1eaa8ffb1
SHA256 84044d0e9c6d49992d2a3e035d637fb5deec1781d8de29f97d0704789363bbcc
SHA512 a7479b5492dfe29e1cb872639d9c7b9643931bee7a8cd84e2882be390c0b53e55a4c4440442d1944d827809dad3c9a4c1be0d2439b243f5ef5ae5f9efd8a35c0

/data/user/0/com.beenbody10/kl.txt

MD5 d4d297f25796229392c97303e2566aeb
SHA1 a480d318e7819febb07208d702868a62d9f432ef
SHA256 1a4135d56d85238a48201bf2ce6958d60219d4bb0e0b8700b903605061d494ba
SHA512 093d08ee60dd277cf5d20cf51c6376d2908454abec217850b5910ce392ec9b62197a23088c54ce4241e83478ca33bf665d1abd60612f3c49b50818c12c6826f3

/data/user/0/com.beenbody10/kl.txt

MD5 1a8ac4c6aa27a8825381ba73f7eea978
SHA1 1c64b0e7e03a2383b0c2789cf77212742b6bb29b
SHA256 c8c96b1b35d5dbde443cb0bc9e1465ea02692dae5ff136a1e81ad57ec1507aba
SHA512 674c69d442f579fd0374acc4ca4e5e4774c6de63b006df1e014c968119dee51b7e546fe902ee0b473d59b2b9f15f6c81339a2837edf689c79abaa5aaaee5df88

/data/user/0/com.beenbody10/kl.txt

MD5 ea3ba61a9639ad2e8484aaff074dd805
SHA1 4e8872e87cc5e34c0cf47fcb939064e2e28736fe
SHA256 e1f2cf640b026a37adcbae2df74b755e51a34472fceddd29e21a28fa481d2e1c
SHA512 c302fa5e4766d4eedb3fa181b76833f04267b55b1f03f964755e7ecc9512364bce721dd86f315b8cb7cb332d7e2a26997acce4c0053044f2801c64a0d8c2d9e6

/data/user/0/com.beenbody10/cache/oat/ahkbiiaazb.cur.prof

MD5 7c72788d6d955c727bb929a681b855a7
SHA1 64f6e026d284bf3153c898e16d6711a62c2f3d97
SHA256 519351abbc6404b448c48baa56c5ab8369c59f731ec0b6cc3e5db6fcb2c09a12
SHA512 79bdfd03a1d90ec5755a20e2a2ba464f8c41616b1b0426f010903a2f1751ff9015a22de25f8c163c7edd27f395b0430f618733262d5a1826368febac0119f838