Malware Analysis Report

2024-10-19 12:57

Sample ID 240216-1w649age84
Target 0b89fd06da5bcb4c84a2c366bcb76023b07c4852658a913c6847d00075208a73.bin
SHA256 0b89fd06da5bcb4c84a2c366bcb76023b07c4852658a913c6847d00075208a73
Tags
octo banker evasion infostealer rat stealth trojan
score
10/10


Analysis Overview

Threat Level: Known bad

The file 0b89fd06da5bcb4c84a2c366bcb76023b07c4852658a913c6847d00075208a73.bin was found to be: Known bad.

Malicious Activity Summary

octo banker evasion infostealer rat stealth trojan

Octo

Octo payload

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Reads information about the phone's network operator.

Acquires the wake lock

Uses Crypto APIs (might try to encrypt user data)

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-16 22:01

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-16 22:01

Reported

2024-02-16 22:05

Platform

android-x86-arm-20231215-en

Max time kernel

144s

Max time network

136s

Command Line

com.moonmoney52

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Makes use of the framework's Accessibility service

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Removes its main activity from the application launcher

stealth trojan
Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.moonmoney52/cache/vbazninjrhltfh N/A N/A
N/A /data/user/0/com.moonmoney52/cache/vbazninjrhltfh N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about the phone's network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.moonmoney52

Network


Files

/data/data/com.moonmoney52/cache/vbazninjrhltfh

/data/data/com.moonmoney52/kl.txt (five distinct versions written during detonation)

/data/data/com.moonmoney52/cache/oat/vbazninjrhltfh.cur.prof

/data/data/com.moonmoney52/.qcom.moonmoney52

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-16 22:01

Reported

2024-02-16 22:06

Platform

android-x64-20231215-en

Max time kernel

157s

Max time network

139s

Command Line

com.moonmoney52

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Makes use of the framework's Accessibility service

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.moonmoney52/cache/vbazninjrhltfh N/A N/A
N/A /data/user/0/com.moonmoney52/cache/vbazninjrhltfh N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about the phone's network operator.

Uses Crypto APIs (might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.moonmoney52

Network


Files

/data/data/com.moonmoney52/cache/vbazninjrhltfh

/data/data/com.moonmoney52/kl.txt (five distinct versions written during detonation)

/data/data/com.moonmoney52/cache/oat/vbazninjrhltfh.cur.prof

/data/data/com.moonmoney52/.qcom.moonmoney52