Malware Analysis Report

2024-10-19 12:57

Sample ID 240216-1wnynsge75
Target b67d4ee527387e1dfdd75842abdc3a4e3902035b25799abc013d772e9287c265.bin
SHA256 b67d4ee527387e1dfdd75842abdc3a4e3902035b25799abc013d772e9287c265
Tags: octo banker evasion infostealer rat stealth trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: b67d4ee527387e1dfdd75842abdc3a4e3902035b25799abc013d772e9287c265

Threat Level: Known bad

The file b67d4ee527387e1dfdd75842abdc3a4e3902035b25799abc013d772e9287c265.bin was found to be: Known bad.

Malicious Activity Summary

Tags: octo banker evasion infostealer rat stealth trojan

Octo

Octo payload

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Reads information about phone network operator

Acquires the wake lock

Requests disabling of battery optimizations (often used to enable hiding in the background)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-16 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-16 22:00

Reported

2024-02-16 22:02

Platform

android-x86-arm-20231215-en

Max time kernel

149s

Max time network

152s

Command Line

com.feelthend

Signatures

Octo

Tags: banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker

Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Removes its main activity from the application launcher

Tags: stealth trojan

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.feelthend/app_mph_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.feelthend/app_mph_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.feelthend/app_mph_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.feelthend/cache/dosvrhigwiz | N/A | N/A
N/A | /data/user/0/com.feelthend/cache/dosvrhigwiz | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

Requests disabling of battery optimizations (often used to enable hiding in the background)

Tags: evasion

Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.feelthend

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.feelthend/app_mph_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.feelthend/app_mph_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.234:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | lilisiaplaksiminailmas.com | udp
US | 1.1.1.1:53 | lilisiaplaksiminailmas.xyz | udp
US | 1.1.1.1:53 | lilisiaplaksiminailmas.site | udp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
RU | 2.57.149.104:443 | 2.57.149.104 | tcp
RU | 2.57.149.104:443 | 2.57.149.104 | tcp
RU | 2.57.149.104:443 | 2.57.149.104 | tcp
GB | 172.217.16.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 142.250.187.234:443 | semanticlocation-pa.googleapis.com | tcp
RU | 2.57.149.104:443 | 2.57.149.104 | tcp
RU | 2.57.149.104:443 | 2.57.149.104 | tcp

Files

/data/data/com.feelthend/app_mph_dex/classes.dex

/data/user/0/com.feelthend/app_mph_dex/classes.dex

/data/data/com.feelthend/cache/dosvrhigwiz

/data/data/com.feelthend/cache/oat/dosvrhigwiz.cur.prof

/data/data/com.feelthend/.qcom.feelthend


Analysis: behavioral2

Detonation Overview

Submitted

2024-02-16 22:00

Reported

2024-02-16 22:02

Platform

android-x64-20231215-en

Max time kernel

146s

Max time network

150s

Command Line

com.feelthend

Signatures

Octo

Tags: banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker

Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.feelthend/app_mph_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.feelthend/app_mph_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.feelthend/cache/dosvrhigwiz | N/A | N/A
N/A | /data/user/0/com.feelthend/cache/dosvrhigwiz | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.feelthend

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | lilisiaplaksiminailmas.com | udp
RU | 2.57.149.104:443 | 2.57.149.104 | tcp
RU | 2.57.149.104:443 | 2.57.149.104 | tcp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
US | 1.1.1.1:53 | lilisiaplaksiminailmas.xyz | udp
US | 1.1.1.1:53 | lilisiaplaksiminailmas.site | udp
RU | 2.57.149.104:443 | 2.57.149.104 | tcp
GB | 172.217.16.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 172.217.169.42:443 | N/A | tcp
GB | 142.250.178.4:443 | N/A | tcp
GB | 142.250.178.4:443 | N/A | tcp
RU | 2.57.149.104:443 | 2.57.149.104 | tcp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 216.58.201.98:443 | N/A | tcp
RU | 2.57.149.104:443 | 2.57.149.104 | tcp

Files

/data/data/com.feelthend/app_mph_dex/classes.dex

/data/data/com.feelthend/cache/dosvrhigwiz

/data/data/com.feelthend/cache/oat/dosvrhigwiz.cur.prof

/data/data/com.feelthend/.qcom.feelthend
