Malware Analysis Report

2024-10-19 12:57

Sample ID 240217-1w1x8sbb7t
Target 85fe2fbfa2a5bc2047439ffb0f7426166f43ecaf353f6194e15a46898b045f8f.bin
SHA256 85fe2fbfa2a5bc2047439ffb0f7426166f43ecaf353f6194e15a46898b045f8f
Tags
octo banker evasion infostealer rat stealth trojan
Score
10/10

Analysis Overview

Threat Level: Known bad

The file 85fe2fbfa2a5bc2047439ffb0f7426166f43ecaf353f6194e15a46898b045f8f.bin was found to be: Known bad.

Malicious Activity Summary

octo banker evasion infostealer rat stealth trojan

Octo payload

Octo

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Requests disabling of battery optimizations (often used to enable hiding in the background).

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Requests dangerous framework permissions

Declares services with permission to bind to the system

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-17 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-17 22:00

Reported

2024-02-17 22:05

Platform

android-x86-arm-20231215-en

Max time kernel

144s

Max time network

136s

Command Line

com.showfigurejvt

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker

Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Removes its main activity from the application launcher

stealth trojan

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.showfigurejvt/cache/stxynlhnv | N/A | N/A
N/A | /data/user/0/com.showfigurejvt/cache/stxynlhnv | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion

Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.showfigurejvt

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.213.10:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | asamanaproductioneditionctfm.com | udp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
US | 1.1.1.1:53 | asamanaproductioneditionkdna.net | udp
US | 1.1.1.1:53 | asamanaproductioneditiontols.com | udp
US | 1.1.1.1:53 | asamanaproductioneditionpskl.net | udp
US | 1.1.1.1:53 | asamanaproductioneditionalsk.com | udp
US | 1.1.1.1:53 | asamanaproductioneditionksla.net | udp
US | 1.1.1.1:53 | asamanaproductioneditiontsma.net | udp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp

Files

/data/data/com.showfigurejvt/cache/stxynlhnv

MD5 3e537571a2320495a1eaebbe053e8327
SHA1 3d09d85960a1c483e2c078f30d15bcef8ec87adb
SHA256 150f5106cd0c7bc969cc850c299148391dc769b63f825c2f6da8748b1410859f
SHA512 1396a25c175e19a141efb3d703f3b9c6f7cfb03059f50197aa88b7256793814da027c928e623bd1ec238eb787c70f9283a23c147d88d45c06e14afd34a443d56

/data/data/com.showfigurejvt/kl.txt

MD5 2deded09d601d402906e3b1880c7b56f
SHA1 ceb62203973a70d76ad5dc73963e6221d342d8db
SHA256 3b9e6122f8cc3e05cf5f378f1043fe313707c7475624f5b250020d8201743772
SHA512 d9e82766fb42219f8958ad2ca4cb34e9284aa8d166be4a94bb470a9321770566d704a0dbfbf5e9da9be3725758ea213aa7f8e8c0ae5cc3d25a006439ef80f572

/data/data/com.showfigurejvt/kl.txt

MD5 edaf5839c82c066c61b5bc3a5e844909
SHA1 993496ae03dbff186cfc6b76bf4679217ffd2a55
SHA256 6c2db56df0fc358d805c0feb83d01e97950414672dab5317a92c8f6b13aa1bd7
SHA512 917b84a542ec1bf7521ec9aebe56e8c389cd3734cffbbd9459fea4081bc1c2cb85125dba8af25578dceb32b9492e54984d4c4d748648ca6aa847b7bc56d2b962

/data/data/com.showfigurejvt/kl.txt

MD5 d52349d0bafb708ed00a0227dee123c6
SHA1 71e2120b4cb7a4fa5c72d16a67fc6a8281e3cdb6
SHA256 6417075cb40406c951ab90c63e7aea140a342a3a08b89369d6a9693f61d3b9ae
SHA512 e42960daecaa6b565f9f1505038d2faeeaf97dca8a326fb50f5c1c9864999d7e0ffd62b301d454730d26a269f2320a82cb29d8377bca5f13315f5e83b012ef99

/data/data/com.showfigurejvt/kl.txt

MD5 81157ee10c9613f92d1ca88611582a84
SHA1 d2b316b2bbc6d2939af047e616354c6212f7e14e
SHA256 348473aa5af5268815d4f182a11dd6689a6083c22a0c591d1c09534b084bf652
SHA512 5be6711ceb6190009cbe497b297c4d9cdf12757a87658ee0c4fb81b2b6ea50fd4c36a461adb722b833584ba4ca88cd745e8239cd746a743a0c787eae5ea60fce

/data/data/com.showfigurejvt/kl.txt

MD5 76d23ef33ec52589e1266d704b45ea95
SHA1 5e2a39b0338a5ef5e05e1175711fab8780296820
SHA256 2376f01859b560c7f706f2e517123d3064165fcd0cdd832dc695932d11480733
SHA512 3bafe71a5f1d8190980118534616f2ec23a56844ef7d1b1f68bc09f5becdfa7f9b5de1243b11253e53b563f6da551e2d754049b7244defe3b4335afa2c9dca76

/data/data/com.showfigurejvt/cache/oat/stxynlhnv.cur.prof

MD5 0a9a61d42d1e293dd8a4015615f9ce4b
SHA1 90ebd916dacf4cf157dd050c9317f180c7e9692b
SHA256 2ce8799e3c37457dab947069e04d477278d37740e4497928194741911a12c9e1
SHA512 b2cd4a076aabd341819c71fb7ebcb7984af0afb2be9864cc5def7414a44e571e70f6388d8f176bf8bc575a3c3aca0d3dc6b930d2934ea9097141950187ea404b

/data/data/com.showfigurejvt/.qcom.showfigurejvt

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-17 22:00

Reported

2024-02-17 22:05

Platform

android-x64-20231215-en

Max time kernel

156s

Max time network

152s

Command Line

com.showfigurejvt

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker

Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.showfigurejvt/cache/stxynlhnv | N/A | N/A
N/A | /data/user/0/com.showfigurejvt/cache/stxynlhnv | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.showfigurejvt

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | asamanaproductioneditionalsk.com | udp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
GB | 216.58.213.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
GB | 172.217.169.4:443 | | tcp
GB | 172.217.169.4:443 | | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
GB | 172.217.16.238:443 | | tcp
GB | 142.250.200.34:443 | | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp

Files

/data/data/com.showfigurejvt/cache/stxynlhnv

MD5 3e537571a2320495a1eaebbe053e8327
SHA1 3d09d85960a1c483e2c078f30d15bcef8ec87adb
SHA256 150f5106cd0c7bc969cc850c299148391dc769b63f825c2f6da8748b1410859f
SHA512 1396a25c175e19a141efb3d703f3b9c6f7cfb03059f50197aa88b7256793814da027c928e623bd1ec238eb787c70f9283a23c147d88d45c06e14afd34a443d56

/data/data/com.showfigurejvt/kl.txt

MD5 da2900d07ddec9f516b7bf4a7dfded2e
SHA1 452513998e9e7372c39cb3d929fe7e54107a2f90
SHA256 e212b27b9aac5ce8acfb863b7d4bd3f734801490cbc4bdbe356ec1731387014e
SHA512 c28aef6242eae8e05457770fc213caf3fae0cdf15bfe379662ba7f3d79f7fb5e1937d725f1a7208e08c53ec4c31063a1f57d9fa3cb3920c457acc21fd8e5b7cf

/data/data/com.showfigurejvt/kl.txt

MD5 66f847e9af8275aa256d6fa730907c42
SHA1 e32c273ddb7e9cdca0b25b6598f8cbbcdb7164bd
SHA256 81f901e85aef4d29f5616c073f934d328513397498be73ae1c5a83454a00eb9e
SHA512 7e71599d915b4c79df72e3286ce853972a5c19ac997a04435b5c59c55c3224af6b4b238b9f570bda22f0f7757ab2c867a07294c8c6f1dbd912f8958b97c7a299

/data/data/com.showfigurejvt/kl.txt

MD5 07f93e02578dcd6ace065f33bd0476bf
SHA1 e19b4f05c1c56d222de6871ceeeb03e412cd8d21
SHA256 7478c1598a48857e2a9f2aba59b4a8caa1468c251f670359e32d40f868a03130
SHA512 e8d17d0593c99da1cfc15aaeb3b1bb5566967c1f6e4979acd2edcc3a8966eb66e0ff2653a5b3079b14971df258252039293298c786ae2711da3711ef46788907

/data/data/com.showfigurejvt/kl.txt

MD5 274cb19bbb3659675db128858e66696c
SHA1 31663626e34d179fa914fd5d8e036530414484b8
SHA256 585236ac64195ff59984f079536b193d89a871e2c98df2a6fe4bed853608cea5
SHA512 5ef4bc28d482203d9db504c8bb6e9d23db26a150a67b25125eb836a7ad3e9424a1850634465a2038c3dcaca25f3fd98b229f6a74400a96944a334f843ce2d0b1

/data/data/com.showfigurejvt/kl.txt

MD5 03f548317b8c44eeada65047086890dc
SHA1 78203d81c1d8c46f7ce8e5f5b9687c65f9aaffbe
SHA256 d62e0657eaff7547626323ae860f5664b41be21bea79984bc282343fe7b2ae14
SHA512 4d17505f9d8b7092d6a730cbc9a90efad7ebdc010c0f33a126a9ba189adc03a7e38c383085f7ec2a9844bffc9d4efa47bf14507e52257d7910a1edc77ad786f3

/data/data/com.showfigurejvt/cache/oat/stxynlhnv.cur.prof

MD5 fbd7420a59b6f05344d426d6252792d5
SHA1 ee669aeccfcd754b03c628378f7dbefd5142e5fd
SHA256 b3620482ec4c329bdb68a0fa87d42ff473393b9466a56f045348e9ed06c80286
SHA512 d416523294de0ea33428d9ff9afd916cfae46dd1392be9df1ae03e2a941931b079d24b8acc7e4160fafd19ef31a369cd9cb4d30dfc83d773bf736c60fd7e4f53

/data/data/com.showfigurejvt/.qcom.showfigurejvt

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c