Malware Analysis Report

2024-10-19 12:57

Sample ID 240217-1xdjbsbf84
Target 5f8d3e7abe25c3a918735f5cf7f962495c240ee86be4a0e3037b47bae153496d.bin
SHA256 5f8d3e7abe25c3a918735f5cf7f962495c240ee86be4a0e3037b47bae153496d
Tags
octo banker evasion infostealer rat stealth trojan
score
10/10


Analysis Overview

score
10/10

SHA256

5f8d3e7abe25c3a918735f5cf7f962495c240ee86be4a0e3037b47bae153496d

Threat Level: Known bad

The file 5f8d3e7abe25c3a918735f5cf7f962495c240ee86be4a0e3037b47bae153496d.bin was found to be: Known bad.

Malicious Activity Summary

octo banker evasion infostealer rat stealth trojan

Octo payload

Octo

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Reads information about phone network operator.

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-17 22:01

Signatures

Declares broadcast receivers with permission to handle system events

| Description | Indicator | Process | Target |
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |

Declares services with permission to bind to the system

| Description | Indicator | Process | Target |
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
| Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A |

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-17 22:01

Reported

2024-02-17 22:07

Platform

android-x86-arm-20231215-en

Max time kernel

36s

Max time network

141s

Command Line

com.centerselfv

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |

Makes use of the framework's Accessibility service

| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker

| Description | Indicator | Process | Target |
| Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A |

Removes its main activity from the application launcher

stealth trojan

| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |

Loads dropped Dex/Jar

| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.centerselfv/cache/hloxnfzwnmfaz | N/A | N/A |
| N/A | /data/user/0/com.centerselfv/cache/hloxnfzwnmfaz | N/A | N/A |

Acquires the wake lock

| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion

| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |

Uses Crypto APIs (Might try to encrypt user data)

| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |

Processes

com.centerselfv

Network

| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 142.250.179.234:443 | semanticlocation-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | asamanaproductioneditiontsma.net | udp |
| US | 1.1.1.1:53 | asamanaproductioneditiontols.com | udp |
| US | 1.1.1.1:53 | www.ip-api.com | udp |
| US | 208.95.112.1:80 | www.ip-api.com | tcp |
| US | 1.1.1.1:53 | asamanaproductioneditionalsk.com | udp |
| US | 1.1.1.1:53 | asamanaproductioneditionkdna.net | udp |
| US | 1.1.1.1:53 | asamanaproductioneditionctfm.com | udp |
| US | 1.1.1.1:53 | asamanaproductioneditionpskl.net | udp |
| US | 1.1.1.1:53 | asamanaproductioneditionksla.net | udp |
| RU | 91.240.118.224:443 | 91.240.118.224 | tcp |
| RU | 91.240.118.224:443 | 91.240.118.224 | tcp |
| GB | 142.250.179.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| RU | 91.240.118.224:443 | 91.240.118.224 | tcp |
| GB | 142.250.179.234:443 | semanticlocation-pa.googleapis.com | tcp |
| RU | 91.240.118.224:443 | | tcp |
| RU | 91.240.118.224:443 | | tcp |
| RU | 91.240.118.224:443 | | tcp |

Files

/data/data/com.centerselfv/cache/hloxnfzwnmfaz

MD5 8f31d93863ccf604f9db59e46b521d13
SHA1 187ae24ae4c84074a2c843af89d64937a934e6a8
SHA256 e81fbfe4c70f8b433a0ce67b6a2a0b3e989e2dd59a32db1ca95b93038a05951d
SHA512 14788a8a73bb840bb2cabefed3a827542901fd4c04dfb1687f0b3f88ed28d0680fea242c5cea73ce1d81a22010fd9691c091482a6a125b077afa702713393f40

/data/data/com.centerselfv/kl.txt

MD5 24665df0d3d47746148346007a160f6a
SHA1 fa122eb2db9d2a69662ff554e9a88bbf83dbbb09
SHA256 efcdda2026240a2eccf8a1b631074b6e97d68ca1036aa53cd1799582d6f28e44
SHA512 9b7c6380159ec21d08c9b4290f453d033bcdb4100e16c0f9da4e2ee1ee5ce5ae33735a0bca82af8255c85bd34a875e9107f085a17612c2ce610a9228cd77ff07

/data/data/com.centerselfv/kl.txt

MD5 f4b20e682f2ad0f9cc25099c1e77ccff
SHA1 a64f0e234da0299b13df99fd7df5dcf0c9a4f6b3
SHA256 f221c46e6e3014f2baacf6a82b58e0d404c857931f8f77801c958acd7df125d4
SHA512 fa7a9c4b04b9f0c5393965bd8fcdb790989d7bfe280752a207bc4bf663db6d6253f8d5f8aa7c9c4d6a6e7da5beb2fa14bd01f3e867072f516dfe5001ade888d6

/data/data/com.centerselfv/kl.txt

MD5 00145b71fdc723d694563702283ca95b
SHA1 0e175312c80dd50f99e0957b791bc55107cd855a
SHA256 73420c9adfc5f7db2116ae587b672e7416e5e049817dbf7e4aa8bb7e735ce9b9
SHA512 70bfddd7324b5490c94903fb558ee1c9003816be7c393c193dcdb6bca2bdfb0cd67c3f9e9708c99cf4a62cf5d9ca0f5420fb4bca93771d3a60900698b8bf8030

/data/data/com.centerselfv/kl.txt

MD5 502ab6e4c88c760be9c30a67ea268121
SHA1 d41681bfadbf7bfc69b2f2b99e94cb705a0aef8f
SHA256 194c8bddab1ef572cfab6e4d345cfab4d907cd72fa2cb86723521156655250d8
SHA512 04f6ae03f69432e6390a29ac1f513a5dc1416c49c2db689b3ebddf5a24bccd325b620ef29c11d4256a597102ffa1e9541828433564d9c7de7774b5c6dfe45f58

/data/data/com.centerselfv/kl.txt

MD5 b4df1d49f85e6d71d84140a59ed9021f
SHA1 9060f00b4de8973589639e1f5a29ead6a726212f
SHA256 7e96a398be453d0dfe63d03a2564b3516dacf4fd8fcdae1885d833581b8f9068
SHA512 e38aa3047936d4892bfb261cd5a9626c78914530d0eaa780e5432e3b7cedd320d6d073e4b07a5de77f907a1aa6eac788322108f25a2f5bfd3163bbe5c92b4290

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-17 22:01

Reported

2024-02-17 22:06

Platform

android-x64-arm64-20231215-en

Max time kernel

150s

Max time network

150s

Command Line

com.centerselfv

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |

Makes use of the framework's Accessibility service

| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker

| Description | Indicator | Process | Target |
| Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A |

Loads dropped Dex/Jar

| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.centerselfv/cache/hloxnfzwnmfaz | N/A | N/A |
| N/A | /data/user/0/com.centerselfv/cache/hloxnfzwnmfaz | N/A | N/A |

Acquires the wake lock

| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion

| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |

Uses Crypto APIs (Might try to encrypt user data)

| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |

Processes

com.centerselfv

Network

| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.169.10:443 | | udp |
| GB | 142.250.178.14:443 | | udp |
| GB | 172.217.169.14:443 | | tcp |
| GB | 172.217.169.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.212.200:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | www.ip-api.com | udp |
| US | 208.95.112.1:80 | www.ip-api.com | tcp |
| US | 1.1.1.1:53 | asamanaproductioneditionctfm.com | udp |
| US | 1.1.1.1:53 | asamanaproductioneditionkdna.net | udp |
| US | 1.1.1.1:53 | asamanaproductioneditiontols.com | udp |
| RU | 91.240.118.224:443 | 91.240.118.224 | tcp |
| US | 1.1.1.1:53 | asamanaproductioneditionpskl.net | udp |
| US | 1.1.1.1:53 | asamanaproductioneditiontsma.net | udp |
| US | 1.1.1.1:53 | asamanaproductioneditionksla.net | udp |
| US | 1.1.1.1:53 | asamanaproductioneditionalsk.com | udp |
| RU | 91.240.118.224:443 | 91.240.118.224 | tcp |
| RU | 91.240.118.224:443 | 91.240.118.224 | tcp |
| GB | 142.250.180.4:443 | | tcp |
| GB | 142.250.180.4:443 | | tcp |
| GB | 142.250.180.4:443 | | tcp |
| RU | 91.240.118.224:443 | 91.240.118.224 | tcp |
| RU | 91.240.118.224:443 | 91.240.118.224 | tcp |
| RU | 91.240.118.224:443 | 91.240.118.224 | tcp |
| GB | 142.250.180.2:443 | | tcp |
| RU | 91.240.118.224:443 | 91.240.118.224 | tcp |

Files

/data/user/0/com.centerselfv/cache/hloxnfzwnmfaz

MD5 8f31d93863ccf604f9db59e46b521d13
SHA1 187ae24ae4c84074a2c843af89d64937a934e6a8
SHA256 e81fbfe4c70f8b433a0ce67b6a2a0b3e989e2dd59a32db1ca95b93038a05951d
SHA512 14788a8a73bb840bb2cabefed3a827542901fd4c04dfb1687f0b3f88ed28d0680fea242c5cea73ce1d81a22010fd9691c091482a6a125b077afa702713393f40

/data/user/0/com.centerselfv/kl.txt

MD5 fc95dfc3fc3b28fbec59403cb791d167
SHA1 9a3673ce288d32d3b4e82726dc69e57126fa293a
SHA256 3f7bc5abda4b6e4ff35e8f02dee41e5505a0ed8290124d4d0e9189b1caac0352
SHA512 e7d9613b1e5b92d4da768ca29e54709740b1ff7e4f73825618bce36c4c6fdbb12d96920a7ac8ae798b7269f057c58d837064ec29a085a40f246a66e863db8d39

/data/user/0/com.centerselfv/kl.txt

MD5 4ffbead2b75c25b71ac01ae37950c606
SHA1 510562c2e307c9986a8bf97e9d6c91b95e083114
SHA256 fc1c74ea6af7011dfdef5bfce7a79faa0a1a8e5de757cb55610d73b92ba4c7fd
SHA512 91463789facdcb23e557fe322e04c11bb01347c1491d1564a009fe82a6842e1c47230b0777b619429934564ae77a0afc9480312515439be345dac0c6bdfa8eac

/data/user/0/com.centerselfv/kl.txt

MD5 535dfa13ae327307423f39659dd64d5b
SHA1 39f4bf37571933e224ad744d7d172a54dd9409a3
SHA256 54083024aa5aac480bae021cb280011269ba255ec4b699bd739ea7f8c8e0f3b5
SHA512 dc1d8e03fb7206692030567c8dbd57a431b99f8581bfc318a09f1f2f19edc9787076418f12cd808a797c9baabe3cc99fab8833345335df1dd922595e6fe2f3f2

/data/user/0/com.centerselfv/kl.txt

MD5 24ca20f0efd26c028730199691385855
SHA1 cfc91d7793e815852b69d0cd30e39d802b5bf29b
SHA256 3e7ce1d1ee790e905da58e853d04e086f9d41ce38a52f34f0bcea142f4c07aac
SHA512 951d14ed38d15cca7793bfb13504d6133de9f3641bd862f3503a1e0c3c5051f49c49fb7f8d09d816969ee42e939cb54adf15bad19b021571ae35b356db4bade8

/data/user/0/com.centerselfv/kl.txt

MD5 d9a04f27c42292b37238cc8530c3d971
SHA1 7390ddbc9ad885216e7b859777bb61b09c272662
SHA256 b7d8ea43e2435454838a9de2ae417f2a0c1b30f5207702996bd6876c562570ff
SHA512 62eda0e993ef0dd4079359d7eba5d8c45a6de82a5d3a27ca8476fb1e61da132740cd5632d559572afa2a7441074d96c89ff7799204d92533a0cc9ce65c3d7c79

/data/user/0/com.centerselfv/kl.txt

MD5 5066dda0839922bacf92a941c047c662
SHA1 2a81d66c21841c03efca9ce7b0e2535c4abd36c3
SHA256 f185bd757b7942045dba6a989567785ecf2228aa1d2d6ca2c8b2570739b11e39
SHA512 dddf089871a80201c9af2e75bdb0dcc7a79d61bc5bfb5e14e2361d0949bed0f285e80edb78c794643f21f8813efbad91e3592cb0655a5c4ff177cafbec6efca1

/data/user/0/com.centerselfv/kl.txt

MD5 1f3f5bab0fab9d80f06e0ed5284baf09
SHA1 01e86efbcf46d53960fd25c7014954b3246ed346
SHA256 a3948f8f88cd6a357c759f691e37e1e0c1d638e3fb3e3f36914cdfa09fdf5898
SHA512 86e371eb6b02786e8ca65a9a964cfb0e189f6cd20fd2d056c1d2c05dbed42363b4b3cc8806e5a7a805c6d12622030b171d8128d41c437873f26a0249378e090c

/data/user/0/com.centerselfv/kl.txt

MD5 f453fac8046df34e7c79e6ea566e7ac5
SHA1 d7fab0d911190b059d0f5f6b99840a868388884a
SHA256 add25eb65e239b990489ce29dd4c4ffcfaca0f08f49c901992005a6759f0b763
SHA512 1a92174a9b9c7e62d229c0716bdc88dfcf96b7d284c09227c52bf46af730a5652f8355e6c7b0018f70578e06d9128ef549291ae2c3527fb2a52d1df0a1c14ad2

/data/user/0/com.centerselfv/kl.txt

MD5 512e8211955a5bfdbb471f61bab9dead
SHA1 918ad7b562e5ba56cb70f01b47a34408e526cfaa
SHA256 64be3d220d792541ea306cf0f63764133dbe78a32f9bd5023c26e10bad526496
SHA512 f374285d55c4586416e211b5d7022c4e6d9a9a99c08146047d8ac7ef0e8e885f2ff57170a6bb6af291cb5b8ff6d2f8f5f242435f6038bf995e9ea1e6365104da

/data/user/0/com.centerselfv/kl.txt

MD5 b6e6a68ec154ea008c3d1717fd355a6e
SHA1 886ae593da7c40c2c0710eb252ff33e2053b33ce
SHA256 d011265647cc70d258edd35426c8277ca86d8186301b9a2127c5ceee3432fc98
SHA512 e7627004c5aac13e6e1611ff3b64e46b4538f2d9c33e94798dfbb36d01bb2091c69f59b90869cee640fb141d4dbd823384a182651ea0f78e2d0e13036d6703f5

/data/user/0/com.centerselfv/kl.txt

MD5 f95bdfc627a1fe8a9bb660783754f877
SHA1 2c6fcf6fee4390c95d6a85cfe649b571321f2fc2
SHA256 df423230226642a281a3c8fbd73f7157968491f72f5080e9c4ea62107790b2b1
SHA512 ea37b388944ffca0cd5b288ba6b6e3cd6eddbf9dd8d703bf1de1612fd1f25d24b5e139f1dc5e197fa4ec67b7b972924dc8c6288666e29ebc3be706c87346f194

/data/user/0/com.centerselfv/kl.txt

MD5 bb055cd488d0769a6d52d761de0234c3
SHA1 9cb7fdc6169defaaf1554d876de576ff840e3055
SHA256 b74a18432929b681dae2731f3ecec65e12be18fa565e97d8c9ef0731f080a597
SHA512 6a4e235e6ef8eed47991555952880a8379b67fe1f55a1425bd45f4255b63b23fd87e258cc7e735ebec843bfa9c0b97bc455118edf6448ed59590f5684bf2f4c3

/data/user/0/com.centerselfv/kl.txt

MD5 76b7fee414f7725078782d43274e22c7
SHA1 d26749d0e7b16bd70d050f2bac12858a9e036b04
SHA256 ca0120ddf2d2d34ae7e9afd9e3085dcbe37d720eb217456c035fba0b8a0fc3a8
SHA512 ceb67453739bf096ee4590faade33512cdf8c06159b304c9b980bd07049331b69bb1a2964b1794b786e66f2beafea106f9caaa64ebd1e13eb519de586c83bda0

/data/user/0/com.centerselfv/kl.txt

MD5 6a568f1b3da9783405a7e66132e45382
SHA1 18d17f639d6a4c77e6a92c4d333a3f7b383a5872
SHA256 d1013ed58a0c1e6ff7accadafb844c37a429b37bed30ab64fa67dd99bf379477
SHA512 36d7eee87d9d0379605ee5d8740c2479116795396ab4491a4231f6809c0f2c03570b4d04a39ea245366cb643408dbe9f0190997529d56acd12d3e74429b6a16a

/data/user/0/com.centerselfv/kl.txt

MD5 d98346d0c3087741bd3bfd2207e282f7
SHA1 dbd9baec364076f0347c93336f34fbac1b69bb37
SHA256 3f559de9d2d8dec06ff1af88efed481369d3e461c1d30f20509f302aeeab4dd0
SHA512 92a3f27f0517b934c667f42f0ffc271f3c961188cebf52916d1ea68b13929bf332ae5b716fd5327cbb0229950eaf610cf251cbe7679ebb8f49ddff7a27f42e6a

/data/user/0/com.centerselfv/cache/oat/hloxnfzwnmfaz.cur.prof

MD5 da9eed4051a8b7322c417b2594532678
SHA1 e05ba449aa3ab0b8715b5e8ddb1ec36d70f23c7b
SHA256 7c79d19705fe1dedb83fc5817cc2d1134213fd33c5f28e711e59af2d7dd9734a
SHA512 00a36b9d4a8d555cbe873dc66581a4626abb069b2f8c6f89ebb0f2cc08dbab4ddb4ac93df988e2ed05bfd22b2049f435cc93a4cd9b4e7e630b57432a486282f6

/data/user/0/com.centerselfv/kl.txt

MD5 ce20a32ee92e2925bbcd337c59a133e9
SHA1 84ee583200db0b2d2fed52bbf5727e126fcbfe67
SHA256 de1a77eef71952acb2030d86285a29a6082f915622efc45a683388986fb69f43
SHA512 3efd5c31097ae483853731b482d4b8918e6f6f8591b9c44859861d6e4e79122c8fe66ff5ba8f8287eee3ddcb387f0fe7ee021c11291bf75ebbaa15c4ff5a1498

/data/user/0/com.centerselfv/kl.txt

MD5 c7373fa653dc37dda9118354cc20aff6
SHA1 5e7359eade370d54777082cbb7b28688eb165483
SHA256 cd87a94d49eb21aed4879fe78306642e4026066805b9be4c9aaf150dafdb13c0
SHA512 fd5ce792018cb59982110699a58c4469b49d83f9c9117ec3fbf3928c4100a61d9de89cccd8e7b6b630b6003969b310d007a2d9a2d4759441abc6327aea7192ba

/data/user/0/com.centerselfv/.qcom.centerselfv

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c