Malware Analysis Report

2024-10-19 12:57

Sample ID 240218-1wvq8afa6w
Target 1e9300f1e1015b6d458763a3e4fc726b215186aec0e740f920a71b9c5af5ada0.bin
SHA256 1e9300f1e1015b6d458763a3e4fc726b215186aec0e740f920a71b9c5af5ada0
Tags: octo, banker, infostealer, rat, trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 1e9300f1e1015b6d458763a3e4fc726b215186aec0e740f920a71b9c5af5ada0

Threat Level: Known bad

The file 1e9300f1e1015b6d458763a3e4fc726b215186aec0e740f920a71b9c5af5ada0.bin was found to be: Known bad.

Malicious Activity Summary

Tags: octo, banker, infostealer, rat, trojan

Octo

Octo payload

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Reads information about phone network operator

Declares services with permission to bind to the system

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-02-18 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-18 22:00
Reported: 2024-02-18 22:00
Platform: android-x86-arm-20231215-en
Max time network: 4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.35:80 | | tcp
GB | 142.250.179.228:443 | | tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-18 22:00
Reported: 2024-02-18 22:03
Platform: android-x64-20231215-en
Max time kernel: 146s
Max time network: 158s

Command Line

com.onlyenough7

Signatures

Octo

Tags: banker, trojan, infostealer, rat, octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker

Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.onlyenough7/cache/mksjoybkwiazc | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.onlyenough7

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | asamanaproductioneditiontsma.net | udp
US | 1.1.1.1:53 | asamanaproductioneditionkdna.net | udp
US | 1.1.1.1:53 | asamanaproductioneditionpskl.net | udp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
US | 1.1.1.1:53 | asamanaproductioneditiontols.com | udp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
US | 1.1.1.1:53 | asamanaproductioneditionksla.net | udp
US | 1.1.1.1:53 | asamanaproductioneditionalsk.com | udp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | asamanaproductioneditionctfm.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
GB | 216.58.213.4:443 | | tcp
GB | 216.58.213.4:443 | | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
GB | 216.58.204.78:443 | | tcp
GB | 216.58.201.98:443 | | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp

Files

/data/data/com.onlyenough7/cache/mksjoybkwiazc

MD5 169141bf6637d767cc3adbef0e3f29cd
SHA1 b44a1b231cf4ca5664ab0a7f9026c33d64c610dc
SHA256 eced83ae144d2163642ffadc7a6b0d092ebb85f663bec18c5993f84b3973c2b2
SHA512 ceea3fa1279c3dc693ddff07fc24737b86fa97d8b3543378c2f5898c26928310ec05430368909a5f9c17a0a082a2e31d62992b4d858fa3e455d12accebd136c8

/data/user/0/com.onlyenough7/cache/mksjoybkwiazc

MD5 4ef770fb87b027f2f2025b6d42a30f60
SHA1 488dd38deed969d64154fc578193855fd422cc90
SHA256 e1624a55b8a1845ba588e67f886f28cef6af37477a697df7c713d6cbca65d343
SHA512 39a2091e9a84cff98b565892e362df6bb253c30aa6f5fef220fccaa6d21cfc110cf448b751b4ffa5b0071e46395bea22dc24760f3a18337586116a19468a14c1

/data/data/com.onlyenough7/kl.txt

MD5 8fe043251db914adbb5782d5f11891ae
SHA1 501b7bd67a0795baea14f6951ebb18824d440a50
SHA256 e9291d247982795dee7ffa4c3093ba3396ebfad76dacf46b6c816929c7850e7c
SHA512 3822b59094d5fd3d2ff188fc7aa1e9f2b957d2748d00889b572dd213a66d2d460d68297308a93ac1c175bef1aee6845e6d185e66306c3c0234aab2651f12e07d

/data/data/com.onlyenough7/kl.txt

MD5 0fab7970f47ca29424751acabd6e82b3
SHA1 3861e4b48a4bfb7f057500012369249a9fcc3152
SHA256 1f090aa31870145af4f0f21b29c4609c8f4fa0d543ab6e0a5e0dd1b19e876137
SHA512 a93e4bdee6f08c50d699c2e8ff3ba7e407bdbe55031490061c33cf82a06a7e529d32fa5d48d41b2cf73297c1e99e56223993757e63c4b517a43ae78caa70bcb2

/data/data/com.onlyenough7/kl.txt

MD5 1030a14cf46678bf3202ee1620c2fe6c
SHA1 65f20a3a468ff1e57187f32ebf013b14543a7243
SHA256 390c92196f5d5614676530c81ab4399c567c0407fda55176a666c3e81eb41e4b
SHA512 70db897f9bbcb60a05115a935f77ffcdccd6213655ebf954da369e0d160b866e09ae176fdf4fd311a5834451b2f2fa3cf2a280a7d2fc6eb7d14c6435c4d733da

/data/data/com.onlyenough7/kl.txt

MD5 a790d56d5ff9650b8fcf503abe521cb9
SHA1 8bdcf3107ca186694f4a562566d888f619bfd27b
SHA256 34df87ada78b3a3ce7c4083717db83a01ca2a82c4f90bf2b0f228c514b1358b9
SHA512 17186a4c02d70abd72e50ae3d47b37cffb1ce7f15408c15c6cdb0296470bb517f0fd80027ffa141ed229847ac6af3d4554f5e06a38d1265e177f48abd2391261

/data/data/com.onlyenough7/kl.txt

MD5 3cdd1d57613e7bbb0111699b7007ccb8
SHA1 dccd3cc2bcf268982e4009f1d0c1ca37252298a2
SHA256 7b8f8100ca2101514b60a5d95933ed46b2f747d11ba4c5eff674d6a8df27ebf9
SHA512 bc7413c1147f2cc115117a5785095937b61ca664fd7bd892a75c7522fcb0677274cd9aacc08f0a1e182aa8ddf6278da89f2c6f1b18738c920a8886b1de97c195

/data/data/com.onlyenough7/cache/oat/mksjoybkwiazc.cur.prof

MD5 2bb95f69f7de1c815ab8014d2a1d8503
SHA1 a22d1de782ca402a37effae34929e7648bade08c
SHA256 4605654f86c465c640cbe1dfecfdca2852343bac0099230ad1b8b60f32f91bda
SHA512 a5208ee8fe1d1407a8e65ccaf9e27f803641550b144ffced31798a6edf06576787b5116fad02360f62de231619dc053e917d0f270fe4fa102122e341d3c83311

/data/data/com.onlyenough7/.qcom.onlyenough7

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c