Malware Analysis Report

2024-10-19 12:57

Sample ID 240219-1xefmaec31
Target 638d1b55ffa756a9e44080d1f6271e8450a59a3ca9b1af0b54473b8792e3ec80.bin
SHA256 638d1b55ffa756a9e44080d1f6271e8450a59a3ca9b1af0b54473b8792e3ec80
Tags octo banker evasion infostealer rat stealth trojan
Score 10/10

Analysis Overview

Score
10/10

SHA256

638d1b55ffa756a9e44080d1f6271e8450a59a3ca9b1af0b54473b8792e3ec80

Threat Level: Known bad

The file 638d1b55ffa756a9e44080d1f6271e8450a59a3ca9b1af0b54473b8792e3ec80.bin was found to be: Known bad.

Malicious Activity Summary

octo banker evasion infostealer rat stealth trojan

Octo payload

Octo

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests dangerous framework permissions

Reads information about phone network operator.

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-19 22:01

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-19 22:01

Reported

2024-02-19 22:06

Platform

android-x86-arm-20231215-en

Max time kernel

146s

Max time network

145s

Command Line

com.selfbroughtuo

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker
Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Removes its main activity from the application launcher

stealth trojan
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.selfbroughtuo/cache/wfudsluvg | N/A | N/A
N/A | /data/user/0/com.selfbroughtuo/cache/wfudsluvg | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.selfbroughtuo

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.179.234:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 1.1.1.1:53 | asamanaproductioneditionalsk.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
US | 1.1.1.1:53 | asamanaproductioneditiontsma.net | udp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
US | 1.1.1.1:53 | asamanaproductioneditionpskl.net | udp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
GB | 216.58.201.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp

Files

/data/data/com.selfbroughtuo/cache/wfudsluvg

MD5 f71c1fa9154c4647f51ae499d2c31671
SHA1 da1c89eb3566c49c16e98d072eeef138f92194c0
SHA256 b2a66cc77f9496f885b06d1152d615f94e560a26456a8082c34ca92d04857f1e
SHA512 36a75332db9068afe731b9f336279c814e91e29f5d05aac3b752feae4029653c3be0b58243ef90bd652c2ddd8a4b4555592af172655a6797afc6cf059b9b4ed4

/data/data/com.selfbroughtuo/kl.txt

MD5 bbfc916140edada44840ad3b33e62ec6
SHA1 9df44d08c32b1726095dc34395610c332e822cf3
SHA256 8d2611b0ad6852b5e8da36227ce358d7dc0710a7b98217691c27531d319a72fe
SHA512 f1e80f877688c3793628f5c62ee9efc3b37edfd2d004a2ef09d33c3fad9ca232af74bbd8fc43827b44bec7e7c364e1ab777a408a7221aa087e944643b24b2224

/data/data/com.selfbroughtuo/kl.txt

MD5 d1e6115c384f07045d8af850c0714ac6
SHA1 337ae731c3f509c7e304c1cd294c88d324db78f7
SHA256 e6c9f0998b33d3124ea761b091f14381b153dfff9df36b13b59655f0467c11da
SHA512 b923827bbb2404ff9658091d02197c519f79d01be7b4f43cce8b30d8b0691db5e05048a88af691a71be16d5938f59021117382aedec576ec28ec4374682ec985

/data/data/com.selfbroughtuo/kl.txt

MD5 13389dc924e5b123adc5de8b45bcb3c4
SHA1 5bc1cf796dd4d758c2b157c33b701ff5fe54d217
SHA256 c858ae4597d2901a0681f702f9537491a99ec70269ae2621f3bfd6ef04065e11
SHA512 dc9420428cbd246f1209f61723992e70f5de1ab83184a6d0c354584494485fa52ceacf8d32b35055d25e1ac75d9cf42011e0922572bba1c2269ffd311dbbb40d

/data/data/com.selfbroughtuo/kl.txt

MD5 dc0033b6e666b215573f8dfa098416c6
SHA1 9c231fb35704c4da275b4f17b8250fbb0848f6dd
SHA256 48902d53fdf682aec427574b1ec36b4545d279fe9c437bee52afdd6a22ea6cbc
SHA512 ffcf50cba9f1a06d1d0b93db9241de7809d787732dbd64dbb384ff4135db6b4b5646e69e18e7cc2b3398f57fed33d69b321542e061e1d863aa3acf30d77cdd9d

/data/data/com.selfbroughtuo/kl.txt

MD5 be425a3d880bcde73fc0276c92571e1f
SHA1 c5a1f118237ed335dac28ede00eff2db07f01c16
SHA256 bd6f74c850ae35d9016b1476c4b3c0715ac8e8b7a5aa63867da4d1aa7db462f8
SHA512 4538268db7c56e41192eb206236203d35121527257325f02317d84be5b41b8ac38c3fade53166f2fe84056d1f63f0f78c511df9a499619a196977c2ae8b324fb

/data/data/com.selfbroughtuo/cache/oat/wfudsluvg.cur.prof

MD5 d339173ee35cfc890829e22353283c84
SHA1 e7765d510aa2667953721ca14b35f9135a0f22be
SHA256 afef65b1bcaa285bb3a9d17ef5971d2afd8c592c7359989ea658a791fcc73129
SHA512 2b5c6c5a3f226ecd27d5ffbe48596bf8e08d646dba6fa20ac1d790d3e613896a7dfe1607f816dacb8f49357e6ac7b96945346c47af374f01ad01adb6ddd1ce39

/data/data/com.selfbroughtuo/.qcom.selfbroughtuo

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-19 22:01

Reported

2024-02-19 22:06

Platform

android-x64-20231215-en

Max time kernel

152s

Max time network

160s

Command Line

com.selfbroughtuo

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker
Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.selfbroughtuo/cache/wfudsluvg | N/A | N/A
N/A | /data/user/0/com.selfbroughtuo/cache/wfudsluvg | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.selfbroughtuo

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.200:443 | ssl.google-analytics.com | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
US | 1.1.1.1:53 | asamanaproductioneditionpskl.net | udp
US | 1.1.1.1:53 | asamanaproductioneditionkdna.net | udp
US | 1.1.1.1:53 | asamanaproductioneditiontols.com | udp
US | 1.1.1.1:53 | asamanaproductioneditionctfm.com | udp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
GB | 172.217.169.46:443 | | tcp
GB | 142.250.200.2:443 | | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | | tcp

Files

/data/data/com.selfbroughtuo/cache/wfudsluvg

MD5 f71c1fa9154c4647f51ae499d2c31671
SHA1 da1c89eb3566c49c16e98d072eeef138f92194c0
SHA256 b2a66cc77f9496f885b06d1152d615f94e560a26456a8082c34ca92d04857f1e
SHA512 36a75332db9068afe731b9f336279c814e91e29f5d05aac3b752feae4029653c3be0b58243ef90bd652c2ddd8a4b4555592af172655a6797afc6cf059b9b4ed4

/data/data/com.selfbroughtuo/kl.txt

MD5 32c2ed280ef1847d59cf8dbc6664865b
SHA1 a4d5d700f6a6f8868835cd3f86c2d2dad486029e
SHA256 46221ae05c8527f33b1757b0566e412cbf40b38f5ae0c920798e85ce69f79b6a
SHA512 a551fbbaa674e49f09593bb2c7db222220554d57c83e8563bf4540b06766aaa3cf5956d98a805a4b4abf0a543e71083bdf10cefd347a13bf01b6106cc9bde3bc

/data/data/com.selfbroughtuo/kl.txt

MD5 97f19109a1703fb00a5d285948e6a512
SHA1 59aab9cb44f7eca0b5f7e3c538385d6aaefbb7f4
SHA256 e6a16d81b594182918ad616dc0fac2fa3d79088a9ea27902b8ead3365ececfdb
SHA512 419e5dad21d424f0822ab984cb20837d3602bea543533af8cdcc6569516ec10b0b3bf1301e8e5969482d673fa1d6672d2d5137aa255a275e71800cc7dc351891

/data/data/com.selfbroughtuo/kl.txt

MD5 64f850241c9c173315c2598d257d072c
SHA1 04da6b0a57bf25e9ab6415dd71f253b494c19297
SHA256 c7b85cb7858b71f9966b5c201caee1fa49dfef7da21b1e7c469d0beccdcfdbcb
SHA512 7f1bcafae89196293ab9f65d8315b65414dea4d9ecc1aac69e4540e17fda0d654b372b2c8bfdbee03d917a97df0d2d523764a7a4dc048f4a98a091c85c00f4f0

/data/data/com.selfbroughtuo/kl.txt

MD5 8e2c2d0b6ecdaa7befa2e357978dc3c5
SHA1 93d416cda385597ac4d31e89b1ea9c06881eecb1
SHA256 308444b123a3e9149b1d40f03ae96fd176f7dde65cc67a2624d214ec38a454f9
SHA512 a2e5d94de5687141b55aaa5e6b794ccf630269b257f82ef4c8afd12bc180979fe88dce0ad949625f6fd038e7703a8251ab5c2ca50e863c474fd17ac8cffef4bf

/data/data/com.selfbroughtuo/kl.txt

MD5 8206cef84ebe84cfc4171b187f1872f8
SHA1 1acf75b2d3fb5f9ef8037979d0ea26d687c171d1
SHA256 3def7c616657f1ac963ccdf8ec2a23b28d983e7fe427a6f6440bf4432b2e3e98
SHA512 46299559732df22dfd6fcffc83b922b6c2e66bc70398e47dae41134b10e1b2bec52cc7298b3c544ea460c1a811f4ab410b9568f9ef9610db5819afca32c5ba41

/data/data/com.selfbroughtuo/cache/oat/wfudsluvg.cur.prof

MD5 9984c9eaf8e82df8aeffb3ce3d1c1beb
SHA1 64e645e1c12068f5586e78116383ac6c8b5920f9
SHA256 e6669008aae806c7baedcd541a85d5d49fdeb887a8c814b5e07a095997e8b40e
SHA512 f70b5ae28792ad1f17197f3a31d83ddcd888326dd69a1d5d088fc25b7349b87f6a59bc2b495222294dc31df83474738a05c8bf51703864e5e2ec9cc3b4afcd7d

/data/data/com.selfbroughtuo/.qcom.selfbroughtuo

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c