Malware Analysis Report

2024-10-19 12:57

Sample ID 240220-1wth6aga59
Target d135d7e49193382c81aeb05c0940cceecf31608e326300fb1406fcf9d697d1b4.bin
SHA256 d135d7e49193382c81aeb05c0940cceecf31608e326300fb1406fcf9d697d1b4
Tags
octo banker evasion infostealer rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d135d7e49193382c81aeb05c0940cceecf31608e326300fb1406fcf9d697d1b4

Threat Level: Known bad

The file d135d7e49193382c81aeb05c0940cceecf31608e326300fb1406fcf9d697d1b4.bin was found to be: Known bad.

Malicious Activity Summary

octo banker evasion infostealer rat stealth trojan

Octo

Octo payload

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Requests dangerous framework permissions

Declares services with permission to bind to the system

Acquires the wake lock

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Requests disabling of battery optimizations (often used to enable hiding in the background).

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-20 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
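The static pass above is, in effect, a manifest review: which permissions are requested and which services or receivers carry a bind permission that only the system should hold. The script below is an added example (not part of this report or of the sandbox's own tooling) that performs that review over a decoded AndroidManifest.xml. The manifest text is constructed here; its package name, component class names and exact permission set are illustrative assumptions chosen to mirror the findings listed above. Run it against the output of a real decoder (apktool or similar) to reproduce the checks on another sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree spells android:name as {ns}name

# Permission sets mirrored from the static signatures in this report.
DANGEROUS = {
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
    "android.permission.WRITE_SETTINGS",
}
BIND_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
    "android.permission.BIND_DEVICE_ADMIN": "device admin receiver",
}
SMS_TRIAD = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}

# Constructed sample manifest (assumption: decoded XML as apktool emits it).
# Package and class names are placeholders, not taken from the analysed APK.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name=".Notif" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Flag dangerous permissions and system-bound components in a decoded manifest."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    bound = []
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(A + "permission")
            if perm in BIND_PERMISSIONS:
                bound.append((tag, comp.get(A + "name"), BIND_PERMISSIONS[perm]))
    return {
        "package": root.get("package"),
        "dangerous": sorted(requested & DANGEROUS),
        "bound_components": bound,
        # receive + read + send together is the full control an SMS-intercepting
        # banker needs; any one alone has plenty of benign uses
        "full_sms_control": SMS_TRIAD <= requested,
        # a launcher entry that later disappears is the "hides from launcher" signature
        "has_launcher_activity": any(
            c.get(A + "name") == "android.intent.category.LAUNCHER"
            for c in root.iter("category")),
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The bind-permission check is the one worth keeping even if everything else is noise: a service declared with BIND_ACCESSIBILITY_SERVICE or a receiver with BIND_DEVICE_ADMIN is rare in legitimate consumer apps and, combined with the SMS triad, is a strong pre-detonation indicator.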

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-20 22:00

Reported

2024-02-20 22:03

Platform

android-x86-arm-20231215-en

Max time kernel

40s

Max time network

131s

Command Line

com.looksurface85

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker
Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Removes its main activity from the application launcher

stealth trojan
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.looksurface85/cache/lmjzyibakimpw | N/A | N/A
N/A | /data/user/0/com.looksurface85/cache/lmjzyibakimpw | N/A | N/A
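The dropped file above has a random name and no extension, so type identification has to come from content, not from the path. The script below is an added example (not part of this report or of the sandbox) of how an analyst checks a blob pulled from an app's cache directory: classify it by magic bytes, and for DEX files re-derive the header's Adler-32 checksum and SHA-1 signature so that a truncated or still-encrypted blob is not mistaken for a loadable payload. The DEX-shaped blob it builds is constructed for the demonstration (a valid header over an opaque body, not a loadable DEX); nothing here is the hash or content of the real lmjzyibakimpw.

```python
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n"          # followed by a 3-digit version and NUL, e.g. b"035\0"
ZIP_MAGIC = b"PK\x03\x04"     # a JAR is a ZIP container
DEX_HEADER_SIZE = 0x70
LITTLE_ENDIAN_TAG = 0x12345678


def classify_blob(data: bytes) -> str:
    """Coarse type from magic bytes; 'other' covers logs, encrypted blobs and so on."""
    if data.startswith(DEX_MAGIC) and len(data) >= DEX_HEADER_SIZE:
        return "dex"
    if data.startswith(ZIP_MAGIC):
        return "zip/jar"
    return "other"


def dex_header_checks(data: bytes) -> dict:
    """Re-derive the integrity fields of a DEX header.

    Layout: magic[8] | checksum u32 @8 (Adler-32 over bytes 12..end) |
    signature[20] @12 (SHA-1 over bytes 32..end) | file_size u32 @32 |
    header_size u32 @36 (always 0x70) | endian_tag u32 @40.
    """
    version = data[4:7].decode("ascii", "replace")
    (stored_checksum,) = struct.unpack_from("<I", data, 8)
    stored_signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    return {
        "version": version,
        "file_size_ok": file_size == len(data),
        "header_size_ok": header_size == DEX_HEADER_SIZE,
        "little_endian": endian_tag == LITTLE_ENDIAN_TAG,
        "checksum_ok": stored_checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF),
        "signature_ok": stored_signature == hashlib.sha1(data[32:]).digest(),
    }


def build_sample_dex(body: bytes) -> bytes:
    """Constructed DEX-shaped blob: a self-consistent 0x70-byte header over an opaque body.

    Not a loadable DEX (no string/type/method tables); it exists so the checks above
    can be exercised offline against something whose checksum and signature are right.
    """
    total = DEX_HEADER_SIZE + len(body)
    tail = struct.pack("<III", total, DEX_HEADER_SIZE, LITTLE_ENDIAN_TAG)
    tail += b"\0" * (DEX_HEADER_SIZE - 44) + body        # remaining header fields zeroed
    signed = hashlib.sha1(tail).digest() + tail          # everything from offset 12 on
    checksum = zlib.adler32(signed) & 0xFFFFFFFF
    return DEX_MAGIC + b"035\0" + struct.pack("<I", checksum) + signed


def triage_dropped_files(files: dict) -> list:
    """For each {path: bytes}, record type, SHA-256 and, for DEX, header validity."""
    report = []
    for path, data in files.items():
        entry = {"path": path, "type": classify_blob(data),
                 "sha256": hashlib.sha256(data).hexdigest()}
        if entry["type"] == "dex":
            checks = dex_header_checks(data)
            entry["dex_header_valid"] = all(v for k, v in checks.items() if k != "version")
        report.append(entry)
    return report


if __name__ == "__main__":
    # Constructed inputs; paths are placeholders in the same layout the report shows.
    sample = {
        "/data/user/0/com.example/cache/rnd0mname": build_sample_dex(b"\x01" * 16),
        "/data/user/0/com.example/cache/plugin.bin": ZIP_MAGIC + b"\0" * 26,
        "/data/user/0/com.example/kl.txt": b"constructed log line\n",
    }
    for entry in triage_dropped_files(sample):
        print(entry)
```

A blob whose magic matches but whose checksum or signature does not is usually either cut short by the sandbox timeout or not yet decrypted at the moment it was captured; in both cases the SHA-256 in the Files section will not match what the loader actually executed, which matters when the hash is going into a block list.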

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.looksurface85

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | asamanaproductioneditionksla.net | udp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
US | 1.1.1.1:53 | asamanaproductioneditiontsma.net | udp
US | 1.1.1.1:53 | asamanaproductioneditionctfm.com | udp
US | 1.1.1.1:53 | asamanaproductioneditionalsk.com | udp
US | 1.1.1.1:53 | asamanaproductioneditiontols.com | udp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
US | 1.1.1.1:53 | asamanaproductioneditionkdna.net | udp
US | 1.1.1.1:53 | asamanaproductioneditionpskl.net | udp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | | tcp
RU | 91.240.118.224:443 | | tcp
RU | 91.240.118.224:443 | | tcp
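The network table is the part of this report that turns into blocking and hunting rules, and it repays a second look: seven lookups for names that differ only in a four-letter suffix, a geolocation check against ip-api.com, and repeated TLS sessions to one bare IP with no name attached. The script below is an added example (not part of this report or of the sandbox) that parses the rows exactly as the sandbox prints them and pulls those three observations out mechanically. NETWORK_ROWS is copied from the behavioral1 table above; the clustering thresholds (prefix_len, min_cluster) are illustrative assumptions, not values the sandbox uses.

```python
from collections import Counter, defaultdict

# Rows copied from the behavioral1 Network table of this report, in the
# sandbox's flat layout: Country Destination [Domain] Proto. The Domain
# column is blank on some rows and on others repeats the bare IP.
NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 asamanaproductioneditionksla.net udp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 asamanaproductioneditiontsma.net udp
US 1.1.1.1:53 asamanaproductioneditionctfm.com udp
US 1.1.1.1:53 asamanaproductioneditionalsk.com udp
US 1.1.1.1:53 asamanaproductioneditiontols.com udp
RU 91.240.118.224:443 91.240.118.224 tcp
US 1.1.1.1:53 asamanaproductioneditionkdna.net udp
US 1.1.1.1:53 asamanaproductioneditionpskl.net udp
RU 91.240.118.224:443 91.240.118.224 tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
RU 91.240.118.224:443 91.240.118.224 tcp
RU 91.240.118.224:443 tcp
RU 91.240.118.224:443 tcp
RU 91.240.118.224:443 tcp
"""


def parse_rows(text: str) -> list:
    """Parse the sandbox's whitespace-separated rows, tolerating a missing Domain column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, ""
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, _, port = dest.rpartition(":")
        if domain == ip:            # the sandbox echoes the IP when no name is known
            domain = ""
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarize(rows: list, prefix_len: int = 12, min_cluster: int = 3) -> dict:
    """Derive IOCs: busiest TCP endpoint, name-rotation clusters, lookups never connected to."""
    lookups = {r["domain"] for r in rows if r["port"] == 53 and r["domain"]}
    connected = {r["domain"] for r in rows if r["proto"] == "tcp" and r["domain"]}
    # Names sharing a long label prefix and differing only in a short suffix are a
    # rotation/fallback pattern: block the prefix pattern, not one name at a time.
    clusters = defaultdict(set)
    for name in lookups:
        label = name.split(".")[0]
        if len(label) >= prefix_len:
            clusters[label[:prefix_len]].add(name)
    rotating = {k: sorted(v) for k, v in clusters.items() if len(v) >= min_cluster}
    tcp_targets = Counter((r["ip"], r["port"]) for r in rows if r["proto"] == "tcp")
    return {
        "top_tcp_target": tcp_targets.most_common(1)[0],
        "rotating_name_clusters": rotating,
        # looked up but never reached over TCP inside the capture window
        "looked_up_only": sorted(lookups - connected),
        "geolocation_lookup": any(n.endswith("ip-api.com") for n in lookups),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(NETWORK_ROWS)).items():
        print(f"{key}: {value}")
```

The "looked up but never connected" list is the one to treat with care: within a short sandbox run it cannot distinguish a name that did not resolve from one the sample simply had not got round to yet, so those names belong on a watch list rather than being written off.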

Files

/data/data/com.looksurface85/cache/lmjzyibakimpw

MD5 0aafea5cb0f0a8b5f6a9b3c994c24cfa
SHA1 5c830119827fdfff65b47650417781759d661660
SHA256 8a594fece033f23918b97a69c851dc5e19aed3650d34ee8efbb11cc7d63e072e
SHA512 19b1ec93f3bbc47b0198758321f4ff4670ab40c9c7da03bb953bb1f9bb178469d75be21d546da98ee48ddb0ca50dd5374eea5b563ead2aeff97185aab97804ed

/data/data/com.looksurface85/kl.txt

MD5 c16ed86d8a84ebb22e580bb92635deb3
SHA1 fda7b97c9632526e511cdc2fdadd030ed68a827a
SHA256 fb04e89b2e785c6e968916b000fc9513342f831142d539e6334038a0676d9ed5
SHA512 ff00e71389411f743019e15b37e5bd7e6feefeef0cccdaf573dad0fcc8afcb372213f7a955c063221fdc971a807a9f244acc6e192476fd345670429c37b570f6

/data/data/com.looksurface85/kl.txt

MD5 eda84cde0890c5f85e579b4606159501
SHA1 15485c045c514d5134e085b39f0dec1edf7e74aa
SHA256 4bd149e7bcfc75fbc7b761c3720a4c701714e6f0ea137a57aac5f9a5319139a1
SHA512 72e752cba836ce1d938d51bebfaa3ded4a077cfa905c22740a7d3eb62538692d5a9c5596bba55acd58931fc1559090f6b66bf25d61a4374ef6a141db2d9ef9b0

/data/data/com.looksurface85/kl.txt

MD5 a5c9884730254fd78607a14aa25c180f
SHA1 39152004e5ba379f863e0750a350cf7d6273543e
SHA256 f2f647ae708f2d03a0ccfcdc6982cd983d7e944f0eae0d13719db1790df6a53a
SHA512 d6754ddc63538ff6e538d4152f95a6e20f7286169cf0dc25dec4b1a32aebd903a5eb1a9fda67fa43a6e7e6c114ad0523296d54accce6e1d9781eed4b7fa888ed

/data/data/com.looksurface85/kl.txt

MD5 79755fef726de49380d9a1bdf0825f08
SHA1 5808fcd3bedcddbbfb09fefbab4fc1f7a55f7e3c
SHA256 9c15741b8a20907e32336443dc3bb7ba86f8cd0b8716ec7b9d3d342eafc1c3d6
SHA512 6c824845c32c1b9a6c8f5586c24830980686490233f0c58a8fdb97cd7c354acd2627c12f16c3456eadf5f8c43a7451bc0ce12b94546c3086dbda9a015adf20d4

/data/data/com.looksurface85/kl.txt

MD5 21b07dc9321cf6d495bd9b3d07896e6b
SHA1 a3d66e46fac6c749a79ecf55b31cc44e61985c4a
SHA256 c62496a9ae71057ce9a197f52e656cbd3a686aacbdafb759420242a2ddad9e4f
SHA512 7e1c465d36fe575822fdea8ab10f671868752ba79963b4a3482bf0e12470c073559003cd84029dd962bf011576e118d7be1b732c6060dcb2092473f49d34194a

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-20 22:00

Reported

2024-02-20 22:03

Platform

android-x64-20231215-en

Max time kernel

151s

Max time network

157s

Command Line

com.looksurface85

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker
Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.looksurface85/cache/lmjzyibakimpw | N/A | N/A
N/A | /data/user/0/com.looksurface85/cache/lmjzyibakimpw | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.looksurface85

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | asamanaproductioneditionkdna.net | udp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 1.1.1.1:53 | asamanaproductioneditionpskl.net | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
GB | 216.58.213.4:443 | | tcp
GB | 216.58.213.4:443 | | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
GB | 172.217.169.46:443 | | tcp
GB | 172.217.16.226:443 | | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | 91.240.118.224 | tcp
RU | 91.240.118.224:443 | | tcp

Files

/data/user/0/com.looksurface85/cache/lmjzyibakimpw

MD5 0aafea5cb0f0a8b5f6a9b3c994c24cfa
SHA1 5c830119827fdfff65b47650417781759d661660
SHA256 8a594fece033f23918b97a69c851dc5e19aed3650d34ee8efbb11cc7d63e072e
SHA512 19b1ec93f3bbc47b0198758321f4ff4670ab40c9c7da03bb953bb1f9bb178469d75be21d546da98ee48ddb0ca50dd5374eea5b563ead2aeff97185aab97804ed

/data/data/com.looksurface85/kl.txt

MD5 c61829b8c2b1778bc6196c888aee52da
SHA1 280a1c645a866fb3d4dc9727e1323260e48654ef
SHA256 30e5307bfa53877bf1436a36c1c5222a4ec23929a2083022969b6cff28267088
SHA512 6458a0b22f12576734cb99cf47480f2c6a50612fcf64085b3541aeda240768483e49a9a1a6197ed46c2a0c79f678164ecb3a344e94f521077d4889f887b5637c

/data/data/com.looksurface85/kl.txt

MD5 a6c450639aa4955cb689928a486b076d
SHA1 3548da4b03be5f715d8870b56d866da6eb1ca25b
SHA256 ea2bcc78527c2d6ba953038697dd1a57446e36cc9a525410088222a1b55caba6
SHA512 0c97e52a31331d57a1850a9bfb96a024aef535a7c6c47b4e5fd7574e74ea3ea02edd65261eb547f7e5041042473f70a9c8ee7b93df293bb52eb2ec46b052eb6b

/data/data/com.looksurface85/kl.txt

MD5 a5c9884730254fd78607a14aa25c180f
SHA1 39152004e5ba379f863e0750a350cf7d6273543e
SHA256 f2f647ae708f2d03a0ccfcdc6982cd983d7e944f0eae0d13719db1790df6a53a
SHA512 d6754ddc63538ff6e538d4152f95a6e20f7286169cf0dc25dec4b1a32aebd903a5eb1a9fda67fa43a6e7e6c114ad0523296d54accce6e1d9781eed4b7fa888ed

/data/data/com.looksurface85/kl.txt

MD5 21b07dc9321cf6d495bd9b3d07896e6b
SHA1 a3d66e46fac6c749a79ecf55b31cc44e61985c4a
SHA256 c62496a9ae71057ce9a197f52e656cbd3a686aacbdafb759420242a2ddad9e4f
SHA512 7e1c465d36fe575822fdea8ab10f671868752ba79963b4a3482bf0e12470c073559003cd84029dd962bf011576e118d7be1b732c6060dcb2092473f49d34194a

/data/data/com.looksurface85/kl.txt

MD5 7b48026de709cc7e6e47e096f159e7af
SHA1 f48c54da6143d16bddd57346be330a4e29d49979
SHA256 63868f3bd2886f6581351d90dac0ef9ec8004cc69d6d3d8d7be10c21dd8c0700
SHA512 4579ef9b241407117c00072c09d0c6e7d366308e6abe9eb98171e9da5cf28cf931ac88794e8b61ab95754dca9a34f402ad5de4a0a8c9696461a39b776c25729e

/data/data/com.looksurface85/cache/oat/lmjzyibakimpw.cur.prof

MD5 403de874ab3ac10045f33fa1fefe5510
SHA1 e9b94ea07dd20a9d473d7f3c58b2d7191a368471
SHA256 1ff5e9da6c68f040900078d89a820e312d78f3640f23fbd1e1fd73d654a3519f
SHA512 7e1e24031d46132b32b489b01724b377677360c2bc83ac5e0b8e80eaab97f747868e9c82608fb8032b3197cb72cdcecd697031f22642c6f8b1e71879551a177e

/data/data/com.looksurface85/.qcom.looksurface85

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c