Malware Analysis Report

2024-10-19 12:57

Sample ID: 240220-1ypmzsga98
Target: 61bdfe6aca8ddd26ec6337aa93d89e99ab0c0b930be39ae8ac96d1e346e156a3.bin
SHA256: 61bdfe6aca8ddd26ec6337aa93d89e99ab0c0b930be39ae8ac96d1e346e156a3
Tags: octo banker infostealer rat trojan evasion stealth
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 61bdfe6aca8ddd26ec6337aa93d89e99ab0c0b930be39ae8ac96d1e346e156a3

Threat Level: Known bad

The file 61bdfe6aca8ddd26ec6337aa93d89e99ab0c0b930be39ae8ac96d1e346e156a3.bin was found to be: Known bad.

Malicious Activity Summary

Octo

Octo payload

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Reads information about phone network operator.

Requests dangerous framework permissions

Declares services with permission to bind to the system

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-02-20 22:03

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-20 22:03
Reported: 2024-02-20 22:17
Platform: android-x64-20231215-en
Max time kernel: 154s
Max time network: 160s

Command Line

com.butdevelop8

Signatures

Octo

banker trojan infostealer rat octo

Octo payload


Makes use of the framework's Accessibility service

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.butdevelop8/cache/phdyakdrajra N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.butdevelop8

Network


Files

/data/data/com.butdevelop8/cache/phdyakdrajra
/data/data/com.butdevelop8/kl.txt (five versions with differing hashes captured)
/data/data/com.butdevelop8/cache/oat/phdyakdrajra.cur.prof
/data/data/com.butdevelop8/.qcom.butdevelop8

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-20 22:03
Reported: 2024-02-20 22:16
Platform: android-x86-arm-20231215-en
Max time kernel: 144s
Max time network: 137s

Command Line

com.butdevelop8

Signatures

Octo

banker trojan infostealer rat octo

Octo payload


Makes use of the framework's Accessibility service

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Removes its main activity from the application launcher

stealth trojan

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.butdevelop8/cache/phdyakdrajra N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.butdevelop8

Network


Files

/data/data/com.butdevelop8/cache/phdyakdrajra
/data/user/0/com.butdevelop8/cache/phdyakdrajra
/data/data/com.butdevelop8/kl.txt (five versions with differing hashes captured)
/data/data/com.butdevelop8/cache/oat/phdyakdrajra.cur.prof
/data/data/com.butdevelop8/.qcom.butdevelop8