Malware Analysis Report

2024-10-19 12:57

Sample ID 240221-1z9pjsge27
Target 86eb0483008455f916d92928553d61e395a93b571bfa6889eaf5acbfbca9fd65.bin
SHA256 86eb0483008455f916d92928553d61e395a93b571bfa6889eaf5acbfbca9fd65
Tags
octo banker evasion infostealer rat stealth trojan
score
10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

86eb0483008455f916d92928553d61e395a93b571bfa6889eaf5acbfbca9fd65

Threat Level: Known bad

The file 86eb0483008455f916d92928553d61e395a93b571bfa6889eaf5acbfbca9fd65.bin was found to be: Known bad.

Malicious Activity Summary

octo banker evasion infostealer rat stealth trojan

Octo payload

Octo

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Requests dangerous framework permissions

Declares services with permission to bind to the system

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator.

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-21 22:06

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-21 22:06

Reported

2024-02-21 22:24

Platform

android-x86-arm-20240221-en

Max time kernel

150s

Max time network

157s

Command Line

com.areahold7

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.areahold7/cache/oexdcrdfcxejxvc N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.areahold7

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 checkdns.digital udp
US 1.1.1.1:53 www.ip-api.com udp
US 1.1.1.1:53 checkdns.shop udp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 checkdns.club udp
US 1.1.1.1:53 checkdns.services udp
US 1.1.1.1:53 dnscheck.club udp
US 199.59.243.225:443 dnscheck.club tcp
US 1.1.1.1:53 dnscheck.design udp
US 1.1.1.1:53 fastcheckdns.xyz udp
US 1.1.1.1:53 fastcheckdns.shop udp
GB 142.250.178.14:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp

Files

/data/data/com.areahold7/cache/oexdcrdfcxejxvc


/data/data/com.areahold7/kl.txt


/data/data/com.areahold7/kl.txt


/data/data/com.areahold7/kl.txt


/data/data/com.areahold7/kl.txt


/data/data/com.areahold7/kl.txt


/data/data/com.areahold7/cache/oat/oexdcrdfcxejxvc.cur.prof


Analysis: behavioral2

Detonation Overview

Submitted

2024-02-21 22:06

Reported

2024-02-21 22:24

Platform

android-x64-arm64-20240221-en

Max time kernel

150s

Max time network

154s

Command Line

com.areahold7

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.areahold7/cache/oexdcrdfcxejxvc N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.areahold7

Network

Country Destination Domain Proto
GB 216.58.201.110:443 N/A tcp
N/A 224.0.0.251:5353 udp
GB 142.250.200.10:443 N/A udp
GB 142.250.200.14:443 N/A udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 checkdns.digital udp
US 1.1.1.1:53 checkdns.shop udp
US 1.1.1.1:53 checkdns.club udp
US 1.1.1.1:53 checkdns.services udp
US 1.1.1.1:53 dnscheck.club udp
US 199.59.243.225:443 dnscheck.club tcp
US 1.1.1.1:53 dnscheck.design udp
US 1.1.1.1:53 fastcheckdns.xyz udp
US 1.1.1.1:53 fastcheckdns.shop udp
GB 172.217.16.228:443 N/A tcp
US 1.1.1.1:53 www.google.com udp
GB 216.58.201.100:443 www.google.com tcp
GB 216.58.212.195:443 N/A tcp

Files

/data/user/0/com.areahold7/cache/oexdcrdfcxejxvc


/data/user/0/com.areahold7/kl.txt


/data/user/0/com.areahold7/kl.txt


/data/user/0/com.areahold7/kl.txt


/data/user/0/com.areahold7/kl.txt


/data/user/0/com.areahold7/kl.txt


/data/user/0/com.areahold7/cache/oat/oexdcrdfcxejxvc.cur.prof
