Malware Analysis Report

2024-10-19 12:57

Sample ID 240221-3be65sge8x
Target 86eb0483008455f916d92928553d61e395a93b571bfa6889eaf5acbfbca9fd65.bin
SHA256 86eb0483008455f916d92928553d61e395a93b571bfa6889eaf5acbfbca9fd65
Tags octo banker evasion infostealer rat trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 86eb0483008455f916d92928553d61e395a93b571bfa6889eaf5acbfbca9fd65

Threat Level: Known bad

The file 86eb0483008455f916d92928553d61e395a93b571bfa6889eaf5acbfbca9fd65.bin was found to be: Known bad.

Malicious Activity Summary

octo banker evasion infostealer rat trojan

Octo

Octo payload

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Acquires the wake lock

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-21 23:20

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-21 23:20

Reported

2024-02-21 23:21

Platform

android-33-x64-arm64-20240221-en

Max time kernel

47s

Max time network

55s

Command Line

com.areahold7

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker

Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.areahold7/cache/oexdcrdfcxejxvc | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion

Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.areahold7

Network

Country | Destination | Domain | Proto
GB | 142.250.187.196:443 | | udp
GB | 142.250.187.196:443 | | udp
GB | 172.217.16.228:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
US | 1.1.1.1:53 | checkdns.digital | udp
US | 1.1.1.1:53 | checkdns.shop | udp
US | 1.1.1.1:53 | checkdns.club | udp
US | 1.1.1.1:53 | checkdns.services | udp
US | 1.1.1.1:53 | dnscheck.club | udp
GB | 142.250.179.227:443 | | tcp
US | 199.59.243.225:443 | dnscheck.club | tcp
US | 199.59.243.225:443 | dnscheck.club | tcp
US | 1.1.1.1:53 | dnscheck.design | udp
US | 1.1.1.1:53 | fastcheckdns.xyz | udp
US | 1.1.1.1:53 | fastcheckdns.shop | udp
US | 199.59.243.225:443 | dnscheck.club | tcp
US | 199.59.243.225:443 | dnscheck.club | tcp
US | 199.59.243.225:443 | dnscheck.club | tcp
GB | 142.250.187.196:443 | | udp
US | 199.59.243.225:443 | dnscheck.club | tcp
US | 199.59.243.225:443 | dnscheck.club | tcp
US | 172.64.41.3:443 | | udp
US | 172.64.41.3:443 | | tcp
US | 172.64.41.3:443 | | tcp
GB | 172.217.16.227:443 | | tcp
GB | 172.217.16.227:443 | | udp
US | 199.59.243.225:443 | dnscheck.club | tcp
US | 199.59.243.225:443 | dnscheck.club | tcp
US | 199.59.243.225:443 | dnscheck.club | tcp
US | 199.59.243.225:443 | dnscheck.club | tcp
US | 199.59.243.225:443 | dnscheck.club | tcp

Files

/data/user/0/com.areahold7/cache/oexdcrdfcxejxvc

MD5 56ded8c27f4e7298fce9784f0519f2f1
SHA1 37e243a1d505d29e6a539f1ac28e276a0565240c
SHA256 516e4bdda593e99595df1e597b5dc433f70c2e0f499b3403b140293adeec8a59
SHA512 da72b4d9c399da98cfdbdad350f23cc6abb0eb0eb1c93ec135bc730aa35895d7db643c9ea5b579aee1834aec606139fe9f6722dd653dd01ddf099a1a4216becb

/data/user/0/com.areahold7/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/user/0/com.areahold7/kl.txt

MD5 116823a04d18220cbd8146b0cb3bfc7b
SHA1 87fcde429ad5601a8dad31dc8057cc42eae0e961
SHA256 e6944c9e097ebfd52a99cedb845c9234019433f9d8f7f5695c8667fb65c30dbe
SHA512 5849758444b1e87d6db3767d513c00468fb4a7026b2f55441e47e1e0de50c20240cd8db4456130b07eb14f81f6a3355df91747ba134b88d19a66e9baf49a0106

/data/user/0/com.areahold7/kl.txt

MD5 3f838f3d7beab0aa98f041929df67b38
SHA1 6239d5012ba27a5a2cfd430104df4d2b0197764a
SHA256 970e15cae7b76095287b08570c60a504afd5ad89aed53f47ee79c2b61f3e33cb
SHA512 7d581a22895876c3f290a34b4c19a0735eb8f4910ff1af6d4f2f9cc0385bcf56cd88490aac0921786cf785ceff907e9d66c1d58e2ab6a9109c9286414085a609

/data/user/0/com.areahold7/kl.txt

MD5 1c899fe2d0cfcd1088a137c606ffc1be
SHA1 871a23d36dd39d50eff0eb053d736357954aa950
SHA256 76d2c62faf31edd02710e40152bd130775ccee62cc26171218170ccd134ad3d6
SHA512 6b392a325a8758c66194cc1d975a74f3f9667125f1b6a267b0dff77c0e5f80f2102220e0eddef63f1da9a9c2ea3bb2c55d984d521da4758f821ad8a0565f6288

/data/user/0/com.areahold7/kl.txt

MD5 25e8799bd7cbd46077fb89aaa709a1e9
SHA1 ea63ba14cc523ac215466581ca00e5bfdec5d0a1
SHA256 23be8ca4fa063dc0e813fa982b19ca9fb772f71451730f741b6b3ce446204f1e
SHA512 a60649362c9528744e59e3b3c8a0077272ebe78295e5b715e77f14bbe65f97e7608410a6352443c97cfd844a4addb27fae84593d1e70e7ffafa0062886fc0ca8

/data/user/0/com.areahold7/cache/oat/oexdcrdfcxejxvc.cur.prof

MD5 370037d73d0d8a96cf94be16ea97b3a5
SHA1 a53f9604cac6861d2fe1af6723fa53abb1453aab
SHA256 d23c57863f9b0415d39697b15a4a5e5e13f09047e8fa52b54da4a9db40cd7aad
SHA512 47e89f42371987e36ca228d2c1e339591eb686b170a92bb1df61a397579b0b233a9a64f1fa688270fdd8598c2aa26c51323d31130d200ec5cd7c9495cf633696