Malware Analysis Report

2024-09-09 13:45

Sample ID 240503-geg91sge41
Target 37b24f726f18682145efaded790a76fd95417898f383a5842f980a8484418e6f.bin
SHA256 37b24f726f18682145efaded790a76fd95417898f383a5842f980a8484418e6f
Tags octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth
Score 10/10

Analysis Overview

Score 10/10

SHA256 37b24f726f18682145efaded790a76fd95417898f383a5842f980a8484418e6f

Threat Level: Known bad

The file 37b24f726f18682145efaded790a76fd95417898f383a5842f980a8484418e6f.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth

Octo

Octo payload

Prevents application removal

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests modifying system settings.

Requests accessing notifications (often used to intercept notifications before users become aware).

Makes use of the framework's Accessibility service

Checks CPU information

Checks memory information

Makes use of the framework's foreground persistence service

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Registers a broadcast receiver at runtime (usually for listening for system events)

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Queries the unique device ID (IMEI, MEID, IMSI)

Declares services with permission to bind to the system

Acquires the wake lock

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-03 05:42

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-03 05:42

Reported

2024-05-03 05:45

Platform

android-x64-arm64-20240221-en

Max time kernel

150s

Max time network

151s

Command Line

com.orderslowzez

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.orderslowzez/cache/cmnbkskb | N/A | N/A
N/A | /data/user/0/com.orderslowzez/cache/cmnbkskb | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.orderslowzez

Network


Files

/data/data/com.orderslowzez/cache/cmnbkskb


/data/data/com.orderslowzez/kl.txt

/data/data/com.orderslowzez/cache/oat/cmnbkskb.cur.prof


/data/data/com.orderslowzez/.qcom.orderslowzez


Analysis: behavioral1

Detonation Overview

Submitted

2024-05-03 05:42

Reported

2024-05-03 05:45

Platform

android-x86-arm-20240221-en

Max time kernel

62s

Max time network

136s

Command Line

com.orderslowzez

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.orderslowzez/cache/cmnbkskb | N/A | N/A
N/A | /data/user/0/com.orderslowzez/cache/cmnbkskb | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.orderslowzez

Network


Files

/data/data/com.orderslowzez/cache/cmnbkskb


/data/data/com.orderslowzez/kl.txt

/data/data/com.orderslowzez/cache/oat/cmnbkskb.cur.prof
