Malware Analysis Report

2024-09-09 13:44

Sample ID: 240503-gejg3sae96
Target: 1dda2398fb3c4c2aee9b2a18f0975b921cbd2809625618d7a91d174806c677b7.bin
SHA256: 1dda2398fb3c4c2aee9b2a18f0975b921cbd2809625618d7a91d174806c677b7
Tags: octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 1dda2398fb3c4c2aee9b2a18f0975b921cbd2809625618d7a91d174806c677b7

Threat Level: Known bad

The file 1dda2398fb3c4c2aee9b2a18f0975b921cbd2809625618d7a91d174806c677b7.bin was found to be: Known bad.

Malicious Activity Summary

Tags: octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Prevents application removal

Makes use of the framework's Accessibility service

Requests accessing notifications (often used to intercept notifications before users become aware).

Queries the phone number (MSISDN for GSM devices)

Obtains sensitive information copied to the device clipboard

Registers a broadcast receiver at runtime (usually for listening for system events)

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Checks memory information

Checks CPU information

Loads dropped Dex/Jar

Declares services with permission to bind to the system

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Queries the unique device ID (IMEI, MEID, IMSI)

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-03 05:42

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-03 05:42
Reported: 2024-05-03 05:45
Platform: android-x86-arm-20240221-en
Max time kernel: 150s
Max time network: 122s

Command Line

com.beautyship5

Signatures

Octo

Tags: banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Prevents application removal

Tags: evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Removes its main activity from the application launcher

Tags: stealth trojan evasion

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

Tags: collection credential_access

Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Checks CPU information

Tags: evasion discovery

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Tags: evasion discovery

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

Tags: evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.beautyship5/cache/qhqrdtmuyib | N/A | N/A
N/A | /data/user/0/com.beautyship5/cache/qhqrdtmuyib | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

Tags: discovery

Reads information about phone network operator.

Tags: discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

Tags: evasion

Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.beautyship5

Network

Country | Destination | Domain | Proto
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 172.217.169.10:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | tecklardankalan.shop | udp
US | 1.1.1.1:53 | karamdsadvs2.shop | udp
US | 1.1.1.1:53 | tecbabbshop24578.shop | udp
US | 1.1.1.1:53 | karakalandankasd5.com | udp
GB | 142.250.179.238:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.200.42:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.beautyship5/cache/qhqrdtmuyib

MD5 7cfcfcdf2f1a2e962d3975435a55b97d
SHA1 0e3b3c6e167542c580dec3a674f2fc3b4e91628d
SHA256 abe48a2b945177b37b9f59db9f4d8f92ea9dc991f0835b7df3191e937b6d8929
SHA512 eafb08deef09f5b4644c42e9bccac724dd5ba0345f43ea5cbc4ca8286b6ee34e579fa6195fbff24ceeb5e25db521e44edd99cc4d9a5691405e0e1f71b805548a

/data/data/com.beautyship5/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.beautyship5/kl.txt

MD5 c00ddd290666fe14a8eacbab49b451b6
SHA1 283ccb96fab0f7f91ba14369a3d230905bc86477
SHA256 2c3b1f49987beb055425724ef3622ba1bf91429f9663cdce3a4be9fb9bed954c
SHA512 c24a170d2486a57b0c7ebe85f291eea012a74953dd66e5c5109a308a49f6cda29eb68638cf7b09d2d6b173c0588c2bdab2813cb4855047d8fc15ce6c4f50a2eb

/data/data/com.beautyship5/kl.txt

MD5 3d3647e3daa52eddee3d00fcf9853aa0
SHA1 4fb6833f63c649831eabd0accf204ec02010c3f4
SHA256 7010727a8ae128efa3ef610933a0d5f12641632fa323480923d01899951965d8
SHA512 79ad60d23dc310f138390d83c7d51b4a4ebdd9fac1317a8179f0c87b56386dc0e54a47b069c38f08924549a601b04652beaedb46a00f93124df5b8b46debe52c

/data/data/com.beautyship5/kl.txt

MD5 40bfdce70eb72eae3640383135611bc8
SHA1 f529c1c686d7e148c761291fafb7cb7f7cfc3740
SHA256 1ba3aff085dd2b4865e361764fca9c8844634eef81e3fbdb17daa772fdf9f8b5
SHA512 511a7aa1c0bf4004b36d6834851f39d025ea62263a05e5114b143055a1f45666abbbbf423b4d4c41ba8b741d067e3704f4275986d8466ab04fa9194ecd116c36

/data/data/com.beautyship5/cache/oat/qhqrdtmuyib.cur.prof

MD5 9ca4ac046c8566f4bdbc23b563fcb22f
SHA1 8a83915f6b6c4a62acf67d3847fbeceeb8cb871e
SHA256 4124e01654e1f6a0261e395bde553fa1dcff309c75c6122cebaf75c55de89a72
SHA512 b303c0f09f72ac094c685d791225fb556bcc518952744570541a55563886129496e0bdd61140f370752df3c1d11c9e994d9b5fccf7933250f38bc58fddf9fd33

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-03 05:42
Reported: 2024-05-03 05:45
Platform: android-x64-20240221-en
Max time kernel: 152s
Max time network: 157s

Command Line

com.beautyship5

Signatures

Octo

Tags: banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

Tags: evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Checks CPU information

Tags: evasion discovery

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Tags: evasion discovery

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

Tags: evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.beautyship5/cache/qhqrdtmuyib | N/A | N/A
N/A | /data/user/0/com.beautyship5/cache/qhqrdtmuyib | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact

Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.beautyship5

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | tecbabbshop24578.shop | udp
US | 1.1.1.1:53 | tecklardankalan.shop | udp
US | 1.1.1.1:53 | karakalandankasd5.com | udp
US | 1.1.1.1:53 | karamdsadvs2.shop | udp
GB | 142.250.178.14:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
GB | 216.58.201.100:443 | - | tcp
GB | 216.58.201.100:443 | - | tcp
GB | 172.217.169.78:443 | - | tcp
GB | 142.250.200.34:443 | - | tcp

Files

/data/data/com.beautyship5/cache/qhqrdtmuyib

MD5 7cfcfcdf2f1a2e962d3975435a55b97d
SHA1 0e3b3c6e167542c580dec3a674f2fc3b4e91628d
SHA256 abe48a2b945177b37b9f59db9f4d8f92ea9dc991f0835b7df3191e937b6d8929
SHA512 eafb08deef09f5b4644c42e9bccac724dd5ba0345f43ea5cbc4ca8286b6ee34e579fa6195fbff24ceeb5e25db521e44edd99cc4d9a5691405e0e1f71b805548a

/data/data/com.beautyship5/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.beautyship5/kl.txt

MD5 0a3121b57955f25d536766f2eefe3b92
SHA1 c3e247c5f4a695a5d2fe7662f5312ff0d279e921
SHA256 fd2af059ce625aa7dfe71b2197239c74b85e0dadf4592e9fc692ab742cee054b
SHA512 da8670fc161328b6ad02f79e07ef6c22a7bf264827cb0e23a53d52d5d116cf73205052faff9460279283fd00a4bebde2f27c717000e9e43f90ac504912c0760f

/data/data/com.beautyship5/kl.txt

MD5 238c50c250a0d6fecd985c7161f4fd22
SHA1 1a19d8dfdfdcbaf2d7e4497c34dc3f05843112b4
SHA256 984eb651a74c3f2c4457e8777165913909e53e28759f617fa9109c966ca8c669
SHA512 3e73a72f294671282e398a575b952f35c795fc95717bb2a37c738ca9d37f102047e25c194dbd939429720fdcc6597012a5f63f8094423af8d4fceb4d147389ee

/data/data/com.beautyship5/cache/oat/qhqrdtmuyib.cur.prof

MD5 2cc1de2ff82319c898c02c10a30a0fa7
SHA1 4bca2ced645129b7a8c4b21975807053b5046f38
SHA256 0d528ccb44c61db1d612b407eed83ca5f8cbebb8700bf2b7b9225eb734355da9
SHA512 8315d45eef8ce89ad4a0ac17fe4d21eba331874d525619f14cae70ec935300cb3273c00293dddc8764e221e292e573a9760bded3b1316dabb676eb7071a1f8d8