Malware Analysis Report

2024-09-09 13:44

Sample ID 240503-genrssae99
Target 1dda2398fb3c4c2aee9b2a18f0975b921cbd2809625618d7a91d174806c677b7.bin
SHA256 1dda2398fb3c4c2aee9b2a18f0975b921cbd2809625618d7a91d174806c677b7
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK Matrix
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

1dda2398fb3c4c2aee9b2a18f0975b921cbd2809625618d7a91d174806c677b7

Threat Level: Known bad

The file 1dda2398fb3c4c2aee9b2a18f0975b921cbd2809625618d7a91d174806c677b7.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Requests accessing notifications (often used to intercept notifications before users become aware).

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Prevents application removal

Makes use of the framework's foreground persistence service

Checks memory information

Queries the mobile country code (MCC)

Checks CPU information

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries the phone number (MSISDN for GSM devices)

Acquires the wake lock

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Queries the unique device ID (IMEI, MEID, IMSI)

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-03 05:43

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-03 05:43

Reported

2024-05-03 05:47

Platform

android-x86-arm-20240221-en

Max time kernel

37s

Max time network

137s

Command Line

com.beautyship5

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.beautyship5/cache/qhqrdtmuyib | N/A | N/A
N/A | /data/user/0/com.beautyship5/cache/qhqrdtmuyib | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.beautyship5

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | tecbabbshop24578.shop | udp
US | 1.1.1.1:53 | karakalandankasd5.com | udp
US | 1.1.1.1:53 | karamdsadvs2.shop | udp
US | 1.1.1.1:53 | tecklardankalan.shop | udp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.beautyship5/cache/qhqrdtmuyib

MD5 7cfcfcdf2f1a2e962d3975435a55b97d
SHA1 0e3b3c6e167542c580dec3a674f2fc3b4e91628d
SHA256 abe48a2b945177b37b9f59db9f4d8f92ea9dc991f0835b7df3191e937b6d8929
SHA512 eafb08deef09f5b4644c42e9bccac724dd5ba0345f43ea5cbc4ca8286b6ee34e579fa6195fbff24ceeb5e25db521e44edd99cc4d9a5691405e0e1f71b805548a

/data/data/com.beautyship5/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.beautyship5/kl.txt

MD5 b8c1f6814152fcb7b59b2e85a6bdc4f3
SHA1 bcdeff7d2393de66e781719ad0322634cefee556
SHA256 a085baef3250f11e00ee04a4596f370b1a16d989dea1bc711bf856ff6cf5cf17
SHA512 aeed8618190961ca1b4e7358bb0c3782657988370017b2fb0d3e28261699095213566e9e8b90d760a5bbe3db9dbb8aca14a461df5d1da6118dad06bf647d3819

/data/data/com.beautyship5/kl.txt

MD5 122bd64537df474ac891bd955278a92a
SHA1 721634253326c978860831c7c8c59496949da197
SHA256 11b3fd4d3e8f463a3dca8b6e0b9fa68e0855852489100d46c61f82ef7968ace6
SHA512 76b20a4778e03cc2ffbe3f82f475a2ba0948e5073e567bda264ec57d19b44d664e049c130b8b0ab6824521d3e3f03ac4791c7ec25100a5eac39b9bbb5ab411e1

/data/data/com.beautyship5/kl.txt

MD5 13f5a3f40b6549bc09ac07a711ad0b56
SHA1 554293f8aa0821ee89c2c532759cea64d8e5549a
SHA256 b8b4cc2ff762860780b3a795d93e07f901527b4ff6de90968986f2b2e244ec5b
SHA512 7d0f55a0d71188ace242b1ae6293c01c62273cabf8afedc8f45975801e5b5d4a16c9ee1100b5e5a3f29c5f2e037c8a2e29aa012860df2b13def3a302b6474c56

/data/data/com.beautyship5/kl.txt

MD5 8abe2da1bf631598cdddb0cc7d3bcda5
SHA1 f4a61be323ea58b94a0f6ff5bdca6317803b97e2
SHA256 865c6ef0dccafd61c744c038af36c4aeeceef006be8a761355d2ee95a0ab650c
SHA512 b7b79fc56583879da2ce620ed24324d593f17077997d70b1c389954e9609556e028cf0272e30f35c56b56bcbcc05376481d5dfc487867715e7e81504c1101762

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-03 05:43

Reported

2024-05-03 05:46

Platform

android-33-x64-arm64-20240229-en

Max time kernel

152s

Max time network

139s

Command Line

com.beautyship5

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.beautyship5/cache/qhqrdtmuyib | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.beautyship5

Network

Country | Destination | Domain | Proto
BE | 64.233.166.188:5228 | | tcp
GB | 142.250.200.36:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.228:443 | | udp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 142.250.200.36:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.212.228:443 | www.google.com | tcp
US | 1.1.1.1:53 | tecklardankalan.shop | udp
US | 1.1.1.1:53 | karamdsadvs2.shop | udp
US | 1.1.1.1:53 | karakalandankasd5.com | udp
US | 1.1.1.1:53 | tecbabbshop24578.shop | udp
GB | 216.58.212.195:443 | | tcp
GB | 142.250.187.206:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 142.250.200.4:443 | | tcp
GB | 142.250.200.4:443 | | tcp
US | 162.159.61.3:443 | | tcp
US | 162.159.61.3:443 | | tcp
GB | 172.217.16.227:443 | | tcp
US | 162.159.61.3:443 | | udp
GB | 172.217.16.227:443 | | udp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
GB | 142.250.178.10:443 | remoteprovisioning.googleapis.com | tcp
GB | 172.217.16.228:443 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.14:443 | android.apis.google.com | tcp
GB | 172.217.169.14:443 | android.apis.google.com | udp
GB | 142.250.179.225:443 | | tcp
GB | 142.250.179.225:443 | | tcp
GB | 142.250.200.4:443 | | udp
GB | 142.250.179.225:443 | | tcp
GB | 142.250.179.225:443 | | tcp
GB | 216.58.212.251:443 | | tcp
US | 1.1.1.1:53 | social-magazines-prod.storage.googleapis.com | udp
GB | 172.217.16.238:443 | | tcp
GB | 142.250.187.251:443 | social-magazines-prod.storage.googleapis.com | tcp
GB | 172.217.16.238:443 | | tcp
GB | 142.250.179.225:443 | | udp
GB | 172.217.16.238:443 | | udp
GB | 142.250.187.251:443 | social-magazines-prod.storage.googleapis.com | udp

Files

/data/user/0/com.beautyship5/cache/qhqrdtmuyib

MD5 7cfcfcdf2f1a2e962d3975435a55b97d
SHA1 0e3b3c6e167542c580dec3a674f2fc3b4e91628d
SHA256 abe48a2b945177b37b9f59db9f4d8f92ea9dc991f0835b7df3191e937b6d8929
SHA512 eafb08deef09f5b4644c42e9bccac724dd5ba0345f43ea5cbc4ca8286b6ee34e579fa6195fbff24ceeb5e25db521e44edd99cc4d9a5691405e0e1f71b805548a

/data/user/0/com.beautyship5/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/user/0/com.beautyship5/kl.txt

MD5 7cf37cdea20621f35b45117617f7c061
SHA1 6f8d284872e5417e60443bd27422ed3e7788036a
SHA256 7d4400fc485f805c43b38901deb53a53179d49ad92b9cbc51dc3340863d91ea8
SHA512 db43be9da34d6fb21d41605f07c62844c59accf8bfe5b64596dc6e19b99f14d3eadf551cd84b74d5feb7921b3d187ad09956d8aed81064f86fb1476114f7229f

/data/user/0/com.beautyship5/kl.txt

MD5 2f49c3a4c350070b293128f9d5ad5eb1
SHA1 b71847553d636a89baee5cfa85cd6a9947b4c992
SHA256 53abbf8413c38c4023a55cf1f10cf151740a01df56ad68f98dcd677280234272
SHA512 49a70f87b45301bc347789695de3c0db4b1c5d559e2512f93261538f095bca5626670d7a42419b7b9751ad141493c9e45c787cdbe06e8e9185f2cceae573076b

/data/user/0/com.beautyship5/cache/oat/qhqrdtmuyib.cur.prof

MD5 c9a687db0c64235d1cd818e22c8f05ef
SHA1 ce123e15d4747d321ea2d2eda247f516d2d74aab
SHA256 35c9ce889765ce30982d96a3714535956da01d0a56d82c507535b5c79afb58d3
SHA512 2a84a7399dc038b86367277f6435a93baeb16f856c675c5230141c0636e6de239b98facf679dd7593f50af750a8f728766ef9e9ec1187ae71cc794c8659cee99