Malware Analysis Report

2024-09-09 13:45

Sample ID 240509-1wrpkagg8s
Target bbfe342c2c724f0d0bd1b98f5fc7e0bc1ba0df198abcbbdb9787cf7b9d613763.bin
SHA256 bbfe342c2c724f0d0bd1b98f5fc7e0bc1ba0df198abcbbdb9787cf7b9d613763
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bbfe342c2c724f0d0bd1b98f5fc7e0bc1ba0df198abcbbdb9787cf7b9d613763

Threat Level: Known bad

The file bbfe342c2c724f0d0bd1b98f5fc7e0bc1ba0df198abcbbdb9787cf7b9d613763.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Prevents application removal

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests access to notifications (often used to intercept notifications before users become aware)

Queries the mobile country code (MCC)

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's foreground persistence service

Registers a broadcast receiver at runtime (usually for listening for system events)

Loads dropped Dex/Jar

Reads information about the phone network operator

Requests disabling of battery optimizations (often used to enable hiding in the background)

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Declares services with permission to bind to the system

Queries the unique device ID (IMEI, MEID, IMSI)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-09 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 22:00

Reported

2024-05-09 22:02

Platform

android-x86-arm-20240506-en

Max time kernel

46s

Max time network

133s

Command Line

com.wantless7

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Requests access to notifications (often used to intercept notifications before users become aware)

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.wantless7/cache/sjmafccglyaqlb N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about the phone network operator

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background)

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.wantless7

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.169.74:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 yeniuygarckaportaci.top udp
US 1.1.1.1:53 oyungouardman.com udp
US 1.1.1.1:53 ataseiorunaa.top udp
US 1.1.1.1:53 kediseakiyoruz.top udp
US 1.1.1.1:53 karaaslancamping.xyz udp
US 1.1.1.1:53 vasathastalari.top udp
TR 178.215.236.93:443 karaaslancamping.xyz tcp
US 1.1.1.1:53 sevmekdeacilar.top udp
US 1.1.1.1:53 cigkoftebedavahizmetim.top udp
US 1.1.1.1:53 candancanda.top udp
US 1.1.1.1:53 biggiyenim.top udp
TR 178.215.236.93:443 biggiyenim.top tcp
GB 142.250.200.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
TR 178.215.236.93:443 biggiyenim.top tcp
TR 178.215.236.93:443 biggiyenim.top tcp
TR 178.215.236.93:443 biggiyenim.top tcp

Files

/data/data/com.wantless7/cache/sjmafccglyaqlb

/data/data/com.wantless7/kl.txt (five entries with distinct hashes)

/data/data/com.wantless7/cache/oat/sjmafccglyaqlb.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 22:00

Reported

2024-05-09 22:03

Platform

android-x64-20240506-en

Max time kernel

147s

Max time network

143s

Command Line

com.wantless7

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.wantless7/cache/sjmafccglyaqlb N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about the phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.wantless7

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.213.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 vasathastalari.top udp
US 1.1.1.1:53 servisdepaketlemem.top udp
US 1.1.1.1:53 huzunluponsimm.top udp
US 1.1.1.1:53 biggiyenim.top udp
US 1.1.1.1:53 kenedabirnumaratedavicisi.xyz udp
US 1.1.1.1:53 karakutuoynlar.top udp
US 1.1.1.1:53 oyunlarlemmi.top udp
TR 178.215.236.93:443 biggiyenim.top tcp
US 1.1.1.1:53 sevmekdeacilar.top udp
US 1.1.1.1:53 canozturkkaka.top udp
TR 178.215.236.93:443 biggiyenim.top tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.206:443 android.apis.google.com tcp
TR 178.215.236.93:443 biggiyenim.top tcp
GB 216.58.201.110:443 tcp
GB 216.58.212.194:443 tcp
GB 142.250.178.4:443 tcp
GB 142.250.178.4:443 tcp
TR 178.215.236.93:443 biggiyenim.top tcp
GB 216.58.204.78:443 tcp
TR 178.215.236.93:443 biggiyenim.top tcp
TR 178.215.236.93:443 biggiyenim.top tcp
TR 178.215.236.93:443 biggiyenim.top tcp

Files

/data/data/com.wantless7/cache/sjmafccglyaqlb

/data/data/com.wantless7/kl.txt (five entries with distinct hashes)

/data/data/com.wantless7/cache/oat/sjmafccglyaqlb.cur.prof

/data/data/com.wantless7/.qcom.wantless7