Malware Analysis Report

2024-09-09 13:43

Sample ID: 240509-1wslvsca88
Target: abc9cb34c9612f3137016d1af7f502a992f19079b313efa60c47443104f209cf.bin
SHA256: abc9cb34c9612f3137016d1af7f502a992f19079b313efa60c47443104f209cf
Tags: octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: abc9cb34c9612f3137016d1af7f502a992f19079b313efa60c47443104f209cf
Threat Level: Known bad

The file abc9cb34c9612f3137016d1af7f502a992f19079b313efa60c47443104f209cf.bin was found to be: Known bad.

Malicious Activity Summary

Tags: octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Requests notification access (often used to intercept notifications before the user sees them)

Makes use of the framework's Accessibility service

Requests permission to modify system settings

Removes its main activity from the application launcher

Queries the list of installed applications on the device (may be used to pick legitimate apps to overlay)

Prevents application removal

Registers a broadcast receiver at runtime (usually to listen for system events)

Loads a dropped DEX/JAR

Makes use of the framework's foreground service for persistence

Queries the mobile country code (MCC)

Queries the phone number (MSISDN on GSM devices)

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Acquires a wake lock

Reads information about the phone network operator

Queries unique device IDs (IMEI, MEID, IMSI)

Declares services with permission to bind to the system

Requests exemption from battery optimizations (often used to keep running in the background)

Uses crypto APIs (may encrypt user data; bankers of this kind also commonly use them to decrypt a dropped payload or C2 traffic)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-09 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

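Two of the three signature groups above describe components the app declares rather than permissions it requests: a service can only carry android.permission.BIND_ACCESSIBILITY_SERVICE or BIND_NOTIFICATION_LISTENER_SERVICE, and a receiver BIND_DEVICE_ADMIN, if the matching privileged component exists, so the static pass already establishes that the sample ships an accessibility service, a notification listener and a device-admin receiver. The script below is an added example, not part of the sandbox output, that reproduces this triage over a decoded AndroidManifest.xml (the binary AXML inside an APK must be decoded first, for example with apktool or androguard). The manifest text embedded in it is constructed to match the permissions listed in this report; the package name is the one reported, the component class names are hypothetical. WRITE_SETTINGS, which the report lists with the dangerous permissions, is in fact granted through a Settings screen (hence the MANAGE_WRITE_SETTINGS intent in the behavioral runs), so the script reports it as special access rather than as a runtime permission.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Runtime ("dangerous") permissions worth flagging in a banker triage (subset of Android's list).
DANGEROUS = {
    "android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE",
    "android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO",
}
# Granted through a Settings screen / AppOps rather than a runtime prompt.
SPECIAL_ACCESS = {
    "android.permission.WRITE_SETTINGS", "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
}
# Only the system holds these; a component protected by one proves the privileged component exists.
BIND_SIGNATURES = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
    "android.permission.BIND_DEVICE_ADMIN": "device admin receiver",
}

# Constructed manifest mirroring the permissions in this report (class names are hypothetical).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.helpsmallgfq">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="helper">
    <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>
"""

def triage_manifest(xml_text: str) -> dict:
    """Classify requested permissions and system-bound components of a decoded manifest."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    app = root.find("application")
    components = list(app.iter("service")) + list(app.iter("receiver")) if app is not None else []
    bound = {}
    for comp in components:
        perm = comp.get(PERMISSION)
        if perm in BIND_SIGNATURES:
            bound[BIND_SIGNATURES[perm]] = comp.get(NAME)
    findings = {
        "package": root.get("package"),
        "dangerous": sorted(requested & DANGEROUS),
        "special_access": sorted(requested & SPECIAL_ACCESS),
        "system_bound_components": bound,
    }
    # SMS interception plus an accessibility service is the classic Android banker profile.
    has_sms = bool(requested & {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"})
    findings["banker_profile"] = has_sms and "accessibility service" in bound
    return findings

if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

The same function runs unchanged on the decoded manifest of any APK; the only sample-specific part is the embedded text.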
Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-09 22:00
Reported: 2024-05-09 22:03
Platform: android-x86-arm-20240506-en
Max time kernel: 40s
Max time network: 133s

Command Line

com.helpsmallgfq

Signatures

Octo

Tags: banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
(no indicator recorded)

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

Tags: evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the list of installed applications on the device (may be used to pick legitimate apps to overlay)

Tags: banker discovery

Removes its main activity from the application launcher

Tags: stealth trojan evasion
Description | Indicator | Process | Target
(no indicator recorded)

Requests notification access (often used to intercept notifications before the user sees them)

Tags: collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests permission to modify system settings

Tags: evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Loads a dropped DEX/JAR

Tags: evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.helpsmallgfq/cache/vweuds | N/A | N/A
N/A | /data/user/0/com.helpsmallgfq/cache/vweuds | N/A | N/A

Makes use of the framework's foreground service for persistence

Tags: evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN on GSM devices)

Tags: discovery

Registers a broadcast receiver at runtime (usually to listen for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires a wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries unique device IDs (IMEI, MEID, IMSI)

Tags: discovery

Reads information about the phone network operator

Tags: discovery

Requests exemption from battery optimizations (often used to keep running in the background)

Tags: evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses crypto APIs (may encrypt user data; bankers of this kind also commonly use them to decrypt a dropped payload or C2 traffic)

Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.helpsmallgfq

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | kozandelimisin.com | udp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
US | 1.1.1.1:53 | kozansinyalcimisinla.com | udp
US | 1.1.1.1:53 | kozanaseviyor.net | udp
US | 1.1.1.1:53 | kozanhacibaba.net | udp
US | 1.1.1.1:53 | kozanhackerr.net | udp
BG | 80.76.49.223:443 | kozanhackerr.net | tcp
BG | 80.76.49.223:443 | kozanhackerr.net | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 172.217.169.42:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.187.202:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.187.202:443 | semanticlocation-pa.googleapis.com | tcp
BG | 80.76.49.223:443 | kozanhackerr.net | tcp
BG | 80.76.49.223:443 | kozanhackerr.net | tcp

Files

/data/data/com.helpsmallgfq/cache/vweuds

MD5 f4d86c3c79bdbfbfdb16b4d9ec60b04e
SHA1 40193068b538b85639e8b56459533a24fdd5c0fe
SHA256 c9eb4073fb69f66133fa87e92d61217db74aa2bf0bc74a5c623060568b4e38aa
SHA512 e9528dc9beae7c977378b610a1c02345516c3f5b48fc00c6393acf56e9154ad94b95e36bb095f17804d2b090ff796731baaa5effa994b079e7934b5e02abf896

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-09 22:00
Reported: 2024-05-09 22:03
Platform: android-33-x64-arm64-20240508.1-en
Max time kernel: 152s
Max time network: 146s

Command Line

com.helpsmallgfq

Signatures

Octo

Tags: banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
(no indicator recorded)

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

Tags: evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the list of installed applications on the device (may be used to pick legitimate apps to overlay)

Tags: banker discovery

Requests notification access (often used to intercept notifications before the user sees them)

Tags: collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests permission to modify system settings

Tags: evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Loads a dropped DEX/JAR

Tags: evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.helpsmallgfq/cache/vweuds | N/A | N/A

Makes use of the framework's foreground service for persistence

Tags: evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN on GSM devices)

Tags: discovery

Acquires a wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about the phone network operator

Tags: discovery

Requests exemption from battery optimizations (often used to keep running in the background)

Tags: evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses crypto APIs (may encrypt user data; bankers of this kind also commonly use them to decrypt a dropped payload or C2 traffic)

Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.helpsmallgfq

Network

Country | Destination | Domain | Proto
GB | 216.58.213.4:443 | | udp
GB | 216.58.213.4:443 | | tcp
BE | 173.194.76.188:5228 | | tcp
GB | 216.58.201.100:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | kozansinyalcimisinla.com | udp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
US | 1.1.1.1:53 | kozanhacibaba.net | udp
US | 1.1.1.1:53 | kozandelimisin.com | udp
US | 1.1.1.1:53 | kozanhackerr.net | udp
BG | 80.76.49.223:443 | kozanhackerr.net | tcp
BG | 80.76.49.223:443 | kozanhackerr.net | tcp
BG | 80.76.49.223:443 | kozanhackerr.net | tcp
BG | 80.76.49.223:443 | kozanhackerr.net | tcp
GB | 172.217.169.35:443 | | tcp
GB | 216.58.213.4:443 | | udp
BG | 80.76.49.223:443 | kozanhackerr.net | tcp
US | 172.64.41.3:443 | | tcp
US | 172.64.41.3:443 | | tcp
GB | 142.250.180.3:443 | | tcp
US | 172.64.41.3:443 | | udp
GB | 142.250.180.3:443 | | udp
BG | 80.76.49.223:443 | kozanhackerr.net | tcp
BG | 80.76.49.223:443 | kozanhackerr.net | tcp
BG | 80.76.49.223:443 | kozanhackerr.net | tcp
BG | 80.76.49.223:443 | kozanhackerr.net | tcp
BG | 80.76.49.223:443 | kozanhackerr.net | tcp
GB | 216.58.213.4:443 | | tcp
BG | 80.76.49.223:443 | kozanhackerr.net | tcp

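Both network tables (this one and the one for behavioral1) mix the sample's own traffic with sandbox and platform noise: the emulator's resolver at 1.1.1.1, mDNS to 224.0.0.251, Google Play services and googleapis endpoints. What is left is a cluster of kozan* domains of which only kozanhackerr.net resolves and is contacted, repeatedly, over TLS at 80.76.49.223, plus a geolocation lookup to www.ip-api.com. The Python below is an added example, not part of the sandbox output: it parses rows in the report's format, drops the known-benign destinations, reduces the rest to a de-duplicated IOC set with sighting counts (a DNS lookup counts as a sighting of the name), and emits Suricata rules for the C2 indicators. The rows embedded in it are a representative subset copied from the two tables, so the counts reflect only those rows; the allow-list, the IP prefixes treated as Google/Cloudflare edges and the SID range are assumptions to adjust for your environment. www.ip-api.com is a public service that gives behavioural context but is not C2, so it stays in the IOC set and is excluded from the generated rules.

```python
import re
from collections import Counter

# Representative rows copied from the two network tables in this report
# (country, destination ip:port, optional domain, protocol); counts reflect only these rows.
REPORT_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 kozandelimisin.com udp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 kozansinyalcimisinla.com udp
US 1.1.1.1:53 kozanaseviyor.net udp
US 1.1.1.1:53 kozanhacibaba.net udp
US 1.1.1.1:53 kozanhackerr.net udp
BG 80.76.49.223:443 kozanhackerr.net tcp
BG 80.76.49.223:443 kozanhackerr.net tcp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
BE 173.194.76.188:5228 tcp
US 172.64.41.3:443 tcp
BG 80.76.49.223:443 kozanhackerr.net tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$"
)

# Allow-list of sandbox/platform noise (assumption; tune for your environment).
RESOLVER_IPS = {"1.1.1.1"}      # sandbox DNS resolver: keep the queried name, never the IP
NOISE_IPS = {"224.0.0.251"}     # mDNS
NOISE_DOMAIN_SUFFIXES = (".googleapis.com", ".google.com", ".gstatic.com")
NOISE_IP_PREFIXES = ("142.250.", "172.217.", "216.58.", "173.194.", "172.64.")  # Google / Cloudflare edges
# Public services that give behavioural context but are not C2 and must not be blocked.
CONTEXT_DOMAINS = {"www.ip-api.com"}

def parse_rows(text: str) -> list:
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def is_noise(row: dict) -> bool:
    ip, domain = row["ip"], row["domain"]
    if domain:
        return domain.endswith(NOISE_DOMAIN_SUFFIXES)
    return ip in NOISE_IPS or ip.startswith(NOISE_IP_PREFIXES)

def extract_iocs(rows: list) -> dict:
    """De-duplicated domains and (ip, port, proto, domain) endpoints with sighting counts."""
    domains, endpoints = Counter(), Counter()
    for r in rows:
        if is_noise(r):
            continue
        if r["domain"]:
            domains[r["domain"]] += 1   # a DNS lookup is a sighting of the name
        if r["ip"] not in RESOLVER_IPS:
            endpoints[(r["ip"], int(r["port"]), r["proto"], r["domain"] or "")] += 1
    return {"domains": dict(domains), "endpoints": dict(endpoints)}

def suricata_rules(iocs: dict, base_sid: int = 9000000) -> list:
    """One DNS rule per C2 domain, one connection rule per C2 endpoint (SID range is assumed)."""
    rules, sid = [], base_sid
    for domain in sorted(iocs["domains"]):
        if domain in CONTEXT_DOMAINS:
            continue
        sid += 1
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"Octo C2 DNS lookup {domain}"; '
            f'dns.query; content:"{domain}"; nocase; endswith; sid:{sid}; rev:1;)'
        )
    for ip, port, proto, domain in sorted(iocs["endpoints"]):
        if domain in CONTEXT_DOMAINS:
            continue
        sid += 1
        rules.append(
            f'alert {proto} $HOME_NET any -> {ip} {port} (msg:"Octo C2 connection {domain or ip}"; '
            f'sid:{sid}; rev:1;)'
        )
    return rules

if __name__ == "__main__":
    iocs = extract_iocs(parse_rows(REPORT_ROWS))
    print(iocs)
    print("\n".join(suricata_rules(iocs)))
```

The domains that were only looked up and never connected to (kozandelimisin.com, kozansinyalcimisinla.com, kozanaseviyor.net, kozanhacibaba.net) are still worth alerting on: a sample that rotates through a list of C2 names will resolve the dead ones before reaching the live one, and that lookup pattern is itself a detection.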
Files

/data/user/0/com.helpsmallgfq/cache/vweuds

MD5 f4d86c3c79bdbfbfdb16b4d9ec60b04e
SHA1 40193068b538b85639e8b56459533a24fdd5c0fe
SHA256 c9eb4073fb69f66133fa87e92d61217db74aa2bf0bc74a5c623060568b4e38aa
SHA512 e9528dc9beae7c977378b610a1c02345516c3f5b48fc00c6393acf56e9154ad94b95e36bb095f17804d2b090ff796731baaa5effa994b079e7934b5e02abf896
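
The file above is the artifact the "Loads a dropped DEX/JAR" signature refers to in both behavioral runs (behavioral1 records it under /data/data/com.helpsmallgfq/cache/vweuds, which on modern Android is the same directory as /data/user/0/com.helpsmallgfq). The report gives its hashes but not its format. The Python below is an added example, not part of the sandbox output, showing how to confirm that a recovered file is a DEX by validating its header instead of trusting the name or the signature label: the magic, the Adler-32 checksum over everything after the checksum field, the SHA-1 signature over everything after the signature field, and the declared file size. Its input is a minimal header-only DEX constructed in the code; a real dropped file would be pulled from the device or emulator and its digests compared with the ones listed here.

```python
import hashlib
import struct
import zlib

DEX_MAGICS = (b"dex\n035\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0")
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678

def identify(blob: bytes) -> str:
    """Cheap type check by magic bytes: 'dex', 'zip' (JAR/APK container) or 'unknown'."""
    if blob[:8] in DEX_MAGICS:
        return "dex"
    if blob[:4] == b"PK\x03\x04":
        return "zip"
    return "unknown"

def check_dex(blob: bytes) -> dict:
    """Validate the DEX header fields a loader relies on; one boolean per check so the
    caller can see exactly what failed (e.g. a patched or truncated file)."""
    result = {"magic": blob[:8] in DEX_MAGICS}
    if not result["magic"] or len(blob) < HEADER_SIZE:
        result.update(checksum=False, signature=False, file_size=False,
                      header_size=False, endian=False)
        return result
    (checksum,) = struct.unpack_from("<I", blob, 8)
    signature = blob[12:32]
    file_size, header_size, endian = struct.unpack_from("<III", blob, 32)
    result["checksum"] = (zlib.adler32(blob[12:]) & 0xFFFFFFFF) == checksum
    result["signature"] = hashlib.sha1(blob[32:]).digest() == signature
    result["file_size"] = file_size == len(blob)
    result["header_size"] = header_size == HEADER_SIZE
    result["endian"] = endian == ENDIAN_CONSTANT
    return result

def is_valid_dex(blob: bytes) -> bool:
    return all(check_dex(blob).values())

def build_minimal_dex() -> bytes:
    """Construct a header-only DEX (no classes) with a correct checksum and signature.
    This is test data built here, not the dropped file from the report."""
    body = bytearray(HEADER_SIZE)
    body[0:8] = DEX_MAGICS[0]
    struct.pack_into("<III", body, 32, HEADER_SIZE, HEADER_SIZE, ENDIAN_CONSTANT)
    # link/map/ids/data fields stay zero; signature and checksum are computed last
    body[12:32] = hashlib.sha1(bytes(body[32:])).digest()
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)

def hashes(blob: bytes) -> dict:
    """The same digests the report lists, so a recovered file can be matched against it."""
    return {name: hashlib.new(name, blob).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}

if __name__ == "__main__":
    sample = build_minimal_dex()
    print(identify(sample), check_dex(sample), hashes(sample)["sha256"])
```

A loader such as DexClassLoader recomputes none of these on Android 8+ beyond what dex2oat checks, so a dropped payload with a bad checksum will often still run; treat checksum or signature mismatches as a sign of post-build patching rather than as proof the file is not a DEX.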

/data/user/0/com.helpsmallgfq/.qcom.helpsmallgfq

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

/data/user/0/com.helpsmallgfq/.qcom.helpsmallgfq

MD5 feb943de418e879a95d1be7e97c115a7
SHA1 fdc4d1f93e71d0bc3e95c45d3a56aab72e7df908
SHA256 710cd0408f7fd72f6ab373f281a6a8a0f11e4ce7422052089378666a6cb71813
SHA512 39c75f134f3524bb255569acb86983f91bddb064477401293b928c2738cdb46a549cd978cbff9c75ab8e2d55a003cea1a16f41d889899051e66d179b60d7b6cd

/data/user/0/com.helpsmallgfq/kl.txt

MD5 39cf4d7d27c0e46e4a7138d7501ee6bf
SHA1 79215147abca087041054aef38ed3999a571bdbd
SHA256 4c59289b08903c7406772e414c40ddfeb0f22af744cab3afd41a260a876df129
SHA512 49baf76b5e631e6e92b315a6cf2f6f304726b6ccab8572155f7939dc767034ca2ff29e561b3fcd206660f964d8f64845bdfb68727a6ca76bea46c8e2fed53013

/data/user/0/com.helpsmallgfq/kl.txt

MD5 f859950cd9867c900ca0d8f991e4e53c
SHA1 b97f0452932367fa5a51574225bdb2115abce464
SHA256 71724aa18839d5e8ddfec92738ce2cce4f95eafd136d97afc35da3aaa9baa0e8
SHA512 065aaf9c9792cb3839d828bf30222caab63be79754b993edbdaa5201a0743ee969e970f99694be3a2466230a2ddea4f84b5c99a0b45c51a9a4765bdec0f2c77b

/data/user/0/com.helpsmallgfq/kl.txt

MD5 9b438b50f73a62dc27193acce4a58cdb
SHA1 db98105fccf3e0451080180bde0f9bf12189f4ad
SHA256 330d5c024f2c0a71df228c891ce09607b853881dfc42d4a1723181a5a59204dd
SHA512 e631c10d89b7ac7d80e672904b0c77eb1cda6b1e323164e323e0a115f5b4efa066831a3e46f6826061d4999467402c05dcbce3875d08e96043be012b659ead2f

/data/user/0/com.helpsmallgfq/kl.txt

MD5 50f0571e95865fd7ac5421a50dba9e5d
SHA1 d09420f31c0022a2fa137c531f5874818284d413
SHA256 2a7a5feef77e2df466d64dbe2ba17a7e6c250143dcfa483bee34d80adc92ae1c
SHA512 6d55af24c81e2e11e1124299cf7d69a0c2dbf700dd8b23f4505db7702d5c84922932e6202ea87e615695ab1c6fae0aa965d7a364685686cc12464fb4c9279915

/data/user/0/com.helpsmallgfq/kl.txt

MD5 cce74c5a89344965875e5d4b8a4211f5
SHA1 3e7c79c24ce78a232e0bafd8ca4df7576b401836
SHA256 a40b644f3ebac841c14b0a87a44e4ddaec8ecbc0635db2fcaa821e1f8f9e5fb6
SHA512 097fdef02f6bee7da83e0b64b8f0aeabf8f58a507f040b0b32449a13e2ff7db6ce79efa4ceff87838a8076c4229e046e74916aa8dfd1051b948d1e55d791536b

/data/user/0/com.helpsmallgfq/kl.txt

MD5 fdfc67a1486da061f4e2b2d058d43e81
SHA1 2ef847d94ed278135a793f300b398ddf1e0ea186
SHA256 b4bcf8a9ef36e755b7431e8b0e22e629adba917db6ca89e5e6c3e91475af5551
SHA512 f6e701b398930d12b129e2b388db5dc823ad0a2880766877efad03aa4cc1885006b398e64ebce6b9b7e01ea655aafa33cf064e1a09108fd5cd639f746ba2efbd

/data/user/0/com.helpsmallgfq/kl.txt

MD5 4e2b5578f5fd5640dd1792a197661227
SHA1 e818204e86c0230c9be6e69c839e2a5df01baddf
SHA256 b870e6a5f653574d45f63c78715e76551bc2fe483fcf3f1fc8577b096f524686
SHA512 851993cbc779b045c1f19a6828586103f152c6bf5d9e90c828bb34fce15bbcd4f214c77a77191bd3abe157a7790f181032faac19b71ec4e30f21181da89f97f7

/data/user/0/com.helpsmallgfq/kl.txt

MD5 3b9716e1d3f49249cb68785f86135500
SHA1 1422e3b17cbb9e24cff095338a42137909885c05
SHA256 eb0a5b9105037a7e6de94374fec87f18403bad8d364d04d06966478edd607f96
SHA512 8fde1c52a8c910de1cd6c6044c7465186e1465a20dba82ac8bcade849a508b1fe5eef90365a8f63201080a8e7857d15718f3f8deb88528379e1b25a2cb9dc1ad

/data/user/0/com.helpsmallgfq/kl.txt

MD5 2efa8334ec54f8a0547456fb06f615d6
SHA1 dde5b1129eee9fdcf67e3aab49df553182f47634
SHA256 170eb21bb8302b5dabcfc0d3d94a2df104b41d88a3e149e5853887fd8b971e78
SHA512 1916f7f050bf285a6b48ac09c535d81344fb848afcdd835a3a573f8ce57c510b8acaefdf09ee95d44f7f637b2cc0b70897e4e0b261a659fa049b50b0f9775854

/data/user/0/com.helpsmallgfq/kl.txt

MD5 5d212515d3da50127ddae5941a74ee59
SHA1 2e6c023228647f2c0a31693ecc34411a693e5443
SHA256 c64d4210b9470e797b75790d47808f2cdbd1c23b30f63110935a25c5bc3455c3
SHA512 09b893addeb7056a095409dc57765f7e0156ee7c79d37597e248a73d0308fc1741247d8e0e3f0a95f8a51d361280e6e03d116b29f4fa2950925e865638ec68cf

/data/user/0/com.helpsmallgfq/kl.txt

MD5 f73efe3a2971bcd54ed4d9cbc151881c
SHA1 fc7f4321e3bb34d54e241933483b89f6aa894e47
SHA256 eba20c9b999aa4d0b20aec16a9250017a8b126921559957376fc57b7ffad6bb2
SHA512 28b5db11d8651e55073aa21a02172e682c1fea80968102b1b79195e3c242e9cae184cfbc5c730e46300f5ef33faebf5bfb9d29ecd515e2dc6594fb0c7021a08b

/data/user/0/com.helpsmallgfq/kl.txt

MD5 411c740c19737844565db7058e06965d
SHA1 0879ced5c3f904b8eb4a79163375a2c9cd3d22b9
SHA256 f321609f5308a4b7209e2fac8e8ab2389f3b899637640d315cea3f20162d9207
SHA512 5aecdd5aa571b48fa98296760f9a11267a8f7700774ae35ba0d5ede033afcfd75c0e471094435dd138d092146f711adcf5873d8d949e44d608f074e214c4b9c3

/data/user/0/com.helpsmallgfq/kl.txt

MD5 5ffe7581b51c688fe686a1680b8db2f9
SHA1 169020f6e6734241a721b257410c97dc7a80a819
SHA256 84e9954780416a3ced2b0f0ffc8e2a19570769d945a6ac4c2e5e2195258522fd
SHA512 edaa5d4ab0339841bf628c9b4ec2a7d7226f12dbc5573d038d9bbff86e64c3b463d1fa63977d2783579d30c4ab00504481c534c1049887adb7704ce2f0bbf13d

/data/user/0/com.helpsmallgfq/cache/oat/vweuds.cur.prof

MD5 2d9c1589c9fcd98ce7e2526f2e332f15
SHA1 d3b56d962c9944c22fa8873bd550fe6065de9a50
SHA256 abcefeba459d5ad42b00ebb6742db654e19c5601faed3fabb8637aa380783c47
SHA512 193ca3139895b84cf01924cfd3aca57f51c746159aef8685978464b0b3843a769c989531e42f8b72fb77c61ea3247bf1ec20417961b5bf6d94a50b9d19fed232

/data/user/0/com.helpsmallgfq/kl.txt

MD5 1755283a692981da0238c8354227d32f
SHA1 3f1539fcb822ea5ab8b22296802e8e1131834e11
SHA256 0999bdc8028d7d77135cdf2a643a9151b8db84a13574fde66fc948a567f07503
SHA512 695356dbceb7ab6b5b51f51630b79c1fd8c03f7bd4756a1ba21eca93f0d9f70f5535077abc620695a613a5233178fea94aec009a659e5b57f7c6507bf0689890

/data/user/0/com.helpsmallgfq/kl.txt

MD5 424d26d9ca21a53f15601815f6298bdd
SHA1 b59164e3c326e5fcfd029a01ca4815b243ef4960
SHA256 6803cad98d1edb2d99e915a7617339b016601e409636819677d854f727c0491c
SHA512 32f9e9dc047228ac2efa47a5b6c3791294a8e22ed3c76310fd71e16e8f2ccc4a26c4187e4c582d32718a7cafc1bf9f94f2312f382369b12d78a297fb2fe0daa5

/data/user/0/com.helpsmallgfq/kl.txt

MD5 b3de16dbec6e4dcc5ec8f4038791c157
SHA1 3ed40bd9f00f1c000b3595db965ac0e706939351
SHA256 ee73185f077b7d0436fe8aa5d97d624e04f9525b991f3a781e2a05b6a5aaac96
SHA512 19cc8750b1dbc82af8bb7fa48c42a61e4af29722a40badba5d3304946ca45e494af55cb5f5fc79a59c103b6f1a5239bd7586b2b59fbf0e5ff9b12fecd057ac6f

/data/user/0/com.helpsmallgfq/kl.txt

MD5 0d9aeaf6b3b1f9f812bd14504f47666a
SHA1 a6ddd5ae462684449a1e077334b052e10f22ed84
SHA256 0e30480e9eaabf3c696c4523911d459f38ef40133ca0f7308ff35c253231db59
SHA512 6f24b5256c979c6b45dc573d093a9eb660b4623da26d2140c89621f290a68d440d1143ae40b19b5c4e47f9c020e61417cb1adf0af75969eb57c5798a033a3129

/data/user/0/com.helpsmallgfq/kl.txt

MD5 3ae1418d79f6827bfa9ea16a68280613
SHA1 95992fe84c1296bcab654c4b6201fbc4c1d03d1f
SHA256 c570c2cb7f94113d1d12b8a7dfb12141604e14f5664ea158adc2d835bcba3c3e
SHA512 5621e2cca8077ac7bde2fb5b379ce550dd6f385d68ba8f887d0d1046b39eef4d5d6f131cd9104de3f199810ad0330c5fe3f84bb3286937e5d29b8e1217cfe4a0

/data/user/0/com.helpsmallgfq/kl.txt

MD5 5970dc051ef28c22550d8e9c314d3a91
SHA1 69af8672b3bf6e9009499c1f0dcf3937cf41c959
SHA256 ad846153b4a53443996642c2c0f0f1d6015a355f96267935b66a77954c994f4a
SHA512 afbd8f733aef1aabb090fb5236df4351b25e76a304b68e419077942d6b24861c75a84126bbdc12c55cc52e450fd60d72592dce2f0bc43b26d2c0f0fac4363f9c