Malware Analysis Report

2024-09-09 13:44

Sample ID 240519-1wv2zsca55
Target 8876d90ca56b89ba6b9814643460784823980b35b1c238affe6d72ea0b19ad39.bin
SHA256 8876d90ca56b89ba6b9814643460784823980b35b1c238affe6d72ea0b19ad39
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8876d90ca56b89ba6b9814643460784823980b35b1c238affe6d72ea0b19ad39

Threat Level: Known bad

The file 8876d90ca56b89ba6b9814643460784823980b35b1c238affe6d72ea0b19ad39.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth

Octo

Octo payload

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Prevents application removal

Makes use of the framework's Accessibility service

Requests access to notifications (often used to intercept notifications before users become aware)

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries the mobile country code (MCC)

Loads dropped Dex/Jar

Makes use of the framework's foreground persistence service

Queries the phone number (MSISDN for GSM devices)

Queries the unique device ID (IMEI, MEID, IMSI)

Declares broadcast receivers with permission to handle system events

Reads information about the phone network operator

Declares services with permission to bind to the system

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests dangerous framework permissions

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-19 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 22:00

Reported

2024-05-19 22:07

Platform

android-x64-20240514-en

Max time kernel

178s

Max time network

169s

Command Line

com.endbetween46

Signatures

Octo

banker trojan infostealer rat octo

Octo payload


Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.endbetween46/cache/nkbkg N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about the phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.endbetween46

Network


Files

/data/data/com.endbetween46/cache/nkbkg

/data/data/com.endbetween46/kl.txt

/data/data/com.endbetween46/kl.txt

/data/data/com.endbetween46/kl.txt

/data/data/com.endbetween46/kl.txt

/data/data/com.endbetween46/kl.txt

/data/data/com.endbetween46/cache/oat/nkbkg.cur.prof

/data/data/com.endbetween46/.qcom.endbetween46

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 22:00

Reported

2024-05-19 22:07

Platform

android-x86-arm-20240514-en

Max time kernel

178s

Max time network

159s

Command Line

com.endbetween46

Signatures

Octo

banker trojan infostealer rat octo

Octo payload


Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion

Requests access to notifications (often used to intercept notifications before users become aware)

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.endbetween46/cache/nkbkg N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about the phone network operator

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.endbetween46

Network


Files

/data/data/com.endbetween46/cache/nkbkg

/data/data/com.endbetween46/kl.txt

/data/data/com.endbetween46/kl.txt

/data/data/com.endbetween46/kl.txt

/data/data/com.endbetween46/kl.txt

/data/data/com.endbetween46/kl.txt

/data/data/com.endbetween46/cache/oat/nkbkg.cur.prof

/data/data/com.endbetween46/.qcom.endbetween46