Malware Analysis Report

2024-09-09 13:45

Sample ID 240519-2walqaff81
Target e2ed40286a9d8975e01bd6138bb5f00099bd1c91bff48bcf526c6d47cf8de03b.bin
SHA256 e2ed40286a9d8975e01bd6138bb5f00099bd1c91bff48bcf526c6d47cf8de03b
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Analysis Overview

score
10/10

SHA256

e2ed40286a9d8975e01bd6138bb5f00099bd1c91bff48bcf526c6d47cf8de03b

Threat Level: Known bad

The file e2ed40286a9d8975e01bd6138bb5f00099bd1c91bff48bcf526c6d47cf8de03b.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Prevents application removal

Requests accessing notifications (often used to intercept notifications before users become aware).

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries the phone number (MSISDN for GSM devices)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator.

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-19 22:55

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 22:55

Reported

2024-05-20 08:09

Platform

android-x86-arm-20240514-en

Max time kernel

178s

Max time network

147s

Command Line

com.endbetween46

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.endbetween46/cache/nkbkg | N/A | N/A
N/A | /data/user/0/com.endbetween46/cache/nkbkg | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.endbetween46

Network

Files

/data/data/com.endbetween46/cache/nkbkg

/data/data/com.endbetween46/kl.txt

/data/data/com.endbetween46/kl.txt

/data/data/com.endbetween46/kl.txt

/data/data/com.endbetween46/kl.txt

/data/data/com.endbetween46/kl.txt

/data/data/com.endbetween46/cache/oat/nkbkg.cur.prof

/data/data/com.endbetween46/.qcom.endbetween46

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 22:55

Reported

2024-05-19 22:58

Platform

android-33-x64-arm64-20240514-en

Max time kernel

179s

Max time network

183s

Command Line

com.endbetween46

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.endbetween46/cache/nkbkg | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.endbetween46

Network

Files

/data/data/com.endbetween46/cache/nkbkg

/data/data/com.endbetween46/kl.txt

/data/data/com.endbetween46/kl.txt

/data/data/com.endbetween46/kl.txt

/data/data/com.endbetween46/kl.txt

/data/data/com.endbetween46/kl.txt

/data/data/com.endbetween46/cache/oat/nkbkg.cur.prof

/data/data/com.endbetween46/.qcom.endbetween46
