Malware Analysis Report

2024-09-09 13:44

Sample ID 240523-1yfp3saf2t
Target 426954e0a7644e35830b79367caefe01f3e7e365c0eb47313a11ed2e66eaf085.bin
SHA256 426954e0a7644e35830b79367caefe01f3e7e365c0eb47313a11ed2e66eaf085
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

426954e0a7644e35830b79367caefe01f3e7e365c0eb47313a11ed2e66eaf085

Threat Level: Known bad

The file 426954e0a7644e35830b79367caefe01f3e7e365c0eb47313a11ed2e66eaf085.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Octo is an Android banking trojan family descended from ExobotCompact. It performs on-device fraud and remote control through the Accessibility service, which is why most of the signatures below centre on that service.

Prevents application removal

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests accessing notifications (often used to intercept notifications before users become aware).

Checks CPU information

Makes use of the framework's foreground persistence service

Checks memory information

Queries the phone number (MSISDN for GSM devices)

Queries the mobile country code (MCC)

Obtains sensitive information copied to the device clipboard

Registers a broadcast receiver at runtime (usually for listening for system events)

Loads dropped Dex/Jar

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Acquires the wake lock

Declares services with permission to bind to the system

Requests disabling of battery optimizations (often used to enable hiding in the background).

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-23 22:03

Signatures

Declares broadcast receivers with permission to handle system events

android.permission.BIND_DEVICE_ADMIN
    Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

android.permission.BIND_ACCESSIBILITY_SERVICE
    Required by accessibility services to bind with the system. Allows apps to access accessibility features.
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE
    Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.

Requests dangerous framework permissions

android.permission.WRITE_EXTERNAL_STORAGE
    Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE
    Allows an application to read from external storage.
android.permission.RECEIVE_SMS
    Allows an application to receive SMS messages.
android.permission.READ_SMS
    Allows an application to read SMS messages.
android.permission.SEND_SMS
    Allows an application to send SMS messages.
android.permission.READ_PHONE_STATE
    Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.CALL_PHONE
    Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.WRITE_SETTINGS
    Allows an application to read or write the system settings.
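The permission set above is the static fingerprint of this class of banker: three privileged bind permissions on declared components (Accessibility, notification listener, device admin) next to SMS and telephony permissions. The script below is an added example for scoring a decoded manifest against that profile; it is not the sandbox's own check and not code from the sample. It assumes the manifest has already been decoded to plain XML (apktool or androguard output). SAMPLE_MANIFEST is constructed from the permissions the report lists for com.songcuttme, and the component class names in it are hypothetical.

```python
"""Score a decoded AndroidManifest.xml for the Octo-style component and
permission profile. Added example; the weighting is a triage heuristic, not a
published scale, and SAMPLE_MANIFEST is constructed (class names hypothetical).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Bind permissions cannot be requested by the app itself; the system grants
# them only when the component is enabled in Settings. Declaring a component
# guarded by one is the static half of the technique; the behavioral
# signatures (accessibility calls, listener settings intent) are the other half.
BIND_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "reads/clicks other apps' UI (overlay, keylog, remote control)",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "reads and dismisses notifications (SMS/OTP interception)",
    "android.permission.BIND_DEVICE_ADMIN": "device admin receiver (resists uninstall)",
}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
PHONE_PERMS = {"android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE"}


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def profile_manifest(xml_text):
    root = ET.fromstring(xml_text)
    requested = {_attr(e, "name") for e in root.iter("uses-permission")}
    bound = {}  # bind permission -> component class declaring it
    for comp in list(root.iter("service")) + list(root.iter("receiver")):
        perm = _attr(comp, "permission")
        if perm in BIND_PERMS:
            bound[perm] = _attr(comp, "name")

    findings = ["%s is guarded by %s: %s" % (cls, perm, BIND_PERMS[perm])
                for perm, cls in bound.items()]
    sms = sorted(requested & SMS_PERMS)
    phone = sorted(requested & PHONE_PERMS)
    if sms:
        findings.append("SMS access: " + ", ".join(sms))
    if phone:
        findings.append("telephony access: " + ", ".join(phone))

    # Each privileged binding counts double; the SMS and telephony groups
    # count once each. Three bindings plus both groups gives 8.
    score = 2 * len(bound) + bool(sms) + bool(phone)
    verdict = "octo-like" if score >= 5 else ("review" if score else "clean")
    return {"package": root.get("package"), "score": score,
            "verdict": verdict, "findings": findings}


# Constructed from the static1 permission list; class names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.songcuttme">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".AccessibilityStub"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotificationStub"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminStub"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    result = profile_manifest(SAMPLE_MANIFEST)
    print(result["package"], result["verdict"], result["score"])
    for line in result["findings"]:
        print("  -", line)
```

Run it over a directory of decoded manifests to pull Octo-shaped candidates out of a bulk APK feed; a legitimate app that legitimately needs one of the three bindings (a screen reader, a wearable companion) will score 2, well below the threshold.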

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 22:03

Reported

2024-05-23 22:21

Platform

android-x86-arm-20240514-en

Max time kernel

179s

Max time network

131s

Command Line

com.songcuttme

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

No indicator recorded.

Makes use of the framework's Accessibility service

collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
This is the binder call behind AccessibilityNodeInfo traversal, i.e. the sample is reading the text and controls of other apps' screens.

Prevents application removal

evasion
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
performGlobalAction lets an enabled accessibility service inject global navigation actions such as BACK and HOME; bankers use it to push the user out of the app-info, uninstall and accessibility-settings screens before removal completes.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
No indicator recorded.

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS

Checks CPU information

evasion discovery
File opened for read: /proc/cpuinfo

Checks memory information

evasion discovery
File opened for read: /proc/meminfo

Loads dropped Dex/Jar

evasion
Dropped file loaded as code: /data/user/0/com.songcuttme/cache/dyokgf

Makes use of the framework's foreground persistence service

evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Queries the mobile country code (MCC)

discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call: android.app.IActivityManager.registerReceiver

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Uses Crypto APIs (Might try to encrypt user data)

impact
Framework API call: javax.crypto.Cipher.doFinal

Processes

com.songcuttme

Network

Country  Destination          Domain                              Proto
GB       142.250.187.195:443  -                                   tcp
N/A      224.0.0.251:5353     -                                   udp
GB       216.58.204.78:443    -                                   tcp
US       1.1.1.1:53           android.apis.google.com             udp
GB       142.250.200.46:443   android.apis.google.com             tcp
US       1.1.1.1:53           semanticlocation-pa.googleapis.com  udp
US       1.1.1.1:53           54ggter6ujfgt.site                  udp
US       1.1.1.1:53           frewgewhy6fg.top                    udp
US       1.1.1.1:53           www.ip-api.com                      udp
US       208.95.112.1:80      www.ip-api.com                      tcp
US       1.1.1.1:53           kdehrweuybvfrer4.xyz                udp
US       1.1.1.1:53           jey6mjdyerh82k.online               udp
GB       142.250.178.3:443    -                                   tcp
(-: no domain recorded for the connection)

Files

/data/data/com.songcuttme/cache/dyokgf

MD5 f8381cf8f86cec2fe023ef7c7ea1eef3
SHA1 900d231469096258522fe835c3db86db626d8134
SHA256 c7ee41ba68b8e9b5a89223c6c47735cdde4ed8576b04c1d9f45e9f4e20232f5c
SHA512 0e4c34efa8ee76023e42e81062f83d284e60b842d5029d1e2d7b4de6181edc1e4654fdda3fb50a3550d4e82c5298315b8cd5cb82f120f06c36f969cf7918269e

/data/data/com.songcuttme/kl.txt (the same path is recorded five times below with different hashes, i.e. the file was rewritten during the run)

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.songcuttme/kl.txt

MD5 73d80bb54e8f1663a3a2e87c3aeb3187
SHA1 e29e86bcf6cef04c8e6ddad6611f73ee7f492c66
SHA256 9ada1a92cb15e6eae5560ebcc5e9e9fef92f1f0041c9301075ef19a9c1a64b50
SHA512 cf88b792277f7b91312b55fe5508217bf67b73d96cedd3ce527abdd63b31f00fe35f6e8994454d3b2e60e35d9422561e222e0300a1f2992f0d192ed38d892194

/data/data/com.songcuttme/kl.txt

MD5 2cb8877c5ab5c68c202246a4733cfc4c
SHA1 a207b013106d2bb6c6dcd9dcdeed097a48963447
SHA256 70905b90f608cbf83e7a9590d0b13134b94eeb121a5b283ac9df2bda69271f60
SHA512 2cb1b3e9f1d9b6416f18b6887aff6e96815da344f76fe2c7cf225e32fa97e64bbbdf78513ab5c7b3559051d68a8ec58584551b4ed2b8dfb49981a013d778a1c6

/data/data/com.songcuttme/kl.txt

MD5 d7b6f387348ced5178fa3c1f7110f618
SHA1 c6f39c99c5a9ed76d291c02e732455cf02c3c720
SHA256 c66d4d0757cd8c9e8b3f6a537844a690e088173ed8dd8555ae3be77fea76de32
SHA512 3522a88265eba3731530a913425af0a919e4992cb2cde6cedeb636e0573c9211df7219c171b6df42f28fa3b06ca51626b043f08ec629b545454c4152f8e1b972

/data/data/com.songcuttme/kl.txt

MD5 323ba8425678ad6664c9173cbc9e008c
SHA1 58b9dc94d14961038b98f58e7db73c3fb8ff2d83
SHA256 884f28a31c83f9de1d9d0b49c54637433afd48b50b8e8cafc0e3d667a85bf05d
SHA512 640b23d6dc08da6642b790e4e24e2dca98d73b157ee339fcd21eaf5ca4d64b014de6f75e75d1ba1cd7ea9655123492ed531d3cfede6cfcca951a1fa40eb90f65

/data/data/com.songcuttme/cache/oat/dyokgf.cur.prof (ART runtime profile for cache/dyokgf; ART writes one for dex code loaded at runtime, which corroborates the Loads dropped Dex/Jar signature)

MD5 275da2219f325eae580e1b8578a29f7d
SHA1 ca25029c11440287fd4ee9656675b7e36a86b11f
SHA256 711c04967a5fc15a5caa43c22f83c1814bb84028bdd438ae8bafa5f317e17808
SHA512 b25abd4aa5a28fbaa94d75a251773c148adf21d8e22218e18daf81710797f3150321a8f6870945290fc8998fee30297fe134c0f30abab160208a8f8f9df2a835

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 22:03

Reported

2024-05-23 22:21

Platform

android-x64-arm64-20240514-en

Max time kernel

179s

Max time network

145s

Command Line

com.songcuttme

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

No indicator recorded.

Makes use of the framework's Accessibility service

collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId

Prevents application removal

evasion
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS

Checks CPU information

evasion discovery
File opened for read: /proc/cpuinfo

Checks memory information

evasion discovery
File opened for read: /proc/meminfo

Loads dropped Dex/Jar

evasion
Dropped file loaded as code: /data/user/0/com.songcuttme/cache/dyokgf

Makes use of the framework's foreground persistence service

evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Framework service call: android.content.IClipboard.addPrimaryClipChangedListener
The listener fires on every clipboard change, so anything the user copies (passwords, wallet addresses, OTP codes) is delivered to the sample.

Queries the mobile country code (MCC)

discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Uses Crypto APIs (Might try to encrypt user data)

impact
Framework API call: javax.crypto.Cipher.doFinal
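The behavioral signatures in both runs come down to three footholds a responder can check on a live device: an enabled accessibility service, an enabled notification listener, and a package the user has exempted from battery optimizations, all held by the same third-party package. The script below is an added example for that triage, not from the report and not part of any tool the report names. It parses text captured with three adb commands (`adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure enabled_notification_listeners`, `adb shell dumpsys deviceidle whitelist`); the formats assumed are that the two settings are ':'-separated "package/class" component names ("null" when empty) and that the whitelist dump prints one "kind,package,uid" line per entry, with "user" marking packages exempted at the user's request. The captures are constructed: com.songcuttme is the sample's package, the class names are hypothetical, and com.example.watchcompanion stands in for a legitimate app that holds two of the footholds.

```python
"""Device triage for the Octo foothold: accessibility + notification listener +
battery-optimization exemption on one third-party package. Added example;
the adb output formats are assumed (see lead-in) and the captures below are
constructed.
"""
from collections import defaultdict


def parse_components(setting_value):
    """'pkg/cls:pkg2/cls2' -> {'pkg', 'pkg2'}; 'null' or empty means none."""
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def parse_deviceidle_whitelist(dump):
    """Packages exempted from Doze/battery optimizations at user level
    (the outcome of accepting a REQUEST_IGNORE_BATTERY_OPTIMIZATIONS prompt)."""
    pkgs = set()
    for line in dump.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and parts[0] == "user":
            pkgs.add(parts[1])
    return pkgs


def triage(a11y_setting, listener_setting, whitelist_dump, allowlist=frozenset()):
    """Return {package: [capabilities]} for packages holding two or more of the
    footholds and not on the responder's allowlist."""
    caps = defaultdict(set)
    for pkg in parse_components(a11y_setting):
        caps[pkg].add("accessibility")
    for pkg in parse_components(listener_setting):
        caps[pkg].add("notification_listener")
    for pkg in parse_deviceidle_whitelist(whitelist_dump):
        caps[pkg].add("battery_opt_exempt")
    return {pkg: sorted(c) for pkg, c in caps.items()
            if pkg not in allowlist and len(c) >= 2}


# Constructed captures; class names hypothetical, TalkBack and the watch
# companion stand in for legitimate holders of these capabilities.
A11Y = ("com.songcuttme/com.songcuttme.AccessibilityStub:"
        "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService")
LISTENERS = ("com.songcuttme/com.songcuttme.NotificationStub:"
             "com.example.watchcompanion/com.example.watchcompanion.ListenerService")
WHITELIST = """system-excidle,com.android.providers.downloads,10005
system,com.android.vending,10020
user,com.songcuttme,10167
user,com.example.watchcompanion,10150
"""
ALLOWLIST = frozenset({"com.google.android.marvin.talkback",
                       "com.example.watchcompanion"})

if __name__ == "__main__":
    for pkg, caps in sorted(triage(A11Y, LISTENERS, WHITELIST, ALLOWLIST).items()):
        print(pkg, "->", ", ".join(caps))
```

The allowlist is what keeps this from flagging every wearable companion; without it the constructed capture produces two hits. Device admin (the BIND_DEVICE_ADMIN receiver from static1) is visible through `adb shell dumpsys device_policy`, and a hidden launcher icon explains why the package shows up here but not in the app drawer; both are worth checking next, and a package that holds all three footholds should be removed via `adb uninstall` rather than through the Settings UI the sample is guarding.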

Processes

com.songcuttme

Network

Country  Destination          Domain                              Proto
N/A      224.0.0.251:5353     -                                   udp
GB       142.250.178.14:443   -                                   tcp
US       1.1.1.1:53           android.apis.google.com             udp
GB       142.250.179.238:443  android.apis.google.com             tcp
US       1.1.1.1:53           54ggter6ujfgt.site                  udp
US       1.1.1.1:53           jey6mjdyerh82k.online               udp
US       1.1.1.1:53           kdehrweuybvfrer4.xyz                udp
US       1.1.1.1:53           www.ip-api.com                      udp
US       208.95.112.1:80      www.ip-api.com                      tcp
US       1.1.1.1:53           frewgewhy6fg.top                    udp
US       1.1.1.1:53           ssl.google-analytics.com            udp
GB       142.250.187.232:443  ssl.google-analytics.com            tcp
GB       142.250.178.4:443    -                                   tcp
GB       142.250.178.4:443    -                                   tcp
GB       142.250.180.14:443   -                                   tcp
GB       172.217.169.34:443   -                                   tcp
(-: no domain recorded for the connection)
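The Network tables of both runs mix the sample's own traffic with the Android image's background chatter (the sandbox resolver, mDNS, Google endpoints). The script below is an added example for separating the two and is not part of the report; RAW holds the behavioral2 rows exactly as the report prints them (Country, Destination, optional Domain, Proto). Which names count as benign infrastructure and which as a geolocation service is the analyst's judgement, encoded in the two constants, not something the report states.

```python
"""Pull C2 candidates out of a sandbox network table. Added example; RAW is
the behavioral2 table above, BENIGN_SUFFIXES and GEOIP_SERVICES are analyst
assumptions, not report data.
"""
from collections import defaultdict

RAW = """N/A 224.0.0.251:5353 udp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
US 1.1.1.1:53 54ggter6ujfgt.site udp
US 1.1.1.1:53 jey6mjdyerh82k.online udp
US 1.1.1.1:53 kdehrweuybvfrer4.xyz udp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 frewgewhy6fg.top udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
GB 142.250.178.4:443 tcp
GB 142.250.178.4:443 tcp
GB 142.250.180.14:443 tcp
GB 172.217.169.34:443 tcp
"""

# Traffic the Android image generates on its own (assumption for this sandbox).
BENIGN_SUFFIXES = (".google.com", ".googleapis.com", ".google-analytics.com")
# Public geolocation API: tells the operator where the victim is, not C2.
GEOIP_SERVICES = {"www.ip-api.com", "ip-api.com"}


def parse_rows(raw):
    """Rows have 3 fields (no domain) or 4; the Domain column is optional."""
    rows = []
    for line in raw.strip().splitlines():
        fields = line.split()
        if len(fields) == 4:
            country, dest, domain, proto = fields
        elif len(fields) == 3:
            country, dest, proto = fields
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def extract_iocs(rows):
    """Classify non-benign domains and record which ones saw a real
    connection (anything to a port other than the resolver's 53)."""
    queried = set()
    connections = defaultdict(set)
    unattributed = set()
    for r in rows:
        d = r["domain"]
        if d is None:
            if r["port"] != 5353:  # direct-to-IP session with no DNS name attached
                unattributed.add("%s:%d" % (r["ip"], r["port"]))
            continue
        if d.endswith(BENIGN_SUFFIXES):
            continue
        queried.add(d)
        if r["port"] != 53:
            connections[d].add("%s:%d" % (r["ip"], r["port"]))
    return {
        "c2_candidates": sorted(d for d in queried if d not in GEOIP_SERVICES),
        "geoip_checks": sorted(d for d in queried if d in GEOIP_SERVICES),
        "connections": {d: sorted(v) for d, v in connections.items()},
        "plaintext_http": sorted(d for d, v in connections.items()
                                 if any(c.endswith(":80") for c in v)),
        "unattributed_endpoints": sorted(unattributed),
    }


if __name__ == "__main__":
    for key, value in extract_iocs(parse_rows(RAW)).items():
        print("%s: %s" % (key, value))
```

The four candidate domains show only DNS queries in this run and no follow-on TCP session, so for detection they are DNS-telemetry IOCs first; the one completed session the sample opened is plaintext HTTP to ip-api.com, which fits the MCC and network-operator lookups in the signatures (locating the victim before deciding whether to proceed). The unattributed 443 endpoints are Google address space reached without a visible lookup and cannot be assigned to the sample from this table alone.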

Files

/data/user/0/com.songcuttme/cache/dyokgf

MD5 f8381cf8f86cec2fe023ef7c7ea1eef3
SHA1 900d231469096258522fe835c3db86db626d8134
SHA256 c7ee41ba68b8e9b5a89223c6c47735cdde4ed8576b04c1d9f45e9f4e20232f5c
SHA512 0e4c34efa8ee76023e42e81062f83d284e60b842d5029d1e2d7b4de6181edc1e4654fdda3fb50a3550d4e82c5298315b8cd5cb82f120f06c36f969cf7918269e

/data/user/0/com.songcuttme/kl.txt (the same path is recorded five times below with different hashes, i.e. the file was rewritten during the run)

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/user/0/com.songcuttme/kl.txt

MD5 a26d623c626780f04b1e2036f687c371
SHA1 d51d80aefc09c777162d369aa42a1cfc1831f722
SHA256 c8d374f99b3c2ab8ef59bc766067ac31b0cbfc450cadb857fc228d263f4709e5
SHA512 a4c0c50787a7c8ee134ae3362619df53dcf7e452f7ed4cc0603e6c57079fb67bfc8a3dec5683b51409ad8d311e60bec3767d4ff2816061ba5979acef2bcaaa0f

/data/user/0/com.songcuttme/kl.txt

MD5 836697af65b404d908a176be160632f1
SHA1 3a626c9b76cd6923201166eae158b764c643aa16
SHA256 77373b9eb1f1d6428e14f91c5e01d33afda408f9ae27105716d31ba7deca0c1c
SHA512 f899fee5d9e449b8363d0462f300bd46f8e349b8ea5a52063c99f172db14e500604c3cbfe528648084f52986fd00b9310feb52633817f9510cd3cacfb53b218e

/data/user/0/com.songcuttme/kl.txt

MD5 4d2516b2b5bf6f9c26ec082f82bcfddd
SHA1 312e601f8bc3d53811e97cc7ef7e995fead37268
SHA256 ffdf50205ff11ed4eeae3227ee0effeca57a63cff2ca106203a670365d0a4151
SHA512 7304053ad1dd3efd5f35fc5d314f072bf55eba4269b9303bfdda4ceb37f8a0d195e4743dafd9a30d0038b1b0ae4827b3978f1ae38e9cc81848d43be200edfaa8

/data/user/0/com.songcuttme/kl.txt

MD5 e1edf3d728e8c6ae6aa07e22d7755e2f
SHA1 18e241109d231d6641f219de44c5642851e6419e
SHA256 904bd317c05b0444504e08dcc0834b9cf10b59f507d3d458eb4e00db115af2b6
SHA512 19957f26821a15fbc40b7767867ea6ad54dfc07b1e8440b1d782c4d72cff1fbae0929aaa8eea5946fbea8a9013519598c5ec0dff9a4dbfee742b6c62849c31e9

/data/user/0/com.songcuttme/cache/oat/dyokgf.cur.prof (ART runtime profile for cache/dyokgf; ART writes one for dex code loaded at runtime, which corroborates the Loads dropped Dex/Jar signature)

MD5 da74e2da32506d5db72fe18c82b19f04
SHA1 a1f44e487d0a164020ea27a45f445131cb8e984a
SHA256 bd28bca59ae341d111607982bbcd8cff81a9f91bcd4e4d24c47af27b260b36d4
SHA512 727a97a50c403a18d797fd3e9d6fb3d442965299d9e6c5f8b033fd289417dacdaa5cca059c7dac5b85aa005892a9a3c3e1bab995b904f4d81d6e613a9ae1943b