Malware Analysis Report

2024-09-09 13:45

Sample ID: 240528-1wth6aea7s
Target: bb98625a15353ef102d20ec83b4549a067fd58b6b301e4031354661094558be5.bin
SHA256: bb98625a15353ef102d20ec83b4549a067fd58b6b301e4031354661094558be5
Tags: octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: bb98625a15353ef102d20ec83b4549a067fd58b6b301e4031354661094558be5
Threat Level: Known bad

The file bb98625a15353ef102d20ec83b4549a067fd58b6b301e4031354661094558be5.bin was found to be: Known bad.

Malicious Activity Summary

Tags: octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload
Octo
Requests accessing notifications (often used to intercept notifications before users become aware)
Removes its main activity from the application launcher
Makes use of the framework's Accessibility service
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
Prevents application removal
Requests modifying system settings
Loads dropped Dex/Jar
Checks memory information
Queries the phone number (MSISDN for GSM devices)
Obtains sensitive information copied to the device clipboard
Makes use of the framework's foreground persistence service
Queries the mobile country code (MCC)
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks CPU information
Declares services with permission to bind to the system
Declares broadcast receivers with permission to handle system events
Requests disabling of battery optimizations (often used to enable hiding in the background)
Requests dangerous framework permissions
Queries the unique device ID (IMEI, MEID, IMSI)
Reads information about the phone network operator
Acquires the wake lock
Uses Crypto APIs (might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-28 22:00

Signatures

Declares broadcast receivers with permission to handle system events
android.permission.BIND_DEVICE_ADMIN: Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system
android.permission.BIND_ACCESSIBILITY_SERVICE: Required by accessibility services to bind with the system. Allows apps to access accessibility features.
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE: Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.

Requests dangerous framework permissions
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-28 22:00
Reported: 2024-05-28 22:03
Platform: android-x86-arm-20240514-en
Max time kernel: 69s
Max time network: 183s

Command Line

com.whatev2erwh2atever

Signatures

Octo
Tags: banker trojan infostealer rat octo

Octo payload
Indicator: N/A

Makes use of the framework's Accessibility service
Tags: collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Prevents application removal
Tags: evasion
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Removes its main activity from the application launcher
Tags: stealth trojan evasion
Indicator: N/A

Requests accessing notifications (often used to intercept notifications before users become aware)
Tags: collection credential_access
Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS

Requests modifying system settings
Tags: evasion
Intent action: android.settings.action.MANAGE_WRITE_SETTINGS

Checks CPU information
Tags: evasion discovery
File opened for read: /proc/cpuinfo

Checks memory information
Tags: evasion discovery
File opened for read: /proc/meminfo

Loads dropped Dex/Jar
Tags: evasion
Indicator: /data/user/0/com.whatev2erwh2atever/cache/ntygrhadjbuptz

Makes use of the framework's foreground persistence service
Tags: evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Queries the mobile country code (MCC)
Tags: discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Framework service call: android.app.IActivityManager.registerReceiver

Acquires the wake lock
Framework service call: android.os.IPowerManager.acquireWakeLock

Queries the unique device ID (IMEI, MEID, IMSI)
Tags: discovery

Reads information about the phone network operator
Tags: discovery

Requests disabling of battery optimizations (often used to enable hiding in the background)
Tags: evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Uses Crypto APIs (might try to encrypt user data)
Tags: impact
Framework API call: javax.crypto.Cipher.doFinal

Processes

com.whatev2erwh2atever

Network

Country  Destination            Domain                              Proto
GB       142.250.200.42:443     -                                   tcp
N/A      224.0.0.251:5353       -                                   udp
US       1.1.1.1:53             semanticlocation-pa.googleapis.com  udp
US       1.1.1.1:53             www.google.com                      udp
GB       142.250.179.228:443    www.google.com                      tcp
US       1.1.1.1:53             89divos.shop                        udp
US       1.1.1.1:53             www.ip-api.com                      udp
US       208.95.112.1:80        www.ip-api.com                      tcp
US       1.1.1.1:53             89divos.tech                        udp
US       1.1.1.1:53             89divos.art                         udp
SY       94.232.249.36:443      94.232.249.36                       tcp
GB       142.250.187.206:443    -                                   tcp
US       1.1.1.1:53             android.apis.google.com             udp
GB       142.250.200.46:443     android.apis.google.com             tcp
GB       172.217.169.66:443     -                                   tcp
GB       142.250.179.238:443    -                                   tcp
SY       94.232.249.36:443      -                                   tcp

Files

/data/data/com.whatev2erwh2atever/cache/ntygrhadjbuptz

MD5 65cb593886751d7394957a9da951aaf8
SHA1 64eedc22cbde9f912d227744f9ebe6b8e6f638f8
SHA256 8a6242f184ede2ac58585af93dc550c4b7a824570bc881222afa5071fb50d4bf
SHA512 13ab53b5c34be5e6a0aa93ee6d8761d8797d1626a9005c2ede2e23547daec56a58902e8e87e13ae7e4540618abbff5857233c7bfdc0601aeeabe263fc46e3766

/data/data/com.whatev2erwh2atever/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.whatev2erwh2atever/kl.txt

MD5 6e5ece685ed2484342fb9b0e8bed3c2b
SHA1 f68d019095bbb7df99d101939117eb57086e644a
SHA256 5c3aa907b68e717acb7118a250849f4a1fa1ec04ccd917b008c7c282f768dcc5
SHA512 ff735662db04b12a94f3fb86f9bd5f956e71a937c4155824f12db959dddc84d7030b428e18921e2a5bdb443d6e1b843088d1562b1fcabecbabd041ab9d69422a

/data/data/com.whatev2erwh2atever/kl.txt

MD5 a3c8802ac868f017d4c0cc7954ed12a9
SHA1 ec8f49f40a4a2edb1a087a6caf03016e89f3670b
SHA256 9797a27a6d63da508c87f98357ab007afafd5b7e4ea08384ee12fff331466cad
SHA512 1f488ff5b22dd6b9a2903a8e6f698dae298c7bb89dbff56d923fa9567abaa34e4af4d5a6d48856908c8cb79d8da330cd1880d1e77d3bcb5af2b0c5cc3b72a93b

/data/data/com.whatev2erwh2atever/kl.txt

MD5 5aa1781ff6b8de3408268a8942d88867
SHA1 0a5a2cca0ac69b7e1239949da10ee2f50044d66c
SHA256 162d9a7f07cf146305206cc7d27ccd3ee92d6fcbd85ecf85dbbff92581a5a0a2
SHA512 f92456c2c28222b19d234325ff139b93277f7aa432362663b69103d8a79c5c26ebe0f37795734a09beaf3153d38197f5a2b8077da12216a6036e8b5d6e67fa75

/data/data/com.whatev2erwh2atever/kl.txt

MD5 6e95e011070dd0e5f7896a5f4141244b
SHA1 e20956a760f7c1b40421424e4d48b50b7a300436
SHA256 a1b51bd265bf897a74c6a966fbbc6bb09e8d721d6828146402b366f15d63178d
SHA512 9f685d67a1c0f051ac67ad3ad67887e78703d99a7f79fde4faf92c4ec72be763b17ab4e4b11fb408fe09f5b8e2a73a5805dc4ed394bc9cd244f62bb35ec2a5c0

/data/data/com.whatev2erwh2atever/cache/oat/ntygrhadjbuptz.cur.prof

MD5 70f36ace70f87d99d804ac9061f9ee2e
SHA1 4b2ff9824a00a3df1d7ff9d3ba0ef58ecb65e0f7
SHA256 7a92b426565f402f260bb23d4ea9ae7db0048f8985ca35b1e8fec628ae31cdd5
SHA512 08bf56e94aca923d228ee10c630ca95d81ebf9246c3d61cb2804f7e83904cb5cf80816e2696652b09009bcbed18d4785b35bbc247c8d097657a762bbaa9a35bf

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-28 22:00
Reported: 2024-05-28 22:03
Platform: android-x64-arm64-20240514-en
Max time kernel: 179s
Max time network: 185s

Command Line

com.whatev2erwh2atever

Signatures

Octo
Tags: banker trojan infostealer rat octo

Octo payload
Indicator: N/A

Makes use of the framework's Accessibility service
Tags: collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Prevents application removal
Tags: evasion
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Requests accessing notifications (often used to intercept notifications before users become aware)
Tags: collection credential_access
Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS

Requests modifying system settings
Tags: evasion
Intent action: android.settings.action.MANAGE_WRITE_SETTINGS

Checks CPU information
Tags: evasion discovery
File opened for read: /proc/cpuinfo

Checks memory information
Tags: evasion discovery
File opened for read: /proc/meminfo

Loads dropped Dex/Jar
Tags: evasion
Indicator: /data/user/0/com.whatev2erwh2atever/cache/ntygrhadjbuptz

Makes use of the framework's foreground persistence service
Tags: evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Obtains sensitive information copied to the device clipboard
Tags: collection credential_access impact
Framework service call: android.content.IClipboard.addPrimaryClipChangedListener

Queries the mobile country code (MCC)
Tags: discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Acquires the wake lock
Framework service call: android.os.IPowerManager.acquireWakeLock

Reads information about the phone network operator
Tags: discovery

Requests disabling of battery optimizations (often used to enable hiding in the background)
Tags: evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Uses Crypto APIs (might try to encrypt user data)
Tags: impact
Framework API call: javax.crypto.Cipher.doFinal

Processes

com.whatev2erwh2atever

Network

Country  Destination            Domain                              Proto
N/A      224.0.0.251:5353       -                                   udp
GB       142.250.178.14:443     -                                   tcp
US       1.1.1.1:53             android.apis.google.com             udp
GB       142.250.187.238:443    android.apis.google.com             tcp
US       1.1.1.1:53             89divos.art                         udp
US       1.1.1.1:53             89divos.tech                        udp
SY       94.232.249.36:443      94.232.249.36                       tcp
US       1.1.1.1:53             www.ip-api.com                      udp
US       208.95.112.1:80        www.ip-api.com                      tcp
US       1.1.1.1:53             89divos.shop                        udp
US       1.1.1.1:53             ssl.google-analytics.com            udp
GB       142.250.187.196:443    -                                   tcp

Files

/data/user/0/com.whatev2erwh2atever/cache/ntygrhadjbuptz

MD5 65cb593886751d7394957a9da951aaf8
SHA1 64eedc22cbde9f912d227744f9ebe6b8e6f638f8
SHA256 8a6242f184ede2ac58585af93dc550c4b7a824570bc881222afa5071fb50d4bf
SHA512 13ab53b5c34be5e6a0aa93ee6d8761d8797d1626a9005c2ede2e23547daec56a58902e8e87e13ae7e4540618abbff5857233c7bfdc0601aeeabe263fc46e3766

/data/user/0/com.whatev2erwh2atever/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/user/0/com.whatev2erwh2atever/kl.txt

MD5 336eff83a1359b833ef07c9297c6d3aa
SHA1 a980b66f3f0818d8badf6ec3923d2cf2ae6ea3d7
SHA256 dc94785197863fe5c93dab04aff78ea62db482a2725621d99b5745bc8a369bc4
SHA512 155507664b3bc655c49259604465e5f2201bcd8365b58eac0988d57b947ac2f541b697dcc5badd00f13d33c0e242c546f40587c7a58129a45d76b55277abd172

/data/user/0/com.whatev2erwh2atever/kl.txt

MD5 83e4c95693c4e373f180ddd71ef1e8d8
SHA1 d983e53517f0288ccc339088f2c368561534e2bb
SHA256 fc973707e5e620784cbaf6d44019b965a76bd9041ac636d8d7f36d5763a890df
SHA512 c1d415043ee0609aa1e97a670d4a177705db0e90105870ba42c8d3aab728b5411e89e82df9cf1d314f2e9b3546caf60fc439834adbb414ce8191d0fd13c36a20

/data/user/0/com.whatev2erwh2atever/kl.txt

MD5 b3506b6d4fa1c395fc64af865ff306dd
SHA1 6bc4023a93a757c7e3bab0d78b3c9ca00ff7e8cd
SHA256 3b6297c2f612abaa95868f75597f73dff22c36919ea7f9097ac0d4e530fd7a3e
SHA512 dc4662d7393e2c42d3b7bfc113b964027c8ea11e2390f46d3099463f783473b576b3e51b8cd36c52568bc3116e4d2fc130765fa122a54b005a63d50f19023932

/data/user/0/com.whatev2erwh2atever/kl.txt

MD5 0aa0e50682cfc55d25977718b1928cae
SHA1 a1677f1ad0528d4d187939413c1ce257f77b41bd
SHA256 dedcdf28c9e6cfe204f28947ff70da4899fe7394620b9f24fbf98691bc42f57d
SHA512 61ec7e4ad585f09aa06bb7a92925d1e93d7e9aed8cc78161549c4a7b09b5b16cf5ce3e4d23fbaa5499926e23e455f0af960ee2d2e527039295926d7a754ec63f

/data/user/0/com.whatev2erwh2atever/cache/oat/ntygrhadjbuptz.cur.prof

MD5 eb08918bcef2afa8962b5a56c602d2d7
SHA1 f36cbb96055cec54b0f8586b712c41e55fd4d9fc
SHA256 dfba4c970473672166bdfb2ea78ceab25b15589bbc51153af6e4952872769409
SHA512 4f16d0c358e5754c89d9485362d0e3a8311763698dad1f0c2221bf62aef22459c9cff039ab6e0e5b2e0ab2cf201fc55faf8e150cdc8562350a1d28e5ff0c128c