Malware Analysis Report

2024-09-09 13:43

Sample ID 240528-1wwnhsea7x
Target 6b02cf5510e6ef3c61b6b785ab09d773636ca5e072f1d3d3ef75ae64a147676e.bin
SHA256 6b02cf5510e6ef3c61b6b785ab09d773636ca5e072f1d3d3ef75ae64a147676e
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Analysis Overview

score
10/10

SHA256

6b02cf5510e6ef3c61b6b785ab09d773636ca5e072f1d3d3ef75ae64a147676e

Threat Level: Known bad

The file 6b02cf5510e6ef3c61b6b785ab09d773636ca5e072f1d3d3ef75ae64a147676e.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Requests modifying system settings.

Removes its main activity from the application launcher

Requests accessing notifications (often used to intercept notifications before users become aware).

Prevents application removal

Makes use of the framework's foreground persistence service

Queries the phone number (MSISDN for GSM devices)

Registers a broadcast receiver at runtime (usually for listening for system events)

Loads dropped Dex/Jar

Queries the mobile country code (MCC)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Queries the unique device ID (IMEI, MEID, IMSI)

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator.

Acquires the wake lock

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-28 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-28 22:00

Reported

2024-05-28 22:04

Platform

android-x86-arm-20240514-en

Max time kernel

31s

Max time network

148s

Command Line

com.themfriend3

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.themfriend3/cache/jgipdijdja | N/A | N/A
N/A | /data/user/0/com.themfriend3/cache/jgipdijdja | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.themfriend3

Network


Files

/data/data/com.themfriend3/cache/jgipdijdja

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-28 22:00

Reported

2024-05-28 22:04

Platform

android-33-x64-arm64-20240514-en

Max time kernel

179s

Max time network

175s

Command Line

com.themfriend3

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.themfriend3/cache/jgipdijdja | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.themfriend3

Network


Files

/data/user/0/com.themfriend3/cache/jgipdijdja

/data/user/0/com.themfriend3/kl.txt

/data/user/0/com.themfriend3/kl.txt

/data/user/0/com.themfriend3/kl.txt

/data/user/0/com.themfriend3/kl.txt

/data/user/0/com.themfriend3/kl.txt

/data/user/0/com.themfriend3/kl.txt

/data/user/0/com.themfriend3/kl.txt

/data/user/0/com.themfriend3/kl.txt

/data/user/0/com.themfriend3/kl.txt

/data/user/0/com.themfriend3/kl.txt

/data/user/0/com.themfriend3/kl.txt

/data/user/0/com.themfriend3/kl.txt

/data/user/0/com.themfriend3/kl.txt

/data/user/0/com.themfriend3/kl.txt

/data/user/0/com.themfriend3/kl.txt

/data/user/0/com.themfriend3/kl.txt

/data/user/0/com.themfriend3/cache/oat/jgipdijdja.cur.prof

/data/user/0/com.themfriend3/.qcom.themfriend3
