Malware Analysis Report

2024-09-09 13:44

Sample ID 240529-z3t8laaa8v
Target 9209036c1ed5a6667160aff616060f2590a533bc723dc1834070d7337d37a529.bin
SHA256 9209036c1ed5a6667160aff616060f2590a533bc723dc1834070d7337d37a529
Tags octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 9209036c1ed5a6667160aff616060f2590a533bc723dc1834070d7337d37a529.bin was found to be: Known bad.

Malicious Activity Summary

Octo payload

Octo

Requests modifying system settings.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests accessing notifications (often used to intercept notifications before users become aware).

Prevents application removal

Makes use of the framework's Accessibility service

Removes its main activity from the application launcher

Checks CPU information

Loads dropped Dex/Jar

Makes use of the framework's foreground persistence service

Checks memory information

Queries the phone number (MSISDN for GSM devices)

Registers a broadcast receiver at runtime (usually for listening for system events)

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator.

Declares services with permission to bind to the system

Acquires the wake lock

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-29 21:15

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-29 21:15
Reported: 2024-05-29 21:18
Platform: android-x64-arm64-20240514-en
Max time kernel: 179s
Max time network: 132s

Command Line

com.objectuplz

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.objectuplz/cache/cappfw | N/A | N/A
N/A | /data/user/0/com.objectuplz/cache/cappfw | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.objectuplz

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.14:443 | | tcp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | 2moneycsasfasfh.com | udp
US | 1.1.1.1:53 | 2moneycsasfasfh.net | udp
US | 1.1.1.1:53 | moneycsasfasfh.net | udp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
US | 1.1.1.1:53 | 3moneycsasfasfh.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 1.1.1.1:53 | moneycsasfasfh.com | udp
GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | moneycsffhgm7.shop | udp
GB | 142.250.200.4:443 | | tcp
GB | 142.250.200.4:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.16.228:443 | www.google.com | tcp

Files

/data/user/0/com.objectuplz/cache/cappfw

/data/user/0/com.objectuplz/kl.txt (listed six times, each with different hashes)

/data/user/0/com.objectuplz/cache/oat/cappfw.cur.prof

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-29 21:15
Reported: 2024-05-29 21:18
Platform: android-x86-arm-20240514-en
Max time kernel: 179s
Max time network: 145s

Command Line

com.objectuplz

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.objectuplz/cache/cappfw | N/A | N/A
N/A | /data/user/0/com.objectuplz/cache/cappfw | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.objectuplz

Network

Country | Destination | Domain | Proto
GB | 142.250.200.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | moneycsasfasfh.com | udp
US | 1.1.1.1:53 | moneycsasfasfh.net | udp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 1.1.1.1:53 | 3moneycsasfasfh.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
GB | 216.58.204.67:443 | | tcp
US | 1.1.1.1:53 | 2moneycsasfasfh.com | udp
US | 1.1.1.1:53 | 2moneycsasfasfh.net | udp
US | 1.1.1.1:53 | moneycsffhgm7.shop | udp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

/data/data/com.objectuplz/cache/cappfw

/data/data/com.objectuplz/kl.txt (listed six times, each with different hashes)

/data/data/com.objectuplz/cache/oat/cappfw.cur.prof