Malware Analysis Report

2024-09-09 13:48

Sample ID 240531-1356jafb8z
Target cd6551c67c8c020d87b34774ef999d93c823a189295b6e3a9671f400afe4a6f0.bin
SHA256 cd6551c67c8c020d87b34774ef999d93c823a189295b6e3a9671f400afe4a6f0
Tags octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256

cd6551c67c8c020d87b34774ef999d93c823a189295b6e3a9671f400afe4a6f0

Threat Level: Known bad

The file cd6551c67c8c020d87b34774ef999d93c823a189295b6e3a9671f400afe4a6f0.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Prevents application removal

Makes use of the framework's Accessibility service

Requests modifying system settings.

Requests accessing notifications (often used to intercept notifications before users become aware).

Removes its main activity from the application launcher

Checks memory information

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Makes use of the framework's foreground persistence service

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Acquires the wake lock

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Queries the unique device ID (IMEI, MEID, IMSI)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-31 22:11

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 22:11

Reported

2024-05-31 22:14

Platform

android-x86-arm-20240514-en

Max time kernel

179s

Max time network

132s

Command Line

com.foodthrough90

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.foodthrough90/cache/azerc N/A N/A
N/A /data/user/0/com.foodthrough90/cache/azerc N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.foodthrough90

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 www.google.com udp
GB 172.217.169.68:443 www.google.com tcp
US 1.1.1.1:53 moneyeuroland.net udp
BG 79.110.49.131:443 moneyeuroland.net tcp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 moneyeurolandbabis.net udp
US 1.1.1.1:53 moneyeurolanddelicim.net udp
US 1.1.1.1:53 moneyeurolandbebek.net udp
BG 79.110.49.131:443 moneyeurolandbebek.net tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 172.217.169.74:443 semanticlocation-pa.googleapis.com tcp
BG 79.110.49.131:443 moneyeurolandbebek.net tcp
BG 79.110.49.131:443 moneyeurolandbebek.net tcp

Files

/data/data/com.foodthrough90/cache/azerc

/data/data/com.foodthrough90/kl.txt

/data/data/com.foodthrough90/kl.txt

/data/data/com.foodthrough90/kl.txt

/data/data/com.foodthrough90/kl.txt

/data/data/com.foodthrough90/kl.txt

/data/data/com.foodthrough90/cache/oat/azerc.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 22:11

Reported

2024-05-31 22:14

Platform

android-x64-arm64-20240514-en

Max time kernel

179s

Max time network

138s

Command Line

com.foodthrough90

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.foodthrough90/cache/azerc N/A N/A
N/A /data/user/0/com.foodthrough90/cache/azerc N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.foodthrough90

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 moneyeurolanddelicim.net udp
US 1.1.1.1:53 moneyeurolandscans.net udp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 moneyeuroland.net udp
BG 79.110.49.131:443 moneyeuroland.net tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 moneyeurolandbabis.net udp
BG 79.110.49.131:443 moneyeuroland.net tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
BG 79.110.49.131:443 moneyeuroland.net tcp
BG 79.110.49.131:443 moneyeuroland.net tcp

Files

/data/user/0/com.foodthrough90/cache/azerc

/data/user/0/com.foodthrough90/kl.txt

/data/user/0/com.foodthrough90/kl.txt

/data/user/0/com.foodthrough90/kl.txt

/data/user/0/com.foodthrough90/kl.txt

/data/user/0/com.foodthrough90/kl.txt

/data/user/0/com.foodthrough90/cache/oat/azerc.cur.prof