Malware Analysis Report

2024-09-09 13:46

Sample ID 240531-m817waga36
Target 6b02cf5510e6ef3c61b6b785ab09d773636ca5e072f1d3d3ef75ae64a147676e.apk
SHA256 6b02cf5510e6ef3c61b6b785ab09d773636ca5e072f1d3d3ef75ae64a147676e
Tags: octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 6b02cf5510e6ef3c61b6b785ab09d773636ca5e072f1d3d3ef75ae64a147676e.apk was found to be: Known bad.

Malicious Activity Summary

Octo
Octo payload
Removes its main activity from the application launcher
Makes use of the framework's Accessibility service
Requests access to notifications (often used to intercept notifications before the user becomes aware of them)
Queries the list of all installed applications on the device (may be used to overlay legitimate apps)
Prevents application removal
Requests permission to modify system settings
Queries the mobile country code (MCC)
Registers a broadcast receiver at runtime (usually to listen for system events)
Loads a dropped DEX/JAR
Queries the phone number (MSISDN on GSM devices)
Makes use of the framework's foreground service for persistence
Queries unique device identifiers (IMEI, MEID, IMSI)
Declares services with permission to bind to the system
Requests exemption from battery optimizations (often used to keep running hidden in the background)
Declares broadcast receivers with permission to handle system events
Requests dangerous framework permissions
Reads information about the phone's network operator
Acquires a wake lock
Uses crypto APIs (may be used to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-31 11:08

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-31 11:08
Reported: 2024-05-31 11:12
Platform: android-x86-arm-20240514-en
Max time kernel: 179s
Max time network: 159s

Command Line

com.themfriend3

Signatures

Octo

banker trojan infostealer rat octo

Octo payload


Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the list of all installed applications on the device (may be used to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion

Requests access to notifications (often used to intercept notifications before the user becomes aware of them)

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests permission to modify system settings

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Loads a dropped DEX/JAR

evasion
Description Indicator Process Target
N/A /data/user/0/com.themfriend3/cache/jgipdijdja N/A N/A
N/A /data/user/0/com.themfriend3/cache/jgipdijdja N/A N/A

Makes use of the framework's foreground service for persistence

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires a wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries unique device identifiers (IMEI, MEID, IMSI)

discovery

Reads information about the phone's network operator

discovery

Requests exemption from battery optimizations (often used to keep running hidden in the background)

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses crypto APIs (may be used to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.themfriend3

Network


Files

/data/data/com.themfriend3/cache/jgipdijdja
/data/data/com.themfriend3/kl.txt (four successive versions captured)
/data/data/com.themfriend3/cache/oat/jgipdijdja.cur.prof (two versions captured)
/data/data/com.themfriend3/.qcom.themfriend3

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-31 11:08
Reported: 2024-05-31 11:12
Platform: android-x64-20240514-en
Max time kernel: 179s
Max time network: 131s

Command Line

com.themfriend3

Signatures

Octo

banker trojan infostealer rat octo

Octo payload


Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the list of all installed applications on the device (may be used to overlay legitimate apps)

banker discovery

Loads a dropped DEX/JAR

evasion
Description Indicator Process Target
N/A /data/user/0/com.themfriend3/cache/jgipdijdja N/A N/A
N/A /data/user/0/com.themfriend3/cache/jgipdijdja N/A N/A

Makes use of the framework's foreground service for persistence

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires a wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about the phone's network operator

discovery

Uses crypto APIs (may be used to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.themfriend3

Network


Files

/data/data/com.themfriend3/cache/jgipdijdja
/data/data/com.themfriend3/kl.txt (five successive versions captured)
/data/data/com.themfriend3/cache/oat/jgipdijdja.cur.prof
/data/data/com.themfriend3/.qcom.themfriend3