Malware Analysis Report

2024-09-09 13:47

Sample ID 240601-132s4sgd5z
Target f030e7a977c686bce05b7c9431ccd48b7a62b237a20d39593f656f83ce6102d6.bin
SHA256 f030e7a977c686bce05b7c9431ccd48b7a62b237a20d39593f656f83ce6102d6
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10


Analysis Overview

score
10/10

SHA256

f030e7a977c686bce05b7c9431ccd48b7a62b237a20d39593f656f83ce6102d6

Threat Level: Known bad

The file f030e7a977c686bce05b7c9431ccd48b7a62b237a20d39593f656f83ce6102d6.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Requests accessing notifications (often used to intercept notifications before users become aware).

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Prevents application removal

Queries the phone number (MSISDN for GSM devices)

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries the mobile country code (MCC)

Loads dropped Dex/Jar

Makes use of the framework's foreground persistence service

Acquires the wake lock

Reads information about phone network operator.

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Queries the unique device ID (IMEI, MEID, IMSI)

Declares services with permission to bind to the system

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 22:11

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 22:11

Reported

2024-06-01 22:14

Platform

android-x86-arm-20240514-en

Max time kernel

45s

Max time network

141s

Command Line

com.endbetween46

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.endbetween46/cache/nkbkg N/A N/A
N/A /data/user/0/com.endbetween46/cache/nkbkg N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.endbetween46

Network


Files

/data/data/com.endbetween46/cache/nkbkg

/data/data/com.endbetween46/kl.txt

/data/data/com.endbetween46/cache/oat/nkbkg.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 22:11

Reported

2024-06-01 22:14

Platform

android-x64-arm64-20240514-en

Max time kernel

172s

Max time network

152s

Command Line

com.endbetween46

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.endbetween46/cache/nkbkg N/A N/A
N/A /data/user/0/com.endbetween46/cache/nkbkg N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.endbetween46

Network


Files

/data/data/com.endbetween46/cache/nkbkg

/data/data/com.endbetween46/kl.txt

/data/data/com.endbetween46/cache/oat/nkbkg.cur.prof

/data/data/com.endbetween46/.qcom.endbetween46