Malware Analysis Report

2024-09-09 13:48

Sample ID 240601-2abxnagf8x
Target 8dbc91c4ef1a1b076483d1e238bb518255b29f9c30a373fbca9fdc153aafa3d5.bin
SHA256 8dbc91c4ef1a1b076483d1e238bb518255b29f9c30a373fbca9fdc153aafa3d5
Tags octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 8dbc91c4ef1a1b076483d1e238bb518255b29f9c30a373fbca9fdc153aafa3d5.bin was found to be: Known bad.

Malicious Activity Summary

Octo

Octo payload

Prevents application removal

Removes its main activity from the application launcher

Requests access to notifications (often used to intercept notifications before the user becomes aware of them).

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's foreground persistence service

Queries the phone number (MSISDN for GSM devices)

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Loads dropped Dex/Jar

Reads information about the phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Queries the unique device ID (IMEI, MEID, IMSI)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 22:22

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 22:22

Reported

2024-06-01 22:25

Platform

android-x86-arm-20240514-en

Max time kernel

178s

Max time network

158s

Command Line

com.endbetween46

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests access to notifications (often used to intercept notifications before the user becomes aware of them).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.endbetween46/cache/nkbkg | N/A | N/A
N/A | /data/user/0/com.endbetween46/cache/nkbkg | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about the phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.endbetween46

Network

Files

/data/data/com.endbetween46/cache/nkbkg

MD5 49942b1e9ef99dd6efd7610e2f4887a9
SHA1 8bda7cb915aba3b7026d8438357444c2f17673f9
SHA256 ffb1d94e8619a2bc50279883c65bd06b3690e5dee35b24b4dd65ef73583ba3c4
SHA512 3f308dc3dd25ff82711749c5ef03c7c9ff73c6835ef4c527a699d75b5cafd11cce9c4f1619200bf9f72c7078a73053f6b601d6dea01f7ce1e98719bf6c4c7812

/data/data/com.endbetween46/kl.txt

MD5 96c6c34581c07a642972455d1533b489
SHA1 abda3195a47e803f3190c337e7a253b8e5e7a919
SHA256 08b78dead94ba1958b36dae222d54a841d530cd14d05f30dcbfa9ef975148a53
SHA512 1fabf491ea957df6325972b09b37fb3fd23a1817785101c62d984baefdc8e5f98b233fb657bd4e71e11933a2db23d6f04a0ce79f61e7ae00651ff5557b56c679

/data/data/com.endbetween46/kl.txt

MD5 a4539006167c2f396b1142420011d998
SHA1 3a1c73fdd0eabd509a153c2e90cab4d269ec865b
SHA256 2d84a7ad8bd4667273aa43e91b453b002573a5cd7ded41fd34366484d9175198
SHA512 b1db076ef2b563336aa6d92a0311b5e001d6d40943803f7c3dd05628a6e3a2323c1e5fe0a4d093f9b9e77dffb7d586fde0feaf3fc3049cc14083e438691c4e02

/data/data/com.endbetween46/kl.txt

MD5 4e5e0840477aa843fbf405ea9665c75a
SHA1 018006ad36a80b9e9e259fdbc6f47c3544be68e4
SHA256 a025d0e7a61aad63c21f2628cbaf74c753110f63273c33a94137c4e7e17ef343
SHA512 119f0ac08cfa69989708908e206f8b7d23d33a4738bfde20f4b89839e47eedeed59ea0b0523a01c46cbc9bf429fb8f213be639f14db3cff0ef0bcb1dee4d257a

/data/data/com.endbetween46/kl.txt

MD5 c50ead3ea19bbed3d7f6bf9a97ae1a2b
SHA1 bdff54e6a88e2f477dda79c6b61ee88ca1ba6f2e
SHA256 5787dde1f0408947fb93f0591c6fd4b74e409c1cd19acf89caa91ed6fe836949
SHA512 a3d556109bb31c90a17b1fbe075264044390b734eead03076af7c40651a23fd1378d1e7d57f4004a98eb0a127a1219f3051771a3631d08797ac8123c99b09c4c

/data/data/com.endbetween46/kl.txt

MD5 031d210f48f549cc7c5841e5c72e06bd
SHA1 e0952fb4633568ad04a0be968448730dc4ee2d7e
SHA256 30574a8b010c2d63e57fae28014735a5c0c417d078820c01fc97ca3b37440565
SHA512 68beed209b18b3cce22d1c18a1175ba6f8623275d65cb64f006f2816fca8fb35ab217e87e01869863e0ef20c19af22961a56d5b1c5c6b599b35d7fb4f983ccd3

/data/data/com.endbetween46/cache/oat/nkbkg.cur.prof

MD5 409abfbca4c7690ffeca7d7908a4eac9
SHA1 91a230ad51877696568b11c3d08a297e4120b020
SHA256 5f4eeb1e880457f2b738ced9bcd332c453b53661f8c73e42bd3c17cc3c4e3dae
SHA512 9d4a087b9ce08b77b92610c0997c4a1d0d5029f35a376de81a1d769345c6977a8ff0aec4481d9ac0b2b9be9ca3dd222ca58fe70d09b06ad2d6f84cad8dd90d08

/data/data/com.endbetween46/.qcom.endbetween46

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 22:22

Reported

2024-06-01 22:25

Platform

android-x64-arm64-20240514-en

Max time kernel

179s

Max time network

186s

Command Line

com.endbetween46

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests access to notifications (often used to intercept notifications before the user becomes aware of them).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.endbetween46/cache/nkbkg | N/A | N/A
N/A | /data/user/0/com.endbetween46/cache/nkbkg | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about the phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.endbetween46

Network

Files

/data/data/com.endbetween46/cache/nkbkg

MD5 49942b1e9ef99dd6efd7610e2f4887a9
SHA1 8bda7cb915aba3b7026d8438357444c2f17673f9
SHA256 ffb1d94e8619a2bc50279883c65bd06b3690e5dee35b24b4dd65ef73583ba3c4
SHA512 3f308dc3dd25ff82711749c5ef03c7c9ff73c6835ef4c527a699d75b5cafd11cce9c4f1619200bf9f72c7078a73053f6b601d6dea01f7ce1e98719bf6c4c7812

/data/data/com.endbetween46/kl.txt

MD5 9edee35f6b2da1a5d3161ec9caff0d3f
SHA1 40a427ae559859ec72a9e5cd179deeadb52c23b3
SHA256 e80dd841a4f8fa01cbb1621f6cc2705a88f7eae94b79fe5f4c0750e63b79a217
SHA512 8cf3f53d3eeca68fa9c96b84f637d2fc65ac2f24adf0a53d222dc48fd5d268b3efda5b8eaf54d4f5ad906390e5a0204d450d6f6d062b65730db31614af96f602

/data/data/com.endbetween46/kl.txt

MD5 c6ac966a26f851e11a0c7c61011e6be2
SHA1 4a5d1d31c7dcbe7e7b42b78b00650be84ea21d63
SHA256 e7713ec7ae3d7e53cce9c9b5217469903f81f1f80f4d1bf0354930468b823b75
SHA512 459d35b1ee9fc98e0eaa414fb9695b9cafc88f601527893f0bddf26f3c0017e1d48d81f686ab4e6679de0cde978694fb0cc2d55e618f81e2e6fb2544bb06b5cb

/data/data/com.endbetween46/kl.txt

MD5 c50ead3ea19bbed3d7f6bf9a97ae1a2b
SHA1 bdff54e6a88e2f477dda79c6b61ee88ca1ba6f2e
SHA256 5787dde1f0408947fb93f0591c6fd4b74e409c1cd19acf89caa91ed6fe836949
SHA512 a3d556109bb31c90a17b1fbe075264044390b734eead03076af7c40651a23fd1378d1e7d57f4004a98eb0a127a1219f3051771a3631d08797ac8123c99b09c4c

/data/data/com.endbetween46/kl.txt

MD5 2e55d283ad9cc5fb68b48b6119cf1260
SHA1 785db27fa9a8bd7ede881e5011cd143f7ec52821
SHA256 4b424395319aeb1455eaf106a25591008ef511644318f4a5776235885f5cc8a7
SHA512 111b81b456eb5602407c0ac682521e4c2d541235ddf85de383bdf633b765a41ea007c9efdbab700cf4822ac3e66997566745be9146f17e6ae4cd41e7e0c7dd72

/data/data/com.endbetween46/kl.txt

MD5 c89431e1f4e7003723eba7bebd5c0cb8
SHA1 2537c70a2c179c0f7d1c84875e0209079ee1bb2a
SHA256 533f1121fafe45e71f8f9162ab700de495238aee52a3c25038d676254bd6bd65
SHA512 17900409c3674f659b183284d39d96d6ba395594eec4e2b48cc651cab44b2b3f05d9afba505c2a194baa80cc65e27ba546eb7393dcdd8f25e622f91e28b47262

/data/data/com.endbetween46/cache/oat/nkbkg.cur.prof

MD5 89974b72b7f69e9eb8c85aabb5594763
SHA1 da719a2e29d448f2888ebcd86af25392205962a7
SHA256 8afb6b271b555b97b2955e06ce1bb7d872af6af039207a8e7a8a31fbbcc768f4
SHA512 a21804c830d6fff80a551f1fd334b75f99cc30f76481f017604996a62b4f5c8a9a37d77fb9f3255c0ab5b5419f5eebd185e9ea8df1a6005efba447f420cea82c

/data/data/com.endbetween46/.qcom.endbetween46

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c