Malware Analysis Report

2024-09-09 13:46

Sample ID 240601-2ev64aha2w
Target 6834291ee6d694cf5fa1414f312a85ab6e6f86fe2c062f3c748f87b5c9804462.bin
SHA256 6834291ee6d694cf5fa1414f312a85ab6e6f86fe2c062f3c748f87b5c9804462
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6834291ee6d694cf5fa1414f312a85ab6e6f86fe2c062f3c748f87b5c9804462

Threat Level: Known bad

The file 6834291ee6d694cf5fa1414f312a85ab6e6f86fe2c062f3c748f87b5c9804462.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Requests accessing notifications (often used to intercept notifications before users become aware).

Makes use of the framework's Accessibility service

Prevents application removal

Requests modifying system settings.

Makes use of the framework's foreground persistence service

Queries the phone number (MSISDN for GSM devices)

Checks CPU information

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Checks memory information

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Declares services with permission to bind to the system

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Acquires the wake lock

Requests disabling of battery optimizations (often used to enable hiding in the background).

Queries the unique device ID (IMEI, MEID, IMSI)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 22:30

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 22:30

Reported

2024-06-01 22:33

Platform

android-x86-arm-20240514-en

Max time kernel

52s

Max time network

140s

Command Line

com.timemust1

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.timemust1/cache/kebch | N/A | N/A
N/A | /data/user/0/com.timemust1/cache/kebch | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.timemust1

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | adbennaberortak.com | udp
US | 1.1.1.1:53 | 7adiletasarim.com | udp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
US | 1.1.1.1:53 | adile56tasarim.com | udp
US | 1.1.1.1:53 | selammudur24.com | udp
GB | 142.250.178.3:443 | | tcp
US | 1.1.1.1:53 | yavasyavaslo261.com | udp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 172.217.169.10:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.timemust1/cache/kebch

MD5 a1a6ef1514a7206f00cf66e7edc2c1cd
SHA1 f03855c5f30dae2f3941db431a8421c00994bafa
SHA256 4ab37b6c912b0057075b4337892e0482865e03a42fd697853b460c7f91820c81
SHA512 1446acb7bee12b2979c37937634d96d6763b86168e5bca89d17a168c33b33c5c6ff9f98bd7c34e63ad9e193d42c6ce5e4973da10f8544b4b2333b31ecbb4d09b

/data/data/com.timemust1/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.timemust1/kl.txt

MD5 1d073d3c9ac38460b1bd04669d212fcf
SHA1 0b0010d3ed982df2679c3fcba9f3d36b86bb8ebd
SHA256 cd7060fe6752227e4776e169e7fdc35b505b3bb1160ce3ac31e00780235a38ea
SHA512 6f23905567760cd2d67bbbee16552a8c273e170b5c8686e0167875b91b2bd3757e1b198df7c7fd55c8432b9df7da36e8ad1504011be4aee9339783261c2793b2

/data/data/com.timemust1/kl.txt

MD5 b4cad783cb2ece2f4a9d2370489f7396
SHA1 09a5d405105e1be8eaf7bb86130160196794b086
SHA256 7b575a8bf2580ec3c485271218c159405fa322274c5d159c73d6a901d680d274
SHA512 f02640ac8044e9bcff83227b6bb682ba034052f01e39f60260ba213147901fe10435ab358c1a49448c93ba6b121dcf0da4770c14cd5b665b4f2993dde29d3bcd

/data/data/com.timemust1/kl.txt

MD5 bb1a783e397981f5520cd3195b170328
SHA1 2390032f0c1bef4f94546bb15ff0693a448052e8
SHA256 3e3f8e694f6efaf3058b82caa3f2afb26d3f184e96f4c1e8c69382c2ce7b002c
SHA512 46b571233231e9a848dc6e1fb23a28f3ecfae690fee13dd44d20109b506f8159687bf30a3563e83deac692232dcb1ca976451236eb6fa2d6c7b749d33d372e83

/data/data/com.timemust1/kl.txt

MD5 888de055bb190bfbb25992d5215a25a1
SHA1 5313af1962f02b73de4c510350c65c8769caa3b7
SHA256 dcf3564d5673daa250d77af0d9e58d9dbc442d2038034169d2ba8ef3d9e55d82
SHA512 5d8c8e326885becb60d90f0e2cb5b01a5bc72b9ef2607f7d49550c4e09c20ecfb7b7177df06bf179b3f31ccdcfba28f3494bf8887609f369a18e82b4d4310ea0

/data/data/com.timemust1/cache/oat/kebch.cur.prof

MD5 71b7853d2da14b9a8efb5774a20d8c01
SHA1 c23e2982a2f6e95dcf73f01625076b627a0973b2
SHA256 771aee9ebc6b3738ac1fc19d29405b89c3fd627309a697524e708d5f204c0caf
SHA512 c5baa4f0faa7d28d94ac17b8fc683072a2b31e572590ef245373c5cdbcf0591359f73670909f22313881516103108ab95922bbbe3f123fc55a14e430d9e05122

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 22:30

Reported

2024-06-01 22:33

Platform

android-x64-20240514-en

Max time kernel

179s

Max time network

141s

Command Line

com.timemust1

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.timemust1/cache/kebch | N/A | N/A
N/A | /data/user/0/com.timemust1/cache/kebch | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.timemust1

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | adbennaberortak.com | udp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
US | 1.1.1.1:53 | 7adiletasarim.com | udp
US | 1.1.1.1:53 | selammudur24.com | udp
US | 1.1.1.1:53 | yavasyavaslo261.com | udp
US | 1.1.1.1:53 | adile56tasarim.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.200.42:443 | semanticlocation-pa.googleapis.com | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.187.194:443 | | tcp
GB | 142.250.187.202:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.timemust1/cache/kebch

MD5 a1a6ef1514a7206f00cf66e7edc2c1cd
SHA1 f03855c5f30dae2f3941db431a8421c00994bafa
SHA256 4ab37b6c912b0057075b4337892e0482865e03a42fd697853b460c7f91820c81
SHA512 1446acb7bee12b2979c37937634d96d6763b86168e5bca89d17a168c33b33c5c6ff9f98bd7c34e63ad9e193d42c6ce5e4973da10f8544b4b2333b31ecbb4d09b

/data/data/com.timemust1/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.timemust1/kl.txt

MD5 e3fcac0ee5bd8355a3e2f13b04b3c11d
SHA1 aa9775bff878553ece1028df1f44a81fe4a04345
SHA256 90fb1e217b0d55b71ce79d997a3d400da2fac94b8282cce19cbbb120a33ffb86
SHA512 4c578b3739502d387f4783dbec9c7e318e7d41391db1086fbc44139e5c1ee0d62954707e1fe2c377bacd365f3a956925e3ae9e4e2a0861be20ec4a60a394072c

/data/data/com.timemust1/kl.txt

MD5 b88184c4428261d4f79363331b354490
SHA1 ab5742c26fcdabc3fe6601ea161b807f0baec763
SHA256 acbcf1346fd15074de20720fae834ba1cd21e175c254e27aff451db3de3c192e
SHA512 3f7a1cb98cc1f4971b0e5983803d295a97a822eab0b12943a4ad9458c6f3a38a8f15328afe63684aac7ae1bb81ce7be746898e8aa7bbd06d8b89817f896ded94

/data/data/com.timemust1/kl.txt

MD5 397d56def4c95cc1e85286a6ee5d6938
SHA1 3265acf3eec328fad08c132fe6d90ef21d87d82d
SHA256 6e3ac9753850efd02358b9037a0839e8c6550c30f962bdf8d63860a8ea25330f
SHA512 921263e4d23f1946772698f3e46fe00db885ddd90a2631d0c5423d7aec481709ea26f982b165f6fe5aee6f9e35f22ec05b6376c902ed92ed9340cac6edd1c99f

/data/data/com.timemust1/kl.txt

MD5 8ffab2319bab97fdbc5089434f2100cf
SHA1 819fa1ffa402ac98a2ffc7ee76960bb0b3ae320d
SHA256 3f75c91878f6356ea17e6fee71565e3105b1d607ba624438cd7698f7c54deec6
SHA512 55f87e2a3fa2d34c09b74126767d070d6ed1bd59bb5be90775540f4f6a6d48cb4a97c4b4fd28d4a03e3a9247e4ba4b8e9ba227d0d9c80e923f827d152a057c07

/data/data/com.timemust1/cache/oat/kebch.cur.prof

MD5 18077516464ed1c693feb565897e0f09
SHA1 4aba7547bba8a5778d47b681c87dc80c52167396
SHA256 20ef8995be41c87cd2fafedf18d36ab969a8ef8e9952d4e52d1ef81fb22a4290
SHA512 42966b0293be2ae2a30b977c138b7bfcaf00cd715279d02a6e96aec8f6a451e3e1bbc477241c29d4a21b1b527fc54ea6f9197e3e9a59c6e5abbc55ced4834082