Malware Analysis Report

2024-09-09 13:48

Sample ID 240601-2ex1pahf73
Target 442b0016120938984b307a5cb069353c09c15f9e05c869b7336e5950272268ca.bin
SHA256 442b0016120938984b307a5cb069353c09c15f9e05c869b7336e5950272268ca
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10


Analysis Overview

score
10/10

SHA256

442b0016120938984b307a5cb069353c09c15f9e05c869b7336e5950272268ca

Threat Level: Known bad

The file 442b0016120938984b307a5cb069353c09c15f9e05c869b7336e5950272268ca.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Prevents application removal

Requests modifying system settings.

Requests accessing notifications (often used to intercept notifications before users become aware).

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Checks memory information

Queries the phone number (MSISDN for GSM devices)

Checks CPU information

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Queries the unique device ID (IMEI, MEID, IMSI)

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Acquires the wake lock

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-01 22:30

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 22:30

Reported

2024-06-01 22:33

Platform

android-x86-arm-20240514-en

Max time kernel

179s

Max time network

136s

Command Line

com.southend57

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.southend57/cache/lohxfarsvhrdit | N/A | N/A
N/A | /data/user/0/com.southend57/cache/lohxfarsvhrdit | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.southend57

Network

Country | Destination | Domain | Proto
GB | 172.217.169.74:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.212.227:443 | | tcp
US | 1.1.1.1:53 | adbennaberortak.com | udp
US | 1.1.1.1:53 | adile56tasarim.com | udp
US | 1.1.1.1:53 | selammudur24.com | udp
US | 1.1.1.1:53 | yavasyavaslo261.com | udp
US | 1.1.1.1:53 | 7adiletasarim.com | udp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.180.2:443 | | tcp

Files

/data/data/com.southend57/cache/lohxfarsvhrdit

MD5 7752232373663f7c47d885a316254783
SHA1 b9afbff43346ba4d948d8bc310703a39c78027c9
SHA256 1f8c6495a48be3640a2cd50e997d2f0430077461f8a14bab7d7273d1d21be43b
SHA512 94b8a2c7b34c361c36ec3f0c1baedafa74767481f22f16a91b43fecd7053693287c6ab2de96de6f52da95fe1c0d962db3215c0b6b6ee9005911fef808ad3611a

/data/data/com.southend57/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.southend57/kl.txt

MD5 7f9807d031c545ba2ca5b2cab7997bdf
SHA1 92f7981a1354d6126d596a41eee085b05b8bdef0
SHA256 19ef9d36c865f41e36a6adce0f3f4c2b8058580dc6664f808ae2cf2ac371d443
SHA512 ca5dede9cf4a845330edf14ea21acbc90d109d542caad89c53fc8c7ac730f361f8c8543c28891965c63710f3a3db1c7118b91f7490c284cd1f2da5b9efea2459

/data/data/com.southend57/kl.txt

MD5 5a95b3c971ec73cd1f2a66f7bd7956d6
SHA1 869a598d404e52849cd0fbefd24235bcf300d071
SHA256 b353564d72fb115ae01cb599e78ef68bef1c2ef3d2396cc45df55e693407e1ce
SHA512 550d18b7838f93a54f1a7bd03e6272987969a4ac4bfcdd87cf866c285af2ebf2b2a7d0a436bb098b564ce59724a0368aea5fa5650cc8e4890ff53b5cc8d9320b

/data/data/com.southend57/kl.txt

MD5 cf95be8b96fc553220efb2f6cc337973
SHA1 b21d2b2b9d65482832116085f56e13f489888e15
SHA256 175f01cfd85c9f1e94f2151835397e9b499584c3136add2b6499375eafc79bdf
SHA512 e0479db3ac8d6693cf15b3daae974f7a1451de4d86da622e244b0cfdd80f1795c5f87c76c1421b0b8f403daf4b64c381284bee8b54ebcbf503e96c016c95bc3f

/data/data/com.southend57/kl.txt

MD5 d9c9ebffe96fa2ce95eac9557d2b9429
SHA1 97091c7904d997db481e71d234883f5ef8da7569
SHA256 94137b7728243a5943e77bdd895dbb434f88c4afb558df8964a2709b1df7a195
SHA512 04ba88d58ff63b8f76e392d47daf25f66505230b235d611a3bdd446e2ce006af2c71c7aa42b02f4b694747967da6eb6188f63772d5db78cac38aba76713c7add

/data/data/com.southend57/cache/oat/lohxfarsvhrdit.cur.prof

MD5 039d5c269ac492cf81a6099f603423e0
SHA1 85b0b52f6535c4dad2bc27aa431eb3d8ab27dba6
SHA256 3ae089bdc70b116de542c4e9ee11bf2f1a096bdd5d09748d152e9597514b083d
SHA512 f550862d7cb3e3b37a9b2d46390ac3a60b7912df0c696ccced76df98115237bba6e2201bf957e60aeffb3b484c328a1e5a18e9eca7b79fd5ccc21611a68f8c5b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 22:30

Reported

2024-06-01 22:33

Platform

android-x64-20240514-en

Max time kernel

179s

Max time network

130s

Command Line

com.southend57

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.southend57/cache/lohxfarsvhrdit | N/A | N/A
N/A | /data/user/0/com.southend57/cache/lohxfarsvhrdit | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.southend57

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | selammudur24.com | udp
US | 1.1.1.1:53 | adbennaberortak.com | udp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
US | 1.1.1.1:53 | yavasyavaslo261.com | udp
US | 1.1.1.1:53 | adile56tasarim.com | udp
GB | 216.58.204.74:443 | | tcp
US | 1.1.1.1:53 | 7adiletasarim.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.200.2:443 | | tcp
GB | 172.217.169.10:443 | semanticlocation-pa.googleapis.com | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp

Files

/data/data/com.southend57/cache/lohxfarsvhrdit

MD5 7752232373663f7c47d885a316254783
SHA1 b9afbff43346ba4d948d8bc310703a39c78027c9
SHA256 1f8c6495a48be3640a2cd50e997d2f0430077461f8a14bab7d7273d1d21be43b
SHA512 94b8a2c7b34c361c36ec3f0c1baedafa74767481f22f16a91b43fecd7053693287c6ab2de96de6f52da95fe1c0d962db3215c0b6b6ee9005911fef808ad3611a

/data/data/com.southend57/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.southend57/kl.txt

MD5 b5fa61fba0048a4983a14ffccd02fbf1
SHA1 5599deb367366a1f54bc800b08d3abe4160117d4
SHA256 a9bfa05e8aee65adb00d21534f29da16255b44edf025e0bcbde3ed59ed94e2f6
SHA512 082c9162fe753949a19a742857b240921ecdb86969a0147940b1e1e53d86de162f2c73b87e9bb8d416910ab3050d9932e9c390152050e6f7312f5d785f738608

/data/data/com.southend57/kl.txt

MD5 d9d52a87ad86ac2bd94cebc45bad61f1
SHA1 45e114a2886ab3ceac481d79d5d688011c438c58
SHA256 e244b3bf4d21526233f821cdfd4611aabe61303992199efad4775f21753363e9
SHA512 40c5def6244ced1c616b6decec4fbd681d56bc220ee7eb68de40de78a8e70097fbcbfd7f0e051d79dcfc235774e389fdc62f88568dbb45b72f107b052bca7aa7

/data/data/com.southend57/kl.txt

MD5 22a84877afc8a90dc1472c4c351005e4
SHA1 8b6fc74250e66495beb90634d594cb0d1f41d516
SHA256 b4836a2318af3658ed7a9a2d6aa426cae4130f4d1eae55bb78bf1f4d4b7eaa3c
SHA512 b506e6841fb3a2e9b4040a4e78eac5b9a672b932b3668ed14094ab559b8f0a309fb8504113ac88f63f8154a3df5e4d684861e10785746a385ccdd991f47115a6

/data/data/com.southend57/kl.txt

MD5 f702627736d6925d2d8efa2d215f2a4e
SHA1 971252398147f27aeb3e8fe62d6070aff5b24940
SHA256 f3bda0dcf86e7af537f51276d27750dfdfc77075fb2db43b67331d9f8fc54671
SHA512 ae9aff8583fe8be33330c891385c3593a1d969abd2b627b877764a89e383e943caa482e2d68839295171513855250d06ab31406eab0803be4eb98966173774db

/data/data/com.southend57/cache/oat/lohxfarsvhrdit.cur.prof

MD5 5e5895c546646e38b3df76d036dc2204
SHA1 237a47fbd34f1af477a57dc9c311e2cf8c5811f7
SHA256 2ffa67ff8fc1509847991217be623b57e14233c59e330f22bf186c1c74f928f7
SHA512 fd4238f84f1dbb5d86ee4051554ee093ec5cfe1f0230be00aab1a4bc690b993b87da95e30c186125ea57456fab2a0782d7514261b22219c94a05f6153ed3b1be

/data/data/com.southend57/cache/oat/lohxfarsvhrdit.cur.prof

MD5 b58a0702c47a9b0b8ecba40fe11d32a8
SHA1 8f43ba3be8e8644a53c2ab9245e38ca2f193e569
SHA256 b1a31c4052c58799e4998b8fa0c0bb9943d533866c39160a231b59e9f0eb2d99
SHA512 1c7ec67c3c8a987771a3129dc81e504c97c809a38297b882f7af5b15c5cad6e34d06b2aa8baf8deb0e9c67ad4621f0c2e6bd23df65f826db0a11d1ef0780ea40