Malware Analysis Report

2024-09-09 13:47

Sample ID 240602-11yzfahg64
Target ff6859c36e4c14e35851eddf13cf98f870aeaf571882d8a97f3a7821892fd32a.bin
SHA256 ff6859c36e4c14e35851eddf13cf98f870aeaf571882d8a97f3a7821892fd32a
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ff6859c36e4c14e35851eddf13cf98f870aeaf571882d8a97f3a7821892fd32a

Threat Level: Known bad

The file ff6859c36e4c14e35851eddf13cf98f870aeaf571882d8a97f3a7821892fd32a.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Prevents application removal

Requests accessing notifications (often used to intercept notifications before users become aware).

Queries the phone number (MSISDN for GSM devices)

Registers a broadcast receiver at runtime (usually for listening for system events)

Makes use of the framework's foreground persistence service

Loads dropped Dex/Jar

Queries the mobile country code (MCC)

Acquires the wake lock

Requests dangerous framework permissions

Declares services with permission to bind to the system

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Requests disabling of battery optimizations (often used to enable hiding in the background).

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-02 22:07

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 22:07

Reported

2024-06-02 22:10

Platform

android-x86-arm-20240514-en

Max time kernel

178s

Max time network

147s

Command Line

com.endbetween46

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.endbetween46/cache/nkbkg | N/A | N/A
N/A | /data/user/0/com.endbetween46/cache/nkbkg | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.endbetween46

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | tabukareler.top | udp
US | 1.1.1.1:53 | saybyebyetohepiniz.xyz | udp
US | 1.1.1.1:53 | kefalmefaltefal.xyz | udp
US | 1.1.1.1:53 | gecelerisvdmpkiyasen.top | udp
US | 1.1.1.1:53 | buzbuzdagdaglari.top | udp
US | 1.1.1.1:53 | izlemebskasiyla.xyz | udp
US | 1.1.1.1:53 | fesatokero.top | udp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
US | 1.1.1.1:53 | karakapkaraklpak.xyz | udp
US | 1.1.1.1:53 | bilebilegndere.xyz | udp
US | 1.1.1.1:53 | tambanunakere.xyz | udp
US | 1.1.1.1:53 | tutankamunhaci.top | udp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
GB | 142.250.200.3:443 | | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
GB | 142.250.187.206:443 | | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp

Files

/data/data/com.endbetween46/cache/nkbkg

MD5 49942b1e9ef99dd6efd7610e2f4887a9
SHA1 8bda7cb915aba3b7026d8438357444c2f17673f9
SHA256 ffb1d94e8619a2bc50279883c65bd06b3690e5dee35b24b4dd65ef73583ba3c4
SHA512 3f308dc3dd25ff82711749c5ef03c7c9ff73c6835ef4c527a699d75b5cafd11cce9c4f1619200bf9f72c7078a73053f6b601d6dea01f7ce1e98719bf6c4c7812

/data/data/com.endbetween46/kl.txt

MD5 52a6ae757b22849581af03cec6f4e052
SHA1 dc6fd1550e7c7c1e95d7edfc1c1982c832325acf
SHA256 40cf384b3b99281c9adb242771a9614aae6f705b27d76043d28be2a778e433b3
SHA512 38822092ed391ae96311acbf9bf6d0f02552dee76b70db4ca419ed8575f39efb61be41d7731d40cd9d7db783549da0a513fd623eb6d284531466e1b14d781e6c

/data/data/com.endbetween46/kl.txt

MD5 5f9d65e87e666ed4c6b14e0c9ffea0b2
SHA1 434dc20fdf44c384d3894ede9989eec16d45b992
SHA256 5eb409e22e36c88bc6d1bae8005f86d6ff0868afa6d7dd40f8907034dd5daf09
SHA512 54b840a1c25201794d3a60ff5c396974aeb6daf938c64b00e5f29cfae50b246e028a00098aa1c0d0ddd35f3c93ee9210969590182683cdb01c3f25a9406954e5

/data/data/com.endbetween46/kl.txt

MD5 482ea43474dad98836470bc5ab7cf59c
SHA1 a8a76cf40287c954967f74da516d44557359e9de
SHA256 83e28ccef5529baf64665fd758c154f4a395a2e422e08235519da68c7f573710
SHA512 02b7fbf6afdf02b0007a3cb2bf227e743446c96268897c50ed355671a0586c81f1dd2aa5acd3ffbe794290d3cc1e704b21d865fe75922b9ca5b44a1d9a791e2e

/data/data/com.endbetween46/kl.txt

MD5 4ee43c3c68e4cc3fe4627991270371e3
SHA1 da307d8e70ae474d8a53f14e7309dd23cb9d7b25
SHA256 6125c3b38f5d58a85926fe109ad3e321fda792a8fdfeb391086bd0916c48b6df
SHA512 dd48f6ad85ebd48a187ae4ae7a0f674039120235e7158ed8806003578eef8ac2037d64d1a42835ecdd138f1047f3b516719e2127b85df4a80e71667186613425

/data/data/com.endbetween46/kl.txt

MD5 551b1ab75e9f5ea12ee126e4654bbb61
SHA1 457bc8821915e6fa06e7136dac670135e653a57e
SHA256 a67111b14845c24f66b15f3b07a0ee3486eed7f5d4759b7332a6dcd7f57c3ca3
SHA512 66520751fdacc442266e9f993236faa1550d5905938597b4ca27252b59e3b2b842acaa70f7a554b420acb8251cde8af2da670f1818dcd347eb8cce7b376c6d73

/data/data/com.endbetween46/cache/oat/nkbkg.cur.prof

MD5 842add3b02035ce885761b12f2cfebad
SHA1 e9bcbc7e3e4f511c0a40d3cf5fff63d17ce15a2a
SHA256 5c6ec93bba4a9624749b876209adfecdfe034bff8bc49046f33baf8f175755d6
SHA512 ef397c68079bc1a3b3c2b356bda5d8306f86044ecf40be9f404e93e0ba32bc874a448136bae4b72324729745965b607fba7b8228052019450e7a98a72c131342

/data/data/com.endbetween46/.qcom.endbetween46

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 22:07

Reported

2024-06-02 22:10

Platform

android-33-x64-arm64-20240514-en

Max time kernel

160s

Max time network

181s

Command Line

com.endbetween46

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.endbetween46/cache/nkbkg | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.endbetween46

Network

Country | Destination | Domain | Proto
GB | 216.58.204.68:443 | | udp
GB | 216.58.204.68:443 | | udp
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.178.14:443 | | udp
GB | 142.250.178.14:443 | | tcp
GB | 142.250.178.14:443 | | tcp
GB | 142.250.187.195:443 | | tcp
US | 1.1.1.1:53 | lemanobelki.xyz | udp
US | 1.1.1.1:53 | gecelerisvdmpkiyasen.top | udp
US | 1.1.1.1:53 | kranliktaaradm.xyz | udp
US | 1.1.1.1:53 | yoktuhcfener.xyz | udp
US | 1.1.1.1:53 | saybyebyetohepiniz.xyz | udp
US | 1.1.1.1:53 | karakapkaraklpak.xyz | udp
US | 1.1.1.1:53 | buzbuzdagdaglari.top | udp
US | 1.1.1.1:53 | anilardvrimi.xyz | udp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
US | 1.1.1.1:53 | bilebilegndere.xyz | udp
US | 1.1.1.1:53 | fesatokero.top | udp
US | 1.1.1.1:53 | izlemebskasiyla.xyz | udp
US | 1.1.1.1:53 | leardolordoloro.top | udp
US | 1.1.1.1:53 | dlounayyanimda.top | udp
US | 1.1.1.1:53 | hadikapanikapatsana.xyz | udp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
US | 172.64.41.3:443 | | tcp
US | 172.64.41.3:443 | | tcp
GB | 216.58.204.68:443 | | udp
GB | 216.58.204.68:443 | | tcp
GB | 216.58.204.68:443 | | tcp
GB | 216.58.204.68:443 | | tcp
GB | 216.58.201.100:443 | | udp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp
US | 172.64.41.3:443 | | udp
GB | 142.250.178.3:443 | | tcp
GB | 142.250.178.3:443 | | udp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | udp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp

Files

/data/data/com.endbetween46/cache/nkbkg

MD5 49942b1e9ef99dd6efd7610e2f4887a9
SHA1 8bda7cb915aba3b7026d8438357444c2f17673f9
SHA256 ffb1d94e8619a2bc50279883c65bd06b3690e5dee35b24b4dd65ef73583ba3c4
SHA512 3f308dc3dd25ff82711749c5ef03c7c9ff73c6835ef4c527a699d75b5cafd11cce9c4f1619200bf9f72c7078a73053f6b601d6dea01f7ce1e98719bf6c4c7812

/data/data/com.endbetween46/kl.txt

MD5 a96bec671dce94ec3b8f7457b80c46cb
SHA1 d5c72a7e4aac8468929583297f35be37b34bb58a
SHA256 ac6755d9b322a3dbffeabce897929ce14e21a831564234bd54e798198052a7e9
SHA512 8888a96b5434da7a3d076285f8c09ec94adab7f0ac64165ccf314e0f94e4a216d7224c04534ea8348131030c706f42b2ba22220f4684052af3eeb752147f35c7

/data/data/com.endbetween46/kl.txt

MD5 95b788b050b396d67672430882e3dfa1
SHA1 45ed6fa9923c94432b702c7d21ee4db7e9f6d375
SHA256 fc73353d5ff76059861dbf3b78f3c49458298a78efa12a7d8ae50f3fd1874085
SHA512 8ae7a16080038d1be2aed2e7bea14615992471104e1463de2bda4390fa3032b6ddfd056ef286f6e33d031e12a9b5c4c75bc1f3a47193f8d53c93f91bdeb0445c

/data/data/com.endbetween46/kl.txt

MD5 eb18e70375b69acb51dde07691e8db80
SHA1 d9da3242a32ba27aeb4fdb44e362d6d4b27fa3bf
SHA256 fd1ab3f16975517e0cc5e5642359b7cf511eb91ca2d399e1af81843602046d53
SHA512 87aa8a5ad95cce5ba62e8f925c6de0769fbfd3f3623b2356f413ab39154e16e4cf64d99fe0c7f2fe9af398e2160abe98165886a31e3c0cedf55f0287bc88d34d

/data/data/com.endbetween46/kl.txt

MD5 a8b4e3ffbd35d8754a48446c5b35da79
SHA1 a6b5b34a12a6ed94323b5b49a34b5d2dcbab01b9
SHA256 1b26457d7469fc8b175d65bcc1567d4b62a68f3cf7be925ac18542f21d462728
SHA512 e973cb8a4e87db870c86ca856af4785abeea6d7b5cfc191a3e2ad2ba6b29a8034c8e1a880f8cb62526650ed907f09a322b487a19780923c73256413a80e209ce

/data/data/com.endbetween46/kl.txt

MD5 8ca1dabe9f4c55c67771a4f0ca26923a
SHA1 4854835b0fdd804c262c4d92bd137693537d059f
SHA256 c29139ce3832a7b60cb7c509a9a63e30a33fb33e49bfd1908934e4e68b3b3db3
SHA512 a42e24f3334aa29275875ab7b81fce51458baec200fa6c756ee352a235f191651e007f67c9651c251b7d1c835a9d85ac696c421a3144cfe604ec07310bb9a6a2

/data/data/com.endbetween46/cache/oat/nkbkg.cur.prof

MD5 680d0635e0ca5e245cdef623c7e0a44f
SHA1 12ccdb2d11c3eca53979e23e256e89ad2ed18803
SHA256 33301d407d291e14d95ade936f19e597433149b5c44e3875c55e279b8bbfd974
SHA512 dfa699ecace2287237337870eac3cd47d4f06df2cd739d0770ce53ebd978e8db378d9e114237222fd78c1bf83a48c9a2e6c48d80a26457496156fdd059328b27

/data/data/com.endbetween46/.qcom.endbetween46

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c