Malware Analysis Report

2024-09-09 13:47

Sample ID 240602-177j6aha6x
Target 3f5fc47f8d85ca4b4c299368b31a7db137ebf750ae4c4077e2bb972ca46f3418.bin
SHA256 3f5fc47f8d85ca4b4c299368b31a7db137ebf750ae4c4077e2bb972ca46f3418
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3f5fc47f8d85ca4b4c299368b31a7db137ebf750ae4c4077e2bb972ca46f3418

Threat Level: Known bad

The file 3f5fc47f8d85ca4b4c299368b31a7db137ebf750ae4c4077e2bb972ca46f3418.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth

Octo

Octo payload

Prevents application removal

Makes use of the framework's Accessibility service

Removes its main activity from the application launcher

Requests accessing notifications (often used to intercept notifications before users become aware).

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's foreground persistence service

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries the mobile country code (MCC)

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Queries the unique device ID (IMEI, MEID, IMSI)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Reads information about phone network operator.

Acquires the wake lock

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-02 22:18

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 22:18

Reported

2024-06-02 22:21

Platform

android-x64-arm64-20240514-en

Max time kernel

179s

Max time network

184s

Command Line

com.endbetween46

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.endbetween46/cache/nkbkg | N/A | N/A
N/A | /data/user/0/com.endbetween46/cache/nkbkg | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.endbetween46

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | gecelerisvdmpkiyasen.top | udp
US | 1.1.1.1:53 | fesatokero.top | udp
US | 1.1.1.1:53 | kranliktaaradm.xyz | udp
US | 1.1.1.1:53 | saybyebyetohepiniz.xyz | udp
US | 1.1.1.1:53 | tambanunakere.xyz | udp
US | 1.1.1.1:53 | yoktuhcfener.xyz | udp
US | 1.1.1.1:53 | ruhumdnzincirr.top | udp
US | 1.1.1.1:53 | astralanahatarim.top | udp
US | 1.1.1.1:53 | anilardvrimi.xyz | udp
US | 1.1.1.1:53 | hadikapanikapatsana.xyz | udp
US | 1.1.1.1:53 | karakapkaraklpak.xyz | udp
US | 1.1.1.1:53 | tutankamunhaci.top | udp
US | 1.1.1.1:53 | izlemebskasiyla.xyz | udp
US | 1.1.1.1:53 | tabukareler.top | udp
US | 1.1.1.1:53 | dlounayyanimda.top | udp
US | 1.1.1.1:53 | kefalmefaltefal.xyz | udp
US | 1.1.1.1:53 | bilebilegndere.xyz | udp
US | 1.1.1.1:53 | leardolordoloro.top | udp
US | 1.1.1.1:53 | buzbuzdagdaglari.top | udp
US | 1.1.1.1:53 | lemanobelki.xyz | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.200.36:443 | www.google.com | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp

Files

/data/data/com.endbetween46/cache/nkbkg

MD5 49942b1e9ef99dd6efd7610e2f4887a9
SHA1 8bda7cb915aba3b7026d8438357444c2f17673f9
SHA256 ffb1d94e8619a2bc50279883c65bd06b3690e5dee35b24b4dd65ef73583ba3c4
SHA512 3f308dc3dd25ff82711749c5ef03c7c9ff73c6835ef4c527a699d75b5cafd11cce9c4f1619200bf9f72c7078a73053f6b601d6dea01f7ce1e98719bf6c4c7812

/data/data/com.endbetween46/kl.txt

MD5 d7cc0d3d7b69d44bf9138c29ecc8bc0d
SHA1 95cdd7fc28b82e0096c7edd385ecb62fc242ecf1
SHA256 661246ce700ee89f0bc1a40f41d6d55ef70b5cdf88d901f44a0ce9763f3e7952
SHA512 20d76647797d26b8efd785044a5aea2c26146a9842292985bd45cb5b70e9726a75c56a666b6762ec3c5c4ea6895d2c80c4f02fbdade46f126bb681694e0a831d

/data/data/com.endbetween46/kl.txt

MD5 df46697c64ccf4b2b13ca376290cbc03
SHA1 6f408fca72b596bcb68199d97eebefc0d486e57b
SHA256 2f086ab5c43ff41edee3507fd7bc29fb478790703f11bd262ae21a47ff50082e
SHA512 a8d6335f918579ad86aca0ad9589fd5b7c5df944e6753f067562f8548a2cbfbd959a3c40259fa5d7b54c968678b19b802c1640c9e181a769c09f2015f4a78146

/data/data/com.endbetween46/kl.txt

MD5 63e246e4737067c433eb2cf1b0996641
SHA1 20af069237051948782832b3ce54f940cbcfd4f5
SHA256 2d836918ffc04a8841ead8dd9270b86dc8e47b72e1832ea9a5e162c22c91538b
SHA512 88231c74bb6c61305193eee52620a873c8b115c66223e3b2a984668dc68bd67e1731fedfb2b972f7338b7d1ff864465e56605e59aa9cb83cdf59b82b4b0ea651

/data/data/com.endbetween46/kl.txt

MD5 99f22db6c3b76c411455500784b8d36a
SHA1 3f5dcf1426b3734a32677d6b0f5387c56a9ba4b6
SHA256 268bb3722d1931c98af6042f60a01600f342a50e623d60eab8892a9e8fe51908
SHA512 442e8836484801e30c5c215dbdd1e0b9b7e185f34c689d0b0b57aca82560653b09f480c4e33ed10d7b341a5dd164db4b759d207fda5b214c307c8b35369bd372

/data/data/com.endbetween46/kl.txt

MD5 82be8d9a8f7c46fb2a07ffd600d4c274
SHA1 774e0e4463db62dd454ad8ad3739ec7c98ae7364
SHA256 bc2a758a7b65117fec36c4e841e8cfcd3e1c79112750f19f391a76845d3dbdd5
SHA512 2c5134a14dbd2f5bd9412a96f0838957fc5c4fbb557787659d997052deb848aab1dab8168597a105f36df00287853afd5c37ff581eb1c7d6f69cefaf67591729

/data/data/com.endbetween46/cache/oat/nkbkg.cur.prof

MD5 89974b72b7f69e9eb8c85aabb5594763
SHA1 da719a2e29d448f2888ebcd86af25392205962a7
SHA256 8afb6b271b555b97b2955e06ce1bb7d872af6af039207a8e7a8a31fbbcc768f4
SHA512 a21804c830d6fff80a551f1fd334b75f99cc30f76481f017604996a62b4f5c8a9a37d77fb9f3255c0ab5b5419f5eebd185e9ea8df1a6005efba447f420cea82c

/data/data/com.endbetween46/.qcom.endbetween46

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 22:18

Reported

2024-06-02 22:21

Platform

android-x86-arm-20240514-en

Max time kernel

31s

Max time network

171s

Command Line

com.endbetween46

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.endbetween46/cache/nkbkg | N/A | N/A
N/A | /data/user/0/com.endbetween46/cache/nkbkg | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.endbetween46

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | anilardvrimi.xyz | udp
US | 1.1.1.1:53 | leardolordoloro.top | udp
US | 1.1.1.1:53 | tutankamunhaci.top | udp
US | 1.1.1.1:53 | astralanahatarim.top | udp
US | 1.1.1.1:53 | lemanobelki.xyz | udp
US | 1.1.1.1:53 | ruhumdnzincirr.top | udp
US | 1.1.1.1:53 | fesatokero.top | udp
US | 1.1.1.1:53 | dlounayyanimda.top | udp
US | 1.1.1.1:53 | tabukareler.top | udp
US | 1.1.1.1:53 | bilebilegndere.xyz | udp
US | 1.1.1.1:53 | saybyebyetohepiniz.xyz | udp
US | 1.1.1.1:53 | izlemebskasiyla.xyz | udp
US | 1.1.1.1:53 | kranliktaaradm.xyz | udp
US | 1.1.1.1:53 | hadikapanikapatsana.xyz | udp
US | 1.1.1.1:53 | gecelerisvdmpkiyasen.top | udp
US | 1.1.1.1:53 | kefalmefaltefal.xyz | udp
US | 1.1.1.1:53 | yoktuhcfener.xyz | udp
US | 1.1.1.1:53 | tambanunakere.xyz | udp
US | 1.1.1.1:53 | karakapkaraklpak.xyz | udp
US | 1.1.1.1:53 | buzbuzdagdaglari.top | udp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
GB | 142.250.200.3:443 | | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 172.217.16.234:443 | semanticlocation-pa.googleapis.com | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp
BG | 194.59.30.2:443 | buzbuzdagdaglari.top | tcp

Files

/data/data/com.endbetween46/cache/nkbkg

MD5 49942b1e9ef99dd6efd7610e2f4887a9
SHA1 8bda7cb915aba3b7026d8438357444c2f17673f9
SHA256 ffb1d94e8619a2bc50279883c65bd06b3690e5dee35b24b4dd65ef73583ba3c4
SHA512 3f308dc3dd25ff82711749c5ef03c7c9ff73c6835ef4c527a699d75b5cafd11cce9c4f1619200bf9f72c7078a73053f6b601d6dea01f7ce1e98719bf6c4c7812

/data/data/com.endbetween46/kl.txt

MD5 f964c8d275f0c79db4f37699f952fd50
SHA1 54371e66230f120e6e0185300ea7926c46edccf6
SHA256 b40b48aaa911290dc729333cc30ca4fb7be4fd2e415816b6ae6c26434f1f93ca
SHA512 27734f5455d075953935664b91ead56fe727ed0fa6b8d9e176c15a3ded71efa1e956dc2e8e351874baaf8dd2dd51f2fbabdfac473f0e31ca07963474ce32d711

/data/data/com.endbetween46/kl.txt

MD5 11ba5998805e335c8e225af817aa5e9e
SHA1 98b82e22539686630b0b410101fe279f8d3d2616
SHA256 ae52a91d7e031de504edfa24a9969382b1024363cec2d92f181f60a7714efb0f
SHA512 3142082aa4c0c87f39cea826e373c00344b4d76b3d277b419ceeb2e6e6e8113fe0b8384df5ceadf9df4bb5f0a6855005c9a13f6d93c55786bea8b76f5a70b5cd

/data/data/com.endbetween46/kl.txt

MD5 e1276998fbbab9d0f32099be850f588e
SHA1 aac8c40f5df06ab563063d84d3d193876fdfca9e
SHA256 1dd793ef5a85b0b28624f5b6e8e75e056f65da77de3d7b8b4d123faf9e2aea57
SHA512 21216c7b55675713fe972c41d14649c454cf005d404059f3505bccaa0ee7b14fbf45e8bac4e298e796e7a10c3b805890eed761914eb65402094f3e6fb9b8917f

/data/data/com.endbetween46/kl.txt

MD5 455cebcdcd5a10db6f0be6fdcb46bbed
SHA1 2e92fbbf7858de78a8f4e64183d4fe6dfc3947d8
SHA256 149921ae5212369562deb4a881655aaf90c55fc9530292016b3d4a40f91b9d72
SHA512 34071711f17d819a23ee59fabde737f9d791302afe58faaa770d11d74ffe07815fe2dcea47700f3c272d6b54ab475dd82b410f73fe8411e1b8e6106a4f9a9a91

/data/data/com.endbetween46/kl.txt

MD5 8ddf77e14853a0715fb2a58fd239c754
SHA1 268ece66612f53ca34a717fc32a2e75d65601089
SHA256 9630eb57b68c6457e0852e8a1997522eb9911d95ca4b5ffb05fcc104dee85daa
SHA512 fa65f303e07fa218640aac3038356d4c1aa19a480a5073417f5f1d785c056cb1002ca6d8e0211733df7cb707b0c917fe13a1855e2aad3f6c9bc14e9a6da7d781