Malware Analysis Report

2024-09-09 13:42

Sample ID 240602-198j8sab87
Target 0527acf5d7a3cd7cd4e37bb6515c423c4045b13a7e3a74548f4c6eb6ec0541c8.bin
SHA256 0527acf5d7a3cd7cd4e37bb6515c423c4045b13a7e3a74548f4c6eb6ec0541c8
Tags octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 0527acf5d7a3cd7cd4e37bb6515c423c4045b13a7e3a74548f4c6eb6ec0541c8

Threat Level: Known bad

The file 0527acf5d7a3cd7cd4e37bb6515c423c4045b13a7e3a74548f4c6eb6ec0541c8.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Prevents application removal

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Requests access to notifications (often used to intercept notifications before users become aware of them).

Makes use of the framework's Accessibility service

Requests modifying system settings.

Obtains sensitive information copied to the device clipboard

Makes use of the framework's foreground persistence service

Registers a broadcast receiver at runtime (usually for listening for system events)

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Queries the mobile country code (MCC)

Checks CPU information

Checks memory information

Declares services with permission to bind to the system

Requests dangerous framework permissions

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Requests exemption from battery optimizations (often used to keep running unnoticed in the background).

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-02 22:22

Signatures

Declares broadcast receivers with permission to handle system events

Indicator                                          Description (Process and Target: N/A)
android.permission.BIND_DEVICE_ADMIN               Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

Indicator                                          Description (Process and Target: N/A)
android.permission.BIND_ACCESSIBILITY_SERVICE      Required by accessibility services to bind with the system. Allows apps to access accessibility features.
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE  Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.

Requests dangerous framework permissions

Indicator                                          Description (Process and Target: N/A)
android.permission.WRITE_EXTERNAL_STORAGE          Allows an application to write to external storage.
android.permission.RECEIVE_SMS                     Allows an application to receive SMS messages.
android.permission.READ_SMS                        Allows an application to read SMS messages.
android.permission.SEND_SMS                        Allows an application to send SMS messages.
android.permission.READ_PHONE_STATE                Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.CALL_PHONE                      Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.WRITE_SETTINGS                  Allows an application to read or write the system settings.
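The static signatures above are worth turning into a repeatable check, because the BIND_ACCESSIBILITY_SERVICE, BIND_NOTIFICATION_LISTENER_SERVICE and BIND_DEVICE_ADMIN entries are not requested with uses-permission at all: they sit on the app's own service and receiver declarations, so a triage script that only greps uses-permission lines misses exactly the three capabilities that make an Android banker dangerous. The script below is an added example, not part of the sandbox report or of the sample. It parses a decoded (text) AndroidManifest.xml such as apktool produces; the manifest string it embeds is constructed to declare the same permissions and component bindings the report lists for com.sanatgezgini, the component class names are placeholders, and the risk weights are an illustrative assumption rather than a published scoring scheme.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest mirroring the static1 signatures above. Class names
# (.A11yService etc.) are placeholders, not recovered from the sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.sanatgezgini">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifListener"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# Illustrative weights (assumption). The BIND_* component permissions weigh
# most: they are what gives overlay, notification-reading and
# uninstall-resistance capability. Storage access alone says little.
RISK_WEIGHTS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 4,
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": 3,
    "android.permission.BIND_DEVICE_ADMIN": 3,
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.READ_SMS": 2,
    "android.permission.SEND_SMS": 2,
    "android.permission.CALL_PHONE": 1,
    "android.permission.READ_PHONE_STATE": 1,
    "android.permission.WRITE_SETTINGS": 1,
    "android.permission.WRITE_EXTERNAL_STORAGE": 0,
}


def extract_permissions(manifest_xml):
    """Return (requested, bound).

    requested: names under <uses-permission>.
    bound: android.permission.BIND_* values placed on the app's own <service>
    and <receiver> elements. These never appear under <uses-permission>.
    """
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    bound = set()
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(ANDROID_NS + "permission")
            if perm and perm.startswith("android.permission.BIND_"):
                bound.add(perm)
    return requested, bound


def score_manifest(manifest_xml):
    """Score the manifest and name the capability combinations an analyst
    would flag on a banker sample."""
    requested, bound = extract_permissions(manifest_xml)
    score = sum(RISK_WEIGHTS.get(p, 0) for p in requested | bound)
    flags = []
    sms = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
    if "android.permission.BIND_ACCESSIBILITY_SERVICE" in bound and requested & sms:
        flags.append("accessibility service + SMS access: overlay/OTP-theft capable")
    if "android.permission.BIND_DEVICE_ADMIN" in bound:
        flags.append("device admin receiver: can resist uninstall")
    if "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE" in bound:
        flags.append("notification listener: can read and dismiss OTP notifications")
    return {
        "score": score,
        "requested": sorted(requested),
        "bound": sorted(bound),
        "flags": flags,
    }


if __name__ == "__main__":
    result = score_manifest(SAMPLE_MANIFEST)
    print(result["score"], *result["flags"], sep="\n")
```

The permission set on its own is not proof of malice (a legitimate SMS app or an MDM agent can declare several of these), which is why the script reports the combinations rather than a single verdict; the behavioral sections below are what confirm that this sample actually uses the accessibility and notification bindings it declares.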

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-02 22:22
Reported 2024-06-02 22:25
Platform android-x86-arm-20240514-en
Max time kernel 179s
Max time network 135s

Command Line

com.sanatgezgini

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Requests access to notifications (often used to intercept notifications before users become aware of them).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.sanatgezgini/cache/ntygrhadjbuptz N/A N/A
N/A /data/user/0/com.sanatgezgini/cache/ntygrhadjbuptz N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests exemption from battery optimizations (often used to keep running unnoticed in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.sanatgezgini

Network

Country  Destination           Domain                               Proto
N/A      224.0.0.251:5353      -                                    udp
US       1.1.1.1:53            semanticlocation-pa.googleapis.com   udp
US       1.1.1.1:53            www.ip-api.com                       udp
US       208.95.112.1:80       www.ip-api.com                       tcp
US       1.1.1.1:53            mavideritarak2.shop                  udp
US       1.1.1.1:53            mavidendercamlar2.com                udp
US       1.1.1.1:53            mavidendercam.com                    udp
US       1.1.1.1:53            kafaneredeciler2.shop                udp
US       1.1.1.1:53            karayipkalanda.shop                  udp
US       1.1.1.1:53            mavidlimanda.shop                    udp
US       1.1.1.1:53            mahmatagada.top                      udp
US       1.1.1.1:53            maviderinkalem.shop                  udp
US       1.1.1.1:53            kafaneredecilersda2.shop             udp
US       1.1.1.1:53            hadiordangel23.net                   udp
US       1.1.1.1:53            martilarlaaraba.shop                 udp
US       1.1.1.1:53            maviderinasfkalem1231.shop           udp
GB       142.250.200.3:443     -                                    tcp
US       1.1.1.1:53            martilarlaaraba2412.shop             udp
US       1.1.1.1:53            mavidlimanda123.shop                 udp
US       1.1.1.1:53            beyazgelinlik12.shop                 udp
US       1.1.1.1:53            maviceketler.shop                    udp
GB       142.250.180.14:443    -                                    tcp
US       1.1.1.1:53            android.apis.google.com              udp
GB       216.58.212.238:443    android.apis.google.com              tcp
GB       142.250.187.206:443   -                                    tcp

(- : no domain was associated with the connection)

Files

/data/data/com.sanatgezgini/cache/ntygrhadjbuptz

MD5 585c5305801a66dd5db937451cbc5a00
SHA1 e877749604418adf661c9ff8c56ac235da62b3cd
SHA256 441ff84a6298054185d667f3065696dd8443c50097e24fc740d78f5161780562
SHA512 fa506df6b4a421cfa54b07ba6f2a911a6253da4c80679923724cb20c6e0913ea64d676abbefe1f87e113f35fcb35b1d7cc8ae9c25f282528c902e2e44f6604e4

/data/data/com.sanatgezgini/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.sanatgezgini/kl.txt

MD5 288a58e49005998c9274875bfce42f0a
SHA1 83c77ee1d135035efa760fafeba5d1bf7dae9246
SHA256 3358480d8be066a8597ee7a0311cfcc1b10ca52f4149d10dd0b314d9071f3b11
SHA512 e7221e4be48ed7d5ffd0f1095d19d91381495451ac4cde61d5486c063b286e755bf6fa68ef4c31d37b915772747a71a2390a263c62f19c242603086ddd653042

/data/data/com.sanatgezgini/kl.txt

MD5 912fd520a928a339ab7dc2e018dfc764
SHA1 dd937cc236c17c3e5d307eda2fc0c128734405a0
SHA256 2ec73e41b9920f4457b101729e7fa5b93d49bef30e97859f573878b6179753d5
SHA512 64f54c628a18860fa9fca27cfad47ae1839c705feb501d6ffe90b933867b2a893b60f0704f80a38b314cc8fbc9a84594c25b03d6a2fe6ed6e34291966d7c2d29

/data/data/com.sanatgezgini/kl.txt

MD5 5def8637ea04e57473ffd4de2d812aa8
SHA1 59c98d0ba28ee113a17cc326e0f3cf54c3e7ec4a
SHA256 9846034b2c6a0fa084f00a89159d65e74a244e71589b4ca0ea2d559f2eb407fd
SHA512 6442ee59335f427b4a43bb9e17595b33d3ebd1407811726c113883c8873274fba506a877e928e4d32d4c2c96ae1d56ab45593a568b0cabc6808ab20ed1922654

/data/data/com.sanatgezgini/kl.txt

MD5 c5b2cb8446fb07d6676eb491c450f241
SHA1 70880e5c9f79a5dd511471ea9364c2136cc8a1ac
SHA256 3047a2c5ee85ba00afd7d5a5b2a8d032fcc089ae77b7767727097ec1d6d5b42a
SHA512 ebd4ebbf82bba5de642e534676aaa57521d5c9da5a561c095ff8587496475d9019ba88480700540fbb675ae4105d4e36aff94ac8e41087ea6d2458ebd951333e

/data/data/com.sanatgezgini/cache/oat/ntygrhadjbuptz.cur.prof

MD5 5371fad212b1b406cfc7323449a9b37d
SHA1 5b9518f5040d55f324591eb7185020826b93b133
SHA256 0a9fd763143fbe2b703e69859a8ddcae2dea64e02860ddd78a5e5b34418f4c4a
SHA512 363b759eb252bc1a306fc69f17585ec7c8cc237ccea3bce960e0305164b3c90e234a91f350d99a8837b59734eecf50d384c65c047ee85a4fda4986aeb6bfcfe4

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-02 22:22
Reported 2024-06-02 22:25
Platform android-x64-20240514-en
Max time kernel 178s
Max time network 182s

Command Line

com.sanatgezgini

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Prevents application removal

evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.sanatgezgini/cache/ntygrhadjbuptz N/A N/A
N/A /data/user/0/com.sanatgezgini/cache/ntygrhadjbuptz N/A N/A
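Both detonations (behavioral1 and behavioral2) load a dropped file from /data/user/0/com.sanatgezgini/cache/ntygrhadjbuptz; the Files sections list the same file under /data/data/com.sanatgezgini/cache/, which on a single-user device is the same directory (/data/data is a symlink to /data/user/0). The report only gives its hashes, so the first thing to do once the file is pulled from the device or sandbox is to establish what it is: a plain DEX with a self-consistent header, a JAR/APK, or an opaque blob that the loader decrypts in memory first. The script below is an added example, not part of the report; it does not contain the real dropped file. Its inputs are constructed: a minimal DEX header with correct checksum and signature fields, a ZIP prefix, and a uniformly distributed byte blob standing in for an encrypted payload. The header layout it checks (magic, adler32 over everything after the checksum field, SHA-1 over everything after the signature field, file_size, header_size, endian_tag) is the published DEX format; the 7.5 entropy threshold is an analyst's rule of thumb.

```python
import hashlib
import math
import struct
import zlib

DEX_MAGIC_PREFIX = b"dex\n"
DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_CONSTANT = 0x12345678
HIGH_ENTROPY = 7.5  # bits/byte; rule of thumb for "probably encrypted/compressed"


def build_minimal_dex():
    """Constructed test input: a 0x70-byte DEX header with no sections whose
    checksum and signature fields are internally consistent. It is not a
    loadable dex, only enough to exercise identify_payload()."""
    h = bytearray(DEX_HEADER_SIZE)
    h[0:8] = b"dex\n035\0"                                 # magic, version 035
    struct.pack_into("<I", h, 32, DEX_HEADER_SIZE)         # file_size
    struct.pack_into("<I", h, 36, DEX_HEADER_SIZE)         # header_size
    struct.pack_into("<I", h, 40, DEX_ENDIAN_CONSTANT)     # endian_tag
    # signature = SHA-1 of everything after the signature field (offset 32..).
    h[12:32] = hashlib.sha1(bytes(h[32:])).digest()
    # checksum = adler32 of everything after the checksum field (offset 12..),
    # so it covers the signature and must be computed last.
    struct.pack_into("<I", h, 8, zlib.adler32(bytes(h[12:])) & 0xFFFFFFFF)
    return bytes(h)


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def identify_payload(data):
    """Classify a dropped file by magic; for DEX, verify the header fields so a
    corrupted or deliberately mangled header is not mistaken for valid code."""
    if data[:4] == DEX_MAGIC_PREFIX and len(data) >= DEX_HEADER_SIZE:
        checksum, = struct.unpack_from("<I", data, 8)
        signature = data[12:32]
        file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
        return {
            "kind": "dex",
            "version": data[4:7].decode("ascii", "replace"),
            "checksum_ok": checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF),
            "signature_ok": signature == hashlib.sha1(data[32:]).digest(),
            "size_ok": file_size == len(data) and header_size == DEX_HEADER_SIZE,
            "endian_ok": endian_tag == DEX_ENDIAN_CONSTANT,
        }
    if data[:4] == b"PK\x03\x04":
        return {"kind": "zip/apk"}        # classes.dex lives inside; unzip first
    if data[:4] == b"\x7fELF":
        return {"kind": "elf"}            # native library, not dex
    ent = shannon_entropy(data)
    return {
        "kind": "unknown",
        "entropy": ent,
        # High entropy with no recognised magic is the typical signature of a
        # payload that the dropper decrypts in memory before loading it.
        "looks_encrypted": ent >= HIGH_ENTROPY,
    }


if __name__ == "__main__":
    good = build_minimal_dex()
    print(identify_payload(good))
    tampered = bytearray(good)
    tampered[0x50] ^= 0xFF               # flip a byte past the header's hashes
    print(identify_payload(bytes(tampered)))
    print(identify_payload(bytes(range(256)) * 4))   # constructed "encrypted" blob
```

In practice the check runs as `identify_payload(open(path, "rb").read())` on the pulled file. The report also lists /data/data/com.sanatgezgini/cache/oat/ntygrhadjbuptz.cur.prof; a `.cur.prof` beside a loaded dex is the runtime profile ART writes for code it has executed, which corroborates that the dropped file was run as code, not merely written to disk.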

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.sanatgezgini

Network

Country  Destination           Domain                               Proto
N/A      224.0.0.251:5353      -                                    udp
US       1.1.1.1:53            www.ip-api.com                       udp
US       1.1.1.1:53            kafaneredecilersda2.shop             udp
US       208.95.112.1:80       www.ip-api.com                       tcp
US       1.1.1.1:53            mavidendercamlar2.com                udp
US       1.1.1.1:53            martilarlaaraba2412.shop             udp
US       1.1.1.1:53            kafaneredeciler2.shop                udp
US       1.1.1.1:53            mavidendercam.com                    udp
US       1.1.1.1:53            mahmatagada.top                      udp
US       1.1.1.1:53            mavideritarak2.shop                  udp
US       1.1.1.1:53            maviderinkalem.shop                  udp
US       1.1.1.1:53            maviderinasfkalem1231.shop           udp
US       1.1.1.1:53            martilarlaaraba.shop                 udp
US       1.1.1.1:53            hadiordangel23.net                   udp
US       1.1.1.1:53            mavidlimanda.shop                    udp
US       1.1.1.1:53            maviceketler.shop                    udp
US       1.1.1.1:53            ssl.google-analytics.com             udp
GB       216.58.201.104:443    ssl.google-analytics.com             tcp
US       1.1.1.1:53            karayipkalanda.shop                  udp
US       1.1.1.1:53            beyazgelinlik12.shop                 udp
US       1.1.1.1:53            mavidlimanda123.shop                 udp
US       1.1.1.1:53            android.apis.google.com              udp
GB       172.217.16.238:443    android.apis.google.com              tcp
GB       172.217.169.14:443    -                                    tcp
US       1.1.1.1:53            semanticlocation-pa.googleapis.com   udp
GB       142.250.200.46:443    -                                    tcp
GB       172.217.16.226:443    -                                    tcp
GB       216.58.204.68:443     -                                    tcp
GB       216.58.204.68:443     -                                    tcp

(- : no domain was associated with the connection)
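The two Network tables (behavioral1 and behavioral2) share one pattern worth extracting rather than eyeballing: the .shop/.top/.net/.com domains with Turkish-looking names appear only as DNS queries to 1.1.1.1, and no TCP connection to any of them is listed, so during these detonations they read as a candidate C2 list that did not resolve rather than as confirmed live infrastructure. The only hosts actually contacted over TCP are www.ip-api.com (a public geo-IP lookup service, which tells you the sample fingerprints the victim's location) and Google infrastructure. The script below is an added example, not part of the report. It parses rows in the table's own whitespace-separated layout, handling both a missing Domain cell (3 fields) and a "-" placeholder, and splits what was merely queried from what was connected to. SAMPLE_ROWS is a constructed excerpt of the table above; the benign-suffix and lookup-service lists are analyst assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt in the report's own row format. Both a 3-field row
# (no domain) and a "-" placeholder row are included deliberately.
SAMPLE_ROWS = """\
Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 mavideritarak2.shop udp
US 1.1.1.1:53 kafaneredeciler2.shop udp
GB 142.250.200.3:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
GB 216.58.204.68:443 - tcp
"""

# Analyst assumptions: platform traffic that every Android emulator produces,
# and third-party lookup services the malware uses but does not control.
BENIGN_SUFFIXES = ("google.com", "googleapis.com", "google-analytics.com")
LOOKUP_SERVICES = ("ip-api.com",)


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows. The Domain column may be
    absent (3 fields) or written as '-'; both mean no domain."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        if domain == "-":
            domain = None
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def _matches(domain, suffixes):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def classify_domain(domain):
    if _matches(domain, BENIGN_SUFFIXES):
        return "benign_infra"
    if _matches(domain, LOOKUP_SERVICES):
        return "lookup_service"
    return "suspect"


def extract_iocs(text):
    """Separate domains that were only resolved from hosts that were actually
    connected to, and collect TCP destinations with no domain attached."""
    queried, contacted, unattributed_ips = set(), set(), set()
    for r in parse_rows(text):
        ip = ipaddress.ip_address(r["ip"])
        if r["proto"] == "udp" and r["port"] == 53:   # DNS lookup, not contact
            if r["domain"]:
                queried.add(r["domain"])
            continue
        if ip.is_multicast:                          # mDNS/SSDP noise
            continue
        if r["domain"]:
            contacted.add(r["domain"])
        else:
            unattributed_ips.add(r["ip"])
    by_class = defaultdict(set)
    for d in queried | contacted:
        by_class[classify_domain(d)].add(d)
    return {
        "suspect_queried_not_contacted": sorted(by_class["suspect"] - contacted),
        "suspect_contacted": sorted(by_class["suspect"] & contacted),
        "lookup_services": sorted(by_class["lookup_service"]),
        "benign_infra": sorted(by_class["benign_infra"]),
        "unattributed_ips": sorted(unattributed_ips),
    }


def to_dns_blocklist(iocs):
    """hosts-file style sinkhole lines for every suspect domain."""
    suspects = iocs["suspect_queried_not_contacted"] + iocs["suspect_contacted"]
    return [f"0.0.0.0 {d}" for d in sorted(suspects)]


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_ROWS)
    for k, v in iocs.items():
        print(f"{k}: {v}")
    print("\n".join(to_dns_blocklist(iocs)))
```

The unattributed TCP destinations (Google address space on 443 here) need a second look only if they do not belong to the emulator's own platform traffic; the lists that matter for detection are the suspect domains, which go straight into DNS blocking, and the ip-api.com lookup, which is a useful hunting pivot because legitimate apps rarely geolocate the device that way at first launch.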

Files

/data/data/com.sanatgezgini/cache/ntygrhadjbuptz

MD5 585c5305801a66dd5db937451cbc5a00
SHA1 e877749604418adf661c9ff8c56ac235da62b3cd
SHA256 441ff84a6298054185d667f3065696dd8443c50097e24fc740d78f5161780562
SHA512 fa506df6b4a421cfa54b07ba6f2a911a6253da4c80679923724cb20c6e0913ea64d676abbefe1f87e113f35fcb35b1d7cc8ae9c25f282528c902e2e44f6604e4

/data/data/com.sanatgezgini/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.sanatgezgini/kl.txt

MD5 1e913bae09299794e53b9538f7ac4cb7
SHA1 064659ae93804c2f6e606f1e13290b90bf2043e7
SHA256 ab7919bb7abdcffc5d28f63035d758bdb50dd85e44862f7e1fdae5404ee2f593
SHA512 3d694c1f9f87e56b1d112eeb0bfa3c300989be1539631f02063d9f482fd8a858b1316fcf3cc36c4e2a8cfa21a6b5797452739d3624d675edae87593971a609fb

/data/data/com.sanatgezgini/kl.txt

MD5 fa0bffe1596eab729425390264cb5cde
SHA1 a854141dc55aa6223da0e0e54acac760e65b1bb8
SHA256 5f251d6f327c38bb8c41dec6bfc10db2be5faec17d978d952fe6ce29217a7190
SHA512 a37f0949ff5db3eeb5052391eb9ab584986769241ff7bc7759e7cd8dd3ad0bd6d5f5f1d3bfe842b9d516e5abbc2a960bcd648c516e77910f9db29e60036c5768

/data/data/com.sanatgezgini/kl.txt

MD5 cbbe99deaa3abd1dbb80f62b2924270e
SHA1 e9d581268a0529d1dd007b1d1a7837d794983d59
SHA256 f7f96e983812c28e3d5c7d0092a5312093990db9c8669861734e74f5ac89b0c5
SHA512 8a75dcf400137c5aba76c582f74c2e09f8b51cdb3c99bbede9ab6948b08decc21b46eeab556736ddb91667b4881ff2b83fa8131e29e5b6dd686014132f0b1050

/data/data/com.sanatgezgini/kl.txt

MD5 07687f5a9a4e80df302f5da183c9a55e
SHA1 4f08e71a615d510f0dfaae5f2e5e88f9d2a3e585
SHA256 34a2d2653b8caeb970eee52fdbea5689705e53d01927c268b64ed9807162e4af
SHA512 ce53cae618a65d5ddb9ba280025fe2eb6dbfbef2e1c2eb821c1a7ec49710dec0691405b8cfeeabc18cee8f9b0cca933a4e12e924b6b4cab00977ce039c557355

/data/data/com.sanatgezgini/cache/oat/ntygrhadjbuptz.cur.prof

MD5 73c4fa15415bd0f6fcc18ae291a1f9a2
SHA1 3d667d24e1d1d96b0f99263b6d055da118376fd8
SHA256 373507c066418b7f576f9a9a256b7ea3bfa73a7a82632ce1cfa5e31ca17d4c38
SHA512 4226fb35e4fa1482fb3d1558d8c10f762712e76ad0a874fd089b51fd1bb8d96221ba58e3eab14787efc6d262c3734f42f151e69dc4880f41d40731c3d1727d09