Malware Analysis Report

2024-09-09 13:41

Sample ID 240606-g77elsbd44
Target fa4ac39e5f7796a9bf7557703f18544356ddf74e650534974ee91c59f879af86.apk
SHA256 fa4ac39e5f7796a9bf7557703f18544356ddf74e650534974ee91c59f879af86
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

fa4ac39e5f7796a9bf7557703f18544356ddf74e650534974ee91c59f879af86

Threat Level: Known bad

The file fa4ac39e5f7796a9bf7557703f18544356ddf74e650534974ee91c59f879af86.apk was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth

Octo payload

Octo

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's foreground persistence service

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Requests dangerous framework permissions

Performs UI accessibility actions on behalf of the user

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator.

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests accessing notifications (often used to intercept notifications before users become aware).

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-06 06:28

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 06:27

Reported

2024-06-06 06:58

Platform

android-x64-arm64-20240603-en

Max time kernel

145s

Max time network

155s

Command Line

com.pagewas52

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.pagewas52/cache/rzsmaioq | N/A | N/A
N/A | /data/user/0/com.pagewas52/cache/rzsmaioq | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.pagewas52

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.238:443 | | tcp
GB | 172.217.16.238:443 | | tcp
GB | 216.58.201.106:443 | | tcp
GB | 216.58.201.106:443 | | tcp
US | 1.1.1.1:53 | evsizlikmerkezvaz.top | udp
US | 1.1.1.1:53 | hediyesepetcidepoz.top | udp
US | 1.1.1.1:53 | sagliklidayanikliq.top | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 1.1.1.1:53 | guzelliklervarqac.top | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | hatirlaunutmauyan.top | udp
TR | 178.215.236.54:443 | hediyesepetcidepoz.top | tcp
US | 1.1.1.1:53 | inandiricibakisvu.top | udp
US | 1.1.1.1:53 | saskinalacagimiz.top | udp
US | 1.1.1.1:53 | gucunuzetkilerqo.top | udp
US | 1.1.1.1:53 | kahvehanekeyfian.top | udp
US | 1.1.1.1:53 | hafizadondurucuq.top | udp
US | 1.1.1.1:53 | isteklergelirgiz.top | udp
US | 1.1.1.1:53 | kelebekleroyunuq.top | udp
TR | 178.215.236.54:443 | hediyesepetcidepoz.top | tcp
TR | 178.215.236.54:443 | hediyesepetcidepoz.top | tcp
GB | 172.217.169.68:443 | | tcp
GB | 172.217.169.68:443 | | tcp
TR | 178.215.236.54:443 | hediyesepetcidepoz.top | tcp
TR | 178.215.236.54:443 | hediyesepetcidepoz.top | tcp
TR | 178.215.236.54:443 | hediyesepetcidepoz.top | tcp
TR | 178.215.236.54:443 | hediyesepetcidepoz.top | tcp
TR | 178.215.236.54:443 | hediyesepetcidepoz.top | tcp
TR | 178.215.236.54:443 | hediyesepetcidepoz.top | tcp
US | 1.1.1.1:53 | support.google.com | udp
US | 1.1.1.1:53 | support.google.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
US | 1.1.1.1:53 | support.google.com | udp
BE | 74.125.133.84:443 | accounts.google.com | tcp
GB | 142.250.180.14:443 | support.google.com | tcp
US | 1.1.1.1:53 | storage.googleapis.com | udp
US | 1.1.1.1:53 | lh3.googleusercontent.com | udp
GB | 142.250.179.251:443 | storage.googleapis.com | tcp
GB | 172.217.16.225:443 | lh3.googleusercontent.com | tcp
GB | 172.217.16.225:443 | lh3.googleusercontent.com | tcp
US | 1.1.1.1:53 | apis.google.com | udp
GB | 216.58.201.110:443 | apis.google.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
US | 1.1.1.1:53 | play.google.com | udp
GB | 142.250.180.4:443 | www.google.com | tcp
GB | 172.217.16.238:443 | play.google.com | tcp
GB | 172.217.16.238:443 | play.google.com | tcp
GB | 172.217.16.238:443 | play.google.com | tcp
US | 1.1.1.1:53 | clients1.google.com | udp
GB | 142.250.187.206:443 | clients1.google.com | tcp
TR | 178.215.236.54:443 | hediyesepetcidepoz.top | tcp
TR | 178.215.236.54:443 | hediyesepetcidepoz.top | tcp
TR | 178.215.236.54:443 | hediyesepetcidepoz.top | tcp

Files

/data/user/0/com.pagewas52/cache/rzsmaioq

MD5 59cb829b1399074765852caca63c071e
SHA1 8ccfba92ac3610a692d98335c3d79392dd68ab4f
SHA256 610ab53ddf606861bfd14675434e3c01533576b040bb4161f42a9f26cb295314
SHA512 acd390e1485461d2de5a877faa03733363d6594fafee04c28a56d06190c56aec19e192b7cc383baeeae5a3dc13d04d65274c90b242af1dde3b7abde5a0e01cc6

/data/user/0/com.pagewas52/kl.txt

MD5 2a97c51df7cab6554df7d00ef8a138bc
SHA1 2791f1a4a61cd64260d1812149a290d791a5ed45
SHA256 7fbd2cfab627465d8c571bb68bfea4db55eddc7a8e659b3a50f5ef6c97fd11e5
SHA512 9b1e1fcfb99262a29725d2e5f9ef84e4eb66446b7f1f6a553e852810fbaceae346deb72d351d27687de2aed287a0b38afb599c36351de746c437d1bcd2bb4106

/data/user/0/com.pagewas52/kl.txt

MD5 0d80d4d5aee61ae8ea79fb9390e07926
SHA1 c46947d6b79caff39d9e8210eaa74d266c875928
SHA256 c5cc482cd48dba9ba9b160e4d0eea9c737870c55d4f6b396f5a002d034fa647b
SHA512 e48949b6a36a99083b444524317eb2dbf6361bb61d5e2ec59c11f776abc56bfe6514ea46fabfd0b1406857ca77f22fa15d892707c9b5c367641378d50a4be5c3

/data/user/0/com.pagewas52/kl.txt

MD5 ca5f69eb336acfc2dc16f34868132738
SHA1 ec17f9fcb708b3d08964fe96c754297831591092
SHA256 5872d655d70e04785fddc5ec6a7678c3ac818da1dbbf3e0324a7ea44777543a8
SHA512 b351b13b9675e06497cfa8ed7be2867bdf93513e5c7335668acb97e3e42bf039dd3fb61cd276e9e1fb1ea966e97da28fe0d1ac41f2bae84d4147cde243e873ed

/data/user/0/com.pagewas52/kl.txt

MD5 bbbe158afead9d67e947304f54833a3e
SHA1 15e19adf60ae7df93bf86a21635fb1ad7c688eff
SHA256 4f217d9f062f47e4fb29e8b5b3f972bf0212ff27faff29a2dba8c1069c388d1c
SHA512 d30487fcc48dc7dfcd97e1c75beb3047cf665e7757a50f677835b11dac3611d5bb0b093e7d3e660d6d5f7a4171aa49756764a7200884e10d8ac70258f5d3d1a8

/data/user/0/com.pagewas52/kl.txt

MD5 7129d4f4d74c4fa7144f682558d63980
SHA1 ce374af6dd423fe091c6ed0d7132a9d89bf68042
SHA256 1c7a24b9fbf4682981653581de635ac0182da1ca791bc75d08e1f7e01db97a9a
SHA512 b3b8e555aefa51f6ae3039942500cde2a118ac6d24032536da64695a00256d9e0299fc7cea6e9ec7beffd45ad3afba624661bd308067588945ea53c904ea7b04

/data/user/0/com.pagewas52/kl.txt

MD5 018066261c983c8d18428734d805c095
SHA1 ea7e55e4aa6bd8104921137ef777b38d8b13aef9
SHA256 b30ed5e20ae510410bbb3650d56f14f0f79da362906c0b8c1be34ed118b3aa2f
SHA512 333ec80b35bc687b0b761fa0b2f66c2934edb25458779b8d85f0d217b4de5e6999df663696e7e3eee57bdd3679f9071792721a548f578f7bfd20bff3bf46510d

/data/user/0/com.pagewas52/kl.txt

MD5 fc6dc5ffe3adb57ef43568770189d14f
SHA1 fc47f9a4a02ec2d4afab53b444ecf44965144903
SHA256 c8d56c447e18ef8f5e4effe641f64db01e4923ed67a8f69b4ffaea8d6fd78b13
SHA512 d1da70dc214eb238250d3dced4893796af1addcde44603665dba3e1daa51aa2b9ff73f3e2a8b589d806c07cab00a3f1ad99c1f8a09c9b04fbd62f4c6e45b5604

/data/user/0/com.pagewas52/kl.txt

MD5 7c6b498c6c19929153ad4d4da00e523f
SHA1 48626f68972d88606ea20bf860f6457157cc4f7c
SHA256 2d1be8280513fe3ca4c4676b1ff27cfa5ead205104925cf18e8ea7f578aefd3f
SHA512 2685d80a1c2818e4b297baf48b11f73e1c20160b6018e906d4226c450335086ac306ba244b30c7e89f6a48d0396f50a779544597eaa9e4aecf038dd8e89de48f

/data/user/0/com.pagewas52/kl.txt

MD5 949279e6ffd0ad7d45f24f7f9b6fb78b
SHA1 4b21dde97e7754e7985cd59e2015c75ca8ce24d2
SHA256 84a27416795b2874dd7594b253aa7fa95eaab6a874eab804a6df507eff02b9b8
SHA512 54eb357a1259cc73bbef3ccda2d8e33b701f2f5976459b845beca392cacf75af0339ac3e27671afeed70067b7774fdc2f0156894b023bdecd4a63437094a0aff

/data/user/0/com.pagewas52/kl.txt

MD5 4598c62f492dfa39b106a2771911966f
SHA1 c981bcee53574e3d77bce32a7605f999cd40c1a6
SHA256 5a1bda021d94477b249f072d188f52fa1e79dd49acb9d8e89915311aaa6ed488
SHA512 c9c9307a69a4e5d09487e35641cdec41e82a139b5f99585c2f0834ed94ae5cea9c784fd514aacab5e7205fe70d7455ad3c1fac5d7c4022bc850f03f7b8da7bbb

/data/user/0/com.pagewas52/kl.txt

MD5 7b0e16ffbbeb65ebf81497742c8b773e
SHA1 538ef561bba900877a13872d26f06a23443c6e21
SHA256 d7f2347c9e92a25ee420ec30cd9858b0f199bd47c642d2034d4ff4102e464c94
SHA512 de918874af42b98688a407ca136e8e85ef1dc6c95d37ac49d2d865727122d7a3ad17ff9e396ed28d45aa9e3bdafe67995a3dc6b07b564934550d67b777e96a96

/data/user/0/com.pagewas52/kl.txt

MD5 442741e40b82376550c5e571e4fcebdf
SHA1 2b1ebcc22fd0e51f4a76d285f21c7e6e933dcbfb
SHA256 3bd340a49ac0e50a667838501f311de6eb7e155f9aa8452959623cb64fe53e5d
SHA512 5fe9e764f9656089630f8f4a5a1d4dc80cab3d5ad37d1f3b8dfb78a1ce91f7a6e86a078bbd47049dd3208205df05efd5b6ee146d871b93175c916e49861974fc

/data/user/0/com.pagewas52/kl.txt

MD5 95537536b6da8fae42e453142c6dbf4d
SHA1 0b19420640b4fd9e6285f1008b215882dd1fcfbf
SHA256 548204af5248eb0c95f3519d98d385b4ca343e81bb4a87710398fa95401d8be8
SHA512 efd6ece43a3ea661c609f9ae127bf136d739363719e68bf07c88b6c13320416484000dd5f4bb87efe4c2e96caea51bcf89ae4c9e8ca540d81c584fe20af074ed

/data/user/0/com.pagewas52/kl.txt

MD5 a43982a3ff8842136d208ce5c8c4905c
SHA1 851e0cbba74f59b3b575311166015a8e2c8cc630
SHA256 47dcc2fc527a36c7df34ca0715aea6944c1d15d1b1f754049c6911f757f119e2
SHA512 77650c412f029519a219dd8f2bf75037b78a2600e792a5f5577391c699e81be84779c0940f2854190855a7a6c517b5246e4d47185d0f304f130dbba4b0206711

/data/user/0/com.pagewas52/kl.txt

MD5 dd2ed9422a7e07eab5fec61a4918554b
SHA1 ee033d245b8605d7a2e190244220d9ddb379073d
SHA256 b43a701ecfdfe7ac48f9c323c76dee56440a5a3d6a23eca73845bbad2499f13e
SHA512 655f62a1733acf2b4b44979a3c3ae55da4628d96c127c680c3432b78b7c3b8d245a34c0f9f17ecd15acf428efbf744a4790238293596dcdea65d866c65a41ff9

/data/user/0/com.pagewas52/kl.txt

MD5 69725d22f9c3f9b1f81e672c5abbffff
SHA1 a21d38a7eff8e9ad2e2bd46ebf6e6c75bc3a4886
SHA256 fab034b3178444339b6fb3a99caa4f09040bf416414d1fe85509737d76dbf54b
SHA512 675b8cedf71f8e4008f839f54f6be45ea108991e374b7042ddf19735cc5fbf47f1e76dac1533c6104233a7e905385779274ccef614480785578dc720e88e30cf

/data/user/0/com.pagewas52/cache/oat/rzsmaioq.cur.prof

MD5 8fdba9cef269a90e3f38230102d169ec
SHA1 1676dce51d54ca4bca56f625a89e85bb6cd98e3b
SHA256 ccf4adb6070c10cdfd6ab977cd09fc82716fa8555be0c91ae734de78ac5e9c70
SHA512 b69990be71992a2aa58ac398316698cd18573974edccaa80b7785b26e61054a5acec2cd05114fc2cfad7e3ad554dbd3dbe97e4c460691defd7817bb3d18825fe

/data/user/0/com.pagewas52/kl.txt

MD5 ba7a2a2e207c3f931e2141d482985cdf
SHA1 e33b54870ae1e2198ae267c6c87e1a9c2ef63ae8
SHA256 7c19d1537ae43aeff91c587f0d8b1e3c9bb1647fff6dd9547e295276201421f4
SHA512 2dcfcc3c97573a754916ccee79d910c5d894da0c4065db482cfa1cab998473cddf9ae7c64e5da2b2da33475eb5108750a37287de2ffcb2e35f3331dc26620c05

/data/user/0/com.pagewas52/kl.txt

MD5 14a6f17e2204fdf48d0d29eb8655f06c
SHA1 82baf19ff8b76d7bcb0486eead9eb89c09812bbf
SHA256 951e44a9a338d440093657e19b92000de9e5671cb40eb6a2059bce7ea7aa45fe
SHA512 190a7197d6bf9f71268d8059601c27a91629d2b5ca09eff9b0f0f92af172fd7702e0242c37a00383e8992e1303598178f8600661c36b98cc3e107f4af0b2c864

/data/user/0/com.pagewas52/kl.txt

MD5 7cb40dd2fd93ac1530062eb7b1009b22
SHA1 a941712a437ab5f5d5d42758d4bdb9bd86173840
SHA256 659eab0e177f68a7edba49830ccac16bec1eda57afa03a770080ac4ceba08b69
SHA512 794368a78615ea079aed85be6e3a3416259a66bc0eb6cb548d0cf59ecc9df149a640fc402a64e8f967feaf7bd1495d0f4d21e4c0e8720b14e6d08071aef62317

/data/user/0/com.pagewas52/kl.txt

MD5 03299abc4ab383337024317ca03faf7f
SHA1 60c212d36ee6455a06b3977d5308db41a61e2ade
SHA256 c0a93bda8bc6406456bea757f4dfe82b6704d3e1119ad357cd3cfffef7658153
SHA512 4e7bac26dc9889d2298e61f2213dfd718bde81f6f4d83d82dbfd7f237d3b157d651102e86779f11bb7f0dfb3c9fcbd114d23495ec2ceb3395404722dd8fa8934

/data/user/0/com.pagewas52/kl.txt

MD5 53526dfb128d4b43ef75ad9498624699
SHA1 9cdd7b9cb87df12759aff35c5ad335aaf5406102
SHA256 891f9592466c50360c6cf479f65457eda9115e826c165a02bafd54c6857adcb3
SHA512 56f3cce704445584bd76e6c3b6ebae688d85e0c84e1a6f312d430442157225f607e68e62feac4e9b0fe8a616bc0f94e78229a641bb750e666e54769475b11271

/data/user/0/com.pagewas52/kl.txt

MD5 cb8c2cac5d974248911b93d1d3e2bc75
SHA1 b58e68e99b23e5e1572f86ae259160b2d4323031
SHA256 e7b8e8e2869764a59496f4833197f1a3f57944baf6df6dc4eed1bf8667836ba5
SHA512 2edebce948880f0ac48a1d457b57881e81863aa0958cda03a51cc2d778478d4abb9cdf66c15ab5af0a471935695eaed4978e66c70d4a9f20a3a0db0dfc37152b

/data/user/0/com.pagewas52/.qcom.pagewas52

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

/data/user/0/com.pagewas52/kl.txt

MD5 5192c308bedb9e78f152f1e6b917107c
SHA1 d2f1226e0e777d51af0b0b143a5bce036880ebaf
SHA256 3eb14009af8d98ccd0a91d9a6796b1f246e74b46d58e819ece72e3e5adda4cb5
SHA512 d52bacebc09d571713fe781ba30a9d7dcc4cb71243d2eb43d723584ba2ced6532303068c8750ca4ba09152b457056b65a5678fad5e3f2b1ca2ae8fd75e56bbf2

/data/user/0/com.pagewas52/kl.txt

MD5 e97e7bed18e44d96b633231ae12fb998
SHA1 b26a7151bb215257cae890e5dd13d34d608d759f
SHA256 b0c571d28566990f88fea794d6186cafbfb54fa3f5ea7ea288b3177ed691fa11
SHA512 b3100c3a6ecd58d272b7652e28b602d5546e3d1fa0779c662ebe1fced7523cad91be89b93dfd86ac6dff01a3aef3070246dd119026758c6ac3198c59a1b2abb4

/data/user/0/com.pagewas52/kl.txt

MD5 405ec4e08ed2b3e71155e35b0c1d4282
SHA1 a9b8cec18a4dd120936a23ca975fb39e41f76cb9
SHA256 84f03ddb0759360620aa50e222cbd927080920bec475acc3487c959bf75e85f4
SHA512 2077d6b3e7e7e3232cff4f9efe6f329436edd2141db700424a9d1cf1c06b23a6fde3296ca6c0565dc982b2215529d6c6c6f508870a6393f735f751c0240fef40

/data/user/0/com.pagewas52/kl.txt

MD5 d952baf393a228dc7aa533880bfdc5cb
SHA1 0ede37fd15d5562c634cf5de73a059fd331f0002
SHA256 10d0572e9c9be7136ed0eb2463b8dc2c0f6e4bd2fca570a98fb56ff00bb789b5
SHA512 8d4e8e0f4484d1a073cd262c5d86ba5d8a9a27954c873949ddc90319e0f152b8e8d7c057dd35652d265946954d14816aaa17436fd80d01a0db7873379fcc6456

/data/user/0/com.pagewas52/kl.txt

MD5 9bc5db55e1cc422e7cab56b67b01cd7c
SHA1 a2d0ef7ca9f0ec0bc9ea7ce9af4fcda2b25ec90f
SHA256 4bb0e231de83ab9e1d718997ea414ee499b4091f27a8398d5317b802445763e2
SHA512 94c59b7b5a9feb6345926c277604eb129f8c1382f31853d7ca2f7f3ba8a9bfab02da9f6518f5538b280dc313031a90580a4cc36a133057d23fb266f756a352b9

/data/user/0/com.pagewas52/kl.txt

MD5 83343ec845249e80108bbb0772d2a3e8
SHA1 8b66adf8a11ab415c18d0cba555c6da44f20a865
SHA256 fdbbd2d8dcefdf675d3879a898a2f071268951598a7c91a14ef25d2237759514
SHA512 737437f1f752136393df429277c74cc9dcad488ec262fee53048da8454c4d81a0f3006cc64f59bdaed6b58bb9b80f4761a43dd9f60a53a73469ff31d33c94c4e

/data/user/0/com.pagewas52/kl.txt

MD5 76c4f473425e15d35ae9b18a829465c9
SHA1 cad00433bf9220d717f382698a9a7e11ee8c061f
SHA256 6f514d126c0642ba724a975ee6a42a902eb7083c017a69a59b2c51c8e7e0d23a
SHA512 b0c32f8190c7d3d4cbe208e760ed8c3deb1bf908697a5d7fb1d19a26626d820aed5b6027a4b9410343b661d5f7131a430187f8c4081f2f2db1cd6ab8707a49ad

/data/user/0/com.pagewas52/kl.txt

MD5 466f7d25731b5619256b3fc79136cd97
SHA1 79b6f19c06a01aeaaeabcc8024d36501894b7b6d
SHA256 050ee40d1f36d18b715eb69a3f2df5ca6fe1fcbae624fac7b6b9f3868de62063
SHA512 261fd6ae56fc1346f6e96148808dce76af70ee376630f1233034f4291987e31514bd1aecb4363b1399040a795038aec3cbe2cd4998f4c26572f9af52cabded28

/data/user/0/com.pagewas52/kl.txt

MD5 ba498cdbc2fb10a6555fb9f0acd21e0f
SHA1 4a221841139ec9253f9e0b65c61ccba07ab776ec
SHA256 689c60f249b65a994b101e18a2b3170adb0d6384665d7659014dac7a383c31ba
SHA512 f59a9f00e7f1ebf832cd6b5a6a6f11edcf5270679aac72b65bb62f393ee62270333c2de2fb293888fca997f21695db516d8b4dace25f5fcd3136ff8b9faab9b7

/data/user/0/com.pagewas52/kl.txt

MD5 6fcc1d53be7fa43f59a274c1eda8bedf
SHA1 ce5dd6a5f3c8c00642f55213127721255ac157c3
SHA256 8bc1aa8f29706fe27cfe7f66c3d836c7237d60623ce9e3e8755502f3a72363d1
SHA512 da4623bc95743f585f3e96a45919f971b5c34d83ba7f79ac8a6b6db78587e5a4cd2085053dcc9eab4ac50d0e59cc110b9e7bdd66f2652be787a622148cdfd8f8

/data/user/0/com.pagewas52/kl.txt

MD5 604d9c7b8cf3ebce54440d532073a531
SHA1 7c0ea3c09abf0c9d6e898d91ea4237f1007904b7
SHA256 3110c6fabb8921565412ba25f15f6943a2289312ad30b6636ee7962cf7f71bb9
SHA512 9cb2894e5cbfaee3278900fb0fd52ea550d514fa087e9fdc39d152553b881c87640e9d1b98acc293eb08ac3643e1e5586628fa82cd27a427f223c626c40e8815

/data/user/0/com.pagewas52/kl.txt

MD5 e2548b491635bae23cbd459d9e3cef25
SHA1 7603936c062b68212df2b7d49e9a33c452dabbfb
SHA256 079ce6b324bab11bb069e53103a3ac79f8be92260131343e8866ba510d201b71
SHA512 5468b5474054421cccb0d3e9de7b70cf796fc0f74d0ff938f9906fa2c85ce2db267a399fd77dbe0163ef60b80bcfa0e129aeb12c8cdbbd13063d0cc99dd4ea42

/data/user/0/com.pagewas52/kl.txt

MD5 0c9669c7990adee514ddba7175629164
SHA1 31b71dc1446aef5aa6828c385ba132342cb60b3f
SHA256 2277c85e35270fb98ec35be122446f60e537f4d291bb4295fe8993d1e3591f8d
SHA512 ca3adaf8ba33821ade8eb2660767483254fa5dbba738fca6eace8c53f7376fb489a7fecc07cb91bdfc0503f17dc6004f5d467af0419540b8bc7369a7dc72b9db

/data/user/0/com.pagewas52/kl.txt

MD5 efb1367ddaab2befc6318f18af83698d
SHA1 f4fe69ac31c74aa539e9d98537223381146fa308
SHA256 2bbb8338857dc785a648e563b0bed953db537bea9472086e3a95e16e3e728a1a
SHA512 c4a0dd150e6c834a1c30b3e2f60795a26e0f7dd270408919219bd039d5a9bf8d681d25d0aa7333cd959fcc1b0b3d5324539905005d4798cebd86bf6614f18a79

/data/user/0/com.pagewas52/kl.txt

MD5 fee6f478699a2493aa9bdecacf23226f
SHA1 959455e9abd5f5f3bd0462e87945172b8d593228
SHA256 a0d50f2cbe399dae0fac03caf7e49352029644b0f02e3690ddf6418a4145623d
SHA512 0c13f7597c289260ca6d1717c58e9e016d5bf0fb97fd12cb5f029cf56bf42fd8bada852e57777b6fc62edbfaf27f62f739b388ab4272d6c861fafbaa0de4367f

/data/user/0/com.pagewas52/kl.txt

MD5 ffb8b44459b80c3334815b83f84ca0e1
SHA1 72981b7e52a3b83ec5c4a162d2a5a7751aeb0164
SHA256 4dea3e7d705b8fb90ecd1f6d8b15186eff44e25959a11fba5f7f661ea2dfb825
SHA512 05a415a9ed7a5b82c3ffb130d31343b55a1786a8c8e5b34c12fbb461994b3ee92c6e2a5ffbad74cc5e91f9ed402f4241b04b8ff12263b064cd63e3d5a36a52d3

/data/user/0/com.pagewas52/kl.txt

MD5 1242fc86aa3f6735199226db07d31e8a
SHA1 606e02aaed780e6bf319290f2de4519fd1b7608e
SHA256 3645a6679ecae7ce52089dd4c33dfbcbd9a4bcfd58719d6a2d79576b96df29ab
SHA512 99b77502f85734ddb9ba63bf98476f21696cba699aeed5539fe1a8df3db0cf9ca60a12924eb8e27e0d5fa3bf3151c1d4e1eabce2ee9298a1356be49354a6a033

/data/user/0/com.pagewas52/kl.txt

MD5 eebfc353b0d0afedb18dd1c9f2cc3165
SHA1 b55e125c3f8c83c9222bcbf6dc6d8b0d10d55a23
SHA256 e927d32adefd115e5767f49f429bd0b9d16a3d009762e07e3b573ee350ca000e
SHA512 0f6acda978a7fd3796231e72294e101f97a782541a56d587dfbfc35c3b4b9067c8d6f221e6e485b842506b9b64267f51936a21e9d66c8ac016ecef090283f214

/data/user/0/com.pagewas52/kl.txt

MD5 c7288ff06a7694364b3d77e5aba8cbcc
SHA1 ffd48e536d35d84f9b08cb2fc02ec8dccb415d1f
SHA256 18955574359d51017f98e1db136b567eabe38e9346efd6a72aa7f3daeccc452b
SHA512 543931711897a9bd1c10feb5acf5ff0cdecaffcfacf91227d0000cd1cc3b61ca42b8743365bc653b7264eda1783afc1ba7bc2d44a324b7dab9199a0ccfac358a

/data/user/0/com.pagewas52/kl.txt

MD5 c525e312cc0e7f26554c03faa4a8cbb3
SHA1 6c6cbb8ac1f980013e4c6726d895451c01a25294
SHA256 5c77202f82af95deb0ac97a16e3fad93403990f8c6fdce1c87a08abf443d651f
SHA512 55de6c47672e657cfa6bdfd2c263f5d69c2cb8b6c2cd427bc7d964d85944a07fc719cbc4a251d599ece118687cf1c4c8df8cae394eea538ccefa420d8de88906

/data/user/0/com.pagewas52/kl.txt

MD5 5ca6c4997ab795bf30cc60e9c925859e
SHA1 d66e8543086a82d1609be7babea775684008d988
SHA256 c827dabe641683698840c5b7f16d08ab9e47cae3c0d06e768c6f54a8b00ae60d
SHA512 77c0a776231b47bc8703292da0cbd6f68d629c8623505279ec2a63f3241191796c78fd8676cb4734cd8d553ba54d837464682714c2cb9bbc075e2bcf6a709a03

/data/user/0/com.pagewas52/kl.txt

MD5 708cd22a751e8f59abb7d61a23f991bb
SHA1 cd12b422c071d75b998e50a386e0f13b4801ddd5
SHA256 5483f0c83fb6d01dd3e8287e5ebea6fe36f38b24fb4bbf7bf716d89597c77ae1
SHA512 b5d2d1391bb9bbc6dfff31a040f638ddafbe7a3522779ece8281284afe81aec774a16fb93c9a26ac308f2b7af3ef1fa997ccc091b1138dc8c3721080f960ccd3

/data/user/0/com.pagewas52/kl.txt

MD5 bd9e8afef0407896f272b994bd053e75
SHA1 47ab77b7968b34c6e231d5bff475c0380ac9fa74
SHA256 c9dbe12d0b0f210dad12aebf56f933fd33c83809178788a38031d01cf37c77cc
SHA512 75db1031974c40196086d43b73e132311087d5e52908f0734723494acc83c61a03e3e16a0e947cc084353c849ebaf9c7a425727acee7927b281d0951ff68dd1a

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 06:27

Reported

2024-06-06 06:59

Platform

android-x86-arm-20240603-en

Max time kernel

176s

Max time network

186s

Command Line

com.pagewas52

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.pagewas52/cache/rzsmaioq | N/A | N/A
N/A | /data/user/0/com.pagewas52/cache/rzsmaioq | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.pagewas52

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | kelimelermekaniq.top | udp
US | 1.1.1.1:53 | mutlusunakyollar.top | udp
US | 1.1.1.1:53 | hatirlaunutmauyan.top | udp
US | 1.1.1.1:53 | kelebekortulerqoq.top | udp
US | 1.1.1.1:53 | vazgecilmezlikvur.top | udp
US | 1.1.1.1:53 | sorunludavranisvu.top | udp
US | 1.1.1.1:53 | baslayalimcalism.top | udp
US | 1.1.1.1:53 | nefeskesenfirtina.top | udp
US | 1.1.1.1:53 | inandiricibakisvu.top | udp
US | 1.1.1.1:53 | saskinalacagimiz.top | udp
US | 1.1.1.1:53 | nehirkenariyozca.top | udp
US | 1.1.1.1:53 | guzelresimlerqazan.top | udp
US | 1.1.1.1:53 | gizlimucizelervar.top | udp
US | 1.1.1.1:53 | sabirsizlaniyorum.top | udp
US | 1.1.1.1:53 | isteklergelirgiz.top | udp
US | 1.1.1.1:53 | hediyesepetcidepoz.top | udp
US | 1.1.1.1:53 | sagliklidayanikliq.top | udp
TR | 178.215.236.54:443 | hediyesepetcidepoz.top | tcp
US | 1.1.1.1:53 | rahatlikbuyukuyar.top | udp
US | 1.1.1.1:53 | kalptenbagnazimi.top | udp
US | 1.1.1.1:53 | hafizadondurucuq.top | udp
US | 1.1.1.1:53 | buyuluaynalarqizq.top | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | keskecokdileyipto.top | udp
US | 1.1.1.1:53 | huzursuzoyundunqa.xyz | udp
US | 1.1.1.1:53 | cikaracolukcagiz.top | udp
US | 1.1.1.1:53 | cocuklukankarakoc.top | udp
US | 1.1.1.1:53 | sogukkanlifirtina.top | udp
US | 1.1.1.1:53 | sevgiliaskcekilis.top | udp
US | 1.1.1.1:53 | evsizlikmerkezvaz.top | udp
US | 1.1.1.1:53 | gucunuzetkilerqo.top | udp
US | 1.1.1.1:53 | hayattansikayetim.top | udp
US | 1.1.1.1:53 | kelebekleroyunuq.top | udp
TR | 178.215.236.54:443 | hediyesepetcidepoz.top | tcp
GB | 172.217.169.42:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
TR | 178.215.236.54:443 | hediyesepetcidepoz.top | tcp
TR | 178.215.236.54:443 | hediyesepetcidepoz.top | tcp
TR | 178.215.236.54:443 | hediyesepetcidepoz.top | tcp
TR | 178.215.236.54:443 | hediyesepetcidepoz.top | tcp
TR | 178.215.236.54:443 | hediyesepetcidepoz.top | tcp
TR | 178.215.236.54:443 | hediyesepetcidepoz.top | tcp
TR | 178.215.236.54:443 | hediyesepetcidepoz.top | tcp
TR | 178.215.236.54:443 | hediyesepetcidepoz.top | tcp
TR | 178.215.236.54:443 | hediyesepetcidepoz.top | tcp
TR | 178.215.236.54:443 | hediyesepetcidepoz.top | tcp

Files

/data/data/com.pagewas52/cache/rzsmaioq

MD5 59cb829b1399074765852caca63c071e
SHA1 8ccfba92ac3610a692d98335c3d79392dd68ab4f
SHA256 610ab53ddf606861bfd14675434e3c01533576b040bb4161f42a9f26cb295314
SHA512 acd390e1485461d2de5a877faa03733363d6594fafee04c28a56d06190c56aec19e192b7cc383baeeae5a3dc13d04d65274c90b242af1dde3b7abde5a0e01cc6

/data/data/com.pagewas52/kl.txt

MD5 4dd2ceb1b2be470a42d409998f02e5e9
SHA1 d4f10442f2ba76535b435e0ac38149dd9062a870
SHA256 18f7047529828435a242b393a16fe73d593b3d8105ed9930093c51540b2bb838
SHA512 77f159be8eb38db2106b8b5407482fe428ee140c90bbacf2192785f8fb72f298ecbdac606ba216359c642b95b0a813cfd6b3ae292eae3d021b441c7cd4e0aaa1

/data/data/com.pagewas52/kl.txt

MD5 5ab3a61ee3abb29301019f88659b81f9
SHA1 1cbef462e656a193a16f4971b2c8fb1fb338151f
SHA256 abf6ac7df8ea148c8cbefb2aaa8004c959c8749fc38476ad6c7888442f32ce54
SHA512 a3ea5eb78fb29ddfbd681aee051dc2ea7bff2a3704ca284c0a8879faf0e438fbe7f67d9f22012806943f381351c040ece43a8e8c9c483f9cc8e6de545ba02d72

/data/data/com.pagewas52/kl.txt

MD5 e8f655d056949684b3f195e017cb3ab0
SHA1 b24f5b6685f747b9bfcca16a761b8e4801501adf
SHA256 7387eacfddf44e285327003248938345cf11f767237f19a63ce5512a40c84b10
SHA512 078e09d224c4457176eed41ebd2f6a79a6f1338b1c1efd4304f118d3305829844916ec6d7d3835022072487119a7534aa697291af64f934c37d3e56f924e2148

/data/data/com.pagewas52/kl.txt

MD5 0d6349a9fb9fca7198d3311cf362e508
SHA1 4b2e885947654350504ee619786e43c93ab37b4f
SHA256 5c1091ef1101298c8a476b337beebe592e16dc8722cf11e7325411f30fbd7f29
SHA512 b368abc9db6572bad874054ba5350a3f0db1967253d29caeedb3390218c9014fb8f9afc79ccaf4eafd8f4b90935d9d26f21a903fc00bb25fb4dabece0fe3bdff

/data/data/com.pagewas52/kl.txt

MD5 4ac39d47f1ec8bfb760717f40fa40710
SHA1 f4c325646d8cd6ba5ab59eba3cba4675caaa8d10
SHA256 74c373e3bcde324f61616bcc565e4383c8b25490ff044b0b3e61eb1db2343859
SHA512 b10157374a4b36c70bc891b81018efeaf8379b0221d4553af83bf9f5bdeea09c2aed88167f7fb55961a0490146c4463113df9a699604dc0ccc41eb7345e88b24

/data/data/com.pagewas52/cache/oat/rzsmaioq.cur.prof

MD5 8344c57f2ace29607985690419f7d0d9
SHA1 d7ad80766f80e868ceb073af2f93b48dd2c29c15
SHA256 2c7c7427a99d67738657a7b96524cb757c16e70a567b206cacb576ed8d25d554
SHA512 5f50d763922f216e360c509e8cc6e5f83f0eafae0e8594fff1e6f9a2c8d6d7546643a52609ba7e2150582e9db2f4b96d85391cd3375a386b6ed3495fc0e24b9f

/data/data/com.pagewas52/.qcom.pagewas52

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c