Malware Analysis Report

2024-09-09 13:46

Sample ID 240606-mwsd7seb44
Target chrome.apk
SHA256 fb5285d9a5246233433953b031ec02d85859f6a5e882bc02ec631e924e4a1591
Tags octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10
SHA256 fb5285d9a5246233433953b031ec02d85859f6a5e882bc02ec631e924e4a1591
Threat Level: Known bad

The file chrome.apk was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Obtains sensitive information copied to the device clipboard

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Declares services with permission to bind to the system

Makes use of the framework's foreground persistence service

Requests enabling of the accessibility settings.

Queries the mobile country code (MCC)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Queries the unique device ID (IMEI, MEID, IMSI)

Requests accessing notifications (often used to intercept notifications before users become aware).

Performs UI accessibility actions on behalf of the user

Reads information about phone network operator.

Requests modifying system settings.

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-06 10:49

Signatures

Declares broadcast receivers with permission to handle system events

Indicator (Process/Target: N/A)
android.permission.BIND_DEVICE_ADMIN
    Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

Indicator (Process/Target: N/A)
android.permission.BIND_ACCESSIBILITY_SERVICE
    Required by accessibility services to bind with the system. Allows apps to access accessibility features.
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE
    Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.

Requests dangerous framework permissions

Indicator (Process/Target: N/A)
android.permission.WRITE_EXTERNAL_STORAGE
    Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE
    Allows an application to read from external storage.
android.permission.RECEIVE_SMS
    Allows an application to receive SMS messages.
android.permission.READ_SMS
    Allows an application to read SMS messages.
android.permission.SEND_SMS
    Allows an application to send SMS messages.
android.permission.READ_PHONE_STATE
    Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.CALL_PHONE
    Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.WRITE_SETTINGS
    Allows an application to read or write the system settings.
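The three permission tables above are what a manual triage of the manifest would reproduce. As an added example that is not part of this report or of the sample, the Python below runs the same checks over a decoded AndroidManifest.xml: it intersects the requested permissions with the dangerous set listed above, lists services and receivers that declare one of the BIND_* signature permissions, and notes whether any activity carries the LAUNCHER category (the "Removes its main activity from the application launcher" finding can also result from a runtime PackageManager.setComponentEnabledSetting call, so the static check only catches the manifest variant). The embedded manifest is constructed for illustration and is not chrome.apk's; a real APK's manifest is binary AXML and must first be decoded, for example with apktool, before ElementTree can parse it.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the static1 signatures flag as dangerous.
DANGEROUS_PERMISSIONS = {
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
    "android.permission.WRITE_SETTINGS",
}

# Signature permissions a component declares so that only the system can bind to it.
BIND_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
    "android.permission.BIND_DEVICE_ADMIN": "device admin receiver",
}


def attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text):
    """Return (dangerous_permissions, privileged_components, no_launcher_activity)."""
    root = ET.fromstring(xml_text)
    requested = {attr(p, "name") for p in root.iter("uses-permission")}
    dangerous = sorted(requested & DANGEROUS_PERMISSIONS)

    privileged = []
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = attr(comp, "permission")
            if perm in BIND_PERMISSIONS:
                privileged.append((tag, attr(comp, "name"), perm))

    # No LAUNCHER category on any activity is the static variant of launcher hiding.
    has_launcher = any(
        attr(cat, "name") == "android.intent.category.LAUNCHER"
        for cat in root.iter("category")
    )
    return dangerous, privileged, not has_launcher


# Constructed manifest for illustration only; this is NOT the manifest of chrome.apk.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    dangerous, privileged, hidden = triage_manifest(SAMPLE_MANIFEST)
    print("dangerous permissions:", dangerous)
    for tag, name, perm in privileged:
        print(f"{tag} {name} declares {perm} ({BIND_PERMISSIONS[perm]})")
    print("no launcher activity declared:", hidden)
```

Run it against `apktool d chrome.apk` output by reading the decoded AndroidManifest.xml into `triage_manifest`; the hits it reports should line up one-to-one with the rows in the tables above.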

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-06 10:49
Reported 2024-06-06 10:52
Platform android-x86-arm-20240603-en
Max time kernel 179s
Max time network 159s

Command Line

com.groupsimpleam

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description/Indicator/Process/Target: N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description/Indicator/Process/Target: N/A

Loads dropped Dex/Jar

evasion
Indicator (Process/Target: N/A)
/data/user/0/com.groupsimpleam/cache/dapkrw (logged twice)

Makes use of the framework's Accessibility service

collection evasion credential_access
Indicator (Process/Target: N/A)
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Indicator (Process/Target: N/A)
Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service

evasion persistence
Indicator (Process/Target: N/A)
Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user

evasion
Indicator (Process/Target: N/A)
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (logged 8 times)

Queries the mobile country code (MCC)

discovery
Indicator (Process/Target: N/A)
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Indicator (Process/Target: N/A)
Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Indicator (Process/Target: N/A)
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Requests enabling of the accessibility settings.

Indicator (Process/Target: N/A)
Intent action: android.settings.ACCESSIBILITY_SETTINGS

Requests modifying system settings.

evasion
Indicator (Process/Target: N/A)
Intent action: android.settings.action.MANAGE_WRITE_SETTINGS

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Indicator (Process/Target: N/A)
Framework service call: android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)

impact
Indicator (Process/Target: N/A)
Framework API call: javax.crypto.Cipher.doFinal

Checks CPU information

Indicator (Process/Target: N/A)
File opened for read: /proc/cpuinfo

Checks memory information

Indicator (Process/Target: N/A)
File opened for read: /proc/meminfo

Processes

com.groupsimpleam

Network

Domain is shown as - where the sandbox recorded none.

Country  Destination           Domain                              Proto
N/A      224.0.0.251:5353      -                                   udp
US       1.1.1.1:53            semanticlocation-pa.googleapis.com  udp
US       1.1.1.1:53            dvapo05.top                         udp
US       1.1.1.1:53            junggvrebvqqpo.org                  udp
US       1.1.1.1:53            junggvbvqqnetokpo.com               udp
US       1.1.1.1:53            junggvbvq5656.top                   udp
US       1.1.1.1:53            bobnoopopo.org                      udp
US       1.1.1.1:53            junggvbvq.top                       udp
US       1.1.1.1:53            jungjunjunggvbvq.top                udp
US       1.1.1.1:53            junggvbvqqgrouppo.com               udp
US       1.1.1.1:53            junggpervbvqqqqqqpo.com             udp
GB       142.250.187.206:443   -                                   tcp
US       1.1.1.1:53            android.apis.google.com             udp
GB       142.250.187.238:443   android.apis.google.com             tcp
GB       216.58.212.234:443    semanticlocation-pa.googleapis.com  tcp
US       1.1.1.1:53            static.xx.fbcdn.net                 udp
GB       163.70.147.23:443     static.xx.fbcdn.net                 tcp
US       1.1.1.1:53            www.google.com                      udp
GB       142.250.200.36:443    www.google.com                      tcp
US       1.1.1.1:53            update.googleapis.com               udp
GB       142.250.180.3:443     update.googleapis.com               tcp
GB       142.250.187.206:443   -                                   tcp
GB       216.58.213.2:443      -                                   tcp
US       1.1.1.1:53            www.amazon.com                      udp
GB       13.224.242.232:443    www.amazon.com                      tcp
GB       13.224.242.232:443    www.amazon.com                      tcp
US       1.1.1.1:53            completion.amazon.com               udp
US       1.1.1.1:53            images-na.ssl-images-amazon.com     udp
US       1.1.1.1:53            m.media-amazon.com                  udp
US       151.101.65.16:443     images-na.ssl-images-amazon.com     tcp
GB       18.165.156.107:443    m.media-amazon.com                  tcp
US       151.101.65.16:443     images-na.ssl-images-amazon.com     tcp
US       151.101.65.16:443     images-na.ssl-images-amazon.com     tcp
US       151.101.65.16:443     images-na.ssl-images-amazon.com     tcp
US       151.101.65.16:443     images-na.ssl-images-amazon.com     tcp
US       151.101.65.16:443     images-na.ssl-images-amazon.com     tcp
US       151.101.65.16:443     images-na.ssl-images-amazon.com     tcp
US       1.1.1.1:53            fls-na.amazon.com                   udp
GB       18.165.156.107:443    m.media-amazon.com                  tcp
US       44.208.177.76:443     fls-na.amazon.com                   tcp
US       44.208.177.76:443     fls-na.amazon.com                   tcp
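Read as a whole, the table above mixes names that resolved and were then connected to over TCP (Google, Facebook CDN and Amazon hosts) with names that appear only as DNS queries to 1.1.1.1 and never as a TCP destination. As an added example that is not part of the report, the Python below parses the rows exactly as the sandbox printed them, separates those two groups, and lists TCP connections the sandbox could not tie to a name. The "resolved but never contacted" output is a pivot list for the analyst, not a verdict: completion.amazon.com lands in it next to the look-alike .top/.org/.com names, and the capture records neither the DNS answers nor why no connection followed.

```python
from collections import defaultdict

# Rows copied verbatim from the behavioral1 Network table (Country Destination Domain Proto).
# Rows where the sandbox recorded no Domain have only three fields.
NETWORK_ROWS = """
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 dvapo05.top udp
US 1.1.1.1:53 junggvrebvqqpo.org udp
US 1.1.1.1:53 junggvbvqqnetokpo.com udp
US 1.1.1.1:53 junggvbvq5656.top udp
US 1.1.1.1:53 bobnoopopo.org udp
US 1.1.1.1:53 junggvbvq.top udp
US 1.1.1.1:53 jungjunjunggvbvq.top udp
US 1.1.1.1:53 junggvbvqqgrouppo.com udp
US 1.1.1.1:53 junggpervbvqqqqqqpo.com udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 216.58.212.234:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 static.xx.fbcdn.net udp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.200.36:443 www.google.com tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.180.3:443 update.googleapis.com tcp
GB 142.250.187.206:443 tcp
GB 216.58.213.2:443 tcp
US 1.1.1.1:53 www.amazon.com udp
GB 13.224.242.232:443 www.amazon.com tcp
GB 13.224.242.232:443 www.amazon.com tcp
US 1.1.1.1:53 completion.amazon.com udp
US 1.1.1.1:53 images-na.ssl-images-amazon.com udp
US 1.1.1.1:53 m.media-amazon.com udp
US 151.101.65.16:443 images-na.ssl-images-amazon.com tcp
GB 18.165.156.107:443 m.media-amazon.com tcp
US 151.101.65.16:443 images-na.ssl-images-amazon.com tcp
US 151.101.65.16:443 images-na.ssl-images-amazon.com tcp
US 151.101.65.16:443 images-na.ssl-images-amazon.com tcp
US 151.101.65.16:443 images-na.ssl-images-amazon.com tcp
US 151.101.65.16:443 images-na.ssl-images-amazon.com tcp
US 151.101.65.16:443 images-na.ssl-images-amazon.com tcp
US 1.1.1.1:53 fls-na.amazon.com udp
GB 18.165.156.107:443 m.media-amazon.com tcp
US 44.208.177.76:443 fls-na.amazon.com tcp
US 44.208.177.76:443 fls-na.amazon.com tcp
"""


def parse_rows(text):
    """Split each row into (country, host, port, domain, proto); domain is '' when absent."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 3:            # Country Destination Proto, no Domain column
            parts.insert(2, "")
        if len(parts) != 4:
            raise ValueError(f"unexpected row: {line!r}")
        country, dest, domain, proto = parts
        host, port = dest.rsplit(":", 1)
        rows.append((country, host, int(port), domain, proto))
    return rows


def pivot_by_domain(rows):
    """Per named host: how many DNS lookups and how many TCP connections were recorded."""
    seen = defaultdict(lambda: {"dns": 0, "tcp": 0, "ips": set()})
    for _country, host, port, domain, proto in rows:
        if not domain:
            continue
        if proto == "udp" and port == 53:
            seen[domain]["dns"] += 1
        elif proto == "tcp":
            seen[domain]["tcp"] += 1
            seen[domain]["ips"].add(host)
    return seen


def dns_only_domains(rows):
    """Names that were looked up but never connected to in this capture."""
    return sorted(d for d, s in pivot_by_domain(rows).items() if s["dns"] and not s["tcp"])


def unattributed_tcp(rows):
    """TCP destinations the sandbox could not tie to a name."""
    return sorted({f"{host}:{port}" for _c, host, port, domain, proto in rows
                   if proto == "tcp" and not domain})


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    print("resolved but never contacted:")
    for d in dns_only_domains(rows):
        print("  ", d)
    print("TCP without a name:", unattributed_tcp(rows))
```

The same parser runs unchanged over the behavioral2 table, which is the quick way to confirm that the set of DNS-only names is identical across the two detonations.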

Files

/data/data/com.groupsimpleam/cache/dapkrw

MD5 79c94cdc2a0013a4cbb9653409a92535
SHA1 bff65f825a7515d8da86d6df3b84fafa5aaabc9e
SHA256 390ed03af32ac3d99ffa5ee0d9a4ac4556d6153e3ebbbf60feb0a46e3068a7e2
SHA512 e7249b4c67b6e03fd4742888a369dd139fc49b4181629afd88019cb0389d6de853d4cbda781f5cd0eb7c9f1bc4ed4b890f1e6daa6694d8ded335ed176bd326b1

/data/data/com.groupsimpleam/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.groupsimpleam/cache/oat/dapkrw.cur.prof

MD5 3d925547cfdaae48bfa2b927b0da0351
SHA1 e5cd42dab157307b3d01f6114d41366aacb83556
SHA256 76aeb57d646771d44244a0aaa7a4e0ca58c5b382204588f0bf93d652feb673e6
SHA512 2a512725c0204ff9cad56427fa33def68e96fbd7f145d410c8538f08936caa965c266484f1abaa320e4e2c6fed8a089a4c6472c364d2c2139fcb3f598ec51282

/data/data/com.groupsimpleam/cache/oat/dapkrw.cur.prof

MD5 968f636cdcc0e61a45da548961df5aae
SHA1 8a295b05f51e76ba5124453a2497657cc334f77c
SHA256 d892e237d720f88fecad04fb8dc83a9bc6559337a2f9f6d9634a08ef694f5c11
SHA512 eabb00ddc42f3cc58d3d59ef85dab85d4675ea2d7f2e09dab3adfaa70002dfb89ff445717e028ad06166c3de26528eb7ec5f1389f5b2f5551b45fc9c64ad0867
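The "Loads dropped Dex/Jar" signature and the cache/dapkrw entry above establish that code was written to the app's cache directory and loaded at runtime, but the report does not say which container format the file has. As an added example, not code from the report or from the sample, the Python below classifies a recovered dropped file by magic bytes (DEX, ODEX, zip/JAR/APK, ELF), runs cheap DEX header sanity checks, and compares the SHA256 with the value recorded for dapkrw above. The real dapkrw is not on this page, so the inputs are constructed inside the block and will not match the reported hash; on a rooted analysis device the real file is pulled with adb from the /data/user/0/com.groupsimpleam/cache path listed in the signature.

```python
import hashlib
import io
import struct
import zipfile

# SHA256 of the dropped file cache/dapkrw as recorded in the Files section above.
REPORTED_DAPKRW_SHA256 = "390ed03af32ac3d99ffa5ee0d9a4ac4556d6153e3ebbbf60feb0a46e3068a7e2"


def classify_payload(data):
    """Identify a dropped file by its magic bytes and do cheap header sanity checks."""
    info = {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data), "kind": "unknown"}
    if data[:4] == b"dex\n" and len(data) >= 0x70:
        # DEX header layout: magic[8] checksum[4] signature[20] file_size[4] header_size[4] endian_tag[4] ...
        file_size, header_size, endian_tag = struct.unpack_from("<III", data, 0x20)
        info.update(
            kind="dex",
            version=data[4:7].decode("ascii", "replace"),
            header_ok=(header_size == 0x70 and endian_tag == 0x12345678 and file_size == len(data)),
        )
    elif data[:4] == b"dey\n":
        info["kind"] = "odex"
    elif data[:4] == b"PK\x03\x04":
        # JAR/APK is a zip container; DexClassLoader loads classes.dex out of it.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
        info.update(kind="zip",
                    dex_entries=[n for n in names if n.endswith(".dex")],
                    is_apk="AndroidManifest.xml" in names)
    elif data[:4] == b"\x7fELF":
        info["kind"] = "elf"
    return info


def matches_report(data):
    """True if the bytes hash to the dapkrw SHA256 listed in the Files section."""
    return hashlib.sha256(data).hexdigest() == REPORTED_DAPKRW_SHA256


# --- constructed inputs for illustration only; NOT the real dapkrw payload ---

def constructed_dex_header():
    """A 0x70-byte DEX header with valid magic, endian tag and size fields and no code."""
    hdr = bytearray(0x70)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<III", hdr, 0x20, len(hdr), 0x70, 0x12345678)
    return bytes(hdr)


def constructed_jar():
    """An in-memory jar wrapping the constructed DEX, the other shape a dropped Dex/Jar takes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", constructed_dex_header())
    return buf.getvalue()


if __name__ == "__main__":
    samples = (("dex", constructed_dex_header()), ("jar", constructed_jar()),
               ("elf", b"\x7fELF" + b"\x00" * 12), ("other", b"not a payload"))
    for label, blob in samples:
        print(label, classify_payload(blob), "matches report:", matches_report(blob))
```

A dropped DEX that passes `header_ok` can be handed straight to a decompiler; a zip with `dex_entries` but `is_apk` False is a plain jar and is loaded the same way, and an `elf` result means the "Dex/Jar" was actually a native library, which changes the tooling.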

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-06 10:49
Reported 2024-06-06 10:52
Platform android-x64-arm64-20240603-en
Max time kernel 179s
Max time network 132s

Command Line

com.groupsimpleam

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description/Indicator/Process/Target: N/A

Loads dropped Dex/Jar

evasion
Indicator (Process/Target: N/A)
/data/user/0/com.groupsimpleam/cache/dapkrw (logged twice)

Makes use of the framework's Accessibility service

collection evasion credential_access
Indicator (Process/Target: N/A)
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Indicator (Process/Target: N/A)
Framework service call: android.content.IClipboard.addPrimaryClipChangedListener

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Indicator (Process/Target: N/A)
Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service

evasion persistence
Indicator (Process/Target: N/A)
Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user

evasion
Indicator (Process/Target: N/A)
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (logged 4 times)

Queries the mobile country code (MCC)

discovery
Indicator (Process/Target: N/A)
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Indicator (Process/Target: N/A)
Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Indicator (Process/Target: N/A)
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Uses Crypto APIs (Might try to encrypt user data)

impact
Indicator (Process/Target: N/A)
Framework API call: javax.crypto.Cipher.doFinal

Checks CPU information

Indicator (Process/Target: N/A)
File opened for read: /proc/cpuinfo

Checks memory information

Indicator (Process/Target: N/A)
File opened for read: /proc/meminfo

Processes

com.groupsimpleam

Network

Domain is shown as - where the sandbox recorded none.

Country  Destination           Domain                              Proto
N/A      224.0.0.251:5353      -                                   udp
GB       142.250.179.238:443   -                                   tcp
US       1.1.1.1:53            android.apis.google.com             udp
GB       142.250.179.238:443   android.apis.google.com             tcp
US       1.1.1.1:53            jungjunjunggvbvq.top                udp
US       1.1.1.1:53            bobnoopopo.org                      udp
US       1.1.1.1:53            junggvbvq.top                       udp
US       1.1.1.1:53            junggvbvqqgrouppo.com               udp
US       1.1.1.1:53            junggpervbvqqqqqqpo.com             udp
US       1.1.1.1:53            junggvbvqqnetokpo.com               udp
US       1.1.1.1:53            junggvbvq5656.top                   udp
US       1.1.1.1:53            ssl.google-analytics.com            udp
GB       142.250.187.232:443   ssl.google-analytics.com            tcp
US       1.1.1.1:53            junggvrebvqqpo.org                  udp
US       1.1.1.1:53            dvapo05.top                         udp
GB       142.250.180.4:443     -                                   tcp
GB       142.250.180.4:443     -                                   tcp

Files

/data/user/0/com.groupsimpleam/cache/dapkrw

MD5 79c94cdc2a0013a4cbb9653409a92535
SHA1 bff65f825a7515d8da86d6df3b84fafa5aaabc9e
SHA256 390ed03af32ac3d99ffa5ee0d9a4ac4556d6153e3ebbbf60feb0a46e3068a7e2
SHA512 e7249b4c67b6e03fd4742888a369dd139fc49b4181629afd88019cb0389d6de853d4cbda781f5cd0eb7c9f1bc4ed4b890f1e6daa6694d8ded335ed176bd326b1

/data/user/0/com.groupsimpleam/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/user/0/com.groupsimpleam/kl.txt

MD5 12757892398445a251d77351164cbba1
SHA1 c3bf29a5913b1972a82496f1283a0f07567313d0
SHA256 7ddd7baf51c817d4d889659d544ddcdd4a96dacf365bb793b5548cf67732c8bf
SHA512 14235be4ca301eaee9be95e63828b6c3ea26fe6f31cff6deb80bd470660ea8670ce66560d0a20db4884105e66d6a68706e7ee735e9f7371778317aae7cd27ec3

/data/user/0/com.groupsimpleam/kl.txt

MD5 edd4854c5fdf4636e502a657ebf1a85e
SHA1 d27c278205acafafb6248378fb83494ccce4f716
SHA256 4ac0d8f4435ea5636a6423ecaedd448227971d80425be154e2228047d0a24d7a
SHA512 1edccfa70b84deb919fc3845738160470667d0249becbefa4d3113bcaa77a9e958f934bff8cdb56401d1fe526acfbe03de574fb9e2ca18113c4e4f85e1cd8fe9

/data/user/0/com.groupsimpleam/kl.txt

MD5 a81c6d6e04cc266952c951fb9190c7d6
SHA1 7405f4ce553b0accc635e317bd82af080d8bd8ae
SHA256 879000e50e6d3423b7748d285a7ec9bf47b6a9deb0bcb0494d90368189d041d6
SHA512 23b97112dcc1ed18e6d9d533bc2c19c0db78dd5d5cd6f00882118b25a36f4a4e999330c0af05521df9c369cd056820fb886ae68b6fb17dcc61eceeac58699d02

/data/user/0/com.groupsimpleam/kl.txt

MD5 b777596ead82f5baad31690208b216d8
SHA1 194a9f7e0ba4b993f4825a8e6fc8eca561141deb
SHA256 1e527389b14549a0e7eaf01d137b273e2b5971526b532db8b7487bbb932cf254
SHA512 e04e2c0e6fbceb1e16e123a9328abe4d3643c6334ffad63f537606bd1f7ee3ec0a60b7293ed1eebd27281cd795c0787be1600582853448024280ae4a302e11d1

/data/user/0/com.groupsimpleam/cache/oat/dapkrw.cur.prof

MD5 92e26333ad6918ab3c6547325bdb302e
SHA1 49303e886e681f05fec821fe13a2ed2b44a06003
SHA256 04f70457d459f120cac700d1c12807635ddab1ed6d55173eb3a028f7cb7f2f64
SHA512 ebc6b666d321d007b78897151d2cc65af23764f367841505547a305c9fecce4889abd9995f7f58bee8cebb75d3f684c18c17552c8e1aefe3e1db2e285c9b86f6