Malware Analysis Report

2024-09-09 13:41

Sample ID 240607-mdarfaeg3s
Target 573748f0f1d86998f95a195b0c57661bef7628f616e0600433a1417c2353cc70.apk
SHA256 573748f0f1d86998f95a195b0c57661bef7628f616e0600433a1417c2353cc70
Tags octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

573748f0f1d86998f95a195b0c57661bef7628f616e0600433a1417c2353cc70

Threat Level: Known bad

The file 573748f0f1d86998f95a195b0c57661bef7628f616e0600433a1417c2353cc70.apk was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Performs UI accessibility actions on behalf of the user

Acquires the wake lock

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Declares services with permission to bind to the system

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests dangerous framework permissions

Requests modifying system settings.

Requests accessing notifications (often used to intercept notifications before users become aware).

Makes use of the framework's foreground persistence service

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-07 10:20

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-07 10:20

Reported

2024-06-07 10:23

Platform

android-x86-arm-20240603-en

Max time kernel

179s

Max time network

183s

Command Line

com.bluewhomhm

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.bluewhomhm/cache/sbmtyustvm | N/A | N/A
N/A | /data/user/0/com.bluewhomhm/cache/sbmtyustvm | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.bluewhomhm

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.178.10:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | moneyeurolandbebek.net | udp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
BG | 79.110.49.131:443 | moneyeurolandbebek.net | tcp
BG | 79.110.49.131:443 | moneyeurolandbebek.net | tcp
US | 1.1.1.1:53 | static.xx.fbcdn.net | udp
GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.187.228:443 | www.google.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.instagram.com | udp
GB | 163.70.151.174:443 | www.instagram.com | tcp
GB | 163.70.151.174:443 | www.instagram.com | tcp
US | 1.1.1.1:53 | static.cdninstagram.com | udp
GB | 157.240.214.63:443 | static.cdninstagram.com | tcp
GB | 157.240.214.63:443 | static.cdninstagram.com | tcp
GB | 157.240.214.63:443 | static.cdninstagram.com | tcp
GB | 157.240.214.63:443 | static.cdninstagram.com | tcp
GB | 157.240.214.63:443 | static.cdninstagram.com | tcp
GB | 157.240.214.63:443 | static.cdninstagram.com | tcp
GB | 157.240.214.63:443 | static.cdninstagram.com | tcp
US | 1.1.1.1:53 | www.facebook.com | udp
GB | 163.70.147.35:443 | www.facebook.com | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 66.102.1.84:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.187.196:443 | www.google.com | tcp
BG | 79.110.49.131:443 | moneyeurolandbebek.net | tcp
US | 1.1.1.1:53 | play.google.com | udp
GB | 142.250.200.46:443 | play.google.com | tcp
GB | 142.250.200.46:443 | play.google.com | tcp
BG | 79.110.49.131:443 | moneyeurolandbebek.net | tcp
US | 1.1.1.1:53 | mail.google.com | udp
GB | 172.217.16.229:80 | mail.google.com | tcp
GB | 172.217.16.229:443 | mail.google.com | tcp
BE | 66.102.1.84:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | accounts.youtube.com | udp
GB | 142.250.180.14:443 | accounts.youtube.com | tcp
GB | 142.250.200.46:443 | play.google.com | tcp
GB | 142.250.187.196:443 | www.google.com | tcp
GB | 142.250.200.46:443 | play.google.com | tcp

Files

/data/data/com.bluewhomhm/cache/sbmtyustvm

MD5 d52344f2e5080ad726553453832031af
SHA1 666a0c31d9b9744a10f7c3a95dddbccda97a41a7
SHA256 22ad91097137e30abd85005cfad189b9fb29cfe6f885a2ec61396438eedfd68b
SHA512 60d714be0256650ed35d60b38ab8ce4066e5feda52bf66d94c66944bc289f48464015e00b1f447a44e42297bb0513c3e68d4fc8d57755177cbddfdcd137c9d59

/data/data/com.bluewhomhm/cache/oat/sbmtyustvm.cur.prof

MD5 b47cfd4a78931feddcbc0992126fb435
SHA1 bebcc94f40aa0ad6e4f04c7ee7c489ccecdd8ebf
SHA256 35076585bd19d242ccd45cd4904901bb6f8bf74265d958f69407b7dc89a54225
SHA512 4b669f6494f43d877be23301f4ac90a7a2737d2e5d8ac6bf5e2d8c0545f16fecbbc0e026d076b3a00f34b7c98e369f1909bf21362c52c40112a863420228e9f2

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-07 10:20

Reported

2024-06-07 10:23

Platform

android-x64-20240603-en

Max time kernel

65s

Max time network

175s

Command Line

com.bluewhomhm

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.bluewhomhm/cache/sbmtyustvm | N/A | N/A
N/A | /data/user/0/com.bluewhomhm/cache/sbmtyustvm | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.bluewhomhm

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | moneyeuroland.net | udp
BG | 79.110.49.131:443 | moneyeuroland.net | tcp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
US | 1.1.1.1:53 | moneyeurolanddelicim.net | udp
US | 1.1.1.1:53 | moneyeurolandscans.net | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
BG | 79.110.49.131:443 | moneyeurolandscans.net | tcp
GB | 172.217.169.14:443 | | tcp
GB | 142.250.200.34:443 | | tcp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.178.4:443 | | tcp
GB | 172.217.169.46:443 | | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 142.251.168.84:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 64.233.184.84:443 | accounts.google.com | tcp
GB | 142.250.200.35:443 | | tcp
GB | 142.250.200.35:443 | | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 108.177.15.84:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | g.tenor.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 74.125.206.84:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.213.4:443 | www.google.com | tcp
US | 1.1.1.1:53 | play.google.com | udp
GB | 142.250.178.14:443 | play.google.com | tcp
GB | 142.250.178.14:443 | play.google.com | tcp
BG | 79.110.49.131:443 | moneyeurolandscans.net | tcp
BG | 79.110.49.131:443 | moneyeurolandscans.net | tcp
BG | 79.110.49.131:443 | moneyeurolandscans.net | tcp
BG | 79.110.49.131:443 | moneyeurolandscans.net | tcp
BG | 79.110.49.131:443 | moneyeurolandscans.net | tcp
BG | 79.110.49.131:443 | moneyeurolandscans.net | tcp
BG | 79.110.49.131:443 | moneyeurolandscans.net | tcp
BG | 79.110.49.131:443 | moneyeurolandscans.net | tcp
BG | 79.110.49.131:443 | moneyeurolandscans.net | tcp
BG | 79.110.49.131:443 | moneyeurolandscans.net | tcp
BG | 79.110.49.131:443 | moneyeurolandscans.net | tcp
BG | 79.110.49.131:443 | moneyeurolandscans.net | tcp
BG | 79.110.49.131:443 | moneyeurolandscans.net | tcp
BG | 79.110.49.131:443 | moneyeurolandscans.net | tcp
BG | 79.110.49.131:443 | moneyeurolandscans.net | tcp
BG | 79.110.49.131:443 | moneyeurolandscans.net | tcp
BG | 79.110.49.131:443 | moneyeurolandscans.net | tcp
BG | 79.110.49.131:443 | moneyeurolandscans.net | tcp
BG | 79.110.49.131:443 | moneyeurolandscans.net | tcp
BG | 79.110.49.131:443 | moneyeurolandscans.net | tcp
BG | 79.110.49.131:443 | moneyeurolandscans.net | tcp
BG | 79.110.49.131:443 | moneyeurolandscans.net | tcp
BG | 79.110.49.131:443 | moneyeurolandscans.net | tcp
BG | 79.110.49.131:443 | moneyeurolandscans.net | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.212.202:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.bluewhomhm/cache/sbmtyustvm

MD5 d52344f2e5080ad726553453832031af
SHA1 666a0c31d9b9744a10f7c3a95dddbccda97a41a7
SHA256 22ad91097137e30abd85005cfad189b9fb29cfe6f885a2ec61396438eedfd68b
SHA512 60d714be0256650ed35d60b38ab8ce4066e5feda52bf66d94c66944bc289f48464015e00b1f447a44e42297bb0513c3e68d4fc8d57755177cbddfdcd137c9d59

/data/data/com.bluewhomhm/cache/oat/sbmtyustvm.cur.prof

MD5 56170cbbb001c1ea321505c5bb57f817
SHA1 a3d581fea1c4983920180c1e1309536b0d20c109
SHA256 a7cb0f8502301300216e90ba9aa287c8bb15c6c5cfe84531412fbf833ee89b2e
SHA512 c18fe4a61c3a53843d86acdbf2db486a231733b7c2f4e589f16e070924bc6e41c5e42a201077131aae4f3b7207745e2605d4d2ccc7092ace618709b42e81446c