Malware Analysis Report

2024-09-09 13:52

Sample ID 240618-2d4f3sscrr
Target 437522cc99720b41b64257eb6969a59594a2abf1311ae00afb87e9ceaf9d5def.bin
SHA256 437522cc99720b41b64257eb6969a59594a2abf1311ae00afb87e9ceaf9d5def
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

437522cc99720b41b64257eb6969a59594a2abf1311ae00afb87e9ceaf9d5def

Threat Level: Known bad

The file 437522cc99720b41b64257eb6969a59594a2abf1311ae00afb87e9ceaf9d5def.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Reads information about phone network operator.

Requests accessing notifications (often used to intercept notifications before users become aware).

Performs UI accessibility actions on behalf of the user

Queries the unique device ID (IMEI, MEID, IMSI)

Declares broadcast receivers with permission to handle system events

Requests modifying system settings.

Acquires the wake lock

Queries the mobile country code (MCC)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-18 22:28

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

A receiver guarded by this permission is a DeviceAdminReceiver. If the user is talked into granting admin rights, the app cannot be uninstalled until they are revoked, which is why banking trojans still declare it.

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Both capabilities are enabled by the user in Settings, not through a runtime permission dialog, so declaring them is not the same as holding them. The accessibility calls recorded in the behavioral runs imply the service was enabled during detonation, and the sample is seen opening the notification-access Settings screen (ACTION_NOTIFICATION_LISTENER_SETTINGS).

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

The SMS triple (RECEIVE_SMS, READ_SMS, SEND_SMS) together with CALL_PHONE is the usual OTP-interception and call-control set for a banking trojan. WRITE_SETTINGS is not a normal runtime permission on current Android: the user has to enable "modify system settings" for the app, which matches the MANAGE_WRITE_SETTINGS intent recorded in the behavioral runs.
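The static1 signatures above are derived from the permissions and component bind-permissions declared in the APK's AndroidManifest.xml. The following Python script is an added example and is not part of the sandbox report or of the Octo sample: it parses a decoded manifest and flags the banker-style combination this report shows. It assumes the manifest has already been decoded from its binary form to plain XML (for example with apktool or androguard, a step the report does not show), the embedded manifest is a constructed sample that declares the same permissions as static1 and is not the sample's real manifest, and the capability rules and the banker_profile heuristic are choices made for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Constructed sample manifest: declares the same permissions and bind
# permissions that the static1 analysis lists. Not the sample's real manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.hourthrough4">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# Heuristic capability rules chosen for this example: a capability is present
# when every listed declaration is found in the manifest.
RULES = {
    "accessibility_service": {"bind:android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "notification_listener": {"bind:android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "device_admin": {"bind:android.permission.BIND_DEVICE_ADMIN"},
    "sms_intercept": {"perm:android.permission.RECEIVE_SMS", "perm:android.permission.READ_SMS"},
    "sms_send": {"perm:android.permission.SEND_SMS"},
    "silent_call": {"perm:android.permission.CALL_PHONE"},
    "settings_write": {"perm:android.permission.WRITE_SETTINGS"},
}


def extract_declarations(manifest_xml: str) -> set:
    """Return 'perm:<name>' for each <uses-permission> and 'bind:<perm>' for
    each service/receiver that carries an android:permission attribute."""
    root = ET.fromstring(manifest_xml)
    decls = set()
    for up in root.iter("uses-permission"):
        name = up.get(NAME)
        if name:
            decls.add("perm:" + name)
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            bind = comp.get(PERMISSION)
            if bind:
                decls.add("bind:" + bind)
    return decls


def capabilities(decls: set) -> set:
    return {cap for cap, needed in RULES.items() if needed <= decls}


def banker_profile(caps: set) -> bool:
    """Accessibility access (overlay, keylogging, UI automation) combined with
    a second channel for OTP theft: notification access or SMS interception."""
    return "accessibility_service" in caps and (
        "notification_listener" in caps or "sms_intercept" in caps)


def triage_manifest(manifest_xml: str) -> dict:
    caps = capabilities(extract_declarations(manifest_xml))
    return {"capabilities": sorted(caps), "banker_profile": banker_profile(caps)}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The script only reads declarations; as the static table notes, a declared BIND_ACCESSIBILITY_SERVICE or BIND_NOTIFICATION_LISTENER_SERVICE service still needs the user to enable it in Settings, so this is a capability triage, not proof the capability was exercised.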

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 22:28

Reported

2024-06-18 22:32

Platform

android-x86-arm-20240611.1-en

Max time kernel

178s

Max time network

131s

Command Line

com.hourthrough4

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

(No indicator is recorded for this signature.)

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.hourthrough4/cache/hrpahadvinj | N/A | N/A
N/A | /data/user/0/com.hourthrough4/cache/hrpahadvinj | N/A | N/A

The same path is recorded twice, i.e. the file was loaded on two occasions. /data/user/0/com.hourthrough4 is the same directory as /data/data/com.hourthrough4 in the Files section (/data/data is a symlink to /data/user/0 on current Android), so the hashes listed there are the hashes of the code that was loaded.

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

These are the binder calls behind AccessibilityNodeInfo lookups. findAccessibilityNodeInfosByViewId locates views in another app's window by resource id (for example a login form's username or PIN field), which is how an accessibility-based banker reads and fills fields. Their presence implies the accessibility service was enabled during detonation.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A (recorded 4 times)

performGlobalAction triggers system-wide actions such as Back, Home, Recents or opening the notification shade. Bankers use it to dismiss dialogs and to push the user away from Settings screens where the app could be disabled or uninstalled.

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

The call returns the ISO 3166-1 alpha-2 country code of the registered operator (derived from the MCC), not the numeric MCC itself; it is commonly used to geofence execution.

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

The three intents above open a system Settings screen or prompt. Each records that the sample asked; none shows whether the user (or the sandbox) granted the request.

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

The "encrypt user data" hint is the sandbox's generic reading of this API; nothing else in the report shows user files being encrypted. Given the dropped Dex loaded from the cache directory, decrypting that payload or C2 traffic is the more plausible use.

Processes

com.hourthrough4

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | biricruelidurdursunloo.com | udp
US | 1.1.1.1:53 | cruelveblack32.com | udp
US | 1.1.1.1:53 | cruelgurcistandaaaa42.com | udp
US | 1.1.1.1:53 | lalagkcvagurcuuuu.com | udp
US | 1.1.1.1:53 | biricruelidurdursunn.com | udp
US | 1.1.1.1:53 | gurcistancruell33.com | udp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp

The six non-Google domains (biricruelidurdursunloo.com, cruelveblack32.com, cruelgurcistandaaaa42.com, lalagkcvagurcuuuu.com, biricruelidurdursunn.com, gurcistancruell33.com) appear only as DNS queries to 1.1.1.1; no TCP connection to any of them is recorded, so no C2 exchange took place in this run (the names were most likely unresolved or dead at detonation time). Those six names are the usable network indicators. The 224.0.0.251:5353 row is local mDNS, and the remaining TCP flows go to Google infrastructure.
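The network table above mixes platform traffic with the sample's own lookups, and the useful observation is which names were only queried versus which hosts were actually connected to. The following Python script is an added example, not part of the sandbox output: it parses rows in this report's "Country Destination Domain Proto" format, separates DNS-only domains from connected hosts, and drops platform noise so that the DNS-only names can be blocklisted without mistaking Google infrastructure for C2. The embedded rows are copied from the behavioral1 table; the benign-suffix allowlist and the mDNS exclusion are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Rows copied from the behavioral1 Network table of this report.
NETWORK_TABLE = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 biricruelidurdursunloo.com udp
US 1.1.1.1:53 cruelveblack32.com udp
US 1.1.1.1:53 cruelgurcistandaaaa42.com udp
US 1.1.1.1:53 lalagkcvagurcuuuu.com udp
US 1.1.1.1:53 biricruelidurdursunn.com udp
US 1.1.1.1:53 gurcistancruell33.com udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
"""

# Assumed allowlist of platform/telemetry suffixes (an example choice, not
# something the report states).
BENIGN_SUFFIXES = (".googleapis.com", ".google.com", ".google-analytics.com")
MDNS = ipaddress.ip_address("224.0.0.251")


def parse_rows(text):
    """Yield (country, ip, port, domain, proto); domain is None for bare IPs.
    Rows have 3 tokens without a domain and 4 tokens with one."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        try:
            ip, port = dest.rsplit(":", 1)
            yield country, ipaddress.ip_address(ip), int(port), domain, proto
        except ValueError:
            continue  # header line or malformed row


def is_dns_query(port, proto):
    return proto == "udp" and port == 53


def is_benign(domain):
    return any(domain.endswith(s) for s in BENIGN_SUFFIXES)


def triage_network(text):
    queried = set()               # domains seen in DNS lookups
    connected = defaultdict(set)  # domain (or None) -> {"ip:port", ...}
    for country, ip, port, domain, proto in parse_rows(text):
        if ip == MDNS:
            continue  # local mDNS chatter, not attributable to the sample
        if is_dns_query(port, proto) and domain:
            queried.add(domain)
        elif proto == "tcp":
            connected[domain].add(f"{ip}:{port}")
    dns_only = {d for d in queried if d not in connected}
    return {
        "candidate_c2": sorted(d for d in dns_only if not is_benign(d)),
        "benign_dns_only": sorted(d for d in dns_only if is_benign(d)),
        "connected": {d or "(no domain)": sorted(v) for d, v in connected.items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_network(NETWORK_TABLE), indent=2))
```

For this run the result is six candidate C2 domains with no connection behind them, one benign DNS-only Google name, and TCP flows only to Google hosts; a domain that showed up under "connected" as well as in the DNS set would be the one to prioritise.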

Files

/data/data/com.hourthrough4/cache/hrpahadvinj

MD5 0a7dadac805e32ee652d5ba663591582
SHA1 9ea416f331e8aed61921942e6392966a9648e5ad
SHA256 55a2ad260566dd90d70e60fe8898d4805a9b5d8ef9815f51469f4947ac332fcd
SHA512 185d7f2d23a54f192f046364098de8bf90f1874bb9513609580fe1170dd9af44879d11f4e0595ead113ba92cbfab4cb2417d2fc27c827c850c708feef3e75a6f

/data/data/com.hourthrough4/cache/oat/hrpahadvinj.cur.prof

MD5 01509e920e02b58b91d92dd74c9c1d07
SHA1 1a77a02a3ea66acdb106991a295a7718f937a93d
SHA256 091e2eec7e875e80a844ff2d64eab7cae6eeac0694ace891a4d96c72f2d1d209
SHA512 448b9d292b4b6ee17b096f95055efec9c1b48b503bbd8a30b9beb09cd123862b5d37a5b8ecd127b280c63ee9bf797ed6178746259bd2e98ae8c0340edf5d1af9

hrpahadvinj.cur.prof is the ART runtime profile that the system writes under oat/ when code is loaded from hrpahadvinj; it is generated on the device, so its hash is not a useful indicator. hrpahadvinj itself is the dropped second stage, and its hashes are the ones worth matching.
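The sandbox reports that the cache file hrpahadvinj was loaded as a Dex/Jar, and the ART profile written beside it under oat/ is consistent with that, but the report does not show the file's header. The following Python script is an added example and is not part of the sandbox or of the sample: it checks whether a dropped file is a DEX by validating the magic, the Adler-32 checksum (header offset 8, computed over everything from offset 12 onward) and the SHA-1 signature (offset 12, computed over everything from offset 32 onward) that the DEX format defines, and recognises a ZIP container (a .jar/.apk wrapping classes.dex) as the other form "Loads dropped Dex/Jar" can take. Because the real dropped file is not on this page, the script builds a minimal constructed DEX header to run against; the hrpahadvinj name is used only as a label, and the file_hashes helper produces the four digests in the order the report lists them so the output can be compared against the Files section.

```python
import hashlib
import struct
import zlib

DEX_MAGIC_PREFIX = b"dex\n"   # full magic is "dex\n" + 3-digit version + NUL
ZIP_MAGIC = b"PK\x03\x04"
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678


def verify_dex_header(data: bytes) -> dict:
    """Validate a DEX header. Returns the individual checks; a file that passes
    all of them was written by a dex writer (d8/dx or a packer's own emitter)."""
    result = {"kind": "unknown", "version": None, "magic_ok": False,
              "checksum_ok": False, "signature_ok": False, "size_ok": False}
    if data[:4] == ZIP_MAGIC:
        result["kind"] = "zip"  # jar/apk container: inspect classes.dex inside
        return result
    if len(data) < HEADER_SIZE or data[:4] != DEX_MAGIC_PREFIX or data[7] != 0:
        return result
    result.update(kind="dex", magic_ok=True,
                  version=data[4:7].decode("ascii", "replace"))
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    result["checksum_ok"] = checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF)
    result["signature_ok"] = signature == hashlib.sha1(data[32:]).digest()
    result["size_ok"] = (file_size == len(data) and header_size == HEADER_SIZE
                         and endian_tag == ENDIAN_CONSTANT)
    return result


def is_valid_dex(data: bytes) -> bool:
    r = verify_dex_header(data)
    return r["kind"] == "dex" and all(
        r[k] for k in ("magic_ok", "checksum_ok", "signature_ok", "size_ok"))


def build_minimal_dex(payload: bytes = b"\x00" * 16, version: bytes = b"035") -> bytes:
    """Constructed test input: a header with a correct checksum and signature
    and no real sections. Not loadable, only enough to exercise the checks."""
    buf = bytearray(HEADER_SIZE) + bytearray(payload)
    buf[0:8] = DEX_MAGIC_PREFIX + version + b"\x00"
    struct.pack_into("<III", buf, 32, len(buf), HEADER_SIZE, ENDIAN_CONSTANT)
    buf[12:32] = hashlib.sha1(buf[32:]).digest()             # signature: 32..end
    struct.pack_into("<I", buf, 8, zlib.adler32(buf[12:]) & 0xFFFFFFFF)  # checksum: 12..end
    return bytes(buf)


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256/SHA512 in the order the report lists them."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_minimal_dex()
    print(path or "hrpahadvinj (constructed stand-in)")
    print(verify_dex_header(blob))
    print(file_hashes(blob))
```

Run it with the path to a file pulled from the cache directory (adb pull against a rooted test device, or the sandbox's dropped-file download) to get the header verdict and the digests; a failed checksum or signature on a file the app nevertheless loaded points at a packer that rewrote the file in memory, or at a file the sandbox captured mid-write.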

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 22:28

Reported

2024-06-18 22:32

Platform

android-x64-arm64-20240611.1-en

Max time kernel

179s

Max time network

132s

Command Line

com.hourthrough4

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.hourthrough4/cache/hrpahadvinj | N/A | N/A
N/A | /data/user/0/com.hourthrough4/cache/hrpahadvinj | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A (recorded 4 times)

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.hourthrough4

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | cruelgurcistandaaaa42.com | udp
US | 1.1.1.1:53 | gurcistancruell33.com | udp
US | 1.1.1.1:53 | biricruelidurdursunloo.com | udp
US | 1.1.1.1:53 | cruelveblack32.com | udp
US | 1.1.1.1:53 | lalagkcvagurcuuuu.com | udp
US | 1.1.1.1:53 | biricruelidurdursunn.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp

The same six non-Google domains as in behavioral1 are queried, in a different order, and again only as DNS lookups with no TCP connection behind them; the extra ssl.google-analytics.com lookup and the 142.250.x.x flows are Google infrastructure and not attributable to the sample's C2.

Files

/data/data/com.hourthrough4/cache/hrpahadvinj

MD5 0a7dadac805e32ee652d5ba663591582
SHA1 9ea416f331e8aed61921942e6392966a9648e5ad
SHA256 55a2ad260566dd90d70e60fe8898d4805a9b5d8ef9815f51469f4947ac332fcd
SHA512 185d7f2d23a54f192f046364098de8bf90f1874bb9513609580fe1170dd9af44879d11f4e0595ead113ba92cbfab4cb2417d2fc27c827c850c708feef3e75a6f

/data/data/com.hourthrough4/cache/oat/hrpahadvinj.cur.prof

MD5 ccfc31f64ec4ebdc62c45bfaa3441d91
SHA1 f87694fe2d6cc22e9be00edf0ebd344ae3e16e75
SHA256 d45571ffe8330bb17fd35c7c8228d983cba5b84bfe455efdfa3c6755f7f1be9e
SHA512 346acfe156297ee7311fc4f4847ee42f95ef6720136a06d51b673efd8d5f54bf9ec731818089ae5e0eed8851b6c04c16b7fa76579ebe3a1520e586c9b2be69d3

The dropped payload hrpahadvinj has the same SHA256 (55a2ad260566dd90d70e60fe8898d4805a9b5d8ef9815f51469f4947ac332fcd) in both behavioral runs, so the dropper writes a fixed second stage rather than a per-run variant; only the device-generated ART profile under oat/ differs between runs, which is expected and not an indicator.