Malware Analysis Report

2024-09-09 13:48

Sample ID 240624-1wsa4atfrg
Target 6cba72fb7e59344f77cf8c9c8a0cf7ee193f1def9dbd03d1c2d12288171b00d3.bin
SHA256 6cba72fb7e59344f77cf8c9c8a0cf7ee193f1def9dbd03d1c2d12288171b00d3
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6cba72fb7e59344f77cf8c9c8a0cf7ee193f1def9dbd03d1c2d12288171b00d3

Threat Level: Known bad

The file 6cba72fb7e59344f77cf8c9c8a0cf7ee193f1def9dbd03d1c2d12288171b00d3.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Acquires the wake lock

Declares services with permission to bind to the system

Requests modifying system settings.

Queries the mobile country code (MCC)

Requests accessing notifications (often used to intercept notifications before users become aware).

Requests dangerous framework permissions

Performs UI accessibility actions on behalf of the user

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator.

Queries the unique device ID (IMEI, MEID, IMSI)

Makes use of the framework's foreground persistence service

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-24 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-24 22:00

Reported

2024-06-24 22:04

Platform

android-x86-arm-20240624-en

Max time kernel

179s

Max time network

184s

Command Line

com.twowantjtak

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.twowantjtak/cache/mafukvvj N/A N/A
N/A /data/user/0/com.twowantjtak/cache/mafukvvj N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.twowantjtak

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.202:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 mamudoiledostadogru.com udp
RU 193.143.1.9:443 mamudoiledostadogru.com tcp
US 1.1.1.1:53 kaygisizamamutlu04.com udp
RU 193.143.1.9:443 mamudoiledostadogru.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 mamudoilekeyfyap.com udp
US 1.1.1.1:53 sigaracokhojdur1.com udp
RU 193.143.1.9:443 mamudoiledostadogru.com tcp
US 1.1.1.1:53 dertlikaygisiz04.com udp
RU 193.143.1.9:443 mamudoiledostadogru.com tcp
RU 193.143.1.9:443 mamudoiledostadogru.com tcp
RU 193.143.1.9:443 mamudoiledostadogru.com tcp
RU 193.143.1.9:443 mamudoiledostadogru.com tcp
RU 193.143.1.9:443 mamudoiledostadogru.com tcp
RU 193.143.1.9:443 mamudoiledostadogru.com tcp

Files

/data/data/com.twowantjtak/cache/mafukvvj

MD5 b664908101212aa74d11d70714dd211c
SHA1 b5a681d46f7665df2069a2d5cdc7e2f4e09ae1a3
SHA256 2d73f38d4010647d13e7abdb33aebb0da75a619b73e7957955a3bf25656527a8
SHA512 4f50c9b1e68ea4df91102bc0d8bf336e6f55a1ed48fa0f4fbbb8b08279adfa99cdf2936844943415a9cf255bc47a0324beea95a4128b2af8cc983c59da830da5

/data/data/com.twowantjtak/cache/oat/mafukvvj.cur.prof

MD5 36dd52cd66c068aaa0e09587df21c0e0
SHA1 24af7cd4c450ab9664664b709004bf4029065247
SHA256 8c68931e9ae213a26daf14fb3a3db040387ea43c11ff235e9efe703ce6db6b4f
SHA512 d9bfb3bcb7f369959a9bbb2344f014ad2dcea73b9844810bb173cdef39f84a62fa3eea6737c4c393a494c53e356f2ed98af9d5b05e4688a45524a75b5abb8438

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-24 22:00

Reported

2024-06-24 22:04

Platform

android-x64-20240624-en

Max time kernel

135s

Max time network

179s

Command Line

com.twowantjtak

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.twowantjtak/cache/mafukvvj N/A N/A
N/A /data/user/0/com.twowantjtak/cache/mafukvvj N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.twowantjtak

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 kaygisizamamutlu04.com udp
US 1.1.1.1:53 sigaracokhojdur1.com udp
US 1.1.1.1:53 mamudoilekeyfyap.com udp
US 1.1.1.1:53 dertlikaygisiz04.com udp
US 1.1.1.1:53 mamudoiledostadogru.com udp
RU 193.143.1.9:443 mamudoiledostadogru.com tcp
RU 193.143.1.9:443 mamudoiledostadogru.com tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 172.217.16.228:443 tcp
GB 172.217.16.228:443 tcp
RU 193.143.1.9:443 mamudoiledostadogru.com tcp
RU 193.143.1.9:443 mamudoiledostadogru.com tcp
RU 193.143.1.9:443 mamudoiledostadogru.com tcp
RU 193.143.1.9:443 mamudoiledostadogru.com tcp
RU 193.143.1.9:443 mamudoiledostadogru.com tcp
RU 193.143.1.9:443 mamudoiledostadogru.com tcp
RU 193.143.1.9:443 mamudoiledostadogru.com tcp
GB 142.250.179.238:443 tcp
GB 142.250.200.34:443 tcp
GB 216.58.201.99:443 tcp
GB 216.58.201.99:443 tcp
GB 216.58.201.99:443 tcp
RU 193.143.1.9:443 mamudoiledostadogru.com tcp

Files

/data/data/com.twowantjtak/cache/mafukvvj

MD5 b664908101212aa74d11d70714dd211c
SHA1 b5a681d46f7665df2069a2d5cdc7e2f4e09ae1a3
SHA256 2d73f38d4010647d13e7abdb33aebb0da75a619b73e7957955a3bf25656527a8
SHA512 4f50c9b1e68ea4df91102bc0d8bf336e6f55a1ed48fa0f4fbbb8b08279adfa99cdf2936844943415a9cf255bc47a0324beea95a4128b2af8cc983c59da830da5

/data/data/com.twowantjtak/cache/oat/mafukvvj.cur.prof

MD5 b78fb60be057153a65aed5a9f5d095ba
SHA1 5e6e95a88852be3039162aafd7d6869cf95ac0a4
SHA256 73269fd755442b3cf12daddb29870e26ca3f3fac6507766c500c0f27f23eda11
SHA512 e66d6226bdafd87b13d3df3db6b596bf033e9ce6b81a3ce76dbb8fe4fa9f6027b07d7a5611cfe63c59f9377c02ae9f91d9af87df1e9bd2f26a05807150bb2e84