Malware Analysis Report

2024-09-09 13:52

Sample ID: 240624-r8zfhaxgkh
Target: 7ac003b2439dfef2304f0eed41b5767d4a565aa6cb725334618c39d3c878c929.bin
SHA256: 7ac003b2439dfef2304f0eed41b5767d4a565aa6cb725334618c39d3c878c929
Tags: octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 7ac003b2439dfef2304f0eed41b5767d4a565aa6cb725334618c39d3c878c929

Threat Level: Known bad

The file 7ac003b2439dfef2304f0eed41b5767d4a565aa6cb725334618c39d3c878c929.bin was found to be: Known bad.

Malicious Activity Summary

Tags: octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Makes use of the framework's foreground persistence service

Requests accessing notifications (often used to intercept notifications before users become aware).

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Performs UI accessibility actions on behalf of the user

Requests dangerous framework permissions

Acquires the wake lock

Reads information about phone network operator.

Queries the unique device ID (IMEI, MEID, IMSI)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-24 14:52

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-24 14:52
Reported: 2024-06-24 14:55
Platform: android-x86-arm-20240624-en
Max time kernel: 178s
Max time network: 145s

Command Line

com.whiletable82

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.whiletable82/cache/enumcmbe | N/A | N/A
N/A | /data/user/0/com.whiletable82/cache/enumcmbe | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.whiletable82

Network


Files

/data/data/com.whiletable82/cache/enumcmbe


/data/data/com.whiletable82/kl.txt

/data/data/com.whiletable82/cache/oat/enumcmbe.cur.prof


/data/data/com.whiletable82/.qcom.whiletable82


Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-24 14:52
Reported: 2024-06-24 14:55
Platform: android-x64-arm64-20240624-en
Max time kernel: 179s
Max time network: 186s

Command Line

com.whiletable82

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.whiletable82/cache/enumcmbe | N/A | N/A
N/A | /data/user/0/com.whiletable82/cache/enumcmbe | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.whiletable82

Network


Files

/data/data/com.whiletable82/cache/enumcmbe


/data/data/com.whiletable82/kl.txt

/data/data/com.whiletable82/cache/oat/enumcmbe.cur.prof


/data/data/com.whiletable82/.qcom.whiletable82
