Malware Analysis Report

2024-09-09 13:51

Sample ID 240624-sa1fks1fll
Target 5cd14bbae697c73169736b5722a4a80f876a6899e858e97212e6d9c68e2ab6ad.bin
SHA256 5cd14bbae697c73169736b5722a4a80f876a6899e858e97212e6d9c68e2ab6ad
Tags octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 5cd14bbae697c73169736b5722a4a80f876a6899e858e97212e6d9c68e2ab6ad.bin was found to be: Known bad.

Malicious Activity Summary

Octo

Octo payload

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Acquires the wake lock

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Requests access to notifications (often used to intercept notifications before the user becomes aware of them).

Makes use of the framework's foreground persistence service

Reads information about the phone network operator.

Requests that battery optimizations be disabled (often used to keep running hidden in the background).

Declares services with permission to bind to the system

Performs UI accessibility actions on behalf of the user

Requests permission to modify system settings.

Declares broadcast receivers with permission to handle system events

Queries the unique device ID (IMEI, MEID, IMSI)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-24 14:56

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-24 14:56

Reported

2024-06-24 14:59

Platform

android-33-x64-arm64-20240624-en

Max time kernel

178s

Max time network

185s

Command Line

com.markotherxntw

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.markotherxntw/cache/xjdekutitl N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about the phone network operator.

discovery

Requests access to notifications (often used to intercept notifications before the user becomes aware of them).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests that battery optimizations be disabled (often used to keep running hidden in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests permission to modify system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.markotherxntw

Network


Files

/data/data/com.markotherxntw/cache/xjdekutitl

MD5 5b2ecbeb48fbad95fbe2b9acdadeea91
SHA1 7f3a3e228d6fa35469de55dd54b955b7c1ed8279
SHA256 292b8654a77047f3f2d7bdf3819353ba7ad8fc2c3a9887c678849e1df57c94b5
SHA512 7aa328ca858bfc5d7b5035be5b57596846b56da856cde8a23b26983b0fbd61ab4cbea60153261295212f61f0148978dea2bb98267271bde3696815f8c720a0ba

/data/data/com.markotherxntw/cache/oat/xjdekutitl.cur.prof

MD5 7ecf4db3e601163ef5d70500a748a50f
SHA1 af642f0e5b62e6692dfe92c4a4e494ce953d495d
SHA256 8914caf9f2c4e46f93cafc3e31535a6c188c5d2675464a1e19827116b56e50ee
SHA512 0fc4da2e5ee1843ecf63880ae35deec250d75e42220a6983726a5b0121e2263ffd87868059ffb04ac2b4986af94343b1f36a2c8a644b2acebeac99c652391d36

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-24 14:56

Reported

2024-06-24 14:59

Platform

android-x86-arm-20240624-en

Max time kernel

178s

Max time network

183s

Command Line

com.markotherxntw

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.markotherxntw/cache/xjdekutitl N/A N/A
N/A /data/user/0/com.markotherxntw/cache/xjdekutitl N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about the phone network operator.

discovery

Requests access to notifications (often used to intercept notifications before the user becomes aware of them).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests that battery optimizations be disabled (often used to keep running hidden in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests permission to modify system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.markotherxntw

Network


Files

/data/data/com.markotherxntw/cache/xjdekutitl

MD5 5b2ecbeb48fbad95fbe2b9acdadeea91
SHA1 7f3a3e228d6fa35469de55dd54b955b7c1ed8279
SHA256 292b8654a77047f3f2d7bdf3819353ba7ad8fc2c3a9887c678849e1df57c94b5
SHA512 7aa328ca858bfc5d7b5035be5b57596846b56da856cde8a23b26983b0fbd61ab4cbea60153261295212f61f0148978dea2bb98267271bde3696815f8c720a0ba

/data/data/com.markotherxntw/cache/oat/xjdekutitl.cur.prof

MD5 5a95de2067a00eaf7b5178cec27ad4d0
SHA1 290ab0f4fafce1b91b71706644ea297fc5be6f3f
SHA256 41e5a5077036f08bfca5c70c612d54760a2a0983bfe6431ead2d37197bd6904b
SHA512 da8a49f5e1184d1f35df9491a9cf381ceed99391a04b3b24ea2149c7dd85d5198356bc28d6bf2f0c627e548bd0c7d033981af263bd6eaf14dc254de5a8a98cf8