Malware Analysis Report

2024-09-09 13:41

Sample ID 240624-se329syare
Target 858d49b3da526254854c52751d2fa17463d4e1592ff113eceb9db02e28213cb1.bin
SHA256 858d49b3da526254854c52751d2fa17463d4e1592ff113eceb9db02e28213cb1
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

858d49b3da526254854c52751d2fa17463d4e1592ff113eceb9db02e28213cb1

Threat Level: Known bad

The file 858d49b3da526254854c52751d2fa17463d4e1592ff113eceb9db02e28213cb1.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Declares broadcast receivers with permission to handle system events

Performs UI accessibility actions on behalf of the user

Requests accessing notifications (often used to intercept notifications before users become aware).

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Reads information about phone network operator.

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Acquires the wake lock

Queries the mobile country code (MCC)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-24 15:03

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-24 15:03

Reported

2024-06-24 15:06

Platform

android-x86-arm-20240624-en

Max time kernel

177s

Max time network

146s

Command Line

com.whiletable82

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.whiletable82/cache/enumcmbe | N/A | N/A
N/A | /data/user/0/com.whiletable82/cache/enumcmbe | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.whiletable82

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.10:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | dardidardomama.top | udp
US | 1.1.1.1:53 | birdnbireoluvrdihrsy.xyz | udp
US | 1.1.1.1:53 | ustuneyagdimrmi.xyz | udp
US | 1.1.1.1:53 | keskinbaltadndu.top | udp
US | 1.1.1.1:53 | sokakdaldiregibas.xyz | udp
US | 1.1.1.1:53 | amagibikertenkeellee.top | udp
US | 1.1.1.1:53 | verelmsnieldenele.xyz | udp
US | 1.1.1.1:53 | zatenacikmisttm.xyz | udp
US | 1.1.1.1:53 | bedelniodedkicmzynayna.top | udp
US | 1.1.1.1:53 | gldigimyerchennmindibi.top | udp
US | 1.1.1.1:53 | sefernakliatfln.xyz | udp
US | 1.1.1.1:53 | chennemburasialmnya.xyz | udp
US | 1.1.1.1:53 | bilereklermibildiler.top | udp
BG | 194.59.30.2:443 | amagibikertenkeellee.top | tcp
US | 1.1.1.1:53 | senanlamazsndili.xyz | udp
US | 1.1.1.1:53 | avmevsimibsladikk.top | udp
US | 1.1.1.1:53 | uzanrmigokyuzuneumutlarm.xyz | udp
US | 1.1.1.1:53 | giydirbilirfren.xyz | udp
US | 1.1.1.1:53 | tlefondingalokimo.xyz | udp
US | 1.1.1.1:53 | kraltacikralmisinhaci.xyz | udp
US | 1.1.1.1:53 | gozlermkankrmizisi.xyz | udp
BG | 194.59.30.2:443 | amagibikertenkeellee.top | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.180.10:443 | semanticlocation-pa.googleapis.com | tcp
BG | 194.59.30.2:443 | amagibikertenkeellee.top | tcp
BG | 194.59.30.2:443 | amagibikertenkeellee.top | tcp
BG | 194.59.30.2:443 | amagibikertenkeellee.top | tcp
BG | 194.59.30.2:443 | amagibikertenkeellee.top | tcp

Files

/data/data/com.whiletable82/cache/enumcmbe

MD5 163a1af175dcc6e79465a14948f0d2af
SHA1 160806021edf038e47f8db0bce96fe6b6cf4135f
SHA256 14e8289b6f8fcbe293a1a645ee5bbcf566543b06310aae5b6875686e997995b7
SHA512 7259335aab5bf353e8722a793d1e20c3f847b20355acf77a0c076c0eafe88d494d9878a027f29481a16f60eae11f0609732dd258c0e2b2d07bffd8b694fe5a57

/data/data/com.whiletable82/kl.txt

MD5 57ceed05c90e16380f08ff3504eb7824
SHA1 a3ba12489b954be081ec883790e435ac3eb02086
SHA256 d9861f135733b295cd6fb5226558b6164c43d0d05bb76e74d4fda1b488fec032
SHA512 280b55528b48dbf0d7a6b2022d15b987327a9ddf742e6abee9a4aa6c2d479903b5a9a3f889302b162d7326c57af4e15b2a503e8f600d20f3bf0ee3f7eb2cdb1e

/data/data/com.whiletable82/kl.txt

MD5 852b5f3c6eaef8013a44ea33c2881303
SHA1 8c6f1caaf3e4a54adeaa9203d40a0086739e6439
SHA256 c6b3fedfc9a1c406e46de677056e89c63cf55f3a033603e00cf830f5cf99016e
SHA512 c346d6226635d2d95382222c63a7e554a39fb08df0062b376c05d42da8dc77a0e772eb28094e7ff27c587cd798eef1fb780de4b083beb61ce266a99fee8d6ad6

/data/data/com.whiletable82/kl.txt

MD5 728ef12d27e11be6a86acc16f8d2ce08
SHA1 5bda693dea88bc417bb81b071a506555ec1a9353
SHA256 7b8b64e10242f9b455a657cf93431ab544c7708c53ea7cf47822886e68dada0e
SHA512 53e33d592eba7fba6ce428fdc23ab7dc2ed86c887598e9d1a55c749720b8cc5ba1f61f4101b2f9412c0556b34feb4119b8167801511532506403fbea5f70b311

/data/data/com.whiletable82/kl.txt

MD5 e5ed1c9d5dcdfe6a52e6c7b01d4f9b09
SHA1 3af28b31f9c919f125bf9fee0283b1f3155587b3
SHA256 36399ac6a608afe827b6207d450966e6cc351ad3a57d2ae7b915cc74c1b0f083
SHA512 2e214ff59610ac2cc7b9cdccf807d2e8a2a79665770532ba5309da5700bf602e538188c5397db2ffd9fe2a8b5371967362339db2eaad4432138148eb3e0c215c

/data/data/com.whiletable82/kl.txt

MD5 88fd30097823cbd52cdef3004e71ae8f
SHA1 3d771d9dd8b42a6a47c6e70f0902006b73fb9bc7
SHA256 56e9bd0acaf306bb34ea31acd6a331aa82e07a950098843533a5f5b8be0378e3
SHA512 980753027521d181b9e63a674950045deb342cb4e6df868ef6d88e0549cded7c6c931694d15a49d87544c4846bc1ea5f2e20429cc2e520610ff30eb887f9d1e4

/data/data/com.whiletable82/cache/oat/enumcmbe.cur.prof

MD5 6a1187cfedcb42f46366e011395608b4
SHA1 6e7115cd282185082bebc5ba304fe578d7298284
SHA256 b7f28d02e11d8d566254bd34c1994c15b21b75bbacd2281fd75fefb84380fe47
SHA512 50013e1ed71038424acabefa6d0717b117fb2d78965bede2cc877be600f2d28c9020c3c9b301663f7b99cc5ce39e7ae08b7b3c7cc25a1cebdf3457b5875d1ea6

/data/data/com.whiletable82/.qcom.whiletable82

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-24 15:03

Reported

2024-06-24 15:06

Platform

android-33-x64-arm64-20240624-en

Max time kernel

175s

Max time network

175s

Command Line

com.whiletable82

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.whiletable82/cache/enumcmbe | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.whiletable82

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.36:443 | | udp
GB | 142.250.200.36:443 | | tcp
US | 1.1.1.1:53 | chennemburasialmnya.xyz | udp
US | 1.1.1.1:53 | zatenacikmisttm.xyz | udp
US | 1.1.1.1:53 | verelmsnieldenele.xyz | udp
US | 1.1.1.1:53 | ustuneyagdimrmi.xyz | udp
US | 1.1.1.1:53 | sefernakliatfln.xyz | udp
US | 1.1.1.1:53 | dardidardomama.top | udp
US | 1.1.1.1:53 | gozlermkankrmizisi.xyz | udp
US | 1.1.1.1:53 | keskinbaltadndu.top | udp
US | 1.1.1.1:53 | senanlamazsndili.xyz | udp
US | 1.1.1.1:53 | uzanrmigokyuzuneumutlarm.xyz | udp
US | 1.1.1.1:53 | sokakdaldiregibas.xyz | udp
US | 1.1.1.1:53 | birdnbireoluvrdihrsy.xyz | udp
US | 1.1.1.1:53 | giydirbilirfren.xyz | udp
US | 1.1.1.1:53 | tlefondingalokimo.xyz | udp
US | 1.1.1.1:53 | bedelniodedkicmzynayna.top | udp
US | 1.1.1.1:53 | bilereklermibildiler.top | udp
US | 1.1.1.1:53 | amagibikertenkeellee.top | udp
US | 1.1.1.1:53 | gldigimyerchennmindibi.top | udp
US | 1.1.1.1:53 | kraltacikralmisinhaci.xyz | udp
US | 1.1.1.1:53 | avmevsimibsladikk.top | udp
GB | 172.217.169.74:443 | | udp
BG | 194.59.30.2:443 | amagibikertenkeellee.top | tcp
BG | 194.59.30.2:443 | amagibikertenkeellee.top | tcp
GB | 142.250.200.36:443 | | udp
BG | 194.59.30.2:443 | amagibikertenkeellee.top | tcp
US | 172.64.41.3:443 | | udp
US | 172.64.41.3:443 | | tcp
US | 172.64.41.3:443 | | tcp
GB | 142.250.179.227:443 | | tcp
GB | 142.250.179.227:443 | | udp
BG | 194.59.30.2:443 | amagibikertenkeellee.top | tcp
BG | 194.59.30.2:443 | amagibikertenkeellee.top | tcp
BG | 194.59.30.2:443 | amagibikertenkeellee.top | tcp
GB | 216.58.204.68:443 | | tcp
BG | 194.59.30.2:443 | amagibikertenkeellee.top | tcp

Files

/data/data/com.whiletable82/cache/enumcmbe

MD5 163a1af175dcc6e79465a14948f0d2af
SHA1 160806021edf038e47f8db0bce96fe6b6cf4135f
SHA256 14e8289b6f8fcbe293a1a645ee5bbcf566543b06310aae5b6875686e997995b7
SHA512 7259335aab5bf353e8722a793d1e20c3f847b20355acf77a0c076c0eafe88d494d9878a027f29481a16f60eae11f0609732dd258c0e2b2d07bffd8b694fe5a57

/data/data/com.whiletable82/kl.txt

MD5 764d9c01c1250ba7980dd3edd99e7a4a
SHA1 b241d4d5572a0895ff3381f82ae07508eed773f2
SHA256 ad0b4677b1f7c6a9df843797769f54bb10a64d13cdc2bc179218d53fc820f22d
SHA512 110d71bbe009a209db37689249aabe093db3596395d78516fe37489313ddc723935dd5f7656ced80998de0a796ae2a9d4062a7760e287d5047ab19ca6f1522d6

/data/data/com.whiletable82/kl.txt

MD5 a5cff2c4ab9c856b516cf3a2a6b2e730
SHA1 1214f07a155dfb0ce723f7c1e2c4952b228d568c
SHA256 08a010a4a40c615b9e4b7f9f5c953debaac4960e5ae507f6ff75552c0c4c16ce
SHA512 6a6bf4e3914ddbc35d13aa73c90be592c9cca832df0d10787fa42e98729d07664853f40e169ee5d394c310262fda96935a6ac4e7ccf488a6eb5f49e4b0180a92

/data/data/com.whiletable82/kl.txt

MD5 ac98eee20356fc12489a49ed48399420
SHA1 2d6755ffa708bf5b02fa738d47d0362e320d1189
SHA256 0db8666de4614b01532ec71dde0821fa2154d1ccb120a149418df57c81d60ddb
SHA512 5a0291232667e36ad0da33da6033493bee7c25f4a2e62d6d824e02c36be7b31c4d4e245cec81ea7dae76d53fdb74d8ad8a452509cacc904abcbc234d430ac021

/data/data/com.whiletable82/kl.txt

MD5 321a36acd2b9d0e8e2105ed5f5b1766a
SHA1 2ea2c0008d4ffc7d685ed8ae022722f7be9ba6a0
SHA256 4cd4f5a1f53922743750b511cbed8cfcec6e89524542f69cca3c7ec0648282af
SHA512 aad295c44207777bace42ee4b95c5ba5410f3cfabac39bbab382a02ff393ee53b6ce5f4d488d2d1144715753e85b699bb24676e222473d94a1934e230b4ce192

/data/data/com.whiletable82/kl.txt

MD5 d2ea0dc4bb8486d48b8bc5c01017e31a
SHA1 187fce56954f78b420794bcd213583f1b4f248ea
SHA256 e885cbb05ac07be6710592ec904660a68fecf93119eef79a825a90bdd2495338
SHA512 3779815737be013bd211f5b8c0652c49503411e22639efadb8b0c506827012b7c20a13c20e635171c33ec697a4a44546c2816ad84eb30ceb701551b71486fdcf

/data/data/com.whiletable82/cache/oat/enumcmbe.cur.prof

MD5 2459533ec94bda582108ce1c8ffa20cd
SHA1 a72658eb172e9dd63f24267b2cbcaf227200f93a
SHA256 04338558ad9c5e97592fe97637d56a747f383633923fa10245f395cd85ca4ef6
SHA512 42358f16fa3c3c6ae5954150072a93b34909deb11c1efc14c3dfa73a35623b770d82ddf21976d7b249cb7936f5f78498c963990e5d2b7803924255e63b5b5657

/data/data/com.whiletable82/.qcom.whiletable82

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c