Malware Analysis Report

2024-09-09 13:41

Sample ID 240630-14sxlaxcme
Target b9bbc7219caa86952062dbf717ba5640fb8a2a6c73765c8a5cc0df8bf9088474.bin
SHA256 b9bbc7219caa86952062dbf717ba5640fb8a2a6c73765c8a5cc0df8bf9088474
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b9bbc7219caa86952062dbf717ba5640fb8a2a6c73765c8a5cc0df8bf9088474

Threat Level: Known bad

The file b9bbc7219caa86952062dbf717ba5640fb8a2a6c73765c8a5cc0df8bf9088474.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Requests modifying system settings.

Requests accessing notifications (often used to intercept notifications before users become aware).

Performs UI accessibility actions on behalf of the user

Acquires the wake lock

Queries the unique device ID (IMEI, MEID, IMSI)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-30 22:12

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-30 22:12

Reported

2024-06-30 22:25

Platform

android-x86-arm-20240624-en

Max time kernel

178s

Max time network

185s

Command Line

com.likepower5

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.likepower5/cache/otoldkpbbkjxq N/A N/A
N/A /data/user/0/com.likepower5/cache/otoldkpbbkjxq N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.likepower5

Network


Files

/data/data/com.likepower5/cache/otoldkpbbkjxq

MD5 f622adf41258559be800657401679fb4
SHA1 4a6f62b4e4a962293f6c7d89e7d53f714efc673f
SHA256 5ef51cfa64a0ed13c6965721837eb455ddd9d3d9172e059a8955457141778daa
SHA512 355f3283a47d9112b0500de70baa08e7a4de75407e4497d5bfaadc5f5b86d155aa8e4bb26a7c9915c95daaa9a548aa83ae489808c340a43e33be3dd3becc1c58

/data/data/com.likepower5/cache/oat/otoldkpbbkjxq.cur.prof

MD5 2dd78aba18faf1914f291eef8696f4a7
SHA1 79c3995cfae30e727ca3fad3c390c19dc4c97ffa
SHA256 794586eabd1f02f3f21ff731e605ff0127cb71a63db96d4bf98116115a183b8d
SHA512 e587b76ef44e0e8d80be149f2fea9a384c082200e4c449f2d3d97b40bc4d148fed4488be54d8e6fb14cb7fd8527a70411b8d8d7fdd7749fbd457afe6be61d89d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-30 22:12

Reported

2024-06-30 22:25

Platform

android-x64-20240624-en

Max time kernel

178s

Max time network

187s

Command Line

com.likepower5

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.likepower5/cache/otoldkpbbkjxq N/A N/A
N/A /data/user/0/com.likepower5/cache/otoldkpbbkjxq N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.likepower5

Network


Files

/data/data/com.likepower5/cache/otoldkpbbkjxq

MD5 f622adf41258559be800657401679fb4
SHA1 4a6f62b4e4a962293f6c7d89e7d53f714efc673f
SHA256 5ef51cfa64a0ed13c6965721837eb455ddd9d3d9172e059a8955457141778daa
SHA512 355f3283a47d9112b0500de70baa08e7a4de75407e4497d5bfaadc5f5b86d155aa8e4bb26a7c9915c95daaa9a548aa83ae489808c340a43e33be3dd3becc1c58

/data/data/com.likepower5/cache/oat/otoldkpbbkjxq.cur.prof

MD5 608c4a5b203b466ca2c15f5d38106ef5
SHA1 a709f46fc1856206e607b62d144c5ca256fe45de
SHA256 c168624a92f97a5e7b6eb3812ae9a0604367da9aa794199493201057bdc6d850
SHA512 4d4687e76031f4e7a61d2448d858385befd5b47f21f5aab9b8576b448db79780393addc1c2946d8d3bbb583de7ac2cf9cec935d0a6a71d274cba77145c7b0a7e