Malware Analysis Report

2024-09-09 13:49

Sample ID 240705-mza94azblg
Target 89198e78d1b86dbf25e078023cc583fc.apk
SHA256 89e4dd013e4573f80d418f29c6334cadb9ee260a4c5aadf466222d4df4e6f910
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

89e4dd013e4573f80d418f29c6334cadb9ee260a4c5aadf466222d4df4e6f910

Threat Level: Known bad

The file 89198e78d1b86dbf25e078023cc583fc.apk was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Declares services with permission to bind to the system

Acquires the wake lock

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Queries the unique device ID (IMEI, MEID, IMSI)

Queries the mobile country code (MCC)

Requests accessing notifications (often used to intercept notifications before users become aware).

Requests modifying system settings.

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Performs UI accessibility actions on behalf of the user

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-05 10:53

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
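As an added check (not part of the sandbox report), the following Python script flags the same classes of manifest declarations that the static1 signatures above record: runtime ("dangerous") permissions, the WRITE_SETTINGS special-access permission, and services or receivers that declare a BIND_* permission so the system can bind to them. The embedded manifest is constructed from the permissions and bindings listed above; it is not the sample's real manifest. The DANGEROUS set and the score weights are the analyst's own assumptions.

```python
"""Triage an AndroidManifest.xml for the declarations static1 flags.

Added example, not part of the sandbox report. CONSTRUCTED_MANIFEST is built
from the permissions the report lists for com.slowshel and is not the real
manifest; DANGEROUS and the score weights are analyst assumptions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS           # ElementTree's Clark notation for android:attr

# Runtime permissions the report marks as dangerous (analyst's list).
DANGEROUS = {
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE",
}
# Permissions a component declares so that only the system may bind to it.
BIND_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
    "android.permission.BIND_DEVICE_ADMIN": "device admin receiver",
}

CONSTRUCTED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.slowshel">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the requested dangerous permissions, special-access permissions
    and every component the system can bind to, keyed by component name."""
    root = ET.fromstring(xml_text.strip())
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    bound = {}
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(A + "permission")
            if perm in BIND_PERMS:
                bound[comp.get(A + "name")] = BIND_PERMS[perm]
    # WRITE_SETTINGS is not a runtime permission: it is granted through the
    # Settings.ACTION_MANAGE_WRITE_SETTINGS screen, the intent behavioral1 shows.
    special = requested & {"android.permission.WRITE_SETTINGS"}
    return {
        "package": root.get("package"),
        "dangerous": sorted(requested & DANGEROUS),
        "special": sorted(special),
        "bound_components": bound,
    }


def risk_score(result):
    """Additive score: 1 per dangerous/special permission, 3 per system-bound
    component. Weights are the analyst's assumption."""
    return (len(result["dangerous"]) + len(result["special"])
            + 3 * len(result["bound_components"]))


if __name__ == "__main__":
    r = triage_manifest(CONSTRUCTED_MANIFEST)
    for key, value in r.items():
        print(key, value)
    print("score", risk_score(r))
```

Run it against a manifest decoded with apktool or androguard; the three bound components are the ones to chase in the smali, since an accessibility service plus a notification listener is what lets a banker read screens and suppress bank alerts.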

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-05 10:53

Reported

2024-07-05 10:56

Platform

android-x86-arm-20240624-en

Max time kernel

179s

Max time network

139s

Command Line

com.slowshel

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.slowshel/cache/cedzzialvsni | N/A | N/A
N/A | /data/user/0/com.slowshel/cache/cedzzialvsni | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.slowshel

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | basgaaanpompaaa.com | udp
US | 1.1.1.1:53 | usomapompaliyorum.com | udp
US | 1.1.1.1:53 | biribasganidurdursunn.com | udp
US | 1.1.1.1:53 | bassganndomaingitti.com | udp
US | 1.1.1.1:53 | usomukarimyaptimbasgaaan.com | udp
RU | 193.143.1.9:443 | biribasganidurdursunn.com | tcp
RU | 193.143.1.9:443 | biribasganidurdursunn.com | tcp
RU | 193.143.1.9:443 | biribasganidurdursunn.com | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.179.234:443 | semanticlocation-pa.googleapis.com | tcp
RU | 193.143.1.9:443 | biribasganidurdursunn.com | tcp
RU | 193.143.1.9:443 | biribasganidurdursunn.com | tcp
RU | 193.143.1.9:443 | biribasganidurdursunn.com | tcp
RU | 193.143.1.9:443 | biribasganidurdursunn.com | tcp

Files

/data/data/com.slowshel/cache/cedzzialvsni

MD5 d2e9bee71e1b1d930a57571a43ea9d52
SHA1 816ba2a8e769871b069b4b95e915f7c2590961e1
SHA256 aac193050bee17d91817a743dc17fa95b4e32f6dd8dc09a36669d4beb56bc113
SHA512 943ca0d549e162bb582487471ede2c8cacb549719f94e645a1dc67f9bd7e3abf2414a64c4195073f2c0f7e20557acbeb7d39f5083b50e2c9361ca4a10d2e10dc

/data/data/com.slowshel/kl.txt

MD5 cea6364dfa6d7c06da25425107bbacc2
SHA1 b199c9061913ecfe4ba19422250edb16a9e1d333
SHA256 c44a395bbc159bc85e68410f9df7506d61fab017bac2694fff65c155ac4be1ee
SHA512 0d70c72d887cf666485311fc093ed92633bbff78e5c4a1ae83e2ea14a35ae045557146584a16abf9178dc9a1e1916901a5987bdea8f506ca65d47f0bf4d3b84b

/data/data/com.slowshel/kl.txt

MD5 fbf03fd03ec9f74f8318215d35f209fd
SHA1 317ea4b5f485539ea471ceaf18ba57a18203042c
SHA256 93bbdb85322ff030bffa55f1c7dc5615adbc1e0b2a4de0aefeab884a055a9c53
SHA512 f42db6a8e26c206f4c96cd7afade7865b3a84206e476617843cab7cc041813241ea66054f043ec5def9d134d4a7777bd142ca4256c954b43e7bb8e34659ab76d

/data/data/com.slowshel/kl.txt

MD5 b9687b4e38f7787005798e9100eab126
SHA1 0b54052faa7c26513b5a774989452bde00220a50
SHA256 63e1c2ec9036393a35f09e287333761f04451f781c0ee0d257b4a7e648ff033e
SHA512 262d7b17e2fe4092daa08d4dd91879a4da91bdf9346be18c1149584e4f402b92caae33dc1e66c276e27e1df0b65acf5f1f432fd93e529e2f4c7b288d493a31df

/data/data/com.slowshel/kl.txt

MD5 89e76c3ebd61857251201aa6637895c7
SHA1 524757e1e8360ba520b08b1ff0e37812e6052829
SHA256 1d934915bb2fe1c325c4f8151661592c8fb5432df4796cacde3c7ce99881d057
SHA512 300db8b20e455709825a661b73080901f106dad45c8bae74c812b22d40b617760e1b3333d2ebc54d26ab263e5cdd1f51b93c7a2e40417f3887a4c5800f66950f

/data/data/com.slowshel/kl.txt

MD5 105e58044860effaca2e5067ff108ff8
SHA1 281cbede308548254c62a2e8da97727561aca6a0
SHA256 e0d87f1626925ac84ea6d6b7a889429b79cdd41ea86a823fbf62e2d3694fa571
SHA512 8a74f2a29fb8705bb78320d13eb71a02c8042eca0d0553e481e716cd9a321f14b18b195e2758a2c6d20c9ad1fbefdf370574859827bbab3a0f7a68da9ad69f8d

/data/data/com.slowshel/cache/oat/cedzzialvsni.cur.prof

MD5 cfea5dd53591ac7e8b1ef3c1d1f22085
SHA1 a53c9f4fcb61ad03ebc954726909aa1817bde46c
SHA256 45ccbfe7d5464b6359e05d68fcb6cbac4533ec1a24276b24a0716815d6053f85
SHA512 a2cc9565640740c793b0ca998909c265452e591e8be3cf757eb6e5d6bd76e8f67204961f4b8b2c18f24ac9c8ab249d9610040faf6714a58172796c7d7b1b8ad3

/data/data/com.slowshel/.qcom.slowshel

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-05 10:53

Reported

2024-07-05 10:55

Platform

android-x64-20240624-en

Max time kernel

7s

Max time network

71s

Command Line

com.slowshel

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.slowshel/cache/cedzzialvsni | N/A | N/A
N/A | /data/user/0/com.slowshel/cache/cedzzialvsni | N/A | N/A
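Both detonations record only that /data/user/0/com.slowshel/cache/cedzzialvsni was loaded as Dex/Jar; the behavioral1 Files list also shows cache/oat/cedzzialvsni.cur.prof, the runtime profile ART writes next to a secondary dex file it has loaded through a class loader, which corroborates the load. What the sandbox does not tell you is whether the pulled file is a raw DEX, a JAR/ZIP wrapping classes.dex, or something else. The following Python, added here as an example and not part of the report, performs that first-look check on the pulled file and returns its SHA256 for comparison with the hash the Files section lists. The sample bytes it builds are constructed stand-ins, not the real payload.

```python
"""Identify the container type of a dropped code blob such as
/data/user/0/com.slowshel/cache/cedzzialvsni.

Added example, not part of the sandbox report. build_fake_dex() and
build_fake_jar() produce constructed test inputs; run classify_dropped() on
the file pulled from the device to get the real answer."""
import hashlib
import io
import struct
import zipfile

DEX_HEADER_SIZE = 0x70      # fixed header size in the DEX file format


def classify_dropped(data):
    """Return container kind plus header facts for a dropped code blob."""
    info = {"sha256": hashlib.sha256(data).hexdigest(),
            "kind": "unknown", "size": len(data)}
    if data[:4] == b"dex\n":
        info["kind"] = "dex"
        info["dex_version"] = data[4:7].decode("ascii", "replace")
        if len(data) >= DEX_HEADER_SIZE:
            # file_size is the uint32 LE at header offset 0x20; a mismatch with
            # the real length means truncation or bytes appended after the dex.
            declared = struct.unpack_from("<I", data, 0x20)[0]
            info["declared_size"] = declared
            info["size_matches"] = declared == len(data)
    elif data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
        # DexClassLoader accepts a JAR/APK as long as it carries classes*.dex
        has_dex = any(n.startswith("classes") and n.endswith(".dex") for n in names)
        info["kind"] = "jar" if has_dex else "zip"
        info["entries"] = names
    elif data[:4] == b"\x7fELF":
        info["kind"] = "elf"      # native library; not a class-loader payload
    return info


def build_fake_dex(total=DEX_HEADER_SIZE):
    """Constructed: a bare DEX header whose file_size field is consistent."""
    buf = bytearray(total)
    buf[0:8] = b"dex\n035\x00"                         # magic + version
    struct.pack_into("<I", buf, 0x20, total)           # file_size
    struct.pack_into("<I", buf, 0x24, DEX_HEADER_SIZE) # header_size
    struct.pack_into("<I", buf, 0x28, 0x12345678)      # endian_tag
    return bytes(buf)


def build_fake_jar():
    """Constructed: a JAR wrapping the fake classes.dex."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", build_fake_dex())
    return bio.getvalue()


if __name__ == "__main__":
    for blob in (build_fake_dex(), build_fake_jar(), b"not code at all"):
        print(classify_dropped(blob))
```

On a real pull, `adb pull` of the cache file needs root or a debuggable build; the file should hash to the SHA256 the Files section lists, and a DEX answer with size_matches false is a hint that the dropper appended data or the file was still being written when the sandbox copied it.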

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Processes

com.slowshel

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.238:443 | | tcp
GB | 216.58.212.234:443 | | tcp
GB | 216.58.201.98:443 | | tcp
GB | 142.250.180.3:443 | | tcp
GB | 142.250.180.3:443 | | tcp
US | 216.239.32.223:443 | | tcp
BE | 142.251.168.188:5228 | | tcp
US | 216.239.32.223:443 | | tcp
GB | 142.250.187.206:443 | | tcp
GB | 216.58.201.100:443 | | tcp
US | 1.1.1.1:53 | basgaancosturuyor.com | udp
RU | 193.143.1.9:443 | basgaancosturuyor.com | tcp
US | 1.1.1.1:53 | biribasganidurdursunn.com | udp
RU | 193.143.1.9:443 | biribasganidurdursunn.com | tcp
US | 1.1.1.1:53 | g.tenor.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.179.228:443 | www.google.com | udp
GB | 142.250.179.228:443 | www.google.com | tcp
GB | 142.250.179.228:443 | www.google.com | tcp
US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp
GB | 142.250.179.234:443 | mdh-pa.googleapis.com | tcp
US | 1.1.1.1:53 | safebrowsing.googleapis.com | udp
GB | 142.250.180.10:443 | safebrowsing.googleapis.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.179.238:443 | www.youtube.com | udp
GB | 142.250.179.238:443 | www.youtube.com | tcp
US | 1.1.1.1:53 | growth-pa.googleapis.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
GB | 173.194.76.84:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.16.228:443 | www.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | i.ytimg.com | udp
GB | 172.217.16.246:443 | i.ytimg.com | udp
GB | 172.217.16.246:443 | i.ytimg.com | tcp
US | 1.1.1.1:53 | biribasganidurdursunn.com | udp
RU | 193.143.1.9:443 | biribasganidurdursunn.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.187.228:443 | www.google.com | udp
GB | 142.250.187.228:443 | www.google.com | tcp
GB | 142.250.187.228:443 | www.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp
RU | 193.143.1.9:443 | biribasganidurdursunn.com | tcp
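The Network tables of behavioral1 and behavioral2 mix the sample's own traffic with the emulator's Google background chatter, and they record two different things: DNS lookups at 1.1.1.1:53 and actual TCP connections. Separating the two is what turns the tables into indicators: domains that were resolved and then connected to are live C2, while domains that were only looked up and never connected to are candidate backup infrastructure. The following Python, added here as an example and not part of the report, does that split over a deduplicated subset of rows copied from both tables and then emits Suricata DNS rules for the result. The PLATFORM_SUFFIXES allowlist and the rule SID range are the analyst's assumptions, not something the report states.

```python
"""Pull C2 indicators out of the sandbox Network tables.

Added example, not part of the report. NETWORK_ROWS is a deduplicated subset
of the rows in the behavioral1 and behavioral2 Network sections, kept in the
report's "Country Destination Domain Proto" layout (a 3-column row has no
Domain). PLATFORM_SUFFIXES is an analyst allowlist and an assumption."""
from collections import defaultdict

NETWORK_ROWS = """
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 basgaaanpompaaa.com udp
US 1.1.1.1:53 usomapompaliyorum.com udp
US 1.1.1.1:53 biribasganidurdursunn.com udp
US 1.1.1.1:53 bassganndomaingitti.com udp
US 1.1.1.1:53 usomukarimyaptimbasgaaan.com udp
RU 193.143.1.9:443 biribasganidurdursunn.com tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 142.250.179.234:443 semanticlocation-pa.googleapis.com tcp
BE 142.251.168.188:5228 tcp
US 1.1.1.1:53 basgaancosturuyor.com udp
RU 193.143.1.9:443 basgaancosturuyor.com tcp
US 1.1.1.1:53 g.tenor.com udp
GB 142.250.179.228:443 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.180.10:443 safebrowsing.googleapis.com tcp
"""

# Emulator/Google background traffic to ignore (analyst assumption).
PLATFORM_SUFFIXES = (".googleapis.com", ".google.com", ".tenor.com",
                     ".ytimg.com", ".youtube.com", ".google-analytics.com")


def parse_rows(text):
    """Parse 3- or 4-column rows into dicts; destination is split into ip/port."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_platform(domain):
    return domain is not None and domain.endswith(PLATFORM_SUFFIXES)


def triage(rows):
    """c2: IPs contacted over TCP under a non-platform name, with the names.
    dns_only: non-platform domains resolved but never connected to."""
    resolved = set()
    contacted = defaultdict(set)          # ip -> domains connected over TCP
    for r in rows:
        if r["port"] == 53 and r["domain"]:
            resolved.add(r["domain"])
        elif r["proto"] == "tcp" and r["domain"]:
            contacted[r["ip"]].add(r["domain"])
    c2 = {ip: sorted(doms) for ip, doms in contacted.items()
          if not all(is_platform(d) for d in doms)}
    contacted_domains = set().union(*contacted.values()) if contacted else set()
    dns_only = sorted(d for d in resolved - contacted_domains if not is_platform(d))
    return {"c2": c2, "dns_only": dns_only}


def suricata_dns_rules(domains, sid_base=9000001):
    """One Suricata dns.query rule per domain; sid_base is an arbitrary choice."""
    return [
        'alert dns $HOME_NET any -> any any (msg:"Octo C2 lookup %s"; '
        'dns.query; content:"%s"; nocase; sid:%d; rev:1;)' % (d, d, sid_base + i)
        for i, d in enumerate(domains)
    ]


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_ROWS))
    print("live C2:", result["c2"])
    print("resolved only:", result["dns_only"])
    live = sorted(set().union(*result["c2"].values())) if result["c2"] else []
    for rule in suricata_dns_rules(live + result["dns_only"]):
        print(rule)
```

Against these rows the only live C2 is 193.143.1.9 under two names, and four further domains were resolved but never contacted; alerting on the lookups rather than the IP survives the operator moving the hosting.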

Files

/data/data/com.slowshel/cache/cedzzialvsni

MD5 d2e9bee71e1b1d930a57571a43ea9d52
SHA1 816ba2a8e769871b069b4b95e915f7c2590961e1
SHA256 aac193050bee17d91817a743dc17fa95b4e32f6dd8dc09a36669d4beb56bc113
SHA512 943ca0d549e162bb582487471ede2c8cacb549719f94e645a1dc67f9bd7e3abf2414a64c4195073f2c0f7e20557acbeb7d39f5083b50e2c9361ca4a10d2e10dc