Malware Analysis Report

2024-09-09 13:49

Sample ID 240709-1wnmxazdrc
Target 0f23af4442014bcfe79a75cbb224ed6d2235edf41f665488b5a31d142bc63ae2.bin
SHA256 0f23af4442014bcfe79a75cbb224ed6d2235edf41f665488b5a31d142bc63ae2
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Analysis Overview

score
10/10

SHA256

0f23af4442014bcfe79a75cbb224ed6d2235edf41f665488b5a31d142bc63ae2

Threat Level: Known bad

The file 0f23af4442014bcfe79a75cbb224ed6d2235edf41f665488b5a31d142bc63ae2.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Reads information about phone network operator.

Requests modifying system settings.

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Makes use of the framework's foreground persistence service

Requests accessing notifications (often used to intercept notifications before users become aware).

Queries the unique device ID (IMEI, MEID, IMSI)

Declares broadcast receivers with permission to handle system events

Performs UI accessibility actions on behalf of the user

Declares services with permission to bind to the system

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-09 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 22:00

Reported

2024-07-09 22:03

Platform

android-x86-arm-20240624-en

Max time kernel

178s

Max time network

138s

Command Line

com.inchfound38

Signatures

Octo

banker trojan infostealer rat octo

Octo payload


Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.inchfound38/cache/xzcgbuemyuylk N/A N/A
N/A /data/user/0/com.inchfound38/cache/xzcgbuemyuylk N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.inchfound38

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.213.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 selamcanoonaber.site udp
RU 193.143.1.24:443 selamcanoonaber.site tcp
US 1.1.1.1:53 hava540derece.com udp
US 1.1.1.1:53 sicakdanbeynimyandii2.com udp
US 1.1.1.1:53 otururkenterliyorum42.com udp
US 1.1.1.1:53 sicaktanbayilcam52.com udp
RU 193.143.1.24:443 selamcanoonaber.site tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
RU 193.143.1.24:443 selamcanoonaber.site tcp
GB 216.58.213.10:443 tcp
RU 193.143.1.24:443 selamcanoonaber.site tcp
RU 193.143.1.24:443 selamcanoonaber.site tcp
RU 193.143.1.24:443 selamcanoonaber.site tcp
RU 193.143.1.24:443 selamcanoonaber.site tcp

Files

/data/data/com.inchfound38/cache/xzcgbuemyuylk

/data/data/com.inchfound38/kl.txt

/data/data/com.inchfound38/kl.txt

/data/data/com.inchfound38/kl.txt

/data/data/com.inchfound38/kl.txt

/data/data/com.inchfound38/kl.txt

/data/data/com.inchfound38/cache/oat/xzcgbuemyuylk.cur.prof

/data/data/com.inchfound38/.qcom.inchfound38

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-09 22:00

Reported

2024-07-09 22:03

Platform

android-x64-arm64-20240624-en

Max time kernel

178s

Max time network

147s

Command Line

com.inchfound38

Signatures

Octo

banker trojan infostealer rat octo

Octo payload


Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.inchfound38/cache/xzcgbuemyuylk N/A N/A
N/A /data/user/0/com.inchfound38/cache/xzcgbuemyuylk N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.inchfound38

Network

Country Destination Domain Proto
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 cehennemdirloo34.com udp
US 1.1.1.1:53 selamcanoonaber.site udp
RU 193.143.1.24:443 selamcanoonaber.site tcp
US 1.1.1.1:53 sicakdanbeynimyandii2.com udp
US 1.1.1.1:53 sicaktanbayilcam52.com udp
US 1.1.1.1:53 otururkenterliyorum42.com udp
US 1.1.1.1:53 hava540derece.com udp
RU 193.143.1.24:443 selamcanoonaber.site tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
RU 193.143.1.24:443 selamcanoonaber.site tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
RU 193.143.1.24:443 selamcanoonaber.site tcp
RU 193.143.1.24:443 selamcanoonaber.site tcp
RU 193.143.1.24:443 selamcanoonaber.site tcp
RU 193.143.1.24:443 selamcanoonaber.site tcp

Files

/data/data/com.inchfound38/cache/xzcgbuemyuylk

/data/data/com.inchfound38/kl.txt

/data/data/com.inchfound38/kl.txt

/data/data/com.inchfound38/kl.txt

/data/data/com.inchfound38/kl.txt

/data/data/com.inchfound38/kl.txt

/data/data/com.inchfound38/cache/oat/xzcgbuemyuylk.cur.prof

/data/data/com.inchfound38/.qcom.inchfound38