Malware Analysis Report

2024-09-09 13:50

Sample ID 240710-1ww92ssdjr
Target ca9f8cc74dee381acdcd6b7a8f06e8282565fd078331ef6d14ddd4137b2b2b15.bin
SHA256 ca9f8cc74dee381acdcd6b7a8f06e8282565fd078331ef6d14ddd4137b2b2b15
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ca9f8cc74dee381acdcd6b7a8f06e8282565fd078331ef6d14ddd4137b2b2b15

Threat Level: Known bad

The file ca9f8cc74dee381acdcd6b7a8f06e8282565fd078331ef6d14ddd4137b2b2b15.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Declares services with permission to bind to the system

Requests disabling of battery optimizations (often used to enable hiding in the background)

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Performs UI accessibility actions on behalf of the user

Queries the mobile country code (MCC)

Acquires the wake lock

Requests modifying system settings

Requests access to notifications (often used to intercept notifications before users become aware)

Makes use of the framework's foreground persistence service

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about the phone network operator

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-10 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required on a DeviceAdminReceiver so that only the system can bind to it. Signals that the app requests device-administrator privileges, which the user must approve in Settings. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required on an AccessibilityService so that only the system can bind to it. Once the user enables the service in Settings, the app can read on-screen content and inject UI actions. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required on a NotificationListenerService so that only the system can bind to it. Once enabled by the user, the app receives every posted notification and can dismiss notifications. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. On API 23+ this is a special-access permission that the user must grant on the ACTION_MANAGE_WRITE_SETTINGS screen. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
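The static findings above are a manifest pattern, and the same pattern can be surfaced from any decoded AndroidManifest.xml (for example apktool output). The following is an added example, not code from the sandbox or from the sample: it collects the uses-permission entries and the android:permission attribute on services and receivers, compares them with the permissions listed in this section, and derives a few flags. The manifest fragment, the component class names (.A11y, .Notif, .Admin) and the flag names are this example's own constructions.

```python
"""Surface the static1 permission pattern from a decoded AndroidManifest.xml.

Added example for this report, not sandbox or sample code. The manifest
below is constructed to mirror the static1 findings; the component names
and the flag names are placeholders chosen for the example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions the static1 analysis lists as "dangerous" for this sample.
DANGEROUS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.WRITE_SETTINGS",
    "android.permission.READ_PHONE_STATE",
}

# Permissions only the system may hold; an app puts them on a component
# (android:permission=...) to mark it as a system-bound privileged service.
BIND_PERMISSIONS = {
    "android.permission.BIND_DEVICE_ADMIN": "device admin receiver",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
}

# Constructed manifest fragment (not the sample's real manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.sittimeok">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="app">
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".Notif"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".Admin"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return (sorted dangerous permissions requested, {bind permission: component})."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ATTR_NAME) for e in root.iter("uses-permission")}
    bound = {}
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(ATTR_PERMISSION)
            if perm in BIND_PERMISSIONS:
                bound[perm] = comp.get(ATTR_NAME)
    return sorted(requested & DANGEROUS), bound


def risk_flags(dangerous, bound):
    """Combine the findings into the surfaces the report's tags describe."""
    flags = []
    sms = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
    if sms & set(dangerous) and "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE" in bound:
        flags.append("otp_interception_surface")     # SMS plus notification access
    if "android.permission.BIND_ACCESSIBILITY_SERVICE" in bound:
        flags.append("accessibility_abuse_surface")  # screen reading / UI injection
    if "android.permission.BIND_DEVICE_ADMIN" in bound:
        flags.append("device_admin_requested")
    return flags


if __name__ == "__main__":
    found, components = triage_manifest(SAMPLE_MANIFEST)
    print("dangerous:", found)
    print("system-bound components:", components)
    print("flags:", risk_flags(found, components))
```

Run it against the decoded manifest of any APK; an app that legitimately needs an accessibility service will still trip accessibility_abuse_surface, so treat the flags as a triage prompt, not a verdict.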

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 22:00

Reported

2024-07-10 22:03

Platform

android-x86-arm-20240624-en

Max time kernel

31s

Max time network

135s

Command Line

com.sittimeok

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.sittimeok/cache/wzwhjihbarcsmac | N/A | N/A
N/A | /data/user/0/com.sittimeok/cache/wzwhjihbarcsmac | N/A | N/A
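The dropped file is the artifact that matters in this run: "Loads dropped Dex/Jar" means the app loaded code from its cache directory at runtime rather than from the APK, so the payload is not visible in the static view. As an added example (not sandbox or sample code), the following checks whether a file pulled from a device or detonation is a DEX, parses the 0x70-byte header, and recomputes the two integrity fields ART verifies on load: the Adler-32 checksum over everything after offset 12 and the SHA-1 signature over everything after offset 32. A truncated or patched copy fails both checks. The sample bytes are a constructed header-only DEX, not the real wzwhjihbarcsmac file, whose hashes are in the Files section.

```python
"""Identify and validate a file dropped into an app's cache as a DEX payload.

Added example for this report, not sandbox or sample code. The sample bytes
are a constructed header-only DEX (no classes), built so that the checksum
and signature fields are valid.
"""
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678


def classify(blob):
    """Cheap magic check: DEX, JAR/APK (zip), ELF (native library) or unknown."""
    if blob[:4] == b"dex\n" and blob[7:8] == b"\x00":
        return "dex"
    if blob[:4] == b"PK\x03\x04":
        return "jar"
    if blob[:4] == b"\x7fELF":
        return "elf"
    return "unknown"


def parse_dex_header(blob):
    """Parse the fixed DEX header and verify checksum, signature and size."""
    if len(blob) < DEX_HEADER_SIZE or classify(blob) != "dex":
        raise ValueError("not a DEX file")
    # magic (8 bytes), checksum (u32), signature (20 bytes), then 20 u32 fields
    fields = struct.unpack_from("<8sI20s20I", blob, 0)
    magic, checksum, signature = fields[0], fields[1], fields[2]
    names = ("file_size", "header_size", "endian_tag", "link_size", "link_off",
             "map_off", "string_ids_size", "string_ids_off", "type_ids_size",
             "type_ids_off", "proto_ids_size", "proto_ids_off", "field_ids_size",
             "field_ids_off", "method_ids_size", "method_ids_off",
             "class_defs_size", "class_defs_off", "data_size", "data_off")
    hdr = dict(zip(names, fields[3:]))
    hdr["version"] = magic[4:7].decode("ascii")
    # Adler-32 covers offset 12..end; SHA-1 covers offset 32..end.
    hdr["checksum_ok"] = checksum == zlib.adler32(blob[12:]) & 0xFFFFFFFF
    hdr["signature_ok"] = signature == hashlib.sha1(blob[32:]).digest()
    hdr["size_ok"] = hdr["file_size"] == len(blob)
    hdr["endian_ok"] = hdr["endian_tag"] == ENDIAN_CONSTANT
    hdr["sha256"] = hashlib.sha256(blob).hexdigest()  # the hash you would share as an IOC
    return hdr


def build_minimal_dex():
    """Construct a header-only DEX with valid checksum and signature (test input)."""
    words = [DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT] + [0] * 17
    body = struct.pack("<20I", *words)          # offsets 32..111
    signature = hashlib.sha1(body).digest()     # SHA-1 over offset 32..end
    tail = signature + body                     # offsets 12..111
    checksum = zlib.adler32(tail) & 0xFFFFFFFF  # Adler-32 over offset 12..end
    return b"dex\n035\x00" + struct.pack("<I", checksum) + tail


if __name__ == "__main__":
    sample = build_minimal_dex()
    hdr = parse_dex_header(sample)
    print(hdr["version"], hdr["checksum_ok"], hdr["signature_ok"], hdr["sha256"])
    tampered = bytearray(sample)
    tampered[-1] ^= 0xFF                        # corrupt the last byte of data_off
    bad = parse_dex_header(bytes(tampered))
    print(bad["checksum_ok"], bad["signature_ok"])
```

On a real pull, read the cache file into bytes and call parse_dex_header; a "jar" classification means the loader was given a zip containing classes.dex, so unzip first. Octo-family droppers commonly write the payload encrypted and decrypt it before loading, so a file that classifies as "unknown" on disk can still be the DEX seen in memory.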

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call (returns the ISO country code of the registered network, which is derived from its MCC) | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about the phone network operator

discovery

Requests access to notifications (often used to intercept notifications before users become aware)

collection credential_access
Description | Indicator | Process | Target
Intent action (opens the settings screen where the user enables the app's notification listener) | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background)

evasion
Description | Indicator | Process | Target
Intent action (prompts the user to exempt the app from Doze and app standby) | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.sittimeok

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | hava540derece.com | udp
US | 1.1.1.1:53 | sicakdanbeynimyandii2.com | udp
US | 1.1.1.1:53 | cehennemdirloo34.com | udp
US | 1.1.1.1:53 | otururkenterliyorum42.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
US | 1.1.1.1:53 | selamcanoonaber.site | udp
US | 1.1.1.1:53 | sicaktanbayilcam52.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
GB | 142.250.200.46:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp

Of the six non-Google domains the sample resolved, only otururkenterliyorum42.com produced TCP sessions (193.143.1.24:443, RU); the other five lookups led to no connection in this capture. 224.0.0.251:5353 is mDNS multicast and the googleapis.com / google.com traffic is the platform's Google Play services background, not sample traffic.

Files

Note: kl.txt appears four times below with different hashes, i.e. the file was rewritten during the run and each version is listed separately.

/data/data/com.sittimeok/cache/wzwhjihbarcsmac

MD5 77b539739727e2901d3c700dcd1e949a
SHA1 a7a4eda43acc667a5175fe37a18a0a3d08ac7ab5
SHA256 883a898b2b24a9072b529f878eaccbeed7c005ee89123378857618f2af267fa5
SHA512 c188525efb6df631a6ee931f82366e84b86687613102032945b08de504b6eca0d448eab68a1b7ca51a170c7f1d05a648a8ef2ae1a9bec0e7aaeb58360580d1c7

/data/data/com.sittimeok/kl.txt

MD5 8266c19a8cd98142cb274f5f947f9e54
SHA1 aaa6f9bda3fed44f3febabfe90ebeda304c34ba1
SHA256 221866e7a0dfbecaa3922525825f2d32c9411b103e0f90c82343b2b8b9719509
SHA512 2547761260d2ab700cc6593d1850beac1dd6031eea009333ef99a16f9567474c1acef69f9155178b252b10bfc97bd73c8c4e4be67b0ad57c89c0d44610220e2f

/data/data/com.sittimeok/kl.txt

MD5 99000e95d87fb3d4cdf1b2557509ed52
SHA1 7c5392391957c8b7ec120b932034553c4b9a7747
SHA256 d49a046f1eb1bbf76637154896eaa41d7992853b7a5adfa6072dfbf8a67809ce
SHA512 2be47ce43f948cf1f4fd622a0ff8cbc4749f22ec122be8d82d0ebcd4683d075a587f2c7e22f55336c1079ef201dcbebae56cfbd2ef2487b73bc7085391fa9d25

/data/data/com.sittimeok/kl.txt

MD5 53051b1e10e08dfa720e6dfeb15c5227
SHA1 f72ec22e903dabbb2a62079a7a116cfdb24fe939
SHA256 95178482887ab3a84a4bf5426215d5b6e3463a4bdfd48052b24642155a259631
SHA512 0c6f4146700e869ab70386d89bb67229cc97b3a42934156b50f7cfe181def52d065fdea5e832123de93862130e20cc3151ba69d9bd8a68a3243f3ccebec859e2

/data/data/com.sittimeok/kl.txt

MD5 254e33bfecdae4bd434089b9e7d48271
SHA1 f715ed0ee9bac35dd3c09d8940843a5ff21f10ee
SHA256 7011b8b923317e8feb0376a798f3f119060d16807d2a2857ddf141c1d9d1b387
SHA512 d9f6f7d9529051e884eaf27f1cac2a785b9ffddfb7cf1527b1a70c7fc10d7c4d609261b1dd240c62a12c2d4f6bae0bad85f685096e6d0004d0cf9387c233e593

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 22:00

Reported

2024-07-10 22:03

Platform

android-x64-arm64-20240624-en

Max time kernel

171s

Max time network

148s

Command Line

com.sittimeok

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.sittimeok/cache/wzwhjihbarcsmac | N/A | N/A
N/A | /data/user/0/com.sittimeok/cache/wzwhjihbarcsmac | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call (returns the ISO country code of the registered network, which is derived from its MCC) | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about the phone network operator

discovery

Requests access to notifications (often used to intercept notifications before users become aware)

collection credential_access
Description | Indicator | Process | Target
Intent action (opens the settings screen where the user enables the app's notification listener) | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background)

evasion
Description | Indicator | Process | Target
Intent action (prompts the user to exempt the app from Doze and app standby) | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings

evasion
Description | Indicator | Process | Target
Intent action (opens the settings screen where the user grants the WRITE_SETTINGS special access declared in the manifest) | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.sittimeok

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 142.250.179.238:443 | N/A | tcp
GB | 142.250.179.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | cehennemdirloo34.com | udp
US | 1.1.1.1:53 | sicakdanbeynimyandii2.com | udp
US | 1.1.1.1:53 | hava540derece.com | udp
US | 1.1.1.1:53 | sicaktanbayilcam52.com | udp
US | 1.1.1.1:53 | otururkenterliyorum42.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
GB | 142.250.187.196:443 | N/A | tcp
GB | 142.250.187.196:443 | N/A | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp

Of the five non-Google domains the sample resolved in this run, only otururkenterliyorum42.com produced TCP sessions, to the same host as in behavioral1 (193.143.1.24:443, RU). The mDNS multicast and the google.com / google-analytics.com traffic are platform background, not sample traffic.
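Turning the two network tables into shareable indicators has one parsing pitfall: rows for raw-IP connections have no Domain column, so a naive whitespace split puts the protocol in the domain field. The following is an added example (not sandbox code) that keys the parse on the field count, drops the resolver, mDNS and Google Play services background, and separates names that were only looked up from endpoints that were actually contacted. The rows are copied from the behavioral2 table above as constructed input; the background allowlist, and treating 142.250.0.0/15 as Google's range for the domain-less TLS rows, are this example's own assumptions.

```python
"""Split a sandbox network table into sample IOCs and platform background.

Added example for this report, not sandbox code. The background allowlist
and the Google address range are this example's own assumptions.
"""
import ipaddress

# Assumption: traffic to these names/addresses is the detonation platform's
# own Google Play services activity, not the sample's.
BACKGROUND_SUFFIXES = (".googleapis.com", ".google.com", ".google-analytics.com")
GOOGLE_RANGE = ipaddress.ip_network("142.250.0.0/15")   # assumption for domain-less TLS rows
MDNS_GROUP = ipaddress.ip_address("224.0.0.251")

# Constructed input: rows copied from the behavioral2 network table.
ROWS = """N/A 224.0.0.251:5353 udp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 cehennemdirloo34.com udp
US 1.1.1.1:53 otururkenterliyorum42.com udp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
"""


def parse_row(line):
    """Return {country, ip, port, domain, proto}; domain is None for raw-IP rows."""
    parts = line.split()
    if len(parts) == 3:            # Country Destination Proto (Domain column absent)
        country, dest, proto = parts
        domain = None
    elif len(parts) == 4:
        country, dest, domain, proto = parts
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ipaddress.ip_address(ip),
            "port": int(port), "domain": domain, "proto": proto}


def is_background(row):
    """mDNS, Google-hosted names and Google-range raw TLS are not sample IOCs."""
    if row["ip"] == MDNS_GROUP:
        return True
    if row["domain"] and row["domain"].endswith(BACKGROUND_SUFFIXES):
        return True
    if row["domain"] is None and row["ip"] in GOOGLE_RANGE:
        return True
    return False


def extract_iocs(text):
    """Return (sorted sample domains, set of (ip, port) the sample actually contacted)."""
    domains, endpoints = set(), set()
    for line in text.strip().splitlines():
        row = parse_row(line)
        if is_background(row):
            continue
        if row["proto"] == "udp" and row["port"] == 53:
            domains.add(row["domain"])         # a lookup: the name is the IOC, not the resolver
        else:
            endpoints.add((str(row["ip"]), row["port"]))
            if row["domain"]:
                domains.add(row["domain"])
    return sorted(domains), endpoints


if __name__ == "__main__":
    names, contacted = extract_iocs(ROWS)
    print("sample domains:", names)
    print("contacted endpoints:", contacted)
```

Feed it both tables and the output is a short domain list plus a single contacted endpoint; names that were resolved but never connected to are still worth blocking, since the sample evidently knows them.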

Files

Note: kl.txt appears five times below with different hashes (rewritten during the run). The dropped cache file wzwhjihbarcsmac has the same hashes as in behavioral1, and cache/oat/wzwhjihbarcsmac.cur.prof is the runtime profile ART writes for a secondary DEX it has loaded, which corroborates that the dropped file was executed as code.

/data/data/com.sittimeok/cache/wzwhjihbarcsmac

MD5 77b539739727e2901d3c700dcd1e949a
SHA1 a7a4eda43acc667a5175fe37a18a0a3d08ac7ab5
SHA256 883a898b2b24a9072b529f878eaccbeed7c005ee89123378857618f2af267fa5
SHA512 c188525efb6df631a6ee931f82366e84b86687613102032945b08de504b6eca0d448eab68a1b7ca51a170c7f1d05a648a8ef2ae1a9bec0e7aaeb58360580d1c7

/data/data/com.sittimeok/kl.txt

MD5 43a1c56d9ec7d3f4fe966c3f56cb3d12
SHA1 053bc4f22a9733e767b8e3181fd651ebde26f887
SHA256 b205e7e4e727ec296a3153b1de693edbf2fe00e1640a6774ce1bd673d690af96
SHA512 70f178284dc5f8eb52d322aab284216258f3abd0120f6d6d491aeea71aa428a08a0cce0d3714abfdfca777fdcbd41a97e229dc5a3cdecffb5ac1ceee384088f1

/data/data/com.sittimeok/kl.txt

MD5 34d823fb32d07c6a85b3b9c2f87a00c4
SHA1 39a4d834f735cf2d5aa7fd083bde73feba9731f1
SHA256 7d0b5caaaeb07910be873ac41fb738e5fd61059cee01daf3a2fd5a39c11aa4bd
SHA512 97e169b9152bc378631b5a5f9897289c72d9185889f771ccd95a5ad5b6f8e373b4fb7103e37f9b1f270edf9df66346d7390a0d6363abd5e6b24046f0137fcc55

/data/data/com.sittimeok/kl.txt

MD5 70169dd3698123b3f74469b96069b6f2
SHA1 b6ab5cac9a870248d27ae71012fb6330eed399a5
SHA256 ffcd08afb3c60b1158d4457f89ef6ee5e57f13141b7ad3654aed6b891b984b83
SHA512 a32fe16e0511fe794b0e012c841df5f703370d609c625b800cb78c25f14d42002de93099939658f83a74f1eb0120eb317e2a4315086866d056d7f4cd8f10d327

/data/data/com.sittimeok/kl.txt

MD5 5d0b7a51a8b5f7324669057a1e6de333
SHA1 eea1d57b0e7d1b94c34ef698ba0f667818ff1801
SHA256 e5a01b6fa1f22f2ec7b9c2f906e125773e0f33ea69f0fb8b42e9d5a4f11cc10a
SHA512 a62248345f550e95b16dcfea48f7c2a9904a229c3f720dd3739190d162c7b232aa75a98a4bd1386af010babe7ae0fc9c40edda9debbca6d25e2ce72c0d698380

/data/data/com.sittimeok/kl.txt

MD5 27ca2dcddc32ecff0c98a61d162a93e3
SHA1 2b38b7d7246f5a15f0e560e122d1db5cfc42e8b4
SHA256 5dd8c4949c81948f0df7bd916e99fa7c7561706b59fb10794eeb806c16c10e67
SHA512 4a9903a73429cc90b1b33d82bf03d90d54ea090a278a81e244de6d997b0247ef01a414c3cee267e2da92ab6fb32e1d567e6b924ec6bf88034910e4c50096f360

/data/data/com.sittimeok/cache/oat/wzwhjihbarcsmac.cur.prof

MD5 533e118fe7c9c05e4005ef228ffed5a4
SHA1 971f212fe259921bfc475c56b0c1365ca8a7cd5b
SHA256 6fe42658523623e1b54d5fd99ce226dde95ea974dbdef463ed8bbbafcd3c1259
SHA512 d195313f20e4ad80d9224ce4e53f2e17c09879f07854c7b8b04ba9c8b20e5ddd365c504eda4b9512dcc52c140ecb3e31000fc3df0fb55409660a47da14e45884

/data/data/com.sittimeok/.qcom.sittimeok

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c