Malware Analysis Report

2024-09-09 13:51

Sample ID 240710-1xcxssvcne
Target b7c6877a9cb4adc927214dc35154fb92041f6a97abfb9de1d8dc49139ce43a71.bin
SHA256 b7c6877a9cb4adc927214dc35154fb92041f6a97abfb9de1d8dc49139ce43a71
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b7c6877a9cb4adc927214dc35154fb92041f6a97abfb9de1d8dc49139ce43a71

Threat Level: Known bad

The file b7c6877a9cb4adc927214dc35154fb92041f6a97abfb9de1d8dc49139ce43a71.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Acquires the wake lock

Performs UI accessibility actions on behalf of the user

Requests modifying system settings.

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Requests accessing notifications (often used to intercept notifications before users become aware).

Makes use of the framework's foreground persistence service

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-10 22:01

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 22:01

Reported

2024-07-10 22:06

Platform

android-x86-arm-20240624-en

Max time kernel

174s

Max time network

142s

Command Line

com.sittimeok

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.sittimeok/cache/wzwhjihbarcsmac | N/A | N/A
N/A | /data/user/0/com.sittimeok/cache/wzwhjihbarcsmac | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.sittimeok

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
GB | 142.250.200.42:443 |  | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | otururkenterliyorum42.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
US | 1.1.1.1:53 | hava540derece.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
GB | 216.58.204.78:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp

Files

/data/data/com.sittimeok/cache/wzwhjihbarcsmac

MD5 77b539739727e2901d3c700dcd1e949a
SHA1 a7a4eda43acc667a5175fe37a18a0a3d08ac7ab5
SHA256 883a898b2b24a9072b529f878eaccbeed7c005ee89123378857618f2af267fa5
SHA512 c188525efb6df631a6ee931f82366e84b86687613102032945b08de504b6eca0d448eab68a1b7ca51a170c7f1d05a648a8ef2ae1a9bec0e7aaeb58360580d1c7

/data/data/com.sittimeok/kl.txt

MD5 bcaea6bec33144431d66af389f3f5082
SHA1 b32a41fc48488cfe16d6021939c37fb3af80aecb
SHA256 54f523eda3f9e924348950455e4816fb2ff9e13d18a1843c97af882a04cdc030
SHA512 f548298b92ff5cb32d7d2e65b5668642c4a80b20617087ddb1b1034e68d143c27b5e005147d722eeeb36009bdf927ac498445ff199b1c19ece0c6afba33047b8

/data/data/com.sittimeok/kl.txt

MD5 c05797b40358866aae0bd56f150eeb54
SHA1 261524e17caadd900f729e2f51065ef5db847b84
SHA256 390478ff55be7aae5aacbadb7d8d66a31f6dd5f49dccc77feca2cbf5219e9c2d
SHA512 dd727246c7afafe159cbd888017ac21155656aa46077606966bac694bfba1b13b169e2953e7a026c5d953cb9558470b4f436633dc75055f9ae52f272ce8569fc

/data/data/com.sittimeok/kl.txt

MD5 a033ec0606832747158c5a306278deea
SHA1 5a25e6de6188e33aa3cba0db756e2f8935a14d52
SHA256 80184ab69a085b9a8aa579efc707ed19c00378c33137f661fb8cf7fd578f6413
SHA512 b66b8506d8f1ac1cc683af1c2a9d73e9207cbcb1ff9a57490aded89dc997047c3645ac579901c1c5cde4ebf206233584d9ebecef236dac041da2f70a750f53d3

/data/data/com.sittimeok/kl.txt

MD5 bf1bc1b4bc21f21a19c2bec7fe06b950
SHA1 2bd05f50309877b0329376cf00e0379408424c83
SHA256 64053b349c83d99fe9c9fefde2d2eceef7aa7b63f85e0ba2e3d900d98ea8be4b
SHA512 1db147cde35494b37a421a32b5564f7947790e94b4e1a83b9d283ee14f1611d11253d919dcec1d9830b5447694a3f13004e3cb44a1f05e45be3e8c5d750ab9b4

/data/data/com.sittimeok/kl.txt

MD5 4417bc19191d6c76945f89c4648aeb79
SHA1 662f714c33a82969e41aa1c0bd2f0b3213ec3e77
SHA256 3c937105d3a60f8ff3a5d28f438954b65caffbef344b9dbabd11c447b3681b40
SHA512 56d68f04fe87850728bdde9ad2fcfa0d58129d2a43e38fa49497016703371e87cbaa48d97d192fa263090f3ce9c869a6385fc7908275fe994f8cef205cd47d27

/data/data/com.sittimeok/cache/oat/wzwhjihbarcsmac.cur.prof

MD5 aea35edca448c50b6fe520098b9629b4
SHA1 034cdf1646f0e8b06dc6e7a90a49de32e37fc131
SHA256 7df1941a962fe78ae508e11242c023ea249ea475f2bdbf16622e108e3e462104
SHA512 64ab41f10b14a6c3c49c092757724d2f2ee92723153d368eeedf63a2be707821a80fdd8689d9dc1ce845d01ef2eaee2b2654b11a5156c7336a88073bdd26c5ef

/data/data/com.sittimeok/.qcom.sittimeok

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 22:01

Reported

2024-07-10 22:06

Platform

android-x64-20240624-en

Max time kernel

43s

Max time network

148s

Command Line

com.sittimeok

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.sittimeok/cache/wzwhjihbarcsmac | N/A | N/A
N/A | /data/user/0/com.sittimeok/cache/wzwhjihbarcsmac | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.sittimeok

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
GB | 172.217.16.238:443 |  | tcp
GB | 216.58.201.98:443 |  | tcp
US | 1.1.1.1:53 | sicaktanbayilcam52.com | udp
US | 1.1.1.1:53 | hava540derece.com | udp
US | 1.1.1.1:53 | otururkenterliyorum42.com | udp
US | 1.1.1.1:53 | sicakdanbeynimyandii2.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
US | 1.1.1.1:53 | cehennemdirloo34.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
GB | 216.58.201.100:443 |  | tcp
GB | 216.58.201.100:443 |  | tcp
GB | 142.250.187.206:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp

Files

/data/data/com.sittimeok/cache/wzwhjihbarcsmac

MD5 77b539739727e2901d3c700dcd1e949a
SHA1 a7a4eda43acc667a5175fe37a18a0a3d08ac7ab5
SHA256 883a898b2b24a9072b529f878eaccbeed7c005ee89123378857618f2af267fa5
SHA512 c188525efb6df631a6ee931f82366e84b86687613102032945b08de504b6eca0d448eab68a1b7ca51a170c7f1d05a648a8ef2ae1a9bec0e7aaeb58360580d1c7

/data/data/com.sittimeok/kl.txt

MD5 405915b995b0792c5df8f8d47568b5d6
SHA1 0aae7c8b474e94e5d583a366f26515718c4fa024
SHA256 172281cb84086bc136fee1aa29399e2cb16845bf1b2958c3b1f703abe0d7aa51
SHA512 338427a017e9705cf57da4b5d20012df432d4267077c4685b9b7a9794e5f9d1ae96f8a157338b07b31efb41ab7e21c526996d380da600ca239934f1f2beaa5a9

/data/data/com.sittimeok/kl.txt

MD5 ffaa38e97d317858712b324fdce1bff9
SHA1 93406547817517d7d97a26a968b8ce6836d87529
SHA256 9f422a53fbc1505a2a8ac955fb53b4bccce1acd10a5789da2c73a4740087c961
SHA512 403b6352f22b33c3bd2e7e20f0d496d772b46018d5965376f6f58ea8fa5cb76ec0be867e12a1f6978c8096375f51c0a3992488b246ec55c090bb90ae5a22bb2a

/data/data/com.sittimeok/kl.txt

MD5 caf593eb96944c70ba8cf6bb3ad49aaa
SHA1 32077339a867ff7d95146c5176697dc90c7ef400
SHA256 265bb84492195d6ad35e9088561c5863ed253034943dfb15c98b2bda705b5bd2
SHA512 81ccde81892b68d9bb90c592b9321e8f82255d14cc1a4e4cfc4a82cf5b043f672b64610033e3112be64b6a0132dec25b47d11116c8533264abf9b3d3ab10434b