Malware Analysis Report

2024-09-09 13:49

Sample ID 240710-1xdjbsvcnf
Target acde63a15e888817b6e8364ae38f314d27503c4f9c8a2fbc08bcf6457a7cb605.bin
SHA256 acde63a15e888817b6e8364ae38f314d27503c4f9c8a2fbc08bcf6457a7cb605
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Analysis Overview

score
10/10

SHA256

acde63a15e888817b6e8364ae38f314d27503c4f9c8a2fbc08bcf6457a7cb605

Threat Level: Known bad

The file acde63a15e888817b6e8364ae38f314d27503c4f9c8a2fbc08bcf6457a7cb605.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Queries the mobile country code (MCC)

Requests modifying system settings.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests dangerous framework permissions

Declares services with permission to bind to the system

Queries the unique device ID (IMEI, MEID, IMSI)

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Acquires the wake lock

Requests accessing notifications (often used to intercept notifications before users become aware).

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-10 22:01

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 22:01

Reported

2024-07-10 22:06

Platform

android-x86-arm-20240624-en

Max time kernel

178s

Max time network

186s

Command Line

com.realsing1

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.realsing1/cache/tsfnruacvdexrn | N/A | N/A
N/A | /data/user/0/com.realsing1/cache/tsfnruacvdexrn | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.realsing1

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | kesmecekarpuz145.com | udp
US | 1.1.1.1:53 | kesmecekarpuz8455.com | udp
US | 1.1.1.1:53 | kesmecekarpuz878.com | udp
US | 1.1.1.1:53 | kesmecekarpuz.com | udp
RU | 193.143.1.9:443 | kesmecekarpuz.com | tcp
RU | 193.143.1.9:443 | kesmecekarpuz.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
RU | 193.143.1.9:443 | kesmecekarpuz.com | tcp
US | 1.1.1.1:53 | kesmecekarpuz.site | udp
US | 1.1.1.1:53 | kesmecekarpuz5446.com | udp
RU | 193.143.1.9:443 | kesmecekarpuz.com | tcp
RU | 193.143.1.9:443 | kesmecekarpuz.com | tcp
RU | 193.143.1.9:443 | kesmecekarpuz.com | tcp
RU | 193.143.1.9:443 | kesmecekarpuz.com | tcp
RU | 193.143.1.9:443 | kesmecekarpuz.com | tcp
RU | 193.143.1.9:443 | kesmecekarpuz.com | tcp

Files

/data/data/com.realsing1/cache/tsfnruacvdexrn

MD5 1581b5c2b64065a768fa60b5a6893bd1
SHA1 f03b8a15489a42e203a8634be85bcbee8fa279ce
SHA256 2bf909f06284800863cde93c145a93b4fb131a53bfcf2fe53d987dbc9de23648
SHA512 ccc4a1f1b6b7d2006a321a7701e93f6068ee10245ddbda5acead5e72cb44cc92cab0a9c2fc47a5c53b7baea38632abbfab55a2adad6a01df453b796e726d2b19

/data/data/com.realsing1/cache/oat/tsfnruacvdexrn.cur.prof

MD5 569cb26b2d6ba39d836c87d11128a44a
SHA1 960dd6e03f389f4bdd18091b021e5bc87ce7b4b4
SHA256 68f7d732b45fd255663e15bacb5e8504815f5bc1ddd6b44b4ee44d9f2f612d98
SHA512 010d00a8ce790b609e639c96f704f838ad68935ab7c0a2e164af69b6fc1ef22b0abe5fb3315269f5391336da89f7b6f70437a906076e2b0774ee225ed9ebe2f3

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 22:01

Reported

2024-07-10 22:06

Platform

android-x64-arm64-20240624-en

Max time kernel

179s

Max time network

185s

Command Line

com.realsing1

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.realsing1/cache/tsfnruacvdexrn | N/A | N/A
N/A | /data/user/0/com.realsing1/cache/tsfnruacvdexrn | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.realsing1

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | kesmecekarpuz878.com | udp
US | 1.1.1.1:53 | kesmecekarpuz.site | udp
US | 1.1.1.1:53 | kesmecekarpuz145.com | udp
US | 1.1.1.1:53 | kesmecekarpuz8455.com | udp
US | 1.1.1.1:53 | kesmecekarpuz.com | udp
US | 1.1.1.1:53 | kesmecekarpuz5446.com | udp
RU | 193.143.1.9:443 | kesmecekarpuz.com | tcp
RU | 193.143.1.9:443 | kesmecekarpuz.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp
RU | 193.143.1.9:443 | kesmecekarpuz.com | tcp
RU | 193.143.1.9:443 | kesmecekarpuz.com | tcp
RU | 193.143.1.9:443 | kesmecekarpuz.com | tcp
RU | 193.143.1.9:443 | kesmecekarpuz.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.201.100:443 | www.google.com | tcp
RU | 193.143.1.9:443 | kesmecekarpuz.com | tcp
RU | 193.143.1.9:443 | kesmecekarpuz.com | tcp
RU | 193.143.1.9:443 | kesmecekarpuz.com | tcp
RU | 193.143.1.9:443 | kesmecekarpuz.com | tcp
RU | 193.143.1.9:443 | kesmecekarpuz.com | tcp
RU | 193.143.1.9:443 | kesmecekarpuz.com | tcp
RU | 193.143.1.9:443 | kesmecekarpuz.com | tcp
GB | 216.58.201.100:443 | www.google.com | tcp
RU | 193.143.1.9:443 | kesmecekarpuz.com | tcp
RU | 193.143.1.9:443 | kesmecekarpuz.com | tcp
RU | 193.143.1.9:443 | kesmecekarpuz.com | tcp

Files

/data/data/com.realsing1/cache/tsfnruacvdexrn

MD5 1581b5c2b64065a768fa60b5a6893bd1
SHA1 f03b8a15489a42e203a8634be85bcbee8fa279ce
SHA256 2bf909f06284800863cde93c145a93b4fb131a53bfcf2fe53d987dbc9de23648
SHA512 ccc4a1f1b6b7d2006a321a7701e93f6068ee10245ddbda5acead5e72cb44cc92cab0a9c2fc47a5c53b7baea38632abbfab55a2adad6a01df453b796e726d2b19

/data/data/com.realsing1/cache/oat/tsfnruacvdexrn.cur.prof

MD5 be53de24a6a75cb68590583b2896cbad
SHA1 ea0a716c3116a110af381599ec79c9eda0f503df
SHA256 e9feebe99c3a720d0ad23566a72fada31608a94a9802e775d3f672cc565570aa
SHA512 cfaa207d9129a4047d42cc98ae43ef94a2807e5a155dc88c6a0bd89b72a09dd3d8214876e2f35088c8f421446c751e4d6efb28f0a7933d73bf90ab29a2ead8d1