Malware Analysis Report

2024-09-09 13:49

Sample ID 240710-1xk86svcph
Target 92fe64d2dce46fb56c9b72bc7fc3fbcbd824b40f3f8c0d2ae471c2c0dfab0099.bin
SHA256 92fe64d2dce46fb56c9b72bc7fc3fbcbd824b40f3f8c0d2ae471c2c0dfab0099
Tags octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 92fe64d2dce46fb56c9b72bc7fc3fbcbd824b40f3f8c0d2ae471c2c0dfab0099

Threat Level: Known bad

The file 92fe64d2dce46fb56c9b72bc7fc3fbcbd824b40f3f8c0d2ae471c2c0dfab0099.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests accessing notifications (often used to intercept notifications before users become aware).

Performs UI accessibility actions on behalf of the user

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Requests modifying system settings.

Acquires the wake lock

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-10 22:01

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 22:01

Reported

2024-07-10 22:07

Platform

android-x86-arm-20240624-en

Max time kernel

175s

Max time network

142s

Command Line

com.sittimeok

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.sittimeok/cache/wzwhjihbarcsmac | N/A | N/A
N/A | /data/user/0/com.sittimeok/cache/wzwhjihbarcsmac | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.sittimeok

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | hava540derece.com | udp
US | 1.1.1.1:53 | sicakdanbeynimyandii2.com | udp
US | 1.1.1.1:53 | otururkenterliyorum42.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
US | 1.1.1.1:53 | selamcanoonaber.site | udp
US | 1.1.1.1:53 | sicaktanbayilcam52.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 216.58.204.74:443 | semanticlocation-pa.googleapis.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp

Files

/data/data/com.sittimeok/cache/wzwhjihbarcsmac

MD5 77b539739727e2901d3c700dcd1e949a
SHA1 a7a4eda43acc667a5175fe37a18a0a3d08ac7ab5
SHA256 883a898b2b24a9072b529f878eaccbeed7c005ee89123378857618f2af267fa5
SHA512 c188525efb6df631a6ee931f82366e84b86687613102032945b08de504b6eca0d448eab68a1b7ca51a170c7f1d05a648a8ef2ae1a9bec0e7aaeb58360580d1c7

/data/data/com.sittimeok/kl.txt

MD5 aed9f87c971e059986a969fb33e92716
SHA1 01e0ae1466690d4f8a39ebfc2817a50f493ca5fa
SHA256 c92d6873ab2986fc05a79ec1ea5554f144c5d5c998354413d00f062923ff35da
SHA512 0f440734994a1f5b208c05467d15857dd78d49ed6c3e0daf884a66185acaa289deb9c5edee1b5afa5a1f928ad9ad87a1ac42151d5bc02e2656bee975ff610018

/data/data/com.sittimeok/kl.txt

MD5 27bea9c57716e5747f94d2c5bdd84774
SHA1 149e0a8ab4d7139676baec94de1f1dd1b2b5e206
SHA256 5b44d5e244034a36d7d32b78cdfc7ec83a57c65edfb177dd8dc51c4f2c4feec9
SHA512 f38ef1af4911008f35311ecd80b3bba460fba35a73269297c9d50f36ee7c156d273a8e5d77e5bd88779510530a79f9bba5a83b4a37cfbe91a4f27cf9c61610da

/data/data/com.sittimeok/kl.txt

MD5 4ad6aa999b4ccbdfeebedaf9bdcf345b
SHA1 7b4b70c62a318f8d5825b21fd0cf625809f217a8
SHA256 e42e94bf0662c29229191fce8783afe3d717d38d97844869fcc6406e1c393aad
SHA512 5f829e4c547f8b26c20bfa6c5cae0dc9783f6791d66a2f05ee62ec24496f045a55407e34e509837a2106613e2d96a447ef8d3553f37433c7a6b51b9980ce9245

/data/data/com.sittimeok/kl.txt

MD5 c43c2feb9e1a9fcdf4bf803d58b7797b
SHA1 53876fab318cdbf8ff0a8cad7ce545246704f883
SHA256 c4ce5f1934439ce1f1786e8634f2cd69b76e1dcbce5e3e06ed708445f7a6c1bf
SHA512 6be1997bdb92148ba9c1bb1076bb1160bcab56d05fc89432f460232814f1e3b6b0e6012eb6e38c9247670e01859dcf6fe7c10b629c231c86cc8261b445a54ceb

/data/data/com.sittimeok/kl.txt

MD5 8a8f56e9a64a170e9ea13e716528d5e9
SHA1 fc9e4d39e63a3e7c7b24cf7fbef75ef8b82bb42b
SHA256 1a1dd03174c21b884d6f392c58c787efd12023cb769f925f58c6113e6777adbe
SHA512 ef25b9c48ce0be734d93f01c2d46f7b7da4339152462365c77c7e6537a678968030a6c3b5b8bf9357f3502058191c6e529303c0bd7ebfe87ee0daa44b8c62109

/data/data/com.sittimeok/cache/oat/wzwhjihbarcsmac.cur.prof

MD5 356d1ca56a004778f9dfebafbf66ac23
SHA1 ef3f5142842dfedd40c96c83c020f8b862b12e26
SHA256 e8efe784bae3bbff6105970f8baa3d6262b92bd960052107c67fffa0067a760e
SHA512 a9df1279a1bdfe3db536ef53a7ac1d2c872964a074764622d05404bce75d78826feb34d4e8edf20f3d2ee12c44404804d21a36267ac4d641b1a300a97d8c3e33

/data/data/com.sittimeok/.qcom.sittimeok

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 22:01

Reported

2024-07-10 22:07

Platform

android-33-x64-arm64-20240624-en

Max time kernel

178s

Max time network

142s

Command Line

com.sittimeok

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.sittimeok/cache/wzwhjihbarcsmac | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.sittimeok

Network

Country | Destination | Domain | Proto
GB | 142.250.187.196:443 | | udp
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.196:443 | | tcp
GB | 216.58.212.238:443 | | udp
US | 1.1.1.1:53 | sicaktanbayilcam52.com | udp
US | 1.1.1.1:53 | cehennemdirloo34.com | udp
US | 1.1.1.1:53 | hava540derece.com | udp
US | 1.1.1.1:53 | selamcanoonaber.site | udp
US | 1.1.1.1:53 | sicakdanbeynimyandii2.com | udp
US | 1.1.1.1:53 | otururkenterliyorum42.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp
US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp
GB | 142.250.187.196:443 | | udp
GB | 172.217.169.68:443 | | udp
GB | 172.217.169.68:443 | | tcp
GB | 172.217.169.68:443 | | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
US | 172.64.41.3:443 | | tcp
US | 172.64.41.3:443 | | tcp
GB | 216.58.204.67:443 | | tcp
US | 172.64.41.3:443 | | udp
GB | 216.58.204.67:443 | | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
GB | 142.250.187.227:443 | | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp

Files

/data/user/0/com.sittimeok/cache/wzwhjihbarcsmac

MD5 77b539739727e2901d3c700dcd1e949a
SHA1 a7a4eda43acc667a5175fe37a18a0a3d08ac7ab5
SHA256 883a898b2b24a9072b529f878eaccbeed7c005ee89123378857618f2af267fa5
SHA512 c188525efb6df631a6ee931f82366e84b86687613102032945b08de504b6eca0d448eab68a1b7ca51a170c7f1d05a648a8ef2ae1a9bec0e7aaeb58360580d1c7

/data/data/com.sittimeok/kl.txt

MD5 26a8e400359e54bc5af55eb3090d82fc
SHA1 59be8131c4fb73e3ac1651629c84b20345717918
SHA256 1679bc806b573cc7bfad987c156740409e18c07514b6c51acb75a1fe819a1c76
SHA512 ddbcfd98ee4355505bfa4edbcacfbd36913bc9a617843ad9d7a77fda4edfbb467b721a4fa83acb26574b5ad3c372b8bcb1bbd264a206c24c2f8cb243fb00bebe

/data/data/com.sittimeok/kl.txt

MD5 4dda4886a91f982e71a8a045513328c4
SHA1 7df7ae8dd96fc01d5ae0d56771aeec3016bb0232
SHA256 114ef6c3277fd31ae026c0725515294d135167a07b4afefda6ff1a00e1c16fd9
SHA512 5fdd05c4b6a6a2c31e8f571aa86546eba6a7917c883b238fcd1509c92aaf5199481f4d629b6c124b151bcc323e143737466b5929f5ca956dd030383dd8101564

/data/data/com.sittimeok/kl.txt

MD5 3508ca831dc20fcd54eab3c5d998393a
SHA1 06eb250a569da5fd0b01cac173bf265158624a72
SHA256 e5d8ef743ae11e61825fd2df13f1c07f9c38b9d6f5d9e1795b70a2a099e4476c
SHA512 a5767cffa3da734a55bdb7703aa12b632fc40dbdab72870c2365dcb10585a9a46708add59a69875cfd7f6bec80d6bc986a819948047ac095c942f7415a02f165

/data/data/com.sittimeok/kl.txt

MD5 bedda3a95077d2cc3505b7de4177dd92
SHA1 4108ccb95da4e48c0e5962bf75c1e7cb3f54c26d
SHA256 d0e61a813a54fcb460a42bd1f61e02bc2d694f65756587eb10652af35da9c223
SHA512 68ab101e46fa80696bb91cfbbdb48033547fbdd1a996e8da756b2c9fd0652252c07355cc6eb7fab21e99a11597a74fc3698465078d9fc7dc9a66e3260d24bbac

/data/data/com.sittimeok/kl.txt

MD5 ce46576b1294a9dd72da91b4af49d8d6
SHA1 c59c386ae37c52b8a4d34ce1f81d772a0418cbcb
SHA256 f3780b7cdcaef4a2f966a5c5d1a7afb457df2aed9cde97db5ec9cf0e3a0b2166
SHA512 4e70ffa19b0f1cda9488211dbb3b1a816c4a2a53d243b4b928bb02efb74f0f78e059038661a79a633b0722d2ec919307e5b624bbadd70a49a11c7a92dfc83a2b

/data/data/com.sittimeok/cache/oat/wzwhjihbarcsmac.cur.prof

MD5 85b395f20714ece95088ecd9f8c06c82
SHA1 9f13f4f4a6b16cd403661564168aa43e915cd697
SHA256 94aebfddf65cc9ffec1cdccd67e7b6380aecaaf7d89e9d43a121e331d209d5d1
SHA512 7dc4ae1188df38e47591063b877d2e93006e7cf5384c25f35adb4a1407f4eaa0eb7d2dd2eaaaff818076937f64030af8383f2075fecb321b9479bc36de0b2cc3

/data/data/com.sittimeok/.qcom.sittimeok

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c