Malware Analysis Report

2024-09-09 13:51

Sample ID 240710-1xzfssvcre
Target 7a0f9c6c940085723f2690107ecd52201903b71787cf93be8f7950b9bb98eb15.bin
SHA256 7a0f9c6c940085723f2690107ecd52201903b71787cf93be8f7950b9bb98eb15
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

7a0f9c6c940085723f2690107ecd52201903b71787cf93be8f7950b9bb98eb15

Threat Level: Known bad

The file 7a0f9c6c940085723f2690107ecd52201903b71787cf93be8f7950b9bb98eb15.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Queries the unique device ID (IMEI, MEID, IMSI)

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Requests accessing notifications (often used to intercept notifications before users become aware).

Queries the mobile country code (MCC)

Requests modifying system settings.

Performs UI accessibility actions on behalf of the user

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-10 22:02

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 22:02

Reported

2024-07-10 22:09

Platform

android-x86-arm-20240624-en

Max time kernel

171s

Max time network

135s

Command Line

com.sittimeok

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.sittimeok/cache/wzwhjihbarcsmac | N/A | N/A
N/A | /data/user/0/com.sittimeok/cache/wzwhjihbarcsmac | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.sittimeok

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | cehennemdirloo34.com | udp
US | 1.1.1.1:53 | hava540derece.com | udp
US | 1.1.1.1:53 | sicaktanbayilcam52.com | udp
US | 1.1.1.1:53 | selamcanoonaber.site | udp
US | 1.1.1.1:53 | otururkenterliyorum42.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp

Files

/data/data/com.sittimeok/cache/wzwhjihbarcsmac

MD5 77b539739727e2901d3c700dcd1e949a
SHA1 a7a4eda43acc667a5175fe37a18a0a3d08ac7ab5
SHA256 883a898b2b24a9072b529f878eaccbeed7c005ee89123378857618f2af267fa5
SHA512 c188525efb6df631a6ee931f82366e84b86687613102032945b08de504b6eca0d448eab68a1b7ca51a170c7f1d05a648a8ef2ae1a9bec0e7aaeb58360580d1c7

/data/data/com.sittimeok/kl.txt

MD5 50833f3a4aca2163bbd3e1081cf10e73
SHA1 76203b149ccf38043ae7e2af230c4a0a1e428e63
SHA256 6bcc5c1f0f93eed191202b7f31af0c75c9ea5ac16cba4efc4ce549501a99f1a8
SHA512 cf2ee4e79db04fa95cc526ead7d0970d816cf68adb900e8fa5c6b0183efb30e1a623eeee56261849b5ab27b23cadffe60e05a0383c6e0ea83daf4950fb2c8dfd

/data/data/com.sittimeok/kl.txt

MD5 69189ba7f7f15a685170cdaaa080fb90
SHA1 6b6cb0236ba968d66d10045384457ff7e6188fc9
SHA256 d589d89dfd13eca5e77829c6b2801f1761913b88cf980c721133be8dab4f3b43
SHA512 ec1fa8318a1770443d36d1357decb385bfbb14befc26a43c32807e5c3ba2de757622a4000d47107e4d7c65f14afc759ed5091f892b635a88b06a711c731b1226

/data/data/com.sittimeok/kl.txt

MD5 49c4480454f47e0972ec8ea9635d7432
SHA1 ea8c49f17e46afe79a991a1ca6a989b1da2dc638
SHA256 a5e46a913a2b50785822616a229e23890cf6f6fa952b5cddd4ca68656b32763a
SHA512 fe5f15fe2bbedda88eead52b6aa1f9de2c1ff1b382ff2dc18a85d43952bf53eea17d59c6cec4965da1cb760bbd2d139216dc441a99263844665823ba980a0cd6

/data/data/com.sittimeok/kl.txt

MD5 e45c4b8ad7a24cf5966dda964261cec2
SHA1 50b4b34712621759a36ea99778ca1bbc14562a53
SHA256 ab76b84765a3773ff961f8845dbed2442b272c41815d2bdca9005ba9ad38946a
SHA512 b731eb902957524b42444094f1393ac7fb2f0ac736d526580cfbf16a5969f1ab89bc33be3481e8d642e5b4c1f2720e3c29774dc77d4e4e005df7caad540e689e

/data/data/com.sittimeok/kl.txt

MD5 a545a28f8185fdad893214857807b46d
SHA1 addb6bcbd1475a4c7c9132854a42810e6c665470
SHA256 1e6956340496facc534811b98967816e434948bd10de3bf8c86d574add5aedfc
SHA512 3b37a70cf78587e238ac88dc36bfde4a7a54f7e718acb69cbeca2aa69f1fb21002b5d64a85a4a516262fb965b5d02515c0fd8149eff172b1ba7bb596bbcb024f

/data/data/com.sittimeok/cache/oat/wzwhjihbarcsmac.cur.prof

MD5 d9cd35086c7b5f946536f89f5d648771
SHA1 5d322d5b7d00547a6c8387afe3235e90880bb121
SHA256 102d3774dafd6b936b376d382483da72531543efb67d56e0aad63736bb402bf1
SHA512 33ce3728c0d5a3d5d4a46d6e1b01e372be63be64ac45d3fb4edda13454c07b01c1a6cfa80c425a01d68358c01afdcdbfd9ade64ba6f1695d4055cd0e2d80555d

/data/data/com.sittimeok/.qcom.sittimeok

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 22:02

Reported

2024-07-10 22:09

Platform

android-33-x64-arm64-20240624-en

Max time kernel

175s

Max time network

142s

Command Line

com.sittimeok

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.sittimeok/cache/wzwhjihbarcsmac | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.sittimeok

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.228:443 | | udp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.179.234:443 | | udp
GB | 142.250.179.234:443 | | tcp
GB | 142.250.179.234:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | otururkenterliyorum42.com | udp
US | 1.1.1.1:53 | hava540derece.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
US | 1.1.1.1:53 | cehennemdirloo34.com | udp
US | 1.1.1.1:53 | selamcanoonaber.site | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp
US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
US | 162.159.61.3:443 | | tcp
US | 162.159.61.3:443 | | tcp
GB | 142.250.200.3:443 | | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
US | 162.159.61.3:443 | | udp
US | 34.104.35.123:80 | | tcp
GB | 142.250.200.3:443 | | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
GB | 142.250.187.228:443 | | udp
GB | 142.250.178.4:443 | | udp
GB | 142.250.178.4:443 | | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
GB | 216.58.204.67:443 | | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp

Files

/data/user/0/com.sittimeok/cache/wzwhjihbarcsmac

MD5 77b539739727e2901d3c700dcd1e949a
SHA1 a7a4eda43acc667a5175fe37a18a0a3d08ac7ab5
SHA256 883a898b2b24a9072b529f878eaccbeed7c005ee89123378857618f2af267fa5
SHA512 c188525efb6df631a6ee931f82366e84b86687613102032945b08de504b6eca0d448eab68a1b7ca51a170c7f1d05a648a8ef2ae1a9bec0e7aaeb58360580d1c7

/data/data/com.sittimeok/kl.txt

MD5 f930e4a5d9320559fdf91726cd9ce130
SHA1 c5b69553dc97d3c4eb87526533bf7b550523d933
SHA256 98061a911e48a5e04e3f10a318ce4420149736ff6e2ab4ef5bb9a6ec6840a9af
SHA512 1542436937b680b0467f9b70d3b3e56f5df95dd5b21836bca7c390729f979ac24f595f685f3fb24de522eb70133c821df5b22875e2c6cb69270c8cc7749058ef

/data/data/com.sittimeok/kl.txt

MD5 e52ddb0eed69bd5385f7a712ca5a1a44
SHA1 4e2740992bf5a0e4a65a8c6e14a3cd6ad2f5ed82
SHA256 dd475a11f441b229182d1ce1641e967bd140bfef1f5d709233d05e115e001e78
SHA512 3d5fed3db4ed57613ec9f92d45267076e496481c413f4ce12d7a50ad95f0d8781ef3e3ce3ddfada7aca6e60bc2cfb43bbf2918443a480904e7258a8f454b4d3c

/data/data/com.sittimeok/kl.txt

MD5 430a3c268a36ef70ee29efa644357d34
SHA1 721682878294badc7d096e1d38408ed85715fa20
SHA256 d3061239d65f901699f5419c3d8af1fea7e7a3f3d909f8c152a480f8ee1718d2
SHA512 7fc7f6628739f4724e4bf4d4922904f5c577cb48b4b09f30e466e7692ca31ef9056d9c3a77d97d381eb7209a978b558cc5ab24a5af81e8e966504aac61433369

/data/data/com.sittimeok/kl.txt

MD5 27d3367cbfb0f7bd488fafdbcb8ada39
SHA1 94599f50ee967a03c3185c3046699c1c4ca7fbce
SHA256 7eaa0bbf92db32cd78b06d38b01278ccca25be31e1e85a215a63d10c4120ab60
SHA512 30b09f0d0d7f453def17a306608f6e547879efe298e0c57ffb842578fa952c3aa60ccb1b9927fc2a915162c6ecc74028af6fedb11b11a5e1202bfdbd47f5d166

/data/data/com.sittimeok/kl.txt

MD5 cfabbece4c992275aa77f8a6451fa544
SHA1 94ad05d8fa6c00f8cc8487e29890b787f0e5140f
SHA256 905d531f73fe193667a778e7ae8b51b060bfedad463bb03316342cf64ec9ba56
SHA512 d14c81efcbc15277769a428c19ebc21c357a1e5ea4479b2b044771e11076a605325cb45c7bbb12fc497935cd11af39f3e1707ac5eb9bfc382c566d06fb18f345

/data/data/com.sittimeok/cache/oat/wzwhjihbarcsmac.cur.prof

MD5 ebea6870d13c147113951616aa356e16
SHA1 5a0e6d14a5a6a491b902dc585f774ef7f8f43395
SHA256 dd9ab3681f236b6a6d799a12d1948b93fe3a55ef5fe629173cd736bd50c38461
SHA512 869c9a3b6c6770bb61a4dd270b6a818e376d168212ae5ee958f9e75adaaf9f527e40318ed7f5c329a6a4042884b1d4d47e2c0e37f3a811cabcb68d0a25b0d82f

/data/data/com.sittimeok/.qcom.sittimeok

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c