Malware Analysis Report

2024-09-09 13:51

Sample ID 240711-jdj4bsycjd
Target 5b79995e97163006aacaf285076d6dde.apk
SHA256 1eeac092537fcc88ae707fe2fd43d5cb6562da67d7a7988dda03e00b90b5aacd
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1eeac092537fcc88ae707fe2fd43d5cb6562da67d7a7988dda03e00b90b5aacd

Threat Level: Known bad

The file 5b79995e97163006aacaf285076d6dde.apk was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth

Octo

Octo payload

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Declares broadcast receivers with permission to handle system events

Performs UI accessibility actions on behalf of the user

Declares services with permission to bind to the system

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Requests modifying system settings.

Acquires the wake lock

Makes use of the framework's foreground persistence service

Requests accessing notifications (often used to intercept notifications before users become aware).

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-11 07:33

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-11 07:33

Reported

2024-07-11 07:36

Platform

android-33-x64-arm64-20240624-en

Max time kernel

178s

Max time network

137s

Command Line

com.boyknowtwe

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.boyknowtwe/cache/bafhfjlubnwq | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.boyknowtwe

Network

Country | Destination | Domain | Proto
GB | 216.58.201.100:443 |  | udp
GB | 216.58.201.100:443 |  | tcp
GB | 216.58.201.100:443 |  | tcp
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | lolo2naberlo.com | udp
US | 1.1.1.1:53 | mutocosturoyur.com | udp
RU | 193.143.1.25:443 | mutocosturoyur.com | tcp
US | 1.1.1.1:53 | gurcustill254.com | udp
RU | 193.143.1.25:443 | mutocosturoyur.com | tcp
GB | 216.58.204.78:443 |  | udp
US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp
US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
GB | 216.58.212.202:443 | remoteprovisioning.googleapis.com | tcp
RU | 193.143.1.25:443 | mutocosturoyur.com | tcp
RU | 193.143.1.25:443 | mutocosturoyur.com | tcp
US | 172.64.41.3:443 |  | tcp
US | 172.64.41.3:443 |  | tcp
GB | 216.58.201.99:443 |  | tcp
US | 172.64.41.3:443 |  | udp
GB | 216.58.201.99:443 |  | udp
RU | 193.143.1.25:443 | mutocosturoyur.com | tcp
GB | 216.58.201.100:443 |  | udp
GB | 142.250.200.36:443 |  | udp
GB | 142.250.200.36:443 |  | tcp
GB | 142.250.200.36:443 |  | tcp
RU | 193.143.1.25:443 | mutocosturoyur.com | tcp
RU | 193.143.1.25:443 | mutocosturoyur.com | tcp

Files

/data/data/com.boyknowtwe/cache/bafhfjlubnwq

MD5 7247d44533a7f6efb46f39d406af92e4
SHA1 5892dd7fd09f9dbfcf71bd06ad82fd46242bf0f5
SHA256 188ab41991099c74ed779d0bfddd9b00578fb9a21b5b1ab3ae57c90c233b7e3b
SHA512 92a51adbe3054dd93dc4c9701f4d7c1bbfd18185ac60aa83b8f4db719f3f1830f28992e1e9614f37da24dacbe95206e5c3d37ff842aeed8766ae98a1eacd354f

/data/data/com.boyknowtwe/kl.txt

MD5 2baec631c569a1c7fbc64cdc66953d48
SHA1 69c541894c4659cedb21d3ecde89dcae9f4992b6
SHA256 7d45a73bb1ebbfb0580645c8b68037e212ee64c859d1411ebc94bb4f02b84562
SHA512 0fddb0d75c2247fa0e2676a89985206e4db7a403ad2a28f635c9cff08bb05d83989af7d38ed7ae284117a571c3a52d19e68bf246e221012984c75a2b679115e6

/data/data/com.boyknowtwe/kl.txt

MD5 7f233d1bac350d8d9d58766427d0236b
SHA1 5907150694620aafa9eb6ff2f09fd875ee50a723
SHA256 9fb74baf11811fe91abf6a156b41235876799843a46c254e5799a0a0f53a94ee
SHA512 f389c243f864d3f622682fc0d54189e4439c19b598ccad9cbdf69b202ae31d821243fab814f3a45a4248bb6acd1d6be6b5ddf04ff871570b07c2a591ad26b21b

/data/data/com.boyknowtwe/kl.txt

MD5 34b1b2d7e39caae8368d61a7817bf548
SHA1 220c409e486001007a7eb9a63380c7e3cde2ed0f
SHA256 3799f8e7b71711c001c96fcfd9d707eaa3fbad5dadc2b2f8f52bdf319811e9eb
SHA512 9e117b20701f638f6cb196429479c9e157fa22b50824155f1b7712f4f8c79ed992fc5c69ce7b8d88de81fa43586e98936797b8381e65c868092d8e246c7e303f

/data/data/com.boyknowtwe/kl.txt

MD5 1f78b8b5aa0aa628e0af6e99e0ea0a64
SHA1 ab787c8b107764efbd8717bfdaa800bc9633d475
SHA256 7e0acded9fbc7a785a8abf298a8cba5470f5243fd11c735cda2ebd6d9e048ad9
SHA512 188c455cda7a4b82c20db543928baee8aaf25ab5bf071463c935b5cb5d489e2e872ed4fa73fb952b9253aa89fdc7a4e3ee9580fe7f041d3b661ef7cc4ab5a7ff

/data/data/com.boyknowtwe/kl.txt

MD5 ba13560ee7c3adc41b00c940098c9175
SHA1 c480ed3878b790ff1661a27bc3462a39114009fc
SHA256 fe8c5235a1f15296b1d55aa473f318e1a26bddbccf4e4803bce97e75d803ffbc
SHA512 19b3712450f872040d9f73e027f4a2e2167df1552f51ac024edc37a65f1b433b474fdf3e5672912983200949806762dc0d9b89c0d109f4dbf697b6dcea09acc9

/data/data/com.boyknowtwe/cache/oat/bafhfjlubnwq.cur.prof

MD5 cb0a9bfacd4a6505dcec63e719de7ebf
SHA1 120a7eed886291f6938a080eaaaaf1465c742e30
SHA256 9cfc947dd836da20ddce430e07e1712628db3fc1b793b09cadf3746c0f59c783
SHA512 97061dbe4cd6281fa6746b985a51e3298dd5ea52f40b2b51d63d5963eaf76bc9e395b3550350ef168fcd6bf6826656dd53c590422d44a19a165fa6a2343df35f

/data/data/com.boyknowtwe/.qcom.boyknowtwe

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-11 07:33

Reported

2024-07-11 07:33

Platform

android-x86-arm-20240624-en

Max time kernel

26s

Max time network

27s

Command Line

com.boyknowtwe

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.boyknowtwe/cache/bafhfjlubnwq | N/A | N/A
N/A | /data/user/0/com.boyknowtwe/cache/bafhfjlubnwq | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.boyknowtwe

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
GB | 216.58.213.10:443 |  | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | r4s5t2t2fa.com | udp
US | 1.1.1.1:53 | r4s5t2t2fa.com | udp
US | 1.1.1.1:53 | r4s5t2t2fa.com | udp
US | 1.1.1.1:53 | gurcustill254.com | udp
GB | 142.250.200.46:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | havalarsicaktir.com | udp
US | 1.1.1.1:53 | lolo2naberlo.com | udp
US | 1.1.1.1:53 | mutocosturoyur.com | udp
RU | 193.143.1.25:443 | mutocosturoyur.com | tcp
RU | 193.143.1.25:443 | mutocosturoyur.com | tcp
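The Network tables of both runs (behavioral2 above and behavioral1 here) mix the sandbox's own DNS lookups to 1.1.1.1:53, local mDNS, Android platform traffic and the sample's own connections, and the report draws no line between them. The script below is an added example, not part of the original report: it parses both tables (rows copied verbatim) and splits them into domains that were only looked up, domains that were actually contacted with per-destination counts, and destinations the sandbox tied to no name. PLATFORM_SUFFIXES is an assumed allowlist used only to set platform traffic aside; the report does not attribute the remaining bare IP destinations, and the script does not claim them benign or malicious, it leaves them for manual review.

```python
"""Triage of the behavioral1/behavioral2 Network tables (added example).
Rows are copied from the report; PLATFORM_SUFFIXES is an assumption."""
import re
from collections import Counter, defaultdict

# Copied from the behavioral2 Network table (Country Destination Domain Proto).
BEHAVIORAL2 = """\
GB 216.58.201.100:443 udp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 lolo2naberlo.com udp
US 1.1.1.1:53 mutocosturoyur.com udp
RU 193.143.1.25:443 mutocosturoyur.com tcp
US 1.1.1.1:53 gurcustill254.com udp
RU 193.143.1.25:443 mutocosturoyur.com tcp
GB 216.58.204.78:443 udp
US 1.1.1.1:53 rcs-acs-tmo-us.jibe.google.com udp
US 216.239.36.155:443 rcs-acs-tmo-us.jibe.google.com tcp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
GB 216.58.212.202:443 remoteprovisioning.googleapis.com tcp
RU 193.143.1.25:443 mutocosturoyur.com tcp
RU 193.143.1.25:443 mutocosturoyur.com tcp
US 172.64.41.3:443 tcp
US 172.64.41.3:443 tcp
GB 216.58.201.99:443 tcp
US 172.64.41.3:443 udp
GB 216.58.201.99:443 udp
RU 193.143.1.25:443 mutocosturoyur.com tcp
GB 216.58.201.100:443 udp
GB 142.250.200.36:443 udp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
RU 193.143.1.25:443 mutocosturoyur.com tcp
RU 193.143.1.25:443 mutocosturoyur.com tcp
"""
# Copied from the behavioral1 Network table.
BEHAVIORAL1 = """\
N/A 224.0.0.251:5353 udp
GB 216.58.213.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 r4s5t2t2fa.com udp
US 1.1.1.1:53 r4s5t2t2fa.com udp
US 1.1.1.1:53 r4s5t2t2fa.com udp
US 1.1.1.1:53 gurcustill254.com udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
US 1.1.1.1:53 havalarsicaktir.com udp
US 1.1.1.1:53 lolo2naberlo.com udp
US 1.1.1.1:53 mutocosturoyur.com udp
RU 193.143.1.25:443 mutocosturoyur.com tcp
RU 193.143.1.25:443 mutocosturoyur.com tcp
"""

PLATFORM_SUFFIXES = ("google.com", "googleapis.com")  # assumed allowlist, not from the report
SANDBOX_RESOLVER = "1.1.1.1:53"  # every DNS row in the tables goes here
MDNS = "224.0.0.251:5353"        # local multicast DNS, not attributable to the sample
ROW = re.compile(r"^(?P<cc>\S+)\s+(?P<dst>\S+:\d+)(?:\s+(?P<domain>[^\s:]+))?\s+(?P<proto>tcp|udp)$")

def parse_rows(table):
    """Parse the space-separated table; the Domain column is optional."""
    rows = []
    for line in table.strip().splitlines():
        m = ROW.match(line.strip())
        if m is None:
            raise ValueError("unparseable row: %r" % line)
        rows.append(m.groupdict())
    return rows

def is_platform(domain):
    return any(domain == s or domain.endswith("." + s) for s in PLATFORM_SUFFIXES)

def triage(rows):
    """Split rows into domains only looked up, domains actually contacted
    (with destination counts) and destinations the sandbox tied to no name."""
    queried, contacted, unattributed = set(), defaultdict(Counter), Counter()
    for r in rows:
        dst, domain = r["dst"], r["domain"]
        if dst == MDNS:
            continue
        if dst == SANDBOX_RESOLVER:          # a lookup, not a connection
            if domain and not is_platform(domain):
                queried.add(domain)
            continue
        if domain is None:
            unattributed[dst] += 1           # bare IP: left for manual attribution
        elif not is_platform(domain):
            contacted[domain][dst] += 1
    return {
        "dns_only": sorted(queried - set(contacted)),
        "contacted": {d: dict(c) for d, c in contacted.items()},
        "unattributed": dict(unattributed),
    }

def stable_domains(*results):
    """Domains seen in every run: stronger block candidates than a one-off lookup."""
    per_run = [set(r["dns_only"]) | set(r["contacted"]) for r in results]
    return sorted(set.intersection(*per_run))

if __name__ == "__main__":
    b1, b2 = triage(parse_rows(BEHAVIORAL1)), triage(parse_rows(BEHAVIORAL2))
    print(b1, b2, stable_domains(b1, b2), sep="\n")
```

Run against the two tables, mutocosturoyur.com (193.143.1.25:443) is the only non-platform domain actually contacted, seven times in behavioral2 and twice in behavioral1; gurcustill254.com and lolo2naberlo.com are looked up in both runs but never connected to; r4s5t2t2fa.com and havalarsicaktir.com appear only in the shorter behavioral1 run. The three domains stable across both runs are the better block candidates, and the unattributed bucket is where the analyst's own attribution of the bare 216.58.x, 142.250.x and 172.64.x destinations has to happen.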

Files

/data/data/com.boyknowtwe/cache/bafhfjlubnwq

MD5 7247d44533a7f6efb46f39d406af92e4
SHA1 5892dd7fd09f9dbfcf71bd06ad82fd46242bf0f5
SHA256 188ab41991099c74ed779d0bfddd9b00578fb9a21b5b1ab3ae57c90c233b7e3b
SHA512 92a51adbe3054dd93dc4c9701f4d7c1bbfd18185ac60aa83b8f4db719f3f1830f28992e1e9614f37da24dacbe95206e5c3d37ff842aeed8766ae98a1eacd354f

/data/data/com.boyknowtwe/kl.txt

MD5 4038593dd53ece6ee2ef2e8ca31a0656
SHA1 5bf2eed1a664703c0d3fa655220cfcd3249d08cc
SHA256 ef9e8b0ad3cb4f8ab224b05b76cfc34005996a5708fb8e56e63f1618fc1db61f
SHA512 a736f03b2433269fb878269d06db82adc56eec1713bd93a78ccdec8a1ff8bf2f4a65edbd2f0af4400cc8ffc582a92adb6069a0f896b9256fc78356ee674f8f09

/data/data/com.boyknowtwe/kl.txt

MD5 2cf57277618cb45d714b89e6e235e6d8
SHA1 ab41a9aac0fc33edccfb208fa31c5a65d3b53ecb
SHA256 62dba774d24e48c6ceee2ea5c98cdb99b4a7bc27cd016da0b29cb1ece36fff19
SHA512 ee4ff5cff885cc5eacc94d29c5e0eb7e7e50c9066cc301564ec34e36fd6bbd9a66a6bbd8d835a635730cf87b6809d7526487913038477541d86065e38397fa83

/data/data/com.boyknowtwe/kl.txt

MD5 a0dceca361d35fab1f7a2e006c392b34
SHA1 c962c75fc0c4d0fa04a0edf8b34fa9e9cdd54823
SHA256 1760d3bc7d30397dc55e353e0f87f1edc806857527dace9fb83f04a136a93556
SHA512 a3271809a005ab9b8766e85ca7474c6b8bb879774c8830dc16c9576d13666b7edd2b86d173b3431f37316a78ecaa7d20a47a7bfd851daeb85743be70b849836b

/data/data/com.boyknowtwe/kl.txt

MD5 227601749a7ff57ee0049545b355b6fe
SHA1 e6a77cba6416abc9892979682d62faa7387aa4fd
SHA256 33b1418a58c41ab1dfe9b5f890e86d3e893cc98ab09be2f6183a9d01dd52c9f4
SHA512 c59fe7d5ebd18eafee85de3488652429e8f0429fcc4594f17f8ed5335c00a24a91967f264c57ddecba8f9200f0ce87da87996e3532e8a5dfd867290906fb3c12

/data/data/com.boyknowtwe/kl.txt

MD5 06225445bdd57df6880d1c5802ff0a10
SHA1 535d1f623e42bb55a05ef5028a04eb277315d22c
SHA256 0b56d23afc060f13aa6298fb4d956447f562cc393b9526e942ff7da615354235
SHA512 bcbd9627a78e5b3eabf06d9a42ab77e987381659085aad165036ebb6c63591b2064f8c3ba3b78354798ea3d55ac2ff56f2c4855b2e997842a00bad218ca72015
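Two things stand out in the Files sections of both runs. The cache blob /data/data/com.boyknowtwe/cache/bafhfjlubnwq has the same SHA256 (188ab419...) in behavioral1 and behavioral2 and is the path the "Loads dropped Dex/Jar" signature reports (via /data/user/0, which on Android is the same directory), so it is the stable artifact to pull and examine. kl.txt, by contrast, is written five times per run with a different digest each time, so any single hash of it is a poor indicator. When such a dropped file is pulled off a device or out of the sandbox, the first check is what it actually is. The script below is an added example, not code from the report or from the sample: it classifies a blob by magic bytes, validates a DEX header's adler32 checksum and SHA-1 signature against the DEX format, and computes the same four digests the report lists. The sample blobs (a minimal synthetic DEX header and an in-memory jar) are constructed here for demonstration and are not the dropped file.

```python
"""Identify and fingerprint a dropped file (added example; sample blobs are synthetic)."""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n"
ZIP_MAGIC = b"PK\x03\x04"
ELF_MAGIC = b"\x7fELF"

def digests(data):
    """The same four digests the report lists per dropped file."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256", "sha512")}

def dex_header_ok(data):
    """Validate a DEX header per the DEX format: magic 'dex\\n' + 3-digit version + NUL,
    adler32 checksum (u32 LE at offset 8) over everything after it, SHA-1 signature
    (20 bytes at offset 12) over everything after it, file_size (u32 LE at offset 32)."""
    if len(data) < 0x70 or data[:4] != DEX_MAGIC or data[7:8] != b"\x00":
        return False
    checksum, = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, = struct.unpack_from("<I", data, 32)
    if file_size != len(data):
        return False
    if zlib.adler32(data[12:]) & 0xFFFFFFFF != checksum:
        return False
    return hashlib.sha1(data[32:]).digest() == signature

def classify(data):
    """Coarse file type from magic bytes, with header validation for DEX and a
    classes.dex check for zip containers (jar/apk)."""
    if data[:4] == DEX_MAGIC:
        return "dex" if dex_header_ok(data) else "dex (bad header)"
    if data[:4] == ZIP_MAGIC:
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "zip (corrupt)"
        return "jar/apk (contains classes.dex)" if "classes.dex" in names else "zip"
    if data[:4] == ELF_MAGIC:
        return "elf"
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "unknown"

def fingerprint(data):
    return {"type": classify(data), "size": len(data), **digests(data)}

def make_synthetic_dex(size=0x70, version=b"035"):
    """Constructed sample: a structurally valid but empty DEX header (not the real payload)."""
    buf = bytearray(size)
    buf[0:8] = DEX_MAGIC + version + b"\x00"
    struct.pack_into("<I", buf, 32, size)        # file_size
    struct.pack_into("<I", buf, 36, 0x70)        # header_size
    struct.pack_into("<I", buf, 40, 0x12345678)  # endian_tag
    buf[12:32] = hashlib.sha1(bytes(buf[32:])).digest()
    struct.pack_into("<I", buf, 8, zlib.adler32(bytes(buf[12:])) & 0xFFFFFFFF)
    return bytes(buf)

def make_synthetic_jar():
    """Constructed sample: an in-memory jar wrapping the synthetic DEX."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("classes.dex", make_synthetic_dex())
    return out.getvalue()

if __name__ == "__main__":
    for label, blob in (("dex", make_synthetic_dex()), ("jar", make_synthetic_jar()),
                        ("text", b"constructed kl.txt-style text\n")):
        print(label, fingerprint(blob))
```

A tampered DEX (any byte changed after the checksum field) is reported as "dex (bad header)" rather than "dex"; that distinction matters when the dropped blob is later decrypted or rewritten by the sample, since a blob that fails the header check is not what the runtime will load. On a real pull, replace the synthetic blobs with the bytes of cache/bafhfjlubnwq and compare the resulting SHA256 against the 188ab419... value listed above.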