Malware Analysis Report

2024-09-09 13:49

Sample ID 240716-1wmevavelb
Target 5d27c96cc91058e6e6e3a3933ede4995d4a25af73ff32bb3fc6e146f04cbb554.bin
SHA256 5d27c96cc91058e6e6e3a3933ede4995d4a25af73ff32bb3fc6e146f04cbb554
Tags octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256

5d27c96cc91058e6e6e3a3933ede4995d4a25af73ff32bb3fc6e146f04cbb554

Threat Level: Known bad

The file 5d27c96cc91058e6e6e3a3933ede4995d4a25af73ff32bb3fc6e146f04cbb554.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Acquires the wake lock

Makes use of the framework's foreground persistence service

Reads information about phone network operator.

Requests modifying system settings.

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Performs UI accessibility actions on behalf of the user

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests accessing notifications (often used to intercept notifications before users become aware).

Queries the unique device ID (IMEI, MEID, IMSI)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-07-16 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-07-16 22:00
Reported 2024-07-16 22:03
Platform android-x86-arm-20240624-en
Max time kernel 47s
Max time network 147s

Command Line

com.threecare0

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.threecare0/cache/fhhshhvzvzq | N/A | N/A
N/A | /data/user/0/com.threecare0/cache/fhhshhvzvzq | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.threecare0

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 216.58.213.10:443 | N/A | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | sicakdanbeynimyandii2.com | udp
US | 1.1.1.1:53 | sicaktanbayilcam52.com | udp
US | 1.1.1.1:53 | otururkenterliyorum42.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
US | 1.1.1.1:53 | hava540derece.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
GB | 142.250.200.46:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 216.58.213.10:443 | semanticlocation-pa.googleapis.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp

Files

/data/data/com.threecare0/cache/fhhshhvzvzq

/data/data/com.threecare0/kl.txt (five successive versions written, each with a different hash)

/data/data/com.threecare0/cache/oat/fhhshhvzvzq.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted 2024-07-16 22:00
Reported 2024-07-16 22:03
Platform android-33-x64-arm64-20240624-en
Max time kernel 175s
Max time network 147s

Command Line

com.threecare0

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.threecare0/cache/fhhshhvzvzq | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.threecare0

Network

Country | Destination | Domain | Proto
GB | 142.250.187.228:443 | N/A | udp
GB | 142.250.187.228:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | otururkenterliyorum42.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp
US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp
GB | 142.250.187.228:443 | N/A | udp
GB | 142.250.178.4:443 | N/A | udp
GB | 142.250.178.4:443 | N/A | tcp
US | 162.159.61.3:443 | N/A | tcp
US | 162.159.61.3:443 | N/A | tcp
GB | 172.217.16.227:443 | N/A | tcp
US | 162.159.61.3:443 | N/A | udp
GB | 172.217.16.227:443 | N/A | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
GB | 216.58.204.67:443 | N/A | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp

Files

/data/data/com.threecare0/cache/fhhshhvzvzq

/data/data/com.threecare0/kl.txt (five successive versions written, each with a different hash)

/data/data/com.threecare0/cache/oat/fhhshhvzvzq.cur.prof

/data/data/com.threecare0/.qcom.threecare0