Malware Analysis Report

2024-09-09 13:50

Sample ID 240716-1wnb5ssbkk
Target 5d1aced8c499709ce15fa1156446b29ca055729dfb34c98ee25d50a6d40c05d2.bin
SHA256 5d1aced8c499709ce15fa1156446b29ca055729dfb34c98ee25d50a6d40c05d2
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5d1aced8c499709ce15fa1156446b29ca055729dfb34c98ee25d50a6d40c05d2

Threat Level: Known bad

The file 5d1aced8c499709ce15fa1156446b29ca055729dfb34c98ee25d50a6d40c05d2.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Acquires the wake lock

Declares services with permission to bind to the system

Requests accessing notifications (often used to intercept notifications before users become aware).

Requests modifying system settings.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Queries the unique device ID (IMEI, MEID, IMSI)

Performs UI accessibility actions on behalf of the user

Reads information about phone network operator.

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-16 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-16 22:00

Reported

2024-07-16 22:03

Platform

android-x86-arm-20240624-en

Max time kernel

48s

Max time network

147s

Command Line

com.househome3

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.househome3/cache/tzduuqufvphxa | N/A | N/A
N/A | /data/user/0/com.househome3/cache/tzduuqufvphxa | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.househome3

Network

Files

/data/data/com.househome3/cache/tzduuqufvphxa

/data/data/com.househome3/kl.txt

/data/data/com.househome3/kl.txt

/data/data/com.househome3/kl.txt

/data/data/com.househome3/kl.txt

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-16 22:00

Reported

2024-07-16 22:03

Platform

android-x64-arm64-20240624-en

Max time kernel

172s

Max time network

156s

Command Line

com.househome3

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.househome3/cache/tzduuqufvphxa | N/A | N/A
N/A | /data/user/0/com.househome3/cache/tzduuqufvphxa | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.househome3

Network

Files

/data/data/com.househome3/cache/tzduuqufvphxa

/data/data/com.househome3/kl.txt

/data/data/com.househome3/kl.txt

/data/data/com.househome3/kl.txt

/data/data/com.househome3/kl.txt

/data/data/com.househome3/kl.txt

/data/data/com.househome3/cache/oat/tzduuqufvphxa.cur.prof

/data/data/com.househome3/.qcom.househome3
