Malware Analysis Report

2024-09-09 13:49

Sample ID: 240716-1wqghavele
Target: 4a5988aae7cbd7720d852efd50fc5386ee7d1b9594456fe4d45157f1971b3bda.bin
SHA256: 4a5988aae7cbd7720d852efd50fc5386ee7d1b9594456fe4d45157f1971b3bda
Tags: octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 4a5988aae7cbd7720d852efd50fc5386ee7d1b9594456fe4d45157f1971b3bda

Threat Level: Known bad

The file 4a5988aae7cbd7720d852efd50fc5386ee7d1b9594456fe4d45157f1971b3bda.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator.

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Acquires the wake lock

Makes use of the framework's foreground persistence service

Requests modifying system settings.

Declares broadcast receivers with permission to handle system events

Requests accessing notifications (often used to intercept notifications before users become aware).

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests dangerous framework permissions

Performs UI accessibility actions on behalf of the user

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-16 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Protects a device-admin receiver so that only the system can bind to it. Once the user activates the admin, the app can use device-administration features, and it cannot be uninstalled until the admin is deactivated. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Protects an accessibility service so that only the system can bind to it. Once the user enables the service, the app can read on-screen content and inject UI actions. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Protects a notification listener service so that only the system can bind to it. Once the user grants notification access, the app can read and dismiss notifications (including one-time codes delivered by SMS). | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
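The static signatures above are a manifest-level pattern: an accessibility service and a notification listener protected by their BIND_* permissions, a device-admin receiver, and SMS/call permissions in one package. The script below is an added example (not the sandbox's own logic) that parses a decoded AndroidManifest.xml and reports that combination. The manifest it runs on is constructed from the permissions listed above; the component class names in it are hypothetical placeholders, since the report does not name them. A real APK carries a binary manifest that must first be decoded (for example with apktool or androguard) before it can be parsed as text XML like this.

```python
"""Flag the Octo-style permission/component combination in a decoded manifest.

Added example, not part of the sandbox report. The manifest is constructed
from the static1 permissions; component names are hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest reproducing what static1 reports for com.fieldabout2.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.fieldabout2">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}


def attr(el, name):
    """Read an android:-namespaced attribute."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def manifest_facts(xml_text):
    """Return declared uses-permissions and the BIND_* protections on components."""
    root = ET.fromstring(xml_text)
    perms = {attr(el, "name") for el in root.iter("uses-permission")}
    bind = {}
    for tag in ("service", "receiver"):
        for el in root.iter(tag):
            p = attr(el, "permission")
            if p and p.startswith("android.permission.BIND_"):
                bind.setdefault(p, []).append(attr(el, "name"))
    return {"package": root.get("package"), "permissions": perms, "bind": bind}


def banker_indicators(facts):
    """List the indicators present, in the order the static pass reports them.

    Accessibility service + notification listener together is the core of the
    pattern; SMS or CALL_PHONE alone also occur in legitimate apps.
    """
    hits = []
    b, p = facts["bind"], facts["permissions"]
    if "android.permission.BIND_ACCESSIBILITY_SERVICE" in b:
        hits.append("accessibility_service")
    if "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE" in b:
        hits.append("notification_listener")
    if "android.permission.BIND_DEVICE_ADMIN" in b:
        hits.append("device_admin_receiver")
    if p & SMS_PERMS:
        hits.append("sms_access")
    if "android.permission.CALL_PHONE" in p:
        hits.append("call_phone")
    return hits


if __name__ == "__main__":
    facts = manifest_facts(SAMPLE_MANIFEST)
    print(facts["package"], sorted(facts["permissions"]))
    print("indicators:", banker_indicators(facts))
```

Treat the result as a triage score rather than a verdict: an accessibility service plus a notification listener in a non-accessibility app is the strong signal; the SMS and call permissions raise it further but are common on their own.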

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-16 22:00

Reported

2024-07-16 22:03

Platform

android-x86-arm-20240624-en

Max time kernel

49s

Max time network

144s

Command Line

com.fieldabout2

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.fieldabout2/cache/pdauwwgkbo | N/A | N/A
N/A | /data/user/0/com.fieldabout2/cache/pdauwwgkbo | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.fieldabout2

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | mutocosturoyur.com | udp
US | 1.1.1.1:53 | gurcustill254.com | udp
US | 1.1.1.1:53 | havalarsicaktir.com | udp
US | 1.1.1.1:53 | r4s5t2t2fa.com | udp
US | 1.1.1.1:53 | lolo2naberlo.com | udp
RU | 193.143.1.25:443 | r4s5t2t2fa.com | tcp
RU | 193.143.1.25:443 | r4s5t2t2fa.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
GB | 216.58.204.74:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp
RU | 193.143.1.25:443 | r4s5t2t2fa.com | tcp
RU | 193.143.1.25:443 | r4s5t2t2fa.com | tcp
RU | 193.143.1.25:443 | r4s5t2t2fa.com | tcp

Files (the same path is listed once per captured revision; the hashes differ)

/data/data/com.fieldabout2/cache/pdauwwgkbo

MD5 44652c376a64287ab5d3672c4b743d6d
SHA1 2deefa4fe9a2dd18b692c6db0e76e3efb45d4c5c
SHA256 002b760287061cf36e6c775f0d2f9673e68a8256a4ec1688a01f0095b7e8bff5
SHA512 d3b07128848ff076ede2b596f9c670edd974a9be4c80d740e23c9fc022e564475711d0173a51618d0c6716de795d81787f7ae726c1db17ccc9dce41f6405ae77

/data/data/com.fieldabout2/kl.txt

MD5 c870a02951c4c88b4777eb74832eb73c
SHA1 a01b91ce0730394ea1aac71163381aeb26b917a0
SHA256 397379e704ddf92278e2192bae80481fb61f6daab2bf197785be60c04d1a1854
SHA512 d4d39d4adca66ac07433199067bcdfffa05819880a4d255946a98d9f6efe5e2605ff1a1a41e5282bbf4fcd6667d9caedfec499addb28d79c032cd5f007bff2f7

/data/data/com.fieldabout2/kl.txt

MD5 cc5d0f7c4a86226c0b6f6d46e0d37916
SHA1 8936e8c488fb9d14447091c4bb96d31ab2c5dc23
SHA256 63b0877bd65c5eb998f6f1c8050d6ab7b819149ff8bd077331a9ac63a71ab738
SHA512 7264d27f49c0f4de6d85e5c78eea349af46507556187944256e24f763b426e8380a7098657bb644f5e04cfa2e6a2d055641a6ebb57cc89458f95fdbafa96625b

/data/data/com.fieldabout2/kl.txt

MD5 da282cce4934179e269ffb8d68a51e19
SHA1 ab3af582700df8904f5e07b300da87e5c4f1044d
SHA256 1138def7ad23e5315868ae6faae3f8efd5a3dca0534957d9a00e5d960aa92076
SHA512 63294d3fbb1596992f729b8ec7d84536efc06e24337133ccb9fa6f7656fd905bb3eb66856be4a5d85a3e222e341ac7caca1bb5315e1e621556cd37db12d58fcd

/data/data/com.fieldabout2/kl.txt

MD5 6d9ebb23e822b927223a4dbe4b8378f8
SHA1 d68afb08a009b149779a7437f22c9b6949d004b2
SHA256 111715f60e5b6827fbdece3c29b11f6b78ab5f5512133725efc5e6fd2bc39f30
SHA512 fe24ce5144e9b42ce6f349ae1d3f11d8a1478da73254a733c1e18b45dc63e8a81abeb84aec76240a8a4ed6a41260c0bb01a0c51e70c18f88c9bf1a86a0ca824f

/data/data/com.fieldabout2/kl.txt

MD5 db0571af0c70f6860ad004773b41471e
SHA1 e45be0bfbb61476a82eb74cc2ec5c182f56dd0ac
SHA256 28883ebbece6ded0dbe43da8635a18e1fd62a26f9e19e34fab9cc37317b06d65
SHA512 16f2cf4fa7c9fb1008b52cf544d50dabe2799e263eab247c71e8dbc3f2a909cc9368d01e9416e1a72e25bd8ef3c0e1da3857814bc360ffc7df809185f1879319

/data/data/com.fieldabout2/cache/oat/pdauwwgkbo.cur.prof

MD5 a2aa9daec8b895451d79fcb3fb80090a
SHA1 bad128e9c5541c181ae404f52710241ab9fd3139
SHA256 f740bad7b6391ebe6428320ef5b71fb9caf02a9b707177445af89317297140a5
SHA512 f5936adb1c2d59a2d396904785db6649eccf3598bdde0045c1a24faebf279d215db651a872a8e61ff8e3e072f60d54b1e643feb9fa354467b1247b65a8fc0e46

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-16 22:00

Reported

2024-07-16 22:03

Platform

android-x64-20240624-en

Max time kernel

173s

Max time network

174s

Command Line

com.fieldabout2

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.fieldabout2/cache/pdauwwgkbo | N/A | N/A
N/A | /data/user/0/com.fieldabout2/cache/pdauwwgkbo | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A
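Both behavioral runs show the sample driving the Accessibility service, and the first run also shows it opening the notification-listener settings and the battery-optimization exemption dialog. On a suspect device those three grants are visible in system state, which makes a quick check possible without the sandbox. The script below is an added example, not part of the report: it parses the values of `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure enabled_notification_listeners` and `adb shell dumpsys deviceidle whitelist`, fed here as constructed strings. The line formats are those the commands print on current Android builds (an assumption stated in the code); the com.fieldabout2 component class names are hypothetical, since the report does not name the sample's service classes.

```python
"""Triage a device for the grants this sample requests.

Added example, not from the report. Input strings are constructed stand-ins
for the output of three adb queries; the component names are hypothetical.
"""

# Constructed output of `settings get secure enabled_accessibility_services`:
# colon-separated package/class pairs (assumed format; "null" when unset).
A11Y = ("com.google.android.marvin.talkback/"
        "com.google.android.marvin.talkback.TalkBackService:"
        "com.fieldabout2/com.fieldabout2.AccService")

# Constructed output of `settings get secure enabled_notification_listeners`.
NOTIF = "com.fieldabout2/com.fieldabout2.NotifService"

# Constructed output of `dumpsys deviceidle whitelist`: kind,package,uid.
# "user" entries are exemptions granted through the
# REQUEST_IGNORE_BATTERY_OPTIMIZATIONS dialog (assumed format).
IDLE_WL = """system-excidle,com.google.android.gms,10012
system,com.android.providers.downloads,10007
user,com.fieldabout2,10152
"""

# Analyst allowlist of packages expected to hold these grants (assumption).
KNOWN_OK = {"com.google.android.marvin.talkback"}


def components(setting_value):
    """Split a flattened ComponentName list into {package: [class, ...]}."""
    out = {}
    value = setting_value.strip()
    if not value or value == "null":
        return out
    for item in value.split(":"):
        pkg, _, cls = item.partition("/")
        out.setdefault(pkg, []).append(cls)
    return out


def user_battery_exemptions(dump):
    """Packages exempted from Doze at the user's (or an app's) request."""
    pkgs = set()
    for line in dump.strip().splitlines():
        parts = line.split(",")
        if len(parts) == 3 and parts[0] == "user":
            pkgs.add(parts[1])
    return pkgs


def suspicious_packages(a11y, notif, idle, allow=KNOWN_OK):
    """Count, per package, how many of the three grants it holds.

    A package holding all three (accessibility, notification access, Doze
    exemption) matches the behaviour this report describes.
    """
    score = {}
    for pkg in components(a11y):
        score[pkg] = score.get(pkg, 0) + 1
    for pkg in components(notif):
        score[pkg] = score.get(pkg, 0) + 1
    for pkg in user_battery_exemptions(idle):
        score[pkg] = score.get(pkg, 0) + 1
    return {p: s for p, s in score.items() if p not in allow}


if __name__ == "__main__":
    print(suspicious_packages(A11Y, NOTIF, IDLE_WL))
```

When the package also appears as an active device admin (the static pass shows a BIND_DEVICE_ADMIN receiver), `pm uninstall` will fail until the admin is removed, so deactivate it first.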

Processes

com.fieldabout2

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | lolo2naberlo.com | udp
US | 1.1.1.1:53 | mutocosturoyur.com | udp
US | 1.1.1.1:53 | havalarsicaktir.com | udp
US | 1.1.1.1:53 | gurcustill254.com | udp
US | 1.1.1.1:53 | r4s5t2t2fa.com | udp
RU | 193.143.1.25:443 | r4s5t2t2fa.com | tcp
RU | 193.143.1.25:443 | r4s5t2t2fa.com | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp
RU | 193.143.1.25:443 | r4s5t2t2fa.com | tcp
RU | 193.143.1.25:443 | r4s5t2t2fa.com | tcp
RU | 193.143.1.25:443 | r4s5t2t2fa.com | tcp
GB | 142.250.179.238:443 | | tcp
GB | 142.250.200.34:443 | | tcp
RU | 193.143.1.25:443 | r4s5t2t2fa.com | tcp
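In both runs' Network tables the sample looks up five non-Google domains but only one of them, r4s5t2t2fa.com, receives TCP connections (to 193.143.1.25:443); the other four appear as DNS queries only. The script below is an added example, not part of the report, that turns such rows into two indicator sets: domains that were actually contacted and domains that were only resolved. Its input is a constructed subset of the rows from the two tables, in the report's column order. Which hostnames count as benign infrastructure is an analyst allowlist and an assumption here, not something the report states.

```python
"""Derive contacted vs DNS-only indicators from the sandbox network tables.

Added example, not from the report. Rows are constructed from the two
behavioral runs above; the benign-suffix list is an analyst assumption.
"""

# Rows in the report's column order: country, destination, [domain], proto.
NETWORK_ROWS = """
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 mutocosturoyur.com udp
US 1.1.1.1:53 gurcustill254.com udp
US 1.1.1.1:53 havalarsicaktir.com udp
US 1.1.1.1:53 r4s5t2t2fa.com udp
US 1.1.1.1:53 lolo2naberlo.com udp
RU 193.143.1.25:443 r4s5t2t2fa.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
RU 193.143.1.25:443 r4s5t2t2fa.com tcp
"""

# Assumed allowlist: hosts the Android image itself talks to.
BENIGN_SUFFIXES = (".googleapis.com", ".google.com", ".google-analytics.com")


def parse_rows(text):
    """Parse 'country dest[:port] [domain] proto' lines; the domain is optional."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue  # skip anything that is not a data row
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_benign(domain):
    return domain is not None and domain.endswith(BENIGN_SUFFIXES)


def classify(rows):
    """Return (contacted, dns_only).

    contacted: domain -> set of 'ip:port' endpoints that received TCP traffic.
    dns_only: domains that were queried on port 53 but never connected to.
    """
    contacted, dns_only = {}, set()
    for r in rows:
        d = r["domain"]
        if d is None or is_benign(d):
            continue
        if r["proto"] == "tcp":
            contacted.setdefault(d, set()).add(f'{r["ip"]}:{r["port"]}')
        elif r["port"] == 53:
            dns_only.add(d)
    dns_only -= set(contacted)
    return contacted, dns_only


def unresolved_tcp(rows):
    """TCP destinations the sandbox did not tie to any domain name."""
    return sorted({r["ip"] for r in rows
                   if r["proto"] == "tcp" and r["domain"] is None})


if __name__ == "__main__":
    parsed = parse_rows(NETWORK_ROWS)
    live, dormant = classify(parsed)
    print("contacted:", live)
    print("dns only:", sorted(dormant))
    print("tcp without domain:", unresolved_tcp(parsed))
```

Block both sets: a DNS-only domain in a sandbox run means only that the lookup happened in that run, not that the domain is unused, and the sample may rotate to it when the contacted one is taken down. The TCP flows without a domain are most likely the Google-owned addresses the emulator image contacts, but confirm that against the IP ranges before discarding them.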

Files (the same path is listed once per captured revision; the hashes differ)

/data/data/com.fieldabout2/cache/pdauwwgkbo

MD5 44652c376a64287ab5d3672c4b743d6d
SHA1 2deefa4fe9a2dd18b692c6db0e76e3efb45d4c5c
SHA256 002b760287061cf36e6c775f0d2f9673e68a8256a4ec1688a01f0095b7e8bff5
SHA512 d3b07128848ff076ede2b596f9c670edd974a9be4c80d740e23c9fc022e564475711d0173a51618d0c6716de795d81787f7ae726c1db17ccc9dce41f6405ae77

/data/data/com.fieldabout2/kl.txt

MD5 2fbd5ae33880f2290550c09455267cf6
SHA1 76809a57e972fdeb129101ebec3e8651a37e7464
SHA256 9f2a8d2cdd57916907376c684e5ef1e1bb462477d587fbe6c4a31b6c7b3bbd26
SHA512 cb0bee1b88c3c226ad65bf637f67af405ef4d98101ef6e0149494de0ad639d919bcd99030cbec599efb6c71211828d58e24f0fe1f09a55ef743feaa22081f0b0

/data/data/com.fieldabout2/kl.txt

MD5 a4ecac38a686305a7f4cefad6996a639
SHA1 b2fd3b6af231c078fc88afd26813549b4438f5d4
SHA256 1ba817501fa26ecfc24a49794e1e00d9e9e7dc7f46f52aa733536f7f2efcade5
SHA512 cb6b7911f5ca51542609b3feba76c892517a7c035585f0d616fcebdf1ceb83448f56519ff27f94c2e168b3a92ee674c30df5d761670f7fd777528b47816f8bc9

/data/data/com.fieldabout2/kl.txt

MD5 d733ff5c5289df1c3ffb707d5c7a6ab6
SHA1 4152007cb6907ae986565055ac261767b356c887
SHA256 06472c2008347422e43a5ea515753e977fc4b912ef72f7fa4d92ea5be7b3473d
SHA512 c66a9d192f1209e2129f17f05a8f8bb6596789d00508d46a4103745f6dc54008526ba06df6fdea524d25c69accac813803813509b5d7e64cd402f23be75ae412

/data/data/com.fieldabout2/kl.txt

MD5 b26f6c0fb87a9c119e98b5bd1c599801
SHA1 813628724b160130426cc7bea068db33ccd3313b
SHA256 22d6ac83ccaddc4f74cbabcff77f2f7e356c0c2bc149d0c708cc8a5dd22c7ee2
SHA512 b36a9b028fd23fb1dbc94013c8e112403824902e5761cf2a8dc0a39be6c34a2cf6838c643a2373243672c94cbe538532586e8feab2e68165a0a1d8b8f9fe2b76

/data/data/com.fieldabout2/kl.txt

MD5 427a2c7a91dd4a204ee9a31a9ad42430
SHA1 fc5f26b72355d2599e1927d961c89aa162dec269
SHA256 cdbc35c824291ec642fdd61cba4a2728bbd1f7fb1d3791ab77d4d1e51d1d1bda
SHA512 4b96b06c8b404e12e573f9496104ca0b2d4ccebc897aead7278d56dd8820fa20600542b70629e638a94fad56868802b0c21cfb93a7aa3339b91b66fec175e165

/data/data/com.fieldabout2/cache/oat/pdauwwgkbo.cur.prof

MD5 5f5cdb47f75cd054e8122ff9c34df7ab
SHA1 ec3b2201f9fd8a7ec5e98518c39bebe3474353a2
SHA256 f102336ac575706a0bec58ed483c93836379b92a8d9173b935be73f904221f50
SHA512 131e0c80a5708adc42837793c6486099917c5a32b8240eef1df467e2f82bfe928b9099457667d56eb7e8ab1712825ef4f666466ea62bd75ad04b35cab6d4954c

/data/data/com.fieldabout2/.qcom.fieldabout2

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c
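The Files tables above, together with the "Loads dropped Dex/Jar" signature in both runs, point at one artifact worth pulling first: /data/user/0/com.fieldabout2/cache/pdauwwgkbo, the file the app loads as code (the matching .cur.prof under cache/oat/ is the ART profile the runtime wrote for it). kl.txt is listed five times per run with different hashes, i.e. it is rewritten during execution. The script below is an added example, not part of the report: it classifies recovered files by their leading magic bytes (DEX or ZIP/JAR), hashes them with the same four algorithms the report uses, and groups repeated paths so every distinct revision is kept. The file contents it runs on are constructed placeholders, not the real dropped files, so the hashes it produces are not the ones listed above; on a real case the files would be pulled from the device and passed in the same way.

```python
"""Classify and hash files recovered from an app's data directory.

Added example, not from the report. Sample contents are constructed
stand-ins; the report's hashes belong to the real files.
"""
import hashlib

DEX_MAGIC = b"dex\n"       # "dex\n" + 3-digit version + NUL, e.g. b"dex\n035\x00"
ZIP_MAGIC = b"PK\x03\x04"  # jar/apk containers


def classify(data):
    """Return 'dex', 'jar' or 'other' based on the leading magic bytes."""
    if data.startswith(DEX_MAGIC) and len(data) >= 8 and data[7:8] == b"\x00":
        return "dex"
    if data.startswith(ZIP_MAGIC):
        return "jar"
    return "other"


def hashes(data):
    """MD5/SHA1/SHA256/SHA512 hex digests, the set the report lists per file."""
    return {h: hashlib.new(h, data).hexdigest()
            for h in ("md5", "sha1", "sha256", "sha512")}


def triage(files):
    """files: iterable of (path, bytes), possibly with repeated paths.

    Groups by path so a rewritten file keeps one entry per distinct revision,
    and flags executable code sitting under the app's cache/ directory.
    """
    report = {}
    for path, data in files:
        entry = report.setdefault(path, {"kind": classify(data), "revisions": []})
        digest = hashes(data)["sha256"]
        if digest not in entry["revisions"]:
            entry["revisions"].append(digest)
        entry["code_in_cache"] = entry["kind"] in ("dex", "jar") and "/cache/" in path
    return report


# Constructed samples standing in for the paths the report lists.
SAMPLES = [
    ("/data/data/com.fieldabout2/cache/pdauwwgkbo", b"dex\n035\x00" + b"\x00" * 64),
    ("/data/data/com.fieldabout2/kl.txt", b"revision 1\n"),
    ("/data/data/com.fieldabout2/kl.txt", b"revision 1\nrevision 2\n"),
    ("/data/data/com.fieldabout2/kl.txt", b"revision 1\nrevision 2\n"),  # unchanged
    ("/data/data/com.fieldabout2/cache/oat/pdauwwgkbo.cur.prof", b"placeholder profile"),
]


if __name__ == "__main__":
    for path, info in triage(SAMPLES).items():
        print(path, info["kind"], len(info["revisions"]), "revision(s)",
              "CODE IN CACHE" if info["code_in_cache"] else "")
```

A DEX or JAR under cache/ that the app then loads is the concrete thing to extract and analyse; the file name pdauwwgkbo carries no extension, which is why the magic check rather than the name decides.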