Malware Analysis Report

2024-09-09 13:50

Sample ID 240716-1wrdssvelg
Target 330b967d2eead8e702407b514c1dd4a04f3b3a3f75dcb08836004500fd95515a.bin
SHA256 330b967d2eead8e702407b514c1dd4a04f3b3a3f75dcb08836004500fd95515a
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

330b967d2eead8e702407b514c1dd4a04f3b3a3f75dcb08836004500fd95515a

Threat Level: Known bad

The file 330b967d2eead8e702407b514c1dd4a04f3b3a3f75dcb08836004500fd95515a.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Reads information about phone network operator.

Performs UI accessibility actions on behalf of the user

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests modifying system settings.

Makes use of the framework's foreground persistence service

Acquires the wake lock

Queries the mobile country code (MCC)

Requests accessing notifications (often used to intercept notifications before users become aware).

Requests dangerous framework permissions

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Queries the unique device ID (IMEI, MEID, IMSI)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-16 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
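The static1 signatures above are all manifest-level facts: the BIND_* permissions are the android:permission attribute on a service or receiver (the system binds to the component), and the dangerous permissions are uses-permission entries. The following is an added example, not part of the sandbox report or of the sample, that applies the same permission-combination heuristic to a decoded AndroidManifest.xml (as produced by apktool; the binary manifest inside the APK must be decoded first). The manifest below is constructed from the permissions this report lists; the component names (.AccService, .NotifService, .AdminReceiver) are hypothetical.

```python
"""Score a decoded AndroidManifest.xml for the banker-style permission set.

Added example: not from the sandbox report or the sample.  SAMPLE_MANIFEST is
constructed from the permissions listed in the static1 section; the component
names in it are hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest mirroring the report's static1 findings.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.moneywhere3">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="app">
    <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# Constructed control case: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="weather"><activity android:name=".Main"/></application>
</manifest>
"""


def extract_permissions(manifest_xml: str):
    """Return (requested permissions, {component name: bind permission})."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    bound = {}
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(ANDROID + "permission")
            if perm:  # BIND_* permissions live on the component, not in uses-permission
                bound[comp.get(ANDROID + "name")] = perm
    return requested, bound


def score_manifest(manifest_xml: str) -> list:
    """Names of the banker-style capabilities the manifest declares.

    Each item alone has legitimate uses (SMS apps, accessibility tools); the
    combination of overlay/accessibility, notification capture, device admin
    and SMS control is what makes the sample look like a banker.
    """
    requested, bound = extract_permissions(manifest_xml)
    bound_perms = set(bound.values())
    checks = {
        "accessibility_service": "android.permission.BIND_ACCESSIBILITY_SERVICE" in bound_perms,
        "notification_listener": "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE" in bound_perms,
        "device_admin_receiver": "android.permission.BIND_DEVICE_ADMIN" in bound_perms,
        "sms_interception": bool(requested & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}),
        "sms_sending": "android.permission.SEND_SMS" in requested,
        "silent_calls": "android.permission.CALL_PHONE" in requested,
        "system_settings_write": "android.permission.WRITE_SETTINGS" in requested,
    }
    return [name for name, hit in checks.items() if hit]


if __name__ == "__main__":
    print("sample:", score_manifest(SAMPLE_MANIFEST))
    print("benign:", score_manifest(BENIGN_MANIFEST))
```

The heuristic intentionally counts capabilities rather than raw permission strings, so a manifest that requests READ_SMS for a legitimate verification flow scores one hit, not the full set.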

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-16 22:00

Reported

2024-07-16 22:03

Platform

android-x86-arm-20240624-en

Max time kernel

45s

Max time network

146s

Command Line

com.moneywhere3

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.moneywhere3/cache/srcrlowsn | N/A | N/A
N/A | /data/user/0/com.moneywhere3/cache/srcrlowsn | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.moneywhere3

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.180.10:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | hava540derece.com | udp
US | 1.1.1.1:53 | cehennemdirloo34.com | udp
US | 1.1.1.1:53 | selamcanoonaber.site | udp
US | 1.1.1.1:53 | sicakdanbeynimyandii2.com | udp
US | 1.1.1.1:53 | otururkenterliyorum42.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp

Files

/data/data/com.moneywhere3/cache/srcrlowsn

MD5 36a6730ae2860d25cae3a1ae6fde11aa
SHA1 7597dc72e253cee5a4b1f02544be0e63aa868081
SHA256 776d09656339ec2be9e3e050655a8b97873018b2653782eae2134a3fb7ae7c69
SHA512 921d6d97be3dd5b68994d808c2498403d8a9de9c8bb53b0bdc1a52debc36ed5d5da38ec458e19d0d3df19bf9f62e1924d962ea72dca41eb1d172f18876c20f34

/data/data/com.moneywhere3/kl.txt

MD5 e0f6198d71c771b3c46351683da748cb
SHA1 f81fef43c769d72d60de7ea5b567014141c10003
SHA256 021da39792f7dac507660135184451d1f9078b20bfa951a6841d6337590addf9
SHA512 feec50ca972a5adf5ee271122296d009a017be676e020ee3625ab749ad1c8b1de408c9706f21287d8ba0db19c6bf9c2c672d46f1d3ec044a0e61c03432969343

/data/data/com.moneywhere3/kl.txt

MD5 3ccb932d49800a0afdb81b853fac661b
SHA1 8cbfeb7607bde33897f9b001f685192cd9ccd610
SHA256 86a7b20b07d6d5cf8ffbac756f0b0da3eedccc984b17d54238727a2fc695336e
SHA512 ab535a1874da6c7573a70becdc16531eadbcc2b7fb922ef4ec16d602bddee55bd92088fd9d553bec42b9e701401fb75ab8698b63f2cd9dbe0760f81f35dd93d6

/data/data/com.moneywhere3/kl.txt

MD5 2a631e852b92d32ed0ab33dbb5a07678
SHA1 6e772d527fd2e9a53e3b02e0539c349c28404a5d
SHA256 df22ca6b01a45dc79d95728417f8233c852e41332cc0fdcbe0e9f8f5db4c844e
SHA512 c6a02d75e0d14a056c4166f3e19eabf330a672fafe9a6e1c22ae5ac92c4f8887afa9e28e7c04eb7f292c1ad2d54a931c9d5419128856437108120a08f04a97d1

/data/data/com.moneywhere3/kl.txt

MD5 2275b7535b6f22d62825f733211414e7
SHA1 0a40f7a90682f2a74fb3cb9074feb90009b248c4
SHA256 e110786b10abb5529e80e3e8fd00f63f08ce5987420f7800ff029370fb6e2a46
SHA512 477af4d07465663bb7ba30208ac8f2cb1cdcf65f62e02f0d3b7ca82af1e6695119ad84c3f121e1016c7f94241906804b3bc05b52f86aee6d04661fb2b93fa2eb

/data/data/com.moneywhere3/kl.txt

MD5 d1242d1b66a73c17cff4403d1182f64d
SHA1 e77aafb375c67a119cdf5465a1b4efb887b5b3c7
SHA256 9cfc5df7899b9b02de527e09880cb900c3106246c948191824d292bdc1672ade
SHA512 b592de21b5866bb3a2d9bd35fcd4b40a4022439aa84ddaa45264b2d38b9d2e1aeff869e18fd46fd839dbe86b680b09a7b7dd676f63d0ea910641bfc09e0d0bb2

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-16 22:00

Reported

2024-07-16 22:03

Platform

android-33-x64-arm64-20240624-en

Max time kernel

176s

Max time network

184s

Command Line

com.moneywhere3

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.moneywhere3/cache/srcrlowsn | N/A | N/A
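Both detonations (behavioral1 and behavioral2) flag runtime loading of /data/user/0/com.moneywhere3/cache/srcrlowsn, which also appears under Files with SHA256 776d09656339ec2be9e3e050655a8b97873018b2653782eae2134a3fb7ae7c69. When such a blob is pulled off the device or out of the sandbox, the first question is whether it is a self-contained DEX or jar that can be decompiled directly, or something that only becomes code after the app's own decryption (the report's javax.crypto.Cipher.doFinal call is consistent with either, and the report does not say which). The following is an added example, not part of the report or the sample, that checks the DEX header integrity fields (magic, adler32 checksum over everything after offset 12, SHA-1 signature over everything after offset 32, file_size, header_size, endian_tag) or recognises a zip container. The minimal DEX it builds is synthetic; nothing here is a claim about the contents of srcrlowsn.

```python
"""Classify a blob dropped into an app's private cache as DEX, jar/apk or neither.

Added example; not from the sandbox report or the sample.  build_minimal_dex()
produces a synthetic, header-only DEX so the integrity checks can be exercised
offline; it says nothing about the real srcrlowsn file.
"""
import hashlib
import struct
import zlib

DEX_MAGICS = {b"dex\n" + v + b"\0" for v in (b"035", b"037", b"038", b"039")}
HEADER_SIZE = 0x70            # the DEX header is always 0x70 bytes
ENDIAN_CONSTANT = 0x12345678  # little-endian file; 0x78563412 would mean byte-swapped


def classify_dropped_file(data: bytes) -> dict:
    """Return what the blob looks like and whether its DEX integrity fields verify."""
    if data[:4] == b"PK\x03\x04":
        # jar/apk container: DexClassLoader accepts these too; the classes.dex
        # inside would get the same header check after extraction.
        return {"kind": "zip", "valid": True}
    if len(data) < HEADER_SIZE or data[:8] not in DEX_MAGICS:
        # No DEX magic: not loadable as-is.  A blob the app nevertheless loads may be
        # an encrypted or packed stage that is decrypted before use (assumption, not
        # something this report establishes for srcrlowsn).
        return {"kind": "unknown", "valid": False}

    (checksum,) = struct.unpack_from("<I", data, 8)           # adler32 of data[12:]
    signature = data[12:32]                                    # sha1 of data[32:]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)

    checksum_ok = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
    signature_ok = hashlib.sha1(data[32:]).digest() == signature
    valid = (checksum_ok and signature_ok and file_size == len(data)
             and header_size == HEADER_SIZE and endian_tag == ENDIAN_CONSTANT)
    return {
        "kind": "dex",
        "version": data[4:7].decode("ascii"),
        "checksum_ok": checksum_ok,
        "signature_ok": signature_ok,
        "valid": valid,
    }


def build_minimal_dex(version: bytes = b"035") -> bytes:
    """Synthetic header-only DEX with correct checksum and signature (test fixture)."""
    buf = bytearray(HEADER_SIZE)
    buf[0:8] = b"dex\n" + version + b"\0"
    struct.pack_into("<III", buf, 32, HEADER_SIZE, HEADER_SIZE, ENDIAN_CONSTANT)
    # Signature covers everything after itself, checksum everything after itself,
    # so compute the signature first and the checksum second.
    buf[12:32] = hashlib.sha1(bytes(buf[32:])).digest()
    struct.pack_into("<I", buf, 8, zlib.adler32(bytes(buf[12:])) & 0xFFFFFFFF)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify_dropped_file(fh.read()))
```

A blob that carries a valid DEX magic but fails the checksum or signature is still worth looking at: loaders do not verify these fields, so a patched-in-place payload loads fine, and the mismatch itself is a useful triage signal.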

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.moneywhere3

Network

Country | Destination | Domain | Proto
GB | 216.58.201.100:443 | | udp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.204.78:443 | | udp
US | 1.1.1.1:53 | sicaktanbayilcam52.com | udp
US | 1.1.1.1:53 | selamcanoonaber.site | udp
US | 1.1.1.1:53 | cehennemdirloo34.com | udp
US | 1.1.1.1:53 | hava540derece.com | udp
US | 1.1.1.1:53 | otururkenterliyorum42.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
GB | 216.58.201.100:443 | | udp
GB | 142.250.200.36:443 | | udp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp
US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp
US | 172.64.41.3:443 | | tcp
US | 172.64.41.3:443 | | tcp
GB | 216.58.201.99:443 | | tcp
GB | 216.58.201.99:443 | | tcp
US | 172.64.41.3:443 | | udp
GB | 216.58.201.99:443 | | udp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
GB | 216.58.212.202:443 | remoteprovisioning.googleapis.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
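The Network tables of both detonations (behavioral1 and behavioral2) mix three kinds of rows: resolver traffic to 1.1.1.1:53 (the Domain column is the name being looked up), connections to Google/Android platform hosts that any emulator image produces, and the sample's own traffic. Only one of the six non-Google domains queried ever resolved to a connection (otururkenterliyorum42.com to 193.143.1.24:443); the other five were looked up and never contacted within the capture window. The following is an added example, not part of the report, that separates those classes over the report's own rows (copied, duplicates collapsed) and emits the resulting IOC list. The platform allowlist (names under google.com and googleapis.com) and the reading of "queried but never contacted" as a fallback domain list are the editor's assumptions; IPs that appear without a resolved name are reported separately rather than classified.

```python
"""Turn a sandbox Network table into an IOC list.

Added example; not part of the sandbox report.  SAMPLE_ROWS are the report's
own rows from behavioral1 and behavioral2 with duplicates collapsed.  The
platform allowlist is an assumption made for this example.
"""
from collections import defaultdict

SAMPLE_ROWS = [
    "N/A 224.0.0.251:5353 udp",
    "GB 142.250.180.10:443 tcp",
    "US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp",
    "US 1.1.1.1:53 hava540derece.com udp",
    "US 1.1.1.1:53 cehennemdirloo34.com udp",
    "US 1.1.1.1:53 selamcanoonaber.site udp",
    "US 1.1.1.1:53 sicakdanbeynimyandii2.com udp",
    "US 1.1.1.1:53 sicaktanbayilcam52.com udp",
    "US 1.1.1.1:53 otururkenterliyorum42.com udp",
    "RU 193.143.1.24:443 otururkenterliyorum42.com tcp",
    "GB 142.250.187.206:443 tcp",
    "US 1.1.1.1:53 android.apis.google.com udp",
    "GB 142.250.178.14:443 android.apis.google.com tcp",
    "GB 216.58.201.100:443 udp",
    "US 1.1.1.1:53 rcs-acs-tmo-us.jibe.google.com udp",
    "US 216.239.36.155:443 rcs-acs-tmo-us.jibe.google.com tcp",
    "US 172.64.41.3:443 tcp",
    "US 1.1.1.1:53 remoteprovisioning.googleapis.com udp",
    "GB 216.58.212.202:443 remoteprovisioning.googleapis.com tcp",
]

# Assumption: platform background traffic from the emulator image, not the sample.
PLATFORM_SUFFIXES = (".google.com", ".googleapis.com")
MDNS_ADDRESS = "224.0.0.251"


def parse_row(line: str):
    """Parse 'Country Destination [Domain] Proto'; pipe-separated rows are accepted too."""
    tokens = line.replace("|", " ").split()
    if len(tokens) == 4:
        country, dest, domain, proto = tokens
    elif len(tokens) == 3:
        country, dest, proto = tokens
        domain = ""
    else:
        return None
    ip, _, port = dest.rpartition(":")
    if not port.isdigit():
        return None  # header line or malformed destination
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def is_platform_noise(domain: str) -> bool:
    return domain.endswith(PLATFORM_SUFFIXES)


def triage(rows) -> dict:
    """Split rows into contacted C2 candidates, queried-only domains and unattributed IPs."""
    queried, contacted, unattributed = set(), defaultdict(set), set()
    for line in rows:
        row = parse_row(line)
        if row is None or row["ip"] == MDNS_ADDRESS:
            continue
        if row["port"] == 53:
            # DNS lookup: the Domain column is the name queried, the IP is the resolver.
            if row["domain"] and not is_platform_noise(row["domain"]):
                queried.add(row["domain"])
        elif row["domain"]:
            if not is_platform_noise(row["domain"]):
                contacted[row["domain"]].add(row["ip"])
        else:
            unattributed.add(row["ip"])  # no name in the capture; left for manual lookup
    return {
        "contacted": dict(contacted),
        "queried_only": queried - set(contacted),  # resolved-for but never connected to
        "unattributed_ips": unattributed,
    }


def iocs(result: dict) -> list:
    """Flat, sorted indicator list: contacted domains and IPs plus queried-only domains."""
    out = set(result["queried_only"])
    for domain, ips in result["contacted"].items():
        out.add(domain)
        out.update(ips)
    return sorted(out)


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for key, value in result.items():
        print(key, value)
    print("iocs:", iocs(result))
```

The queried-only domains are blocklist material in their own right: the sample asked for them even though no connection followed, so a resolver log matching any of them is a signal independent of whether the 193.143.1.24 host is still up.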

Files

/data/data/com.moneywhere3/cache/srcrlowsn

MD5 36a6730ae2860d25cae3a1ae6fde11aa
SHA1 7597dc72e253cee5a4b1f02544be0e63aa868081
SHA256 776d09656339ec2be9e3e050655a8b97873018b2653782eae2134a3fb7ae7c69
SHA512 921d6d97be3dd5b68994d808c2498403d8a9de9c8bb53b0bdc1a52debc36ed5d5da38ec458e19d0d3df19bf9f62e1924d962ea72dca41eb1d172f18876c20f34

/data/data/com.moneywhere3/kl.txt

MD5 90f6d27759707710a1e7678e0d51858a
SHA1 09d8766301c0b383414ec59db67ebc379fb7b4ef
SHA256 6973093a935f124c929abee5ca76d7d21b8f2a709edda7fa733c79f8f24a66d3
SHA512 faba40d84eb12385fcb0744ed0c069c35317a91df87b411f4d92f845b1f054c149601c3e0da4e044654c3f1d4f25a0748bb0d9da9bff86bbdfa454f2d5aaf086

/data/data/com.moneywhere3/kl.txt

MD5 cfb51829182a77cf594883e308be45d9
SHA1 f03465a28b275e471c05ed5990f1e5bb84005a8f
SHA256 b40f048ae1404a10832040295e2f2887c43ed999de740a492ccd00543da1f6b2
SHA512 2339a70444e082d3dce7327a75ed934b4ac5f0876eadd3ac2194fc5f5108ec109373e883d04c511723f10b36759194452123c506be4317432014ced30865d697

/data/data/com.moneywhere3/kl.txt

MD5 b8d4522e2c0a86b179a790bd06a2172e
SHA1 dcd160f691f2fc010813d8024a1019f5fdc5ba3e
SHA256 14514b1b021b9a6926a43ad60a4566488128aef094c350dfcac9c83056761039
SHA512 16ccdb46dd17c3de0c6a8e02c91e10181a36319c61c56be575a9ea0133ea6cc2c11e3b74991959fa7277b075e6dbb93c4a1ed49e86498f156782bd36f998d9c8

/data/data/com.moneywhere3/kl.txt

MD5 89c8fd2678304226170942c86c4d3a1b
SHA1 b4626990c7720c6d51233b9026956f03d79b1c3a
SHA256 a646d2601e6e61aa1819f58c87ee2523d7a7d9acec18d48431c6eb92fa04d96d
SHA512 95a3afd949dc50084b44f3cfd079bdb2ed1609e03d64f36c5b0f6715910b10d45ee566d1e5ef8cca316d777eb48361f7cb68d0d57be92913622b8ab91376ed37

/data/data/com.moneywhere3/kl.txt

MD5 6ec4bb3273f8d9f453e85e5b1b2d7289
SHA1 694f8d2d15003f433cbecf4c05c8bcb8f3a3956c
SHA256 93b7fa086fb5108a16cbace7fe65e13cf01e8b44fd846752e4ef393b35d4ad6f
SHA512 d090868cbbe00ae08ea9a0a17711237288e443e2400bc7440a43d0ad07556bda9dae6095ca01fb1fbf144963e149033e3e72326e0581b62b404e9adc26f348a6

/data/data/com.moneywhere3/cache/oat/srcrlowsn.cur.prof

MD5 35dd20de12852fde8f336f39eaf48cf6
SHA1 5dae0b8766b350368a4c741f5f2ea8580b2f571c
SHA256 86cb9422e9107a1b74c7be326413f4a5e19a01212ac02b1877186b40d96b9e6b
SHA512 f76b2c1fb5546bc22de536f93d8933bb8e6e9d0c21749480e4bb37c0c7a1303bf5766a8ebbde100dadbc2bec3e18331225a03aaf2bd605dfb5a09e428554b262

/data/data/com.moneywhere3/.qcom.moneywhere3

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c