Malware Analysis Report

2024-09-09 13:51

Sample ID 240716-1wxwkssblq
Target 154136f872be4c2c0e22320336d9df9b08e7f84fd7fea88376b66ce3c2a8a579.bin
SHA256 154136f872be4c2c0e22320336d9df9b08e7f84fd7fea88376b66ce3c2a8a579
Tags octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 154136f872be4c2c0e22320336d9df9b08e7f84fd7fea88376b66ce3c2a8a579.bin was found to be: Known bad.

Malicious Activity Summary

Octo payload

Octo

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's foreground persistence service

Requests accessing notifications (often used to intercept notifications before users become aware).

Acquires the wake lock

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Reads information about phone network operator.

Declares services with permission to bind to the system

Requests modifying system settings.

Queries the unique device ID (IMEI, MEID, IMSI)

Declares broadcast receivers with permission to handle system events

Performs UI accessibility actions on behalf of the user

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-07-16 22:00

Signatures

Declares broadcast receivers with permission to handle system events

android.permission.BIND_DEVICE_ADMIN: Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

android.permission.BIND_ACCESSIBILITY_SERVICE: Required by accessibility services to bind with the system. Allows apps to access accessibility features.
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE: Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.

Requests dangerous framework permissions

android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.

Analysis: behavioral1

Detonation Overview

Submitted 2024-07-16 22:00
Reported 2024-07-16 22:06
Platform android-x86-arm-20240624-en
Max time kernel 170s
Max time network 140s

Command Line

com.markbook77

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Indicator: /data/user/0/com.markbook77/cache/tobyqog (loaded twice)

Makes use of the framework's Accessibility service

collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service

evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user

evasion
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (4 calls)

Queries the mobile country code (MCC)

discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Requests modifying system settings.

evasion
Intent action: android.settings.action.MANAGE_WRITE_SETTINGS

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call: android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)

impact
Framework API call: javax.crypto.Cipher.doFinal

Processes

com.markbook77

Network


Files

/data/data/com.markbook77/cache/tobyqog

/data/data/com.markbook77/kl.txt (five versions written during the run)

/data/data/com.markbook77/cache/oat/tobyqog.cur.prof

/data/data/com.markbook77/.qcom.markbook77

Analysis: behavioral2

Detonation Overview

Submitted 2024-07-16 22:00
Reported 2024-07-16 22:06
Platform android-x64-20240624-en
Max time kernel 179s
Max time network 170s

Command Line

com.markbook77

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Loads dropped Dex/Jar

evasion
Indicator: /data/user/0/com.markbook77/cache/tobyqog (loaded twice)

Makes use of the framework's Accessibility service

collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service

evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user

evasion
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (4 calls)

Queries the mobile country code (MCC)

discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call: android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)

impact
Framework API call: javax.crypto.Cipher.doFinal

Processes

com.markbook77

Network


Files

/data/data/com.markbook77/cache/tobyqog

/data/data/com.markbook77/kl.txt (five versions written during the run)

/data/data/com.markbook77/cache/oat/tobyqog.cur.prof

/data/data/com.markbook77/.qcom.markbook77