Malware Analysis Report

2024-09-09 13:49

Sample ID 240716-1wy4mssblr
Target 03b027dc82f9b115a615d167da4092d769b53f9a91b23b087ae6cee650b55143.bin
SHA256 03b027dc82f9b115a615d167da4092d769b53f9a91b23b087ae6cee650b55143
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Analysis Overview

score
10/10

SHA256

03b027dc82f9b115a615d167da4092d769b53f9a91b23b087ae6cee650b55143

Threat Level: Known bad

The file 03b027dc82f9b115a615d167da4092d769b53f9a91b23b087ae6cee650b55143.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Requests modifying system settings.

Declares broadcast receivers with permission to handle system events

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Reads information about phone network operator.

Queries the unique device ID (IMEI, MEID, IMSI)

Queries the mobile country code (MCC)

Requests accessing notifications (often used to intercept notifications before users become aware).

Acquires the wake lock

Performs UI accessibility actions on behalf of the user

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-16 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-16 22:00

Reported

2024-07-16 22:09

Platform

android-x86-arm-20240624-en

Max time kernel

171s

Max time network

150s

Command Line

com.objectno17

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.objectno17/cache/mzrdbwuppw | N/A | N/A
N/A | /data/user/0/com.objectno17/cache/mzrdbwuppw | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.objectno17

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | otururkenterliyorum42.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
GB | 142.250.200.46:443 |  | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
GB | 216.58.213.10:443 | semanticlocation-pa.googleapis.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp

Files

/data/data/com.objectno17/cache/mzrdbwuppw

MD5 6d05248f7acb847f04a9490e3f29f933
SHA1 d1602ac95c4ee20342b3ac8c03b5836dcd111d61
SHA256 39dfd62bf30545e15c0abac0036ce1f29552fece8a56d7aa490736deb794cc74
SHA512 43087460a04c47b40f0a9941752d10be4ca1ee40c10e6f32d0b9ba961e2c921eed921a7b72643ac5e9a2a85ff7f26a0b65c20895521fd0ef263a850a8dcf684c

/data/data/com.objectno17/kl.txt

MD5 f9e939718a1f1ad61fc04a8fb3360887
SHA1 fc91687210a7684642e817cc9913a04f23c49128
SHA256 46224f6a668a59a5ff783073f23d51ed30830b4b555b267a78423dd5b7fb2ef1
SHA512 4cb74219a9e396d272d4c62bc7808ddfbc529ed1f7be0b91d8fdae74b2723897264e584d02dda5d1509f7561edeb930fe7c82808b2666c6c780a46abe25a6656

/data/data/com.objectno17/kl.txt

MD5 901bd967fe9404394ad1098862127f09
SHA1 8e10c17b9447f51f7023d4c9564683b6353affe7
SHA256 5326c18bbf627a8ce4a91e5c85ae53b1c66d31df3f485d37c629123805702f9c
SHA512 615b9ad482426c2aa4e30382b216efc7a6324d1864d3181a08dc60f6341dccdd4b9dc4d0db7bf44dc43eac73cfebf05124c51c4aede1a7e79cedf9f99f503f51

/data/data/com.objectno17/kl.txt

MD5 5cecd17438bb72c021cf56c91944569d
SHA1 069ca2062ea78f3bfa0351a54ef608962be13c8f
SHA256 9aed4469f817339bbe41b44f908e9ce58ace5f5566cc5826d2af0fe64da62a77
SHA512 f16e64bc200491516bf760523859193eb6cad60de12cab51d0ec58ae1a2d15590bfe49292a99076ef3262dcb9a7a107ff8a952963ecc13140a2691abc74f74e1

/data/data/com.objectno17/kl.txt

MD5 f16b5461fc7afab523f5307d2c4368b1
SHA1 d6a7e19f550e3269101564f22464fb7123a5aae3
SHA256 4729daa7c558e0787163be3193ad3ef892485ef370a12ed941d3d047eb4083bf
SHA512 f7b69b6625d79d70ada46682adb9e6a31632cf4bd2b2c4b694f140454f75673d177a893a498b3533d4f1a8e63d52d7d315be1c61f367c183c7a9efe27c6ed024

/data/data/com.objectno17/kl.txt

MD5 e7a7a3820d0439816ddb25260ef5e800
SHA1 bddfad0dc88cb1ab19c48068bcf6d79006e02b5c
SHA256 b17518646168445efd987ef7c6eb441ffdd3814d2e8a05eeca097c1bd8500b4c
SHA512 bd8e11ff9f279f9057008172aae3d8ddd740bc7582d114868a32f386609645462466b99cd4d965e4268d90eb707b9ef73b7d078086dfbf04f011c1e74b388a92

/data/data/com.objectno17/cache/oat/mzrdbwuppw.cur.prof

MD5 383cb820cfdaca3ccdb0376461f839d5
SHA1 9d86c4a7dc18f5a6283c72a51f1118b132b03ef4
SHA256 5ca5abaca8605ac39edbfa100a0e77141a853cef0cf0d3d0e2752c18cc3f681e
SHA512 75dbb41e6dcb8a45306b6d17db407b4b7a785fc220be4e585582e47982816935faf034111db22f9f409f7f92d36db2b01e51e52dcd2eb5a8b4877902131bed43

/data/data/com.objectno17/.qcom.objectno17

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-16 22:00

Reported

2024-07-16 22:06

Platform

android-33-x64-arm64-20240624-en

Max time kernel

178s

Max time network

142s

Command Line

com.objectno17

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.objectno17/cache/mzrdbwuppw | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.objectno17

Network

Country | Destination | Domain | Proto
GB | 142.250.187.228:443 |  | udp
N/A | 224.0.0.251:5353 |  | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | otururkenterliyorum42.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
US | 1.1.1.1:53 | selamcanoonaber.site | udp
US | 1.1.1.1:53 | cehennemdirloo34.com | udp
US | 1.1.1.1:53 | sicakdanbeynimyandii2.com | udp
US | 1.1.1.1:53 | sicaktanbayilcam52.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp
US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
GB | 142.250.187.234:443 | remoteprovisioning.googleapis.com | tcp
GB | 142.250.187.228:443 |  | udp
GB | 142.250.187.228:443 |  | tcp
GB | 142.250.178.4:443 |  | udp
GB | 142.250.178.4:443 |  | tcp
GB | 142.250.178.4:443 |  | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
US | 162.159.61.3:443 |  | tcp
US | 162.159.61.3:443 |  | tcp
GB | 172.217.16.227:443 |  | tcp
GB | 172.217.16.227:443 |  | tcp
US | 162.159.61.3:443 |  | udp
GB | 172.217.16.227:443 |  | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
GB | 216.58.204.67:443 |  | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp

Files

/data/data/com.objectno17/cache/mzrdbwuppw

MD5 6d05248f7acb847f04a9490e3f29f933
SHA1 d1602ac95c4ee20342b3ac8c03b5836dcd111d61
SHA256 39dfd62bf30545e15c0abac0036ce1f29552fece8a56d7aa490736deb794cc74
SHA512 43087460a04c47b40f0a9941752d10be4ca1ee40c10e6f32d0b9ba961e2c921eed921a7b72643ac5e9a2a85ff7f26a0b65c20895521fd0ef263a850a8dcf684c

/data/data/com.objectno17/kl.txt

MD5 b0dea315965e8ed659fddfc3eefc825b
SHA1 08b3a083b6f0d1252bb1ddbb62247a5efba4a7f0
SHA256 1ed6fcd6e41f247b4d22fde3304e23f0867bc6cf8817da6261acd6fbee9d99bc
SHA512 0288cd7f7ab6150b7e69ba8b7a3a6ced2535bcf28f68e9990ac8f783afe2db4189cdaed072f6a18f90cff5abf2c8dbda03e7a89ba58cffc1d4690881260eab43

/data/data/com.objectno17/kl.txt

MD5 a30de0524457e6668fcab7edc4ddee39
SHA1 8aa5c6a1a80ecb6794a3d029651b135d82f6d665
SHA256 3845f9356d520ae92d67eb5896bd04c6ab42b518a7496e6a0cfa7cb8f93c7b84
SHA512 9303f2794d21f8d12eb09e85b7b72d7e36f6d85f17cc1f1a3e0d3bb490c7eb612053e9babc86c19d83ef4f2862cf26865a7f19532c9203e9799c95feb4619ad6

/data/data/com.objectno17/kl.txt

MD5 60c2b5a1a4450706b37b04852251fe90
SHA1 c9fe5870790dfd8725496f5d1457e27651a69ed0
SHA256 40aaa587a9dddb8642e5d00f26ce373339ad97080213bc9603e4dffe76eb63a8
SHA512 d2b9ff94dafea610dd711d782ee790537058cb21fa8c810b04ae96154b239a98b8923ff56f672e4720667deaa2c226225e9eb0d83553517c968d493afa0961d4

/data/data/com.objectno17/kl.txt

MD5 55a634cfd37eb0f3d81697c52b6a1add
SHA1 1ea2423ccc630e4d1f83f35b0b19ff64df32bf4f
SHA256 b80befb3b4c6fd83a8182557a52aa386de146042880af7fc3649139b6a458642
SHA512 171cb9f7bd3e1ac4e7e46280c04c307fd4f83325c3a4132c431f825617efea91cfda058857a1deebd90ba4356eaa2a608226ee91b93f3649053cf3292fbfc492

/data/data/com.objectno17/kl.txt

MD5 2c2a09cb053f506b65339e3fc35f632c
SHA1 dd6c8d3d32ec1b395c8ebff04f83e176da03e6fd
SHA256 309cfd1be1f0b8f2a6e7d97a1b41b13ded68b29652ce8b867160bfdd2b34c4df
SHA512 0e87b5b7f9a5470cee4b27d1330f37f70328c1a9f9444919a41aa7cbc0291d7f870c7952c32dab19f115a01c63d1a9404fb39e3e2942d7a9b0acb8fff4c28c1c

/data/data/com.objectno17/cache/oat/mzrdbwuppw.cur.prof

MD5 19202a1f659faf5b11ab29066e9c3928
SHA1 fb31ec5455e4c7849fecace9f1675a51978b6be2
SHA256 6959fd9a658d6c4c11a19cfcc9db1eddddc6812c32115b4508bb2c0dc1e59b25
SHA512 2c790033085e304c02f7c34b3e7e3addc4109f661de6172d4610437b0b9540fdef5b849010a02b03f7a5d97b75319906f53933da7866c63cafa64f669fd51839

/data/data/com.objectno17/.qcom.objectno17

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c