Malware Analysis Report

2024-09-09 13:51

Sample ID 240716-1zlygsscqn
Target f9e17c77f61b5f248620f9b5e29a1d4ef72e963cf677abc84c0f76649460062b.bin
SHA256 f9e17c77f61b5f248620f9b5e29a1d4ef72e963cf677abc84c0f76649460062b
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file f9e17c77f61b5f248620f9b5e29a1d4ef72e963cf677abc84c0f76649460062b.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests accessing notifications (often used to intercept notifications before users become aware).

Acquires the wake lock

Reads information about phone network operator.

Performs UI accessibility actions on behalf of the user

Makes use of the framework's foreground persistence service

Declares broadcast receivers with permission to handle system events

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests modifying system settings.

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Declares services with permission to bind to the system

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-16 22:05

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-16 22:05

Reported

2024-07-16 22:25

Platform

android-x86-arm-20240624-en

Max time kernel

171s

Max time network

139s

Command Line

com.warmoften35

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.warmoften35/cache/ntcxahfdrjya N/A N/A
N/A /data/user/0/com.warmoften35/cache/ntcxahfdrjya N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.warmoften35

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
GB 216.58.204.74:443 N/A tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 mutocosturoyur.com udp
US 1.1.1.1:53 gurcustill254.com udp
US 1.1.1.1:53 lolo2naberlo.com udp
US 1.1.1.1:53 havalarsicaktir.com udp
US 1.1.1.1:53 r4s5t2t2fa.com udp
GB 142.250.187.206:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
RU 193.143.1.25:443 r4s5t2t2fa.com tcp
US 1.1.1.1:53 havalarsicaktir.com udp
RU 193.143.1.25:443 r4s5t2t2fa.com tcp
RU 193.143.1.25:443 r4s5t2t2fa.com tcp
RU 193.143.1.25:443 r4s5t2t2fa.com tcp
RU 193.143.1.25:443 r4s5t2t2fa.com tcp
RU 193.143.1.25:443 r4s5t2t2fa.com tcp
RU 193.143.1.25:443 r4s5t2t2fa.com tcp

Files

/data/data/com.warmoften35/cache/ntcxahfdrjya

MD5 77431e7769c4c11e4523c0ac2982d3fb
SHA1 a4c69daf67ac821d11ab664015e499cad49e1a29
SHA256 fc8c9365709b96defd6ca3ac445351101d4547766fd757cfefad64922185cdff
SHA512 414a30f909838a882195a5d950c6ebf4503ebd65ca4942dc6eba882cfb965bb7b8f9a0552d9a749e0a5a8ea54fb9a52507ee7e939127c2b1cced7b69e769430e

/data/data/com.warmoften35/kl.txt

MD5 45c10562434cc1f29d498b66ea35a926
SHA1 a4f0b2e55c1774886d56f3173e89f8ac8ddff70b
SHA256 0c3dbec4ce22ce581077ab9425082443ca2fa95f3c3ecdd8aa852a4a9725c1de
SHA512 a812b0058c8778df5854df00c73db5a44d844611359789dac09eb0004f5b490cc3c18e5a120d40d189ddb6b186fa7278e0e309a0a29d369a7c1255f501461910

/data/data/com.warmoften35/kl.txt

MD5 44063b0d335f145d7bf67000a99b258f
SHA1 8de1ea843206191512690851674ef4f84691409f
SHA256 6b0a3f79e31aa16c4d0f9764bf70cde48b98b6e03e2b78d141a7b6b6a7433385
SHA512 44a6cc2dbb668151fef5bdb814a3bcd8e4fef62dec3867e18416270b3b05c55c0816297ed4302b60cd4a3ceb36935aa0bbeb814d0b797a8a5197cac4fcc27d2d

/data/data/com.warmoften35/kl.txt

MD5 9b85b11c74cf8e58a60a3616cc4845cb
SHA1 345f2ea06c601b8b2b0273244ddbc941c90617c4
SHA256 d31b05ba0d5464b3b3d5ea72182775dc7233187f8f37709047ea37a34e3f4b63
SHA512 90ab62fb278d98c7da424363038158d6c6fa10258d9f12abb79794695f686c2023b1f6dfe60e869cbe46432243e8976c8257446053f30be3a151febd724cb6fa

/data/data/com.warmoften35/kl.txt

MD5 5ff08f72452c1c348cf505e5134acdf5
SHA1 a959b1584c72cc8e71885c65367f37dec80e546d
SHA256 c4ee5573b3eaec8adb6322941e5a068656e476b25180b3cc0fbe1f939e187014
SHA512 054f526278c6d6330ed8b185fa5081b9b91cc0435d210efe1eaf13743766899e2a59b6b6fc35fb803ba6b449851579773fd6c4bf08c95979b002cc5715ab1022

/data/data/com.warmoften35/kl.txt

MD5 63813e3ad0799543b8bcba9f71198e19
SHA1 c50d9d1ccb8508140957f7a16a1724176a936e8d
SHA256 b2f3eb4f1597d53f64bd9b281f95821d026397434c8a693e5dfdf9b3e83a138d
SHA512 4150531d629c730f9df114501e05651d232238323c15569ec1c101d16c44a7b0a88ebf568e90bc5b356e7420126ee14acb01a3b2fd2be8ed46bb6163bd83b062

/data/data/com.warmoften35/cache/oat/ntcxahfdrjya.cur.prof

MD5 63a2fc015f0bf003b232ec4168d423e7
SHA1 cf8b36328eb7618bbf12f7415ed63e29e1883ea6
SHA256 845ea0c4f4187d686205d825e7b5a7fdea0cb8d3aa6d4a9175729cc4b9655d2e
SHA512 77ed630c52e428750a7f36ce8a43b7e2bc9915a062d7eb8e012193a2b5e62b234edf7c97c55bf84a0f677809e744f07567d3ff99dfea1140a4313f0ee3fa9472

/data/data/com.warmoften35/.qcom.warmoften35

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-16 22:05

Reported

2024-07-16 22:25

Platform

android-x64-20240624-en

Max time kernel

178s

Max time network

152s

Command Line

com.warmoften35

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.warmoften35/cache/ntcxahfdrjya N/A N/A
N/A /data/user/0/com.warmoften35/cache/ntcxahfdrjya N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.warmoften35

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 lolo2naberlo.com udp
US 1.1.1.1:53 r4s5t2t2fa.com udp
RU 193.143.1.25:443 r4s5t2t2fa.com tcp
RU 193.143.1.25:443 r4s5t2t2fa.com tcp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
GB 142.250.179.238:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
RU 193.143.1.25:443 r4s5t2t2fa.com tcp
GB 142.250.200.36:443 N/A tcp
GB 142.250.200.36:443 N/A tcp
RU 193.143.1.25:443 r4s5t2t2fa.com tcp
RU 193.143.1.25:443 r4s5t2t2fa.com tcp
RU 193.143.1.25:443 r4s5t2t2fa.com tcp
GB 172.217.16.238:443 N/A tcp
GB 216.58.204.66:443 N/A tcp
RU 193.143.1.25:443 r4s5t2t2fa.com tcp

Files

/data/data/com.warmoften35/cache/ntcxahfdrjya

MD5 77431e7769c4c11e4523c0ac2982d3fb
SHA1 a4c69daf67ac821d11ab664015e499cad49e1a29
SHA256 fc8c9365709b96defd6ca3ac445351101d4547766fd757cfefad64922185cdff
SHA512 414a30f909838a882195a5d950c6ebf4503ebd65ca4942dc6eba882cfb965bb7b8f9a0552d9a749e0a5a8ea54fb9a52507ee7e939127c2b1cced7b69e769430e

/data/data/com.warmoften35/kl.txt

MD5 a494590168d196bb33d72c0efd55ed71
SHA1 c5105f4f87437e2ff1470623e14c9a274993c62c
SHA256 4d46635cd8742529061a99ad3d15344b2be41a21c9a73eacdaf422c24d745f83
SHA512 4f0b050b91754e1d6990fce3a7f8fb6a19a833d3303c96724c68c6b9ecb7446be4c0ae579a0e0914bb063f6384de8fe67ee1c589e7af4b373c8724df7fe9f6c5

/data/data/com.warmoften35/kl.txt

MD5 7810a54136a4726fa6289f8055005d84
SHA1 a588e4bd402a47329b70a2a705862f2ed625165a
SHA256 565e9e9d1255709ba612e72f7ecdecc1f8d0887325d66d7f0518383489a3d375
SHA512 c9effc7d97c6344a1053c7c122482c75c79a35197e2e29c4ba46fad48a6979e936f11ed96b8a323dbee0f1dcb3d09e7c0068451e26743e0f6e4d76c3d3212afd

/data/data/com.warmoften35/kl.txt

MD5 fdb76efa5d883eb98f8d9c590a3fecb3
SHA1 c59c113d797eb1a23badd92c4c36adcaee898925
SHA256 e3e9f4af0db873c505401da9982e6d2739c92a74dc7a59124db2edb467533f13
SHA512 beffd233e670ef9611773c387d9a589273d084e76c45d34397d2e0e9df80d2c631ec8bec0f512738290c97d846f5849fc6a69e3239069f88808fe053a573d294

/data/data/com.warmoften35/kl.txt

MD5 f3cf9e6417bb98da0cee6275ee8eb6da
SHA1 017d169e6ed13d7d5cec23918016c8930bcdb79b
SHA256 d2badcb1a1db7b058b7f0c6a482667e3d00feafffc2e85b66f7b55512465c96a
SHA512 42454f2a9777dd9a27e29a6ab88de8e816394c8c33d3b83cc34202ed3edf69a2418a3ae327306a7ca46b122d39951db874a32a80d5e0a59c39e2324da77e2a73

/data/data/com.warmoften35/kl.txt

MD5 e413ea59cdbf8353ef9a28349431d1aa
SHA1 a93d61440863fc2f6d9e602dd4d52652004856e8
SHA256 3e6eb4b38ad896c08814abbacf7727b809401d13bcdec8f1b44c856cea06ba69
SHA512 502709da96dae21eeb02d5c4cfcbf136fcaa20b8e469cb6c3482bc33bff8f728dacff1ffdc8fc3458a8a80a1582034a79a57452d7901404492e0a398664f52f9

/data/data/com.warmoften35/cache/oat/ntcxahfdrjya.cur.prof

MD5 d218b495495fe012b1ae4aab4180ec14
SHA1 8fdc4699529976965eae45a71b43a08375850b1f
SHA256 760c1f8890a4262fc3ca75250ef27ede5f0d5770b550a7b55853ad5ddb7fd8e8
SHA512 bb4650e6ce510549d89100064f91c29fd74a3f413ab221af06d7c3cef7a2699318f45fca5793ec786bf88fdf148e520866a4ac66ff5cc4cadefbb0260aeeb961

/data/data/com.warmoften35/.qcom.warmoften35

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c