Malware Analysis Report

2024-09-09 13:51

Sample ID 240722-1wnynszgna
Target ba26ff02c0654d5d1401d9e0479575a456fbfeca122857d0e455251e0828f050.bin
SHA256 ba26ff02c0654d5d1401d9e0479575a456fbfeca122857d0e455251e0828f050
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ba26ff02c0654d5d1401d9e0479575a456fbfeca122857d0e455251e0828f050

Threat Level: Known bad

The file ba26ff02c0654d5d1401d9e0479575a456fbfeca122857d0e455251e0828f050.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (may be used to select which legitimate apps to overlay)

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Performs UI accessibility actions on behalf of the user

Requests notification access (often used to read or dismiss notifications before the user sees them)

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Reads information about the phone's network operator

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Requests permission to modify system settings

Declares services with permission to bind to the system

Makes use of the framework's foreground persistence service

Requests exemption from battery optimizations (often used to keep running in the background without being killed)

Uses crypto APIs (may be used to encrypt user data, or to decrypt a packed payload or C2 traffic)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-22 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
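None of the permissions above is suspicious on its own; the signal is the combination. The script below is an added example, not part of the sandbox report or of the sample, that parses an AndroidManifest.xml and flags the banker-style set. Both manifests embedded in it are constructed: the report does not include the sample's real manifest, so the first one is assembled from the permissions listed above, and the component names (.A11yService, .NotifService, .AdminReceiver) are assumptions. The point a plain grep for uses-permission misses is that the three BIND_* permissions are never requested by an app; they are declared on a <service> or <receiver> so that only the system can bind to it, which is exactly what the two "Declares ..." signatures above record.

```python
import xml.etree.ElementTree as ET

# Android attributes in AndroidManifest.xml live in this namespace.
A = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (the report does not include the real one).
# Permissions are taken from the static signatures above; component names are assumptions.
BANKER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.overoneoyx">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="app">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# Constructed benign control: an ordinary app that only reads storage.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application><activity android:name=".Main"/></application>
</manifest>
"""

# Capability buckets. The BIND_* permissions are system-signature permissions an app
# never requests; it declares them on a component so only the system can bind to it.
# They therefore appear as android:permission on <service>/<receiver>, not as
# <uses-permission>, and a grep of uses-permission alone misses them.
CAPABILITIES = {
    "accessibility": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "notification_listener": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "device_admin": {"android.permission.BIND_DEVICE_ADMIN"},
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
            "android.permission.SEND_SMS"},
    "calls": {"android.permission.CALL_PHONE"},
    "settings": {"android.permission.WRITE_SETTINGS"},
    "phone_state": {"android.permission.READ_PHONE_STATE"},
}

# Read the screen, drive the UI, and see or dismiss SMS/notifications: the overlay-banker core.
BANKER_CORE = {"accessibility", "notification_listener", "sms"}


def extract_permissions(manifest_xml):
    """Return (requested <uses-permission> names, {component permission: component name})."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    declared = {}
    for tag in ("service", "receiver", "activity", "provider"):
        for comp in root.iter(tag):
            perm = comp.get(A + "permission")
            if perm:
                declared[perm] = comp.get(A + "name")
    return requested, declared


def triage(manifest_xml):
    """Bucket every permission the manifest carries and flag the banker-style combination."""
    root = ET.fromstring(manifest_xml)
    requested, declared = extract_permissions(manifest_xml)
    present = requested | set(declared)
    hits = {cap: sorted(present & perms)
            for cap, perms in CAPABILITIES.items() if present & perms}
    return {
        "package": root.get("package"),
        "hits": hits,
        "declared_components": declared,
        "banker_like": BANKER_CORE <= set(hits),
    }


if __name__ == "__main__":
    for m in (BANKER_MANIFEST, BENIGN_MANIFEST):
        r = triage(m)
        print(r["package"], "banker_like =", r["banker_like"], sorted(r["hits"]))
```

To run it against a real APK, decode the binary manifest first (for example with apktool or androguard) and pass the resulting XML text to triage(). The banker_like flag is a triage heuristic: a legitimate accessibility tool with SMS features would trip it too, so treat it as a reason to look, not a verdict.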

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-22 22:00

Reported

2024-07-22 22:03

Platform

android-x86-arm-20240624-en

Max time kernel

53s

Max time network

148s

Command Line

com.overoneoyx

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.overoneoyx/cache/cpatleppudple | N/A | N/A
N/A | /data/user/0/com.overoneoyx/cache/cpatleppudple | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (may be used to select which legitimate apps to overlay)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about the phone's network operator

discovery

Requests notification access (often used to read or dismiss notifications before the user sees them)

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests exemption from battery optimizations (often used to keep running in the background without being killed)

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests permission to modify system settings

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses crypto APIs (may be used to encrypt user data, or to decrypt a packed payload or C2 traffic)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A
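The accessibility, notification-listener and settings signatures above all depend on grants the user was talked into making, and those grants survive a reboot. On a device suspected of carrying this sample, the first incident-response check is therefore which packages hold those grants. The script below is an added example, not part of the report or the sample, that parses the two Secure settings Android stores them in (enabled_accessibility_services and enabled_notification_listeners, colon-separated ComponentName lists as printed by adb shell settings get secure), reports what com.overoneoyx holds, and computes the cleaned value to write back. The two setting values embedded in it are constructed; the report does not name the sample's service classes, so the component names are assumptions, and the TalkBack entry is there only as a benign neighbour that the cleanup must preserve.

```python
import subprocess

# Constructed sample values, in the format `adb shell settings get secure <key>` prints.
# The com.overoneoyx class names are assumptions; the report does not name them.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
               "com.overoneoyx/.A11yService")
SAMPLE_NOTIF = "com.example.wear/.ListenerService:com.overoneoyx/com.overoneoyx.NotifService"

SETTING_KEYS = {
    "accessibility": "enabled_accessibility_services",
    "notification_listener": "enabled_notification_listeners",
}


def parse_component_list(value):
    """Split a colon-separated ComponentName list into (package, fully qualified class) pairs.

    An empty string or the literal 'null' means nothing is enabled. A class that starts
    with '.' is relative to its package, as in AndroidManifest.xml.
    """
    value = (value or "").strip()
    if value in ("", "null"):
        return []
    comps = []
    for item in value.split(":"):
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        comps.append((pkg, cls))
    return comps


def grants_for(package, a11y_value, notif_value):
    """Which accessibility services and notification listeners does `package` hold?"""
    return {
        "accessibility": [cls for pkg, cls in parse_component_list(a11y_value) if pkg == package],
        "notification_listener": [cls for pkg, cls in parse_component_list(notif_value)
                                  if pkg == package],
    }


def without_package(value, package):
    """Return the setting value with every component of `package` removed, others untouched."""
    items = [i for i in (value or "").strip().split(":")
             if i and i != "null" and i.partition("/")[0] != package]
    return ":".join(items)


def read_secure_setting(key, serial=None):
    """Live read over adb (not exercised by the offline demo below)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", "settings", "get", "secure", key]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    held = grants_for("com.overoneoyx", SAMPLE_A11Y, SAMPLE_NOTIF)
    for kind, classes in held.items():
        print(kind, "->", classes or "none")
    print("cleaned accessibility value:", without_package(SAMPLE_A11Y, "com.overoneoyx"))
```

The cleaned value is what goes into adb shell settings put secure enabled_accessibility_services "..." before adb shell pm uninstall com.overoneoyx. Revoke the grants first: while the accessibility service is still enabled the app can act on the screen, including on the uninstall prompt. The static section also records a device-admin receiver; check adb shell dumpsys device_policy for an active admin from the package, since an active admin blocks ordinary uninstall until it is deactivated.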

Processes

com.overoneoyx

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 otururkenterliyorum42.com udp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
US 1.1.1.1:53 selamcanoonaber.site udp
US 1.1.1.1:53 cehennemdirloo34.com udp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp

Files

/data/data/com.overoneoyx/cache/cpatleppudple

MD5 ba08e5cf0f7dbb46ee2c7ea143a39271
SHA1 9707321a03f1c64fb60fdfa1d524b009cdcbd153
SHA256 26e5c13379780572824641f2aecccea4ae2d901a0eed4eee34d39b9be302fe9c
SHA512 c6fff686a8a572bbc7936d0f63a38da80dbcbfffe8c5744b5caad1a480c93be6ab28c6556f8cc82ac5a96f234888c84b77aaa4b15cd9ef65e6c3c5416c7bdcec

/data/data/com.overoneoyx/kl.txt

MD5 f76383b40590c668f4d5b0b9a0c698cb
SHA1 1d2fb3190108e243071ac293314d220ac67a0c0a
SHA256 689647e629beac7de8b26ac907ace07d4d3ff619d6ee045f316ccdc030ff8ba2
SHA512 b29abae639661257c0c5e46ea2dff57fb14df75afae7cb4bcd93999758682d4dffc09ea418405f9ed780e8872023b1720577c7df7b5de9ec130a8a1566246861

/data/data/com.overoneoyx/kl.txt

MD5 1961e8affd41dbb0a4df271419f99eab
SHA1 ee732fa67df11809369d11d7ac048ba1239d51d7
SHA256 fccb635e9ceb347b7adea5830d676057270d0a974284047a47711ec2be39af63
SHA512 e63b13b9c79258a8883c0fdcb94e297988c60dd318f42c4e96606c6c80f3447fecbc18b4c203a3c58a98d5eb827ebc0fdacb92011f63d8b3894590f7e2ddc3aa

/data/data/com.overoneoyx/kl.txt

MD5 66bfd5ade36c2345aecf9e019620f854
SHA1 92df5573e49cd491f314a3e30576d16e03386372
SHA256 c65af401e625d23731f7ba6fcfad80b97c7992b9e64fe13c263cbd4de430c40f
SHA512 de868ffe4c3bbff8818a8caf068b818f4fe714048af5f06b66ba1ac138e9bcc2155ca4b84120f7a14872a4b8294920a2ee1813c573a577e35507b5a2e1358eed

/data/data/com.overoneoyx/kl.txt

MD5 2432d34e5710c2e7daad36fe6f9a1654
SHA1 a3b1c939c49802220f3c845fd553b1433913113c
SHA256 e48b67ba0a3ddea4ecc476b37d5a4ef4de33799740aeb33ee18878fefa6ff209
SHA512 9eca5b3dfde5b6ec679ab4c142b1d9f80c240baedd0c83d731521b0831f6cd6c4ece2126ed272cffccecbae91767965cdf05f94d7a6d07645a413d385c2894dc

/data/data/com.overoneoyx/kl.txt

MD5 52762ae17900b984140eabd24ba047ea
SHA1 589fd5243b681a8300fd19c1953e36186544b3b7
SHA256 ac0c5e057270a739fa48c68b2da58641a30d8a6505c017b12ede6133620b1f60
SHA512 8944d4bd20dee79bbb17dd84764436ed721030d0ed090237f643e6459077e609c3c8636e6c10c2e5bfbd30cf3b37f3fa08407683ff9d1bf6144822799cc06533

/data/data/com.overoneoyx/cache/oat/cpatleppudple.cur.prof

MD5 8d95fbaa242c156f7b7009e065f4cdfd
SHA1 796bf9ca983dceb7a39a34bd499fc41dbe42119d
SHA256 9390e6e064d26cbf5671acb5d9ce95f48c60cb5efc7822d08b0f396e6f65c134
SHA512 6565a919e2093a56da2d667b60a3709698924dc6d72059d50712c59ce4779eb05f571a4859a79103664943aab481cc43f18ed44bd32b47d480ad50863124f12d

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-22 22:00

Reported

2024-07-22 22:03

Platform

android-x64-20240624-en

Max time kernel

73s

Max time network

183s

Command Line

com.overoneoyx

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.overoneoyx/cache/cpatleppudple | N/A | N/A
N/A | /data/user/0/com.overoneoyx/cache/cpatleppudple | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (may be used to select which legitimate apps to overlay)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about the phone's network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses crypto APIs (may be used to encrypt user data, or to decrypt a packed payload or C2 traffic)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.overoneoyx

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 hava540derece.com udp
US 1.1.1.1:53 otururkenterliyorum42.com udp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
GB 216.58.213.14:443 tcp
GB 142.250.178.2:443 tcp
GB 172.217.16.227:443 tcp
BE 142.251.173.188:5228 tcp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 accounts.google.com udp
GB 64.233.167.84:443 accounts.google.com tcp
GB 142.250.180.14:443 android.apis.google.com tcp
US 1.1.1.1:53 g.tenor.com udp
GB 216.58.213.10:443 g.tenor.com tcp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
GB 172.217.169.10:443 mdh-pa.googleapis.com tcp
US 1.1.1.1:53 safebrowsing.googleapis.com udp
GB 172.217.169.42:443 safebrowsing.googleapis.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.200.14:443 www.youtube.com tcp
US 1.1.1.1:53 growth-pa.googleapis.com udp
GB 172.217.169.10:443 growth-pa.googleapis.com tcp
US 1.1.1.1:53 lh3-dz.googleusercontent.com udp
GB 216.58.212.225:443 lh3-dz.googleusercontent.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 1.1.1.1:53 i.ytimg.com udp
GB 216.58.201.118:443 i.ytimg.com udp
GB 216.58.201.118:443 i.ytimg.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 www.google.com udp
US 1.1.1.1:53 otururkenterliyorum42.com udp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
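Both Network tables (behavioral1 above and behavioral2 just above) mix the sandbox's own resolver traffic and the Google services background noise of a stock Android image with the sample's actual connections, so the indicators worth keeping have to be pulled out. The script below is an added example, not part of the report, that parses rows in the table's own Country Destination Domain Proto format (rows without a Domain column have three fields), drops resolver and mDNS rows, suffix-filters the platform background domains, and returns three things: domains that were actually connected to with the IPs behind them, domains that were resolved but never contacted, and destination IPs the sandbox could not tie to a hostname. The embedded rows are copied from the behavioral1 table; the function runs unchanged on the behavioral2 rows, where it additionally surfaces hava540derece.com as resolved-only. The suffix allowlist is a triage heuristic and an assumption of this example: it removes noise, it does not prove that traffic is harmless.

```python
from collections import Counter, defaultdict

# Rows copied from the behavioral1 Network table above (Country Destination Domain Proto).
# Rows with three fields are connections the sandbox could not tie to a DNS lookup.
BEHAVIORAL1_NETWORK = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 otururkenterliyorum42.com udp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
US 1.1.1.1:53 selamcanoonaber.site udp
US 1.1.1.1:53 cehennemdirloo34.com udp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
"""

# Sandbox plumbing: the DNS resolver and mDNS. These rows are lookups, not C2 traffic.
RESOLVER_DESTS = {"1.1.1.1:53", "224.0.0.251:5353"}

# Platform background noise expected from any Android image with Google services.
# Assumed allowlist for triage only; suffix matching removes noise, it does not prove benignity.
BACKGROUND_SUFFIXES = (".googleapis.com", ".google.com", ".googleusercontent.com",
                       ".google-analytics.com", ".youtube.com", ".ytimg.com", ".tenor.com")


def parse_rows(table):
    """Yield one dict per row; rows lacking the Domain column get domain=None."""
    for line in table.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        yield {"country": None if country == "N/A" else country,
               "dest": dest, "domain": domain, "proto": proto}


def is_background(domain):
    return domain is not None and domain.endswith(BACKGROUND_SUFFIXES)


def extract_iocs(table):
    """Split the table into contacted C2 candidates, resolved-only domains and unattributed IPs."""
    resolved = set()
    contacted = defaultdict(Counter)   # domain -> Counter of "ip:port"
    unattributed = Counter()           # "ip:port" seen with no hostname
    for r in parse_rows(table):
        if r["dest"] in RESOLVER_DESTS:
            if r["domain"] and not is_background(r["domain"]):
                resolved.add(r["domain"])
            continue
        if r["domain"] is None:
            unattributed[r["dest"]] += 1
        elif not is_background(r["domain"]):
            contacted[r["domain"]][r["dest"]] += 1
    return {
        "c2_candidates": {d: dict(c) for d, c in contacted.items()},
        "dns_only": sorted(resolved - set(contacted)),
        "unattributed": dict(unattributed),
    }


def to_blocklist(iocs):
    """Flatten contacted domains, resolved-only domains and C2 IPs into plain strings."""
    out = set(iocs["c2_candidates"]) | set(iocs["dns_only"])
    for dests in iocs["c2_candidates"].values():
        out.update(d.rsplit(":", 1)[0] for d in dests)
    return sorted(out)


if __name__ == "__main__":
    iocs = extract_iocs(BEHAVIORAL1_NETWORK)
    print(iocs)
    print(to_blocklist(iocs))
```

For this run the result is one contacted domain, otururkenterliyorum42.com on 193.143.1.24:443 across six TCP sessions, two domains that were resolved and never contacted (cehennemdirloo34.com, selamcanoonaber.site), and one unattributed destination, 142.250.200.46:443. Resolved-only domains are still worth a watchlist entry since the sample evidently knows them. Unattributed IPs are reported rather than filtered: verify them with reverse DNS or WHOIS before putting them on a blocklist.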

Files

/data/data/com.overoneoyx/cache/cpatleppudple

MD5 ba08e5cf0f7dbb46ee2c7ea143a39271
SHA1 9707321a03f1c64fb60fdfa1d524b009cdcbd153
SHA256 26e5c13379780572824641f2aecccea4ae2d901a0eed4eee34d39b9be302fe9c
SHA512 c6fff686a8a572bbc7936d0f63a38da80dbcbfffe8c5744b5caad1a480c93be6ab28c6556f8cc82ac5a96f234888c84b77aaa4b15cd9ef65e6c3c5416c7bdcec

/data/data/com.overoneoyx/kl.txt

MD5 1c90990a3a8cf34fa096d0f4969262d1
SHA1 6cf035bc90d2aec7b3a84561f3e9edef0bed886b
SHA256 ac8d47202f1ef12175197519fd2e52a4681d435c61152216f199c02f8c253a5a
SHA512 01808712beb67bcce15197c1cb4185720539b25cf52333b7e28f720b4589292a1c673f0025886e357dd027794474fcfc87ac3cccb5c289a47675cbf4baa5b070

/data/data/com.overoneoyx/kl.txt

MD5 05d9f632948edcd0b41bad6ad2e505ad
SHA1 d3290e06a935067259eed1535fe15af759c85cb6
SHA256 7f596daf2d683bed776100dfcc2c744c807dbbe994733576b5bc026ed45eef13
SHA512 7a869a52c9a814759dd33748de5f94efe2ff4efa5af9aa5006af573acdaf99e68ccb3cecb736a507db162f48aa693961f850143f2ad36ce4bae7d7f3b559eced

/data/data/com.overoneoyx/kl.txt

MD5 7eedf9c3e4f024d8fc2e69924e1029a5
SHA1 b3b32bd4e88dbd5a4b4277316debfc881dfe479d
SHA256 c58d0efd383f7dc4d0fb7a46ac02810c0655ab5037675d24f1e463e1a8a75ce2
SHA512 4cce1c5a2073233235cb4f012e86c55c6286d2b5f6bec5a9e5e8b1ee1136116e558e6a776cf2f2779e771308066d4c9126af4d7ac534f16dec23984e9c1e3b75

/data/data/com.overoneoyx/kl.txt

MD5 8597da611a7dfadc770bc6a4900daf54
SHA1 416f5e56d3d5137fc56b4335a5bb4c8e6cab1c93
SHA256 1686dbe70e58937eb506ce0786daf749049fbdc62004c1a4209d7c29983edb65
SHA512 d90afd4418682a3308dac30ab8c120d5c8eace4eec304e1076f84324c01b5d5c70e75e9318cb9bafcb3bc18f92b6535433d8d077e879ef70b750df6efc364d1f

/data/data/com.overoneoyx/kl.txt

MD5 069e73064f61acf6702efee665296869
SHA1 0c66a5016703f2ff20a20b39d3687a2517330324
SHA256 9eddd8d50c2e813196b1027337f777e1428c990a4f1d23da2b9254a1e2a11575
SHA512 36dc1adc27914ccf9c2bde3fb693f4a8bf80dd935939dddef9dd2619ca92dd02e1ddf2e08ef3d720d00566595d1367764da8f74836c4e98bf84c9933e819d8c3

/data/data/com.overoneoyx/cache/oat/cpatleppudple.cur.prof

MD5 4b07f5e4ad899b46b68a526540b5b3d7
SHA1 ae8314271a2fc17c1a2b1f78b786e70fa3b18f24
SHA256 eee079dc81f903214086d36d5c2586328aa999837435ca9453ea2d09c761639b
SHA512 3cb5422c6ec45aa92fd36f2d878c8aeb7986e1cfa67857199b9d30e46b4e476f0a2561e8e98768df4cf11a3768db3953b51cecb440bd39e218d6380b85a6d74f

/data/data/com.overoneoyx/.qcom.overoneoyx

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c
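Read across the two runs, the Files sections above already say a lot: cache/cpatleppudple has the same SHA256 in both detonations, kl.txt is recorded five times per run with five different hashes, and .qcom.overoneoyx only shows up in behavioral2. The "Loads dropped Dex/Jar" signature points at /data/user/0/com.overoneoyx/cache/cpatleppudple, which on a single-user device is the same directory as the /data/data/com.overoneoyx/cache/cpatleppudple listed here; the oat/cpatleppudple.cur.prof next to it is the profile ART keeps for code loaded from that file, so the cache file was loaded by the runtime as it sits on disk. The script below is an added example, not part of the report, that makes the cross-run comparison mechanical (which dropped files are stable across runs and therefore usable as hashes, which are rewritten repeatedly, which appear in one run only) and adds a magic-byte check for deciding whether a recovered cache file is a DEX, a ZIP/JAR, or something packed. The (path, SHA256) pairs are copied from the tables above; the byte strings in the test are constructed.

```python
from collections import defaultdict

# (path, sha256) pairs copied from the behavioral1 and behavioral2 Files sections, in report order.
RUN1_FILES = [
    ("/data/data/com.overoneoyx/cache/cpatleppudple", "26e5c13379780572824641f2aecccea4ae2d901a0eed4eee34d39b9be302fe9c"),
    ("/data/data/com.overoneoyx/kl.txt", "689647e629beac7de8b26ac907ace07d4d3ff619d6ee045f316ccdc030ff8ba2"),
    ("/data/data/com.overoneoyx/kl.txt", "fccb635e9ceb347b7adea5830d676057270d0a974284047a47711ec2be39af63"),
    ("/data/data/com.overoneoyx/kl.txt", "c65af401e625d23731f7ba6fcfad80b97c7992b9e64fe13c263cbd4de430c40f"),
    ("/data/data/com.overoneoyx/kl.txt", "e48b67ba0a3ddea4ecc476b37d5a4ef4de33799740aeb33ee18878fefa6ff209"),
    ("/data/data/com.overoneoyx/kl.txt", "ac0c5e057270a739fa48c68b2da58641a30d8a6505c017b12ede6133620b1f60"),
    ("/data/data/com.overoneoyx/cache/oat/cpatleppudple.cur.prof", "9390e6e064d26cbf5671acb5d9ce95f48c60cb5efc7822d08b0f396e6f65c134"),
]
RUN2_FILES = [
    ("/data/data/com.overoneoyx/cache/cpatleppudple", "26e5c13379780572824641f2aecccea4ae2d901a0eed4eee34d39b9be302fe9c"),
    ("/data/data/com.overoneoyx/kl.txt", "ac8d47202f1ef12175197519fd2e52a4681d435c61152216f199c02f8c253a5a"),
    ("/data/data/com.overoneoyx/kl.txt", "7f596daf2d683bed776100dfcc2c744c807dbbe994733576b5bc026ed45eef13"),
    ("/data/data/com.overoneoyx/kl.txt", "c58d0efd383f7dc4d0fb7a46ac02810c0655ab5037675d24f1e463e1a8a75ce2"),
    ("/data/data/com.overoneoyx/kl.txt", "1686dbe70e58937eb506ce0786daf749049fbdc62004c1a4209d7c29983edb65"),
    ("/data/data/com.overoneoyx/kl.txt", "9eddd8d50c2e813196b1027337f777e1428c990a4f1d23da2b9254a1e2a11575"),
    ("/data/data/com.overoneoyx/cache/oat/cpatleppudple.cur.prof", "eee079dc81f903214086d36d5c2586328aa999837435ca9453ea2d09c761639b"),
    ("/data/data/com.overoneoyx/.qcom.overoneoyx", "b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a"),
]


def by_path(records):
    """Group the hashes recorded for each path, keeping report order."""
    groups = defaultdict(list)
    for path, sha in records:
        groups[path].append(sha)
    return groups


def compare_runs(run_a, run_b):
    """Classify every path seen in either run.

    stable:   one hash, identical in both runs (a usable file-hash IOC)
    volatile: several distinct hashes within a run (a file rewritten while the sample ran)
    changed:  one hash per run, but different between runs (run-specific content)
    only_a/only_b: path present in one run only
    """
    a, b = by_path(run_a), by_path(run_b)
    out = {"stable": [], "volatile": {}, "changed": [], "only_a": [], "only_b": []}
    for path in sorted(set(a) | set(b)):
        ha, hb = a.get(path, []), b.get(path, [])
        if not ha:
            out["only_b"].append(path)
        elif not hb:
            out["only_a"].append(path)
        elif len(set(ha)) > 1 or len(set(hb)) > 1:
            out["volatile"][path] = (len(set(ha)), len(set(hb)))
        elif ha[0] == hb[0]:
            out["stable"].append(path)
        else:
            out["changed"].append(path)
    return out


DEX_MAGIC = b"dex\n"        # followed by a 3-digit version and a NUL, e.g. "dex\n035\0"
ZIP_MAGIC = b"PK\x03\x04"   # JAR and APK are ZIP containers


def classify_blob(data):
    """Cheap format check for a file the sandbox reports as a loaded Dex/Jar."""
    if data.startswith(DEX_MAGIC) and len(data) >= 8:
        return "dex (version %s)" % data[4:7].decode("ascii", "replace")
    if data.startswith(ZIP_MAGIC):
        return "zip/jar/apk"
    return "unknown"


if __name__ == "__main__":
    for key, value in compare_runs(RUN1_FILES, RUN2_FILES).items():
        print(key, value)
    with open("/data/data/com.overoneoyx/cache/cpatleppudple", "rb") as fh:  # hypothetical path
        print(classify_blob(fh.read(8)))
```

The stable entry is the one to pivot on: 26e5c13379780572824641f2aecccea4ae2d901a0eed4eee34d39b9be302fe9c identifies the second stage independently of the dropper hash at the top of the report. A file that is volatile within a single run, as kl.txt is here, is output the sample keeps appending to or replacing, and its hashes are useless as indicators; the path is the indicator. If classify_blob() returns "unknown" for a recovered cache file, the bytes on disk are not what ART loaded and the payload is decrypted or rebuilt before loading, which is where the Cipher.doFinal calls in the signatures would fit.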