Malware Analysis Report

2024-09-09 13:51

Sample ID 240722-1wp6qszgnb
Target 9108546446e25cc744c97913558eb766673a7644992d8533d6b1a6b5b523cb9c.bin
SHA256 9108546446e25cc744c97913558eb766673a7644992d8533d6b1a6b5b523cb9c
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK Matrix
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 9108546446e25cc744c97913558eb766673a7644992d8533d6b1a6b5b523cb9c

Threat Level: Known bad

The file 9108546446e25cc744c97913558eb766673a7644992d8533d6b1a6b5b523cb9c.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Requests access to notifications (often used to intercept notifications before the user sees them)

Queries the unique device ID (IMEI, MEID, IMSI)

Acquires the wake lock

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Requests permission to modify system settings

Requests exemption from battery optimizations (often used to stay resident in the background)

Reads information about the phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-22 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
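The three static signatures above (system BIND_* permissions on components, plus the SMS/call/phone-state runtime permissions) are the profile a triage script should flag before any detonation. The script below is an added example, not part of this sandbox report or of the sample: it parses a decoded AndroidManifest.xml and reports the dangerous permissions alongside every service or receiver that declares a system BIND_* permission. The embedded manifest is constructed for the example; only the package name com.nothingfoundtbs and the permission names come from this report, and the component names .A11y, .Notif and .Admin are made up.

```python
"""Triage a decoded AndroidManifest.xml for the banker permission profile:
dangerous runtime permissions plus components that declare system-only
BIND_* permissions (accessibility, notification listener, device admin).
Added example; the manifest below is constructed, not the sample's own."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # prefix for android:* attributes in ElementTree

# "dangerous" protection level permissions abused for OTP theft, call
# redirection and device profiling (the set reported under static1).
DANGEROUS = {
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE",
}
# Declared on a component so only the system can bind to it; an app asking
# for all three is the Accessibility / notification / device-admin abuse triad.
BIND_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "android.permission.BIND_DEVICE_ADMIN",
}
# WRITE_SETTINGS is granted through the MANAGE_WRITE_SETTINGS screen, not the
# normal runtime dialog, so report it separately.
SPECIAL = {"android.permission.WRITE_SETTINGS"}

# Constructed manifest (component class names are hypothetical).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.nothingfoundtbs">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".Notif"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return requested dangerous/special permissions and the components that
    declare system BIND_* permissions, keyed by component name."""
    root = ET.fromstring(xml_text)
    requested = {p.get(A + "name") for p in root.iter("uses-permission")}
    bound = {}
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(A + "permission")
            if perm in BIND_PERMS:
                bound[comp.get(A + "name")] = perm
    return {"package": root.get("package"),
            "dangerous": sorted(requested & DANGEROUS),
            "special": sorted(requested & SPECIAL),
            "bind_components": bound}


def banker_score(report):
    """0-3: SMS access, accessibility service and notification listener in
    one package is the classic overlay / OTP-interception profile."""
    perms = set(report["bind_components"].values())
    return sum([any("SMS" in p for p in report["dangerous"]),
                "android.permission.BIND_ACCESSIBILITY_SERVICE" in perms,
                "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE" in perms])


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report)
    print("banker indicators:", banker_score(report), "/ 3")
```

Run it against the output of `apktool d` or `aapt2 dump xmltree` converted to plain XML; a binary AXML manifest straight out of the APK needs decoding first, as ElementTree will not parse it.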

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-22 22:00

Reported

2024-07-22 22:03

Platform

android-x86-arm-20240624-en

Max time kernel

51s

Max time network

169s

Command Line

com.nothingfoundtbs

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

No indicator details recorded (Description, Indicator, Process and Target all N/A).

Removes its main activity from the application launcher

stealth trojan evasion
No indicator details recorded (Description, Indicator, Process and Target all N/A).

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.nothingfoundtbs/cache/puyyhurwtty | N/A | N/A  (observed twice)

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A  (4 calls)

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about the phone network operator

discovery

Requests access to notifications (often used to intercept notifications before the user sees them)

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests exemption from battery optimizations (often used to stay resident in the background)

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests permission to modify system settings

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nothingfoundtbs

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 216.58.204.74:443 | - | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | otururkenterliyorum42.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
US | 1.1.1.1:53 | cehennemdirloo34.com | udp
US | 1.1.1.1:53 | sicaktanbayilcam52.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
GB | 142.250.187.206:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp

Files

/data/data/com.nothingfoundtbs/cache/puyyhurwtty

MD5 fcb251c7d2928980eb9c9543d831da36
SHA1 8bdfd86d4fc08335626c8654feb14b1f6ed3b856
SHA256 279c1daedd03eab66344f8b48ce9d6620dd5f0a8aaf9f5c38bc287c56919d9ba
SHA512 842d01bf684551f0ccef2bf2c0487921df45b8f42373df8786df013f8f08a795fed2a6da05c9529f4936a8b305cdab443791f25f28466d6f8483eef5e501d090

/data/data/com.nothingfoundtbs/kl.txt

MD5 763518ad2752459b693e338d3e08a3c1
SHA1 c8249b6663027ac2746514691dcfb7852f76faef
SHA256 fee8f5bfc4a08cd28ebf39dff720fe4305b59c0fb2e12d8c9fea1d199febe5f9
SHA512 f688dceec43f6a7be9cea050e9029629dda11d5ac7071c96b17e22697e4e0e24e79025d86b2997ea9eabd17f31961fe2f0a4af640fef05d009a8d6c29a22cdf2

/data/data/com.nothingfoundtbs/kl.txt

MD5 4b792da1c64b72c62bffe32cac07a3ce
SHA1 5e65929c662a3117b34795d7726b770322920682
SHA256 ecf284233da1fce12c16fc9861d9d41367a7af5d7481e6f087512d498779b6f9
SHA512 469810c6bc60511a410cc7f236e45a9bfa0a023c04d8333d7c1142116791be01090043f5b57068a2648a0f44e51d9a38b62f891d909f08488d0e982f4bef6db7

/data/data/com.nothingfoundtbs/kl.txt

MD5 4d824fbae7982a6284037e63f9f3a2c9
SHA1 0d6bc5c74e12dd45eb4dac0f5f72ed936f275c29
SHA256 a59cae6effee9c4879b98e52bab147a305bae54fb6b8ec326cb1901cf5d46f1c
SHA512 6e1c65026ef0b5d83d824a5c43174b8bdd918476d9c4ba913be51b3d89b798f071306d83e699d5cc83546cc3e40a8b76c4b6ab562187a1888a581dc83dde459a

/data/data/com.nothingfoundtbs/kl.txt

MD5 eabd4d0d4310df17810d474f699592f4
SHA1 b548850163ebc50e36728d50189bb0f1b8aa5366
SHA256 27a12f07a181ff9b312e76d4d6908d286ce33f451ffd390660e125df676aee53
SHA512 81aebb2d8e70d0bba67599489ef820e94930c04c375c19a011f8a61358ca35509686c443b9d0dcb126e4f94b086d4914cb2850de687653844029b32a0e345cdc

/data/data/com.nothingfoundtbs/kl.txt

MD5 1c3343f1723dae6a7d74458349f8acc7
SHA1 b67d93c3905b54d01b153047005184288258676c
SHA256 60af6b17671c8ed29de7d11412e79219d94b3098198332b0013005c1a340e2fc
SHA512 908b1ad128c30530e381862aa731295469e427fe7388e44185652d47c7c39063a63f1c71cad0b8dc52d6f8dc74d7e94ede48e472ba67532bf8b8eaa275df7164

/data/data/com.nothingfoundtbs/cache/oat/puyyhurwtty.cur.prof

MD5 5a01018ef0586af37e31403f9e76b573
SHA1 93d06a0ae065eb02eab9694140b158526432d4b9
SHA256 08c5d782c9515277ced87940cc5448b10d967fa6a010f35ced31eaa124278e1d
SHA512 257949319f7773b74b03d9a00af9e788898b24b01f2b7bf3f3987ec25bae1287b616bc9c08310b29d0f626f407f4528e978cf252bd824bcf7c9bd3db196cdd74

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-22 22:00

Reported

2024-07-22 22:03

Platform

android-x64-20240624-en

Max time kernel

173s

Max time network

148s

Command Line

com.nothingfoundtbs

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

No indicator details recorded (Description, Indicator, Process and Target all N/A).

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.nothingfoundtbs/cache/puyyhurwtty | N/A | N/A  (observed twice)
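Both detonations (behavioral1 and behavioral2) fire "Loads dropped Dex/Jar" on the extension-less cache file puyyhurwtty, and both Files lists record the same SHA256 for it, so the first thing an analyst does with the extracted file is confirm what it is. The classifier below is an added example, not code from the sandbox or from the sample: it identifies a blob as a bare DEX, a JAR (zip containing classes.dex), a plain zip or an ELF by magic bytes, and for a DEX reads the header fields that are cheap sanity checks. The DEX and JAR bodies it is run on here are constructed inline; the real puyyhurwtty is not reproduced.

```python
"""Classify a dropped payload by magic bytes, the way one would triage
/data/user/0/<pkg>/cache/<randomname> after a "Loads dropped Dex/Jar" hit.
Added example; the DEX/JAR bodies built below are constructed test data."""
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n"   # full magic is b"dex\n" + 3 ASCII digits (035..040) + NUL
ZIP_MAGIC = b"PK\x03\x04"
ELF_MAGIC = b"\x7fELF"


def classify_blob(data):
    """Return 'dex', 'jar', 'zip', 'elf' or 'unknown' for a file body."""
    if data[:4] == DEX_MAGIC and data[4:7].isdigit() and data[7:8] == b"\x00":
        return "dex"
    if data[:4] == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except (zipfile.BadZipFile, OSError, ValueError):
            return "zip"  # zip magic but unreadable central directory
        return "jar" if any(n.endswith(".dex") for n in names) else "zip"
    if data[:4] == ELF_MAGIC:
        return "elf"
    return "unknown"


def dex_header_info(data):
    """Read the DEX header fields worth checking before loading the file
    into a decompiler: version, declared file_size (offset 0x20) and
    class_defs_size (offset 0x60)."""
    if classify_blob(data) != "dex":
        raise ValueError("not a DEX file")
    version = data[4:7].decode("ascii")
    file_size, = struct.unpack_from("<I", data, 0x20)
    class_defs, = struct.unpack_from("<I", data, 0x60)
    return {"version": version, "file_size": file_size, "class_defs": class_defs,
            # a mismatch means truncation, appended data or a decoy header
            "size_matches": file_size == len(data)}


def build_fake_dex(n_classes=3):
    """Constructed minimal DEX: a 0x70-byte header with only the fields read
    above populated, plus 64 bytes of padding so file_size is non-trivial."""
    hdr = bytearray(0x70)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<I", hdr, 0x20, 0x70 + 64)      # file_size
    struct.pack_into("<I", hdr, 0x24, 0x70)           # header_size
    struct.pack_into("<I", hdr, 0x28, 0x12345678)     # endian_tag (little-endian)
    struct.pack_into("<I", hdr, 0x60, n_classes)      # class_defs_size
    return bytes(hdr) + b"\x00" * 64


def build_fake_jar():
    """Constructed JAR-style payload: a zip whose only entry is classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", build_fake_dex())
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("dex", build_fake_dex()), ("jar", build_fake_jar()),
                        ("text", b"not a payload")):
        kind = classify_blob(blob)
        print(label, "->", kind, dex_header_info(blob) if kind == "dex" else "")
```

Two details from the Files lists line up with this check. /data/user/0/com.nothingfoundtbs (the path in the signature) and /data/data/com.nothingfoundtbs (the path in the Files list) are the same directory, since /data/data is a symlink to /data/user/0 on current Android. And the cache/oat/puyyhurwtty.cur.prof entry is the shape of an ART runtime profile, which the runtime writes next to a secondary DEX it has loaded, so its presence is consistent with the dropped file having been executed rather than merely written.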

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A  (4 calls)

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about the phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nothingfoundtbs

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | otururkenterliyorum42.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
US | 1.1.1.1:53 | sicaktanbayilcam52.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
GB | 142.250.179.238:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
GB | 142.250.180.4:443 | - | tcp
GB | 142.250.180.4:443 | - | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
GB | 216.58.201.98:443 | - | tcp
GB | 172.217.169.46:443 | - | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
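The raw Network tables of behavioral1 and behavioral2 list every connection separately, which buries the two facts a responder needs: one host (193.143.1.24:443, resolved from otururkenterliyorum42.com) is contacted repeatedly in both runs, and two further domains (cehennemdirloo34.com, sicaktanbayilcam52.com) are looked up but never connected to. The script below is an added example, not part of the sandbox output: it parses rows in the sandbox's original whitespace layout, separates DNS lookups from TCP sessions, ranks session targets by count and lists domains that resolved without a follow-up connection. The embedded rows are copied from the two tables in this report; the list of noise suffixes and sandbox infrastructure addresses is an analyst assumption, not something the report states.

```python
"""Summarise sandbox Network tables: collapse repeated connections, separate
DNS lookups from TCP sessions, and surface domains that were resolved but
never contacted.  Added example; rows are copied from the behavioral1 and
behavioral2 tables of this report, the allowlist below is an assumption."""
from collections import Counter

NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
GB 216.58.204.74:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 otururkenterliyorum42.com udp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
US 1.1.1.1:53 cehennemdirloo34.com udp
US 1.1.1.1:53 sicaktanbayilcam52.com udp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.72:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 otururkenterliyorum42.com udp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
US 1.1.1.1:53 sicaktanbayilcam52.com udp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
GB 216.58.201.98:443 tcp
GB 172.217.169.46:443 tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
"""

# Assumed noise: Google platform traffic the emulator generates on its own.
NOISE_SUFFIXES = ("googleapis.com", "google.com", "google-analytics.com")
SANDBOX_INFRA = {"224.0.0.251", "1.1.1.1"}  # mDNS group, sandbox resolver


def parse_rows(text):
    """Rows are 'Country Destination [Domain] Proto'; the Domain cell is
    absent when the sandbox saw no DNS name for the destination."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        host, port = parts[1].rsplit(":", 1)
        rows.append({"country": parts[0], "host": host, "port": int(port),
                     "domain": parts[2] if len(parts) == 4 else None,
                     "proto": parts[-1]})
    return rows


def is_noise(domain):
    return domain is not None and domain.endswith(NOISE_SUFFIXES)


def summarize(rows):
    dns, sessions = Counter(), Counter()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and r["domain"]:
            dns[r["domain"]] += 1            # a lookup, not a connection
        elif r["proto"] == "tcp":
            sessions[(r["host"], r["port"], r["domain"])] += 1
    contacted = {d for (_, _, d) in sessions if d}
    return {
        "dns": dns,
        "sessions": sessions,
        # resolved but never connected: typical of a backup C2 list
        "resolved_not_contacted": sorted(
            d for d in dns if d not in contacted and not is_noise(d)),
        # non-noise TCP targets, busiest first
        "c2_candidates": sorted(
            ((h, p, d, n) for (h, p, d), n in sessions.items() if d and not is_noise(d)),
            key=lambda t: -t[3]),
        # TLS to bare IPs with no DNS name observed: attribute via WHOIS/JA3
        "unattributed_tls": sorted((h, p, n) for (h, p, d), n in sessions.items() if d is None),
    }


if __name__ == "__main__":
    s = summarize(parse_rows(NETWORK_ROWS))
    for host, port, dom, n in s["c2_candidates"]:
        print(f"C2 candidate {dom} -> {host}:{port} ({n} sessions)")
    print("resolved, never contacted:", s["resolved_not_contacted"])
    print("unattributed TLS:", s["unattributed_tls"])
```

Note what the summary does not settle: the unattributed 443 sessions are to bare IPs, and whether they are platform noise or a second channel has to be decided from WHOIS and the TLS metadata, not from this table alone. The two resolved-but-uncontacted names are still worth blocking, since the sample evidently carries them as alternates.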

Files

/data/data/com.nothingfoundtbs/cache/puyyhurwtty

MD5 fcb251c7d2928980eb9c9543d831da36
SHA1 8bdfd86d4fc08335626c8654feb14b1f6ed3b856
SHA256 279c1daedd03eab66344f8b48ce9d6620dd5f0a8aaf9f5c38bc287c56919d9ba
SHA512 842d01bf684551f0ccef2bf2c0487921df45b8f42373df8786df013f8f08a795fed2a6da05c9529f4936a8b305cdab443791f25f28466d6f8483eef5e501d090

/data/data/com.nothingfoundtbs/kl.txt

MD5 5ffedbedb78a01396b68c27c60d3f38c
SHA1 06291a061129bc8752540820a04c88b3b6079a90
SHA256 14d4f5a6dcd9834058e25c29396a41d2718a2534c7b8bd846cdfc15ce2551a41
SHA512 dd126f90370822ff88f77f3451b1780cd5b81147cf459aadbc883558728ccf2bc210d32700948ec323abad80f1b17487dd2ebc9b6a08d5a4a1631ce598dcf689

/data/data/com.nothingfoundtbs/kl.txt

MD5 2432d34e5710c2e7daad36fe6f9a1654
SHA1 a3b1c939c49802220f3c845fd553b1433913113c
SHA256 e48b67ba0a3ddea4ecc476b37d5a4ef4de33799740aeb33ee18878fefa6ff209
SHA512 9eca5b3dfde5b6ec679ab4c142b1d9f80c240baedd0c83d731521b0831f6cd6c4ece2126ed272cffccecbae91767965cdf05f94d7a6d07645a413d385c2894dc

/data/data/com.nothingfoundtbs/kl.txt

MD5 4d824fbae7982a6284037e63f9f3a2c9
SHA1 0d6bc5c74e12dd45eb4dac0f5f72ed936f275c29
SHA256 a59cae6effee9c4879b98e52bab147a305bae54fb6b8ec326cb1901cf5d46f1c
SHA512 6e1c65026ef0b5d83d824a5c43174b8bdd918476d9c4ba913be51b3d89b798f071306d83e699d5cc83546cc3e40a8b76c4b6ab562187a1888a581dc83dde459a

/data/data/com.nothingfoundtbs/kl.txt

MD5 8e27a38a946010c4cd05206110c6962b
SHA1 f30564f664906d65cd024a7a0c991bd05dd63b37
SHA256 fdd204112f67bc80304f4bdc3c11d881cadd8f3c331ebf362a3808efb43f79b4
SHA512 8f74175bce4a9bce4281b53340daf7d2a59565b9f7d98e5ba85a7801e55e9d03621324a97e9349a33d8ec9e9d9e937393d44961fe4ef9a03c9c39dcd8dfc8b06

/data/data/com.nothingfoundtbs/kl.txt

MD5 e576e952e434b0ae3dbab8dbcb8aa88d
SHA1 21327b535c15ad073c7708e3f7503e6c96ba0ec3
SHA256 415bd052716d0fb1f9e409890cd4991b7e2f289609a10c8ddf7831e5cc5ec4d1
SHA512 5da5b72dc89334f61a589b8f20c6386d2c7e25122fd59ff1072f8dd719ca7620869c5790f60045f3079b18a58d9a5d7b261df41a87387b8d9eae0400f8c5f2c3

/data/data/com.nothingfoundtbs/cache/oat/puyyhurwtty.cur.prof

MD5 9172d0440e6324ef80ef8e779ba15899
SHA1 3f09d183ddb63b12dd71f09f73dd413b57e83b30
SHA256 a9af9020036d7866c923f33128a97538e0c9d8f27b6ace75acb51611d9d03367
SHA512 24095c7af2a2e51089d2e9c01714c63b416fdeebf69f3baebfef2b06298992942a48707a033445ddfd0e8f7cb4ba46c087cfc2d4f3265443bedd43f6478052f4

/data/data/com.nothingfoundtbs/.qcom.nothingfoundtbs

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c