Malware Analysis Report

2024-09-09 13:50

Sample ID: 240722-1wpj7s1cnl
Target: b83d09a0072a2ac2ff0c2d7e26493f602ab0c153c6ada828427e07a3e5d2e68e.bin
SHA256: b83d09a0072a2ac2ff0c2d7e26493f602ab0c153c6ada828427e07a3e5d2e68e
Tags: octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score: 10/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK Matrix
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files
- Analysis: behavioral2
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 10/10
SHA256: b83d09a0072a2ac2ff0c2d7e26493f602ab0c153c6ada828427e07a3e5d2e68e

Threat Level: Known bad

The file b83d09a0072a2ac2ff0c2d7e26493f602ab0c153c6ada828427e07a3e5d2e68e.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Requests accessing notifications (often used to intercept notifications before users become aware).

Requests modifying system settings.

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Performs UI accessibility actions on behalf of the user

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Acquires the wake lock

Reads information about phone network operator.

Queries the unique device ID (IMEI, MEID, IMSI)

Declares broadcast receivers with permission to handle system events

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-07-22 22:00

Signatures

Declares broadcast receivers with permission to handle system events
Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system
Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions
Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-22 22:00
Reported: 2024-07-22 22:03
Platform: android-x86-arm-20240624-en
Max time kernel: 52s
Max time network: 146s

Command Line

com.cartenmw

Signatures

Octo
Tags: banker trojan infostealer rat octo

Octo payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher
Tags: stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar
Tags: evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.cartenmw/cache/hubtrtje | N/A | N/A
N/A | /data/user/0/com.cartenmw/cache/hubtrtje | N/A | N/A

Makes use of the framework's Accessibility service
Tags: collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Acquires the wake lock
Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service
Tags: evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user
Tags: evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)
Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)
Tags: discovery

Reads information about phone network operator.
Tags: discovery

Requests accessing notifications (often used to intercept notifications before users become aware).
Tags: collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).
Tags: evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.
Tags: evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.cartenmw

Network


Files

/data/data/com.cartenmw/cache/hubtrtje

/data/data/com.cartenmw/kl.txt (five distinct versions listed)

/data/data/com.cartenmw/cache/oat/hubtrtje.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-22 22:00
Reported: 2024-07-22 22:03
Platform: android-33-x64-arm64-20240624-en
Max time kernel: 179s
Max time network: 180s

Command Line

com.cartenmw

Signatures

Octo
Tags: banker trojan infostealer rat octo

Octo payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar
Tags: evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.cartenmw/cache/hubtrtje | N/A | N/A

Makes use of the framework's Accessibility service
Tags: collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Acquires the wake lock
Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service
Tags: evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user
Tags: evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)
Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.
Tags: discovery

Requests accessing notifications (often used to intercept notifications before users become aware).
Tags: collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).
Tags: evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.
Tags: evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.cartenmw

Network


Files

/data/data/com.cartenmw/cache/hubtrtje

/data/data/com.cartenmw/kl.txt (five distinct versions listed)

/data/data/com.cartenmw/cache/oat/hubtrtje.cur.prof

/data/data/com.cartenmw/.qcom.cartenmw