Malware Analysis Report

2024-09-09 13:51

Sample ID 240722-1wyswa1cpp
Target 201c8ad3e26eaf5232a20abf13591574f828b0f2120465c7ff592f7772fe7b4a.bin
SHA256 201c8ad3e26eaf5232a20abf13591574f828b0f2120465c7ff592f7772fe7b4a
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

201c8ad3e26eaf5232a20abf13591574f828b0f2120465c7ff592f7772fe7b4a

Threat Level: Known bad

The file 201c8ad3e26eaf5232a20abf13591574f828b0f2120465c7ff592f7772fe7b4a.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Performs UI accessibility actions on behalf of the user

Makes use of the framework's foreground persistence service

Requests accessing notifications (often used to intercept notifications before users become aware)

Queries the mobile country code (MCC)

Reads information about phone network operator

Requests disabling of battery optimizations (often used to enable hiding in the background)

Declares broadcast receivers with permission to handle system events

Requests modifying system settings

Declares services with permission to bind to the system

Acquires the wake lock

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-22 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-22 22:00

Reported

2024-07-22 22:06

Platform

android-x86-arm-20240624-en

Max time kernel

37s

Max time network

142s

Command Line

com.thoughtgo8

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.thoughtgo8/cache/eamujbfceu N/A N/A
N/A /data/user/0/com.thoughtgo8/cache/eamujbfceu N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Requests accessing notifications (often used to intercept notifications before users become aware)

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background)

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.thoughtgo8

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 hava540derece.com udp
US 1.1.1.1:53 selamcanoonaber.site udp
US 1.1.1.1:53 sicakdanbeynimyandii2.com udp
US 1.1.1.1:53 sicaktanbayilcam52.com udp
US 1.1.1.1:53 cehennemdirloo34.com udp
US 1.1.1.1:53 otururkenterliyorum42.com udp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 216.58.213.10:443 semanticlocation-pa.googleapis.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp

Files

/data/data/com.thoughtgo8/cache/eamujbfceu

MD5 9f8a6069eedfd51cbac793a29d6f04c0
SHA1 222f4a21483df1780dc84e11e222456820949685
SHA256 153527a2ca06ef6379341484beb4383149bdcde92926828bfaa1e8396d3c13cb
SHA512 0fe75adbe2d120e84e453447d09d90b4fc0e57043c459b21191087d1ff66b65993ba7c8a4ffecd0b0fe9de67cd29f2bd1c5fccbe9a626b95fab35ff0eee79389

/data/data/com.thoughtgo8/kl.txt

MD5 169934240b7cf9729a963645f747160d
SHA1 eb648317dd536bd9b4e720ec3d6b02114ef2e3c1
SHA256 5a76e63afcd4125574b6005ca7c0e544439941cfa1a40821d2adadbfbc9f23cb
SHA512 d4bf68872c47f9c035676e5a00a8ed586d5db5e4c833a0b4258c8aa448ba1bdd70f7ff16cc2ff618a8ad27271ef7d5d084f98c34ded5f7101554464440086e6a

/data/data/com.thoughtgo8/kl.txt

MD5 3e9a4d0aa27337da05a6bcb135912c03
SHA1 118322fe197b547dade52d89c86be23411483f8d
SHA256 c34a50c50bbd5af7d521d0b88dd63bb87578a111a9e315b52d76c29314274ea0
SHA512 fa4b4b01703709ffb5a2be466ed43ba71bffec694ff416d161ce73ed3b1bddc47cab862bae634e37cfb1968e3f17a1f91017911d14e862f33303a8714a79f373

/data/data/com.thoughtgo8/kl.txt

MD5 39af6870c81bece0d27f1f2033cb4817
SHA1 bdcbc98548b41719dbe0ed9b3f5712b6c97b8de8
SHA256 e44a525b21bd973e6d6c37139b5b71ea5179f9fb9996f8ebfa1135ae6325f3b7
SHA512 eda7dc7d500d804886d1d5ffcf20cc1535af7376cce34ec1d07183efe1df0c98790fff623a66815031df3976c31d37fdde3327dfee49db32ce1841adc6d89066

/data/data/com.thoughtgo8/kl.txt

MD5 abb4f200be444caa208f5fc636482440
SHA1 1a99dd0c9b5c1241b9d48ebedaaa4f042cdde45e
SHA256 c9209daeedc086664cb24cba8747cdbbe1167a2de418716af374b9ff91cf8e0d
SHA512 3bc03d94782c1a626aa5286ffb86b197cb5881688586846746de52b28676076e1efe15684b36eabe45f9f0064ae5fe317341b6d62520982cb288aa4f39027b19

/data/data/com.thoughtgo8/kl.txt

MD5 72bcad49b5811dea04966a8bdcee9d0e
SHA1 d305bea5ba74ae9be8e6ab5b31b4a9164f52c326
SHA256 604284dbdc67cc9788619e23c77b82196597e921b0348daf5b035c367b4f92f0
SHA512 ed89791d73da70e603a166eb7153c3d443cadfa918b5e535e21dea12ad2ca9024949ed9a815830871bcdd0b4386bce12d5b5d045d3012bec02bd96060f80c1f4

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-22 22:00

Reported

2024-07-22 22:06

Platform

android-x64-arm64-20240624-en

Max time kernel

179s

Max time network

140s

Command Line

com.thoughtgo8

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.thoughtgo8/cache/eamujbfceu N/A N/A
N/A /data/user/0/com.thoughtgo8/cache/eamujbfceu N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator

discovery

Requests accessing notifications (often used to intercept notifications before users become aware)

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background)

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Uses Crypto APIs (might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.thoughtgo8

Network

Country Destination Domain Proto
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
N/A 224.0.0.251:5353 udp
GB 172.217.169.74:443 tcp
GB 172.217.169.74:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 otururkenterliyorum42.com udp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
US 1.1.1.1:53 selamcanoonaber.site udp
US 1.1.1.1:53 sicaktanbayilcam52.com udp
US 1.1.1.1:53 sicakdanbeynimyandii2.com udp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp

Files

/data/data/com.thoughtgo8/cache/eamujbfceu

MD5 9f8a6069eedfd51cbac793a29d6f04c0
SHA1 222f4a21483df1780dc84e11e222456820949685
SHA256 153527a2ca06ef6379341484beb4383149bdcde92926828bfaa1e8396d3c13cb
SHA512 0fe75adbe2d120e84e453447d09d90b4fc0e57043c459b21191087d1ff66b65993ba7c8a4ffecd0b0fe9de67cd29f2bd1c5fccbe9a626b95fab35ff0eee79389

/data/data/com.thoughtgo8/kl.txt

MD5 9635b5635d86b79a08cdfa1537e1d25f
SHA1 37d258e9877c522279cc09d178d4309f35d11097
SHA256 e145b73467d3f95cd91bf033ad1d4f9c5e65a0e32dee34ae472bd56288188411
SHA512 fdd75615d1f7106e8469adb8e11447741f3ecf0a09a4c4f59968904c2b0d546daefa45cb98a5ba28b8d0f8f56ab9b6050d28ee90fdd124f49bba64a9872b7552

/data/data/com.thoughtgo8/kl.txt

MD5 40a94e60038198ab20eb7e8df83c8714
SHA1 69f89719ff8f3c89b4b3a5a5f1536ef9084409ed
SHA256 413e3c7758fc0997f07c6ee38b7f9367703b9b04c1b55ad5a6092e7623aee717
SHA512 7d32c3f23080e9df731de2503cc56a1bf155e53a1182941e8c7acc9aab4dab1527ac555689f655ac3758b63be80bb4701790cdb7dd4aee912eb32fac4a835283

/data/data/com.thoughtgo8/kl.txt

MD5 d177a14ace587791bf4ac3e6e5ff32bf
SHA1 30133432791dff0c7e1dc74f6ef89dc0419b16fa
SHA256 0d04c6cff14c1a656c31eabcf7ab6a4c917596e750fd70d53921c9faf6b2b382
SHA512 d1da21e480039a4b062eb9007cfdf39421e62a1c41cd8486fe2a2e3faadf0392d4e3e1a74af3aa4d307a4af72bfd3b20adab92a9400e9a1d1a73f500728e69f8

/data/data/com.thoughtgo8/kl.txt

MD5 9f1fcde4e9c07e1ef9ed6071a926bb06
SHA1 0b109ed988f3ce3e76cba1192341526969ee5d75
SHA256 7b3107b08c71c6be516910cf32f71510b97caa0c33610a55222b97b2cb61b297
SHA512 af6dde9415c5e603b3cc8af7dd59c72c942e9a90d34ac6228d11e81b6e853eeb0834c5d7de5e29bc8bd2981a23863ad1e063848ba719a19a8e8593d50443641e

/data/data/com.thoughtgo8/kl.txt

MD5 264d80035a0417f5082408ccbbdccfc4
SHA1 65e54dcca78af54ad44defd438a66e9f5e438662
SHA256 513fc71a282bd335983588346892530328f5b07b68b6486498b572e196eb180c
SHA512 127143ab928650c1e3cd077783f2a7ca50b9c204e7491b856e617611985cac23101f5d3f7ddf82f1d5a5732899bc528d39f33b09461e6a4fac32185a726c35ee

/data/data/com.thoughtgo8/cache/oat/eamujbfceu.cur.prof

MD5 4ba40c8b6fcb44aff4e73adbaca6280e
SHA1 34d19e3676bc06bebbfe1be9ce8956a74c6e970b
SHA256 60dd7e3a0a20f0f51755282702da47b2b3fcec1eb3fe2d5c2c32d77d86cf28f1
SHA512 ceec362cab5472b0e1e3ee1a8ef1db285076db42417bb363fc2d9e324f072c36fc3473fd447c9bf31eb6635e87aa13771ca40660934c6aa1df6c3251851aafa6

/data/data/com.thoughtgo8/.qcom.thoughtgo8

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c