Malware Analysis Report

2024-09-09 13:49

Sample ID 240722-1xd5vszhjc
Target 4a8f1d55f1bae3d35766899dd6fd7507f2810793567e8052b6faee63b5569936.bin
SHA256 4a8f1d55f1bae3d35766899dd6fd7507f2810793567e8052b6faee63b5569936
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4a8f1d55f1bae3d35766899dd6fd7507f2810793567e8052b6faee63b5569936

Threat Level: Known bad

The file 4a8f1d55f1bae3d35766899dd6fd7507f2810793567e8052b6faee63b5569936.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Performs UI accessibility actions on behalf of the user

Requests disabling of battery optimizations (often used to enable hiding in the background).

Makes use of the framework's foreground persistence service

Reads information about phone network operator.

Acquires the wake lock

Requests modifying system settings.

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Declares services with permission to bind to the system

Requests accessing notifications (often used to intercept notifications before users become aware).

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-22 22:01

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-22 22:01

Reported

2024-07-22 22:09

Platform

android-x86-arm-20240624-en

Max time kernel

32s

Max time network

138s

Command Line

com.sittimeok

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.sittimeok/cache/wzwhjihbarcsmac N/A N/A
N/A /data/user/0/com.sittimeok/cache/wzwhjihbarcsmac N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.sittimeok

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 sicakdanbeynimyandii2.com udp
US 1.1.1.1:53 cehennemdirloo34.com udp
US 1.1.1.1:53 sicaktanbayilcam52.com udp
US 1.1.1.1:53 otururkenterliyorum42.com udp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
GB 216.58.201.106:443 semanticlocation-pa.googleapis.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp

Files

/data/data/com.sittimeok/cache/wzwhjihbarcsmac

MD5 77b539739727e2901d3c700dcd1e949a
SHA1 a7a4eda43acc667a5175fe37a18a0a3d08ac7ab5
SHA256 883a898b2b24a9072b529f878eaccbeed7c005ee89123378857618f2af267fa5
SHA512 c188525efb6df631a6ee931f82366e84b86687613102032945b08de504b6eca0d448eab68a1b7ca51a170c7f1d05a648a8ef2ae1a9bec0e7aaeb58360580d1c7

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-22 22:01

Reported

2024-07-22 22:09

Platform

android-x64-arm64-20240624-en

Max time kernel

170s

Max time network

150s

Command Line

com.sittimeok

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.sittimeok/cache/wzwhjihbarcsmac N/A N/A
N/A /data/user/0/com.sittimeok/cache/wzwhjihbarcsmac N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.sittimeok

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.179.238:443 tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 sicakdanbeynimyandii2.com udp
US 1.1.1.1:53 hava540derece.com udp
US 1.1.1.1:53 selamcanoonaber.site udp
US 1.1.1.1:53 cehennemdirloo34.com udp
US 1.1.1.1:53 sicaktanbayilcam52.com udp
US 1.1.1.1:53 otururkenterliyorum42.com udp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 otururkenterliyorum42.com tcp

Files

/data/data/com.sittimeok/cache/wzwhjihbarcsmac

MD5 77b539739727e2901d3c700dcd1e949a
SHA1 a7a4eda43acc667a5175fe37a18a0a3d08ac7ab5
SHA256 883a898b2b24a9072b529f878eaccbeed7c005ee89123378857618f2af267fa5
SHA512 c188525efb6df631a6ee931f82366e84b86687613102032945b08de504b6eca0d448eab68a1b7ca51a170c7f1d05a648a8ef2ae1a9bec0e7aaeb58360580d1c7

/data/data/com.sittimeok/kl.txt

MD5 50d9e225c66e9328fc0f7b03d2c7d820
SHA1 844a92f77b07bcb9d630f53762b1add22c3a28ca
SHA256 aa14b84dddca7e314028ec4980d31138526a42db98a31565a57b3d406cb1b43c
SHA512 49de0513b5971a7ef9dfb306126c56fe05efbb4cccbb5751c43a640d2e558896fa1ac353f542c83285f4870627f6dc940b5d0b0274a6ad1c1e74492455b6d2eb

/data/data/com.sittimeok/kl.txt

MD5 b16f9237c80dadde455f53458e23434f
SHA1 14710e8e6250cab7602b15e878b8b3aa881cad45
SHA256 00700d6aa274def61151589aed8e9fe6e86057664a05bcf2a33f829908b7e874
SHA512 79180ccd9ffeddfab21dcee5cc1da0f9a4bbd481778b7aa2b0e2e193bf72a3e350a34b31561cad2d264947851eddbc303db89537eec2164fa9ace05ee1b1ccb9

/data/data/com.sittimeok/kl.txt

MD5 eda972ea79c066044fb4982d3f0c3ed6
SHA1 08715491ed6b0c918750a80afd13b402dc2cbeb3
SHA256 6de4514172e28bba3b42ad084f1d07403acf8f8cb3720e9b75d6c0066c11be8e
SHA512 5d9fede962583bb1cb62c5f0b6b5cc227be90adddc5b926129680ddefe602f9aefbac3529b6a037a9ec2e9cec70db5fadbd76843f98f51bb14a2250a927b59a5

/data/data/com.sittimeok/kl.txt

MD5 1df874d5b1b6428412455a68cfa189ad
SHA1 a59674ce039add8bd1b754cf022714ea67e3a4a5
SHA256 dfb7bfed83869e156eec4afa65f047bb0ae3ac92475c61dc405858a318f8cefb
SHA512 785611c54228e1e7e7e20a091635dd4a4b143e89f3524de6b0fdf5627fb1bbc2e8590bdc5ad32f7e49c16c270195fb6641a7f87fec146b55f083fc45e2d5c041

/data/data/com.sittimeok/kl.txt

MD5 1acf2c4f0d159425fd3a87b8ac83f04a
SHA1 b44958b03b14733fb5f9cf903796a864c000bede
SHA256 a2ba77ec754a8bc9579e8f89840b0559caa89cfacfe7704bdcce5bce7352f484
SHA512 74db3fc4eed29a237a72e81d47e007deda5a142e03265c1ff0e3f77e737053d7967e4402de0b1407e07507afa64cb6752c656f53ef5bb4c1a04d714a9d8aa916

/data/data/com.sittimeok/cache/oat/wzwhjihbarcsmac.cur.prof

MD5 dae42a8941835563c2c76e691a6087ca
SHA1 433919fa5e7d21faf637bbc3e71203870f35b46a
SHA256 63c93ccbceef10134d062e76174c1b5470006e96fba0e478188fd296291b03fb
SHA512 e3686351fa73ab680674e935f20ac0e99f4cc232a5d5b6f14426b6cf862f230c1d9b8e165c6b4016faf418c226816e4664f153f8c6a2486f9caab733ff62079b

/data/data/com.sittimeok/.qcom.sittimeok

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c