Malware Analysis Report

2024-09-09 13:51

Sample ID 240722-1xkbwazhkc
Target dc7ced6d5e6fa248ed2409f188956cc8fcf920300f1ab6b3402ddd2b58e49efb.bin
SHA256 dc7ced6d5e6fa248ed2409f188956cc8fcf920300f1ab6b3402ddd2b58e49efb
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10


Analysis Overview


Threat Level: Known bad

The file dc7ced6d5e6fa248ed2409f188956cc8fcf920300f1ab6b3402ddd2b58e49efb.bin was found to be: Known bad.

Malicious Activity Summary


Octo

Octo payload

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator.

Performs UI accessibility actions on behalf of the user

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests modifying system settings.

Declares services with permission to bind to the system

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Makes use of the framework's foreground persistence service

Requests accessing notifications (often used to intercept notifications before users become aware).

Acquires the wake lock

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-22 22:01

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-22 22:01

Reported

2024-07-22 22:09

Platform

android-x86-arm-20240624-en

Max time kernel

172s

Max time network

148s

Command Line

com.sittimeok

Signatures

Octo

banker trojan infostealer rat octo

Octo payload


Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.sittimeok/cache/wzwhjihbarcsmac | N/A | N/A
N/A | /data/user/0/com.sittimeok/cache/wzwhjihbarcsmac | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.sittimeok

Network

Country | Destination | Domain | Proto
GB | 142.250.180.10:443 | - | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | cehennemdirloo34.com | udp
US | 1.1.1.1:53 | selamcanoonaber.site | udp
US | 1.1.1.1:53 | sicakdanbeynimyandii2.com | udp
US | 1.1.1.1:53 | hava540derece.com | udp
US | 1.1.1.1:53 | sicaktanbayilcam52.com | udp
US | 1.1.1.1:53 | otururkenterliyorum42.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
GB | 216.58.201.110:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp

Files

/data/data/com.sittimeok/cache/wzwhjihbarcsmac


/data/data/com.sittimeok/kl.txt


/data/data/com.sittimeok/kl.txt


/data/data/com.sittimeok/kl.txt


/data/data/com.sittimeok/kl.txt


/data/data/com.sittimeok/kl.txt


/data/data/com.sittimeok/cache/oat/wzwhjihbarcsmac.cur.prof


/data/data/com.sittimeok/.qcom.sittimeok


Analysis: behavioral2

Detonation Overview

Submitted

2024-07-22 22:01

Reported

2024-07-22 22:09

Platform

android-x64-20240624-en

Max time kernel

172s

Max time network

149s

Command Line

com.sittimeok

Signatures

Octo

banker trojan infostealer rat octo

Octo payload


Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.sittimeok/cache/wzwhjihbarcsmac | N/A | N/A
N/A | /data/user/0/com.sittimeok/cache/wzwhjihbarcsmac | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.sittimeok

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 1.1.1.1:53 | selamcanoonaber.site | udp
US | 1.1.1.1:53 | cehennemdirloo34.com | udp
US | 1.1.1.1:53 | otururkenterliyorum42.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.238:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | hava540derece.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | otururkenterliyorum42.com | udp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
GB | 142.250.179.228:443 | - | tcp
GB | 142.250.179.228:443 | - | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | otururkenterliyorum42.com | tcp

Files

/data/data/com.sittimeok/cache/wzwhjihbarcsmac


/data/data/com.sittimeok/kl.txt


/data/data/com.sittimeok/kl.txt


/data/data/com.sittimeok/kl.txt


/data/data/com.sittimeok/kl.txt


/data/data/com.sittimeok/kl.txt


/data/data/com.sittimeok/cache/oat/wzwhjihbarcsmac.cur.prof


/data/data/com.sittimeok/.qcom.sittimeok
