Malware Analysis Report

2024-09-09 13:50

Sample ID 240724-dm1vjsvdqk
Target ca3da13d69ce07ed9b31314f2404f9c6a2235067406b545d7b00517258cee9d6.apk
SHA256 ca3da13d69ce07ed9b31314f2404f9c6a2235067406b545d7b00517258cee9d6
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ca3da13d69ce07ed9b31314f2404f9c6a2235067406b545d7b00517258cee9d6

Threat Level: Known bad

The file ca3da13d69ce07ed9b31314f2404f9c6a2235067406b545d7b00517258cee9d6.apk was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests modifying system settings.

Declares services with permission to bind to the system

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Requests accessing notifications (often used to intercept notifications before users become aware).

Queries the mobile country code (MCC)

Reads information about the phone network operator.

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-24 03:08

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-24 03:08

Reported

2024-07-24 03:11

Platform

android-x86-arm-20240624-en

Max time kernel

178s

Max time network

135s

Command Line

com.atlotzowj

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.atlotzowj/cache/tqampnkfskbkj | N/A | N/A
N/A | /data/user/0/com.atlotzowj/cache/tqampnkfskbkj | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about the phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.atlotzowj

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-07-24 03:08

Reported

2024-07-24 03:11

Platform

android-x64-arm64-20240624-en

Max time kernel

178s

Max time network

147s

Command Line

com.atlotzowj

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.atlotzowj/cache/tqampnkfskbkj | N/A | N/A
N/A | /data/user/0/com.atlotzowj/cache/tqampnkfskbkj | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.atlotzowj

Network


Files
