Malware Analysis Report

2024-10-19 12:59

Sample ID 240823-1w8m3s1fpn
Target 3d322a68b974d5bf10752b01a0b7bdf3261db2bc3beb0d6a5d4f86b56afbc18a.bin
SHA256 3d322a68b974d5bf10752b01a0b7bdf3261db2bc3beb0d6a5d4f86b56afbc18a
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Analysis Overview

score
10/10

SHA256

3d322a68b974d5bf10752b01a0b7bdf3261db2bc3beb0d6a5d4f86b56afbc18a

Threat Level: Known bad

The file 3d322a68b974d5bf10752b01a0b7bdf3261db2bc3beb0d6a5d4f86b56afbc18a.bin was found to be: Known bad.

Malicious Activity Summary

Octo

Octo payload

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the unique device ID (IMEI, MEID, IMSI)

Queries the mobile country code (MCC)

Reads information about phone network operator.

Requests modifying system settings.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests dangerous framework permissions

Declares services with permission to bind to the system

Performs UI accessibility actions on behalf of the user

Requests accessing notifications (often used to intercept notifications before users become aware).

Acquires the wake lock

Makes use of the framework's foreground persistence service

Declares broadcast receivers with permission to handle system events

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Analysis: static1

Detonation Overview

Reported

2024-08-23 22:01

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-23 22:01

Reported

2024-08-23 22:09

Platform

android-x86-arm-20240624-en

Max time kernel

48s

Max time network

142s

Command Line

com.driveseemkc

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.driveseemkc/cache/cxkoafug N/A N/A
N/A /data/user/0/com.driveseemkc/cache/cxkoafug N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.driveseemkc

Network


Files

/data/data/com.driveseemkc/cache/cxkoafug

/data/data/com.driveseemkc/kl.txt (three successive versions captured)

/data/data/com.driveseemkc/cache/oat/cxkoafug.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-23 22:01

Reported

2024-08-23 22:09

Platform

android-33-x64-arm64-20240624-en

Max time kernel

178s

Max time network

153s

Command Line

com.driveseemkc

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.driveseemkc/cache/cxkoafug N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.driveseemkc

Network


Files

/data/data/com.driveseemkc/cache/cxkoafug

/data/data/com.driveseemkc/cache/oat/cxkoafug.cur.prof

/data/data/com.driveseemkc/.qcom.driveseemkc