Malware Analysis Report

2024-10-19 12:58

Sample ID 240824-1wm2dasapa
Target 12268135f55631a1888c59f5388b4d16d146dff38bcc25f96750969955cceac4.bin
SHA256 12268135f55631a1888c59f5388b4d16d146dff38bcc25f96750969955cceac4
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth
score
10/10

Analysis Overview

score
10/10

SHA256

12268135f55631a1888c59f5388b4d16d146dff38bcc25f96750969955cceac4

Threat Level: Known bad

The file 12268135f55631a1888c59f5388b4d16d146dff38bcc25f96750969955cceac4.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth

Octo

Octo payload

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Declares services with permission to bind to the system

Acquires the wake lock

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Declares broadcast receivers with permission to handle system events

Requests accessing notifications (often used to intercept notifications before users become aware).

Requests modifying system settings.

Performs UI accessibility actions on behalf of the user

Reads information about phone network operator.

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Makes use of the framework's foreground persistence service

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Analysis: static1

Detonation Overview

Reported

2024-08-24 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Indicator: android.permission.BIND_DEVICE_ADMIN
  Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

Indicator: android.permission.BIND_ACCESSIBILITY_SERVICE
  Required by accessibility services to bind with the system. Allows apps to access accessibility features.
Indicator: android.permission.BIND_NOTIFICATION_LISTENER_SERVICE
  Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.

Requests dangerous framework permissions

android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
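The static1 tables above are a manifest-level profile: three BIND_* permissions the app declares on its own components (so the system will bind an accessibility service, a notification listener and a device admin receiver) plus SMS, call and settings permissions it requests. The following Python script is an added example, not part of the report or the sandbox's own logic: it applies that profile to a decoded AndroidManifest.xml, keeping requested permissions (<uses-permission>) apart from declared BIND_* permissions, and flags the accessibility-plus-SMS-or-notification-listener combination. The flagging rule is a hypothetical triage heuristic, and the component names in the constructed sample manifest are placeholders (the report does not list the real ones); the permission names are exactly those in the tables.

```python
"""Triage a decoded AndroidManifest.xml for the permission profile in static1.

Added example; not the sandbox's own logic. The banker_profile rule is a
hypothetical heuristic: an accessibility service bound by the system, combined
with SMS access or a notification listener.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permission names exactly as listed in the static1 signature tables.
SMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
       "android.permission.SEND_SMS"}
DANGEROUS = SMS | {"android.permission.WRITE_EXTERNAL_STORAGE",
                   "android.permission.READ_EXTERNAL_STORAGE",
                   "android.permission.CALL_PHONE",
                   "android.permission.WRITE_SETTINGS",
                   "android.permission.READ_PHONE_STATE"}
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BIND_NOTIF = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
BIND_ADMIN = "android.permission.BIND_DEVICE_ADMIN"


def triage_manifest(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    # Install/runtime permissions the app asks for.
    requested = {e.get(A_NAME) for e in root.iter("uses-permission")} - {None}
    # BIND_* permissions are never requested; the app declares them on the
    # <service>/<receiver> that the system binds to. That declaration is what
    # advertises an accessibility service, notification listener or admin receiver.
    bound = set()
    for tag in ("service", "receiver"):
        bound |= {e.get(A_PERMISSION) for e in root.iter(tag)}
    bound.discard(None)

    findings = []
    if BIND_A11Y in bound:
        findings.append("accessibility service")
    if BIND_NOTIF in bound:
        findings.append("notification listener")
    if BIND_ADMIN in bound:
        findings.append("device admin receiver")
    if requested & SMS:
        findings.append("SMS read/receive/send")
    banker_profile = BIND_A11Y in bound and (bool(requested & SMS) or BIND_NOTIF in bound)
    return {"dangerous": sorted(requested & DANGEROUS),
            "findings": findings, "banker_profile": banker_profile}


# Constructed manifest: the permissions from static1 with placeholder component
# names (the real component names are not in the report).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.tryfish79">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="placeholder">
    <service android:name=".PlaceholderA11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".PlaceholderNotificationListener"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".PlaceholderAdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# Constructed benign manifest for contrast: network access and an ordinary service.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".SyncService"/></application>
</manifest>
"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print(triage_manifest(BENIGN_MANIFEST))
```

Run against a manifest decoded with apktool or aapt2 rather than the binary AXML inside the APK. Declaring the BIND_* permissions only advertises the components; on Android 13 and later, restricted settings stop a sideloaded app from being granted accessibility or notification-listener access until the user clears the block in the app's settings page, which is why the settings intents recorded in behavioral1 (ACTION_NOTIFICATION_LISTENER_SETTINGS, REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, MANAGE_WRITE_SETTINGS) matter alongside the manifest.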

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-24 22:00

Reported

2024-08-24 22:03

Platform

android-x64-20240624-en

Max time kernel

45s

Max time network

157s

Command Line

com.tryfish79

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

No indicator, process or target details were recorded for this signature.

Loads dropped Dex/Jar

evasion
Indicator (loaded twice): /data/user/0/com.tryfish79/cache/vchyoxqxodfbcts
  /data/user/0/<package> is the same directory as /data/data/<package>, so this is the file hashed under Files below (SHA256 e56db52d2e8f6df7b8650ee558741e7d08d65c18b8edfdd5f2d79d97d750be0d).

Makes use of the framework's Accessibility service

collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service

evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user

evasion
Indicator (4 calls): android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction

Queries the mobile country code (MCC)

discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call: android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)

impact
Framework API call: javax.crypto.Cipher.doFinal
  The impact tag is a heuristic. A Cipher.doFinal call shows only that the sample encrypts or decrypts something; it does not distinguish user data from the sample's own configuration or C2 traffic.

Processes

com.tryfish79

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 havacerinlii34.com udp
US 1.1.1.1:53 hava540derece.com udp
US 74.119.239.234:443 hava540derece.com tcp
US 1.1.1.1:53 sicaklarbittikurtldk6215.com udp
US 1.1.1.1:53 sicaktanbayilcam52.com udp
US 1.1.1.1:53 robetcotraslros5234.com udp
US 1.1.1.1:53 sicakdanbeynimyandii2.com udp
US 1.1.1.1:53 selamcanoonaber.site udp
US 1.1.1.1:53 havasarinliyorla234.com udp
US 1.1.1.1:53 slmla6242nbr.com udp
RU 193.143.1.24:443 slmla6242nbr.com tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
GB 172.217.16.238:443 tcp
GB 216.58.204.66:443 tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp

Files

/data/data/com.tryfish79/cache/vchyoxqxodfbcts

MD5 bb440973066aacd08956f1559668cd40
SHA1 33eb86483c38a4dc198bc19c5d6d74fa3d97823f
SHA256 e56db52d2e8f6df7b8650ee558741e7d08d65c18b8edfdd5f2d79d97d750be0d
SHA512 d8599e22b651cdb41784bdbb3079c57ecdd712642c613fad890893d2e18f98ae0dba382c2daee552431f312ae532bb1f5556a4ec43fdf2d226b894fe0749265e

/data/data/com.tryfish79/kl.txt

MD5 e51423d33ab15c6cde6e1577e5195c89
SHA1 74f905973a688a796eb3d530cb80907eaa1528ab
SHA256 7d14a14c1dbfce2c837ae3ff8ece9c0fe64eecf129ba287ba09eda40c9dc63d8
SHA512 49d4b5eab23b7f72c7575b95af4091d26f1f6f6a3db1e45a1a1d08c963fbc6491cf886ab7e608e6efcb292753ea080b149e27d6cac886cb095e8b666a1aa9453

/data/data/com.tryfish79/kl.txt

MD5 84dda2a712cd16230a601ab1ab6ea10f
SHA1 d6711e908ff352bbd6bb9a6edf54808f04e30ffe
SHA256 92801510b07fbc98d078b6b0fd435474aa73e73cf9ded641ecf28720438a0078
SHA512 829825e9f9ad6da8ac1a8311c4c23abf32299c24a54017b8f608c6179cb96c77dea9a7d6b4f6beab8d7faa3ba4ab782e32d1d81802673c7cd241ddde89554bf1

/data/data/com.tryfish79/kl.txt

MD5 bd0ef9f09ec58966ef4690ef4785e740
SHA1 c8c47048d7d66555384d5169429eb5a725636ea4
SHA256 fe25bf8bc5ee9fed78612def67255853cbb5953d919517c7e3095949f1a18e08
SHA512 1a247776b3e9c886a8eb89424902bc3e14f0ea65fbd801b505f3ceb8efc806ac83f7a570cb0b830a3d45a77b3120c49d483de2138201f129fa5f0a09e5730689

/data/data/com.tryfish79/kl.txt

MD5 4e4dec11ead04668f1bd228d1bb1f600
SHA1 05e93ae086e64ce20b67d729a8c1e64549570748
SHA256 c8dd115144189305df6fdaa313b1c0fad76f4715314d28c8682bba8a9ee1b7aa
SHA512 b83319c40883eb165e7ed2de88ebf0cb56c4efe70d4758054decd32f37b34fd6940e5ea5ef1149576fb3862f70aadee854a9db3ff8e0d529d43b61d9e4305635

/data/data/com.tryfish79/cache/oat/vchyoxqxodfbcts.cur.prof (ART runtime profile for the dropped file above; the runtime maintains it for dex files loaded through a class loader, which corroborates the Loads dropped Dex/Jar signature)

MD5 f3d1992f140fab124a0229e10b9d4281
SHA1 acbeabba360b7687ce9f1c050e39b29c3ae9a427
SHA256 7dcc48d1983d351b6edeec6999d84bc7451276bafaa58671107153b54231c61a
SHA512 fec3fa978eba42510dad36955602a032ddbfac140719cb9ecc3770c476dfd929b7d205aacad22219f97ddb98f83264c89dfa9ce7617d2f0b81e5fca91b6f3ec9

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-24 22:00

Reported

2024-08-24 22:03

Platform

android-x86-arm-20240624-en

Max time kernel

44s

Max time network

166s

Command Line

com.tryfish79

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

No indicator, process or target details were recorded for this signature.

Removes its main activity from the application launcher

stealth trojan evasion
No indicator, process or target details were recorded for this signature.

Loads dropped Dex/Jar

evasion
Indicator (loaded twice): /data/user/0/com.tryfish79/cache/vchyoxqxodfbcts
  /data/user/0/<package> is the same directory as /data/data/<package>, so this is the file hashed under Files below.

Makes use of the framework's Accessibility service

collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service

evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user

evasion
Indicator (4 calls): android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction

Queries the mobile country code (MCC)

discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Requests accessing notifications (often used to intercept notifications before users become aware)

collection credential_access
Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS

Requests disabling of battery optimizations (often used to enable hiding in the background)

evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Requests modifying system settings

evasion
Intent action: android.settings.action.MANAGE_WRITE_SETTINGS

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call: android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)

impact
Framework API call: javax.crypto.Cipher.doFinal
  The impact tag is a heuristic. A Cipher.doFinal call shows only that the sample encrypts or decrypts something; it does not distinguish user data from the sample's own configuration or C2 traffic.

Processes

com.tryfish79

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 sicaklarbittikurtldk6215.com udp
US 1.1.1.1:53 selamcanoonaber.site udp
US 1.1.1.1:53 otururkenterliyorum42.com udp
US 1.1.1.1:53 pikniktupu2534.com udp
US 1.1.1.1:53 sicaktanbayilcam52.com udp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 havasarinliyorla234.com udp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
US 1.1.1.1:53 hava540derece.com udp
US 1.1.1.1:53 cehennemdirloo34.com udp
US 74.119.239.234:443 hava540derece.com tcp
US 1.1.1.1:53 sicakdanbeynimyandii2.com udp
US 1.1.1.1:53 robetcotraslros5234.com udp
US 1.1.1.1:53 havacerinlii34.com udp
US 74.119.239.234:443 hava540derece.com tcp
US 74.119.239.234:443 hava540derece.com tcp
US 1.1.1.1:53 slmla6242nbr.com udp
RU 193.143.1.24:443 slmla6242nbr.com tcp
US 74.119.239.234:443 hava540derece.com tcp
US 74.119.239.234:443 hava540derece.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
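The Network tables of both runs (behavioral2 earlier and behavioral1 above) mix the sample's traffic with Android emulator background traffic, and list DNS lookups beside the TCP connections that actually followed them; rows whose Domain column was empty are also narrower than the rest. The Python below is an added example, not part of the report: it parses the behavioral1 table verbatim, sets aside the resolver, mDNS and Google noise, and separates the hosts the sample connected to from names it only resolved. The benign Google hostnames are ones the report itself resolves; treating the bare 142.250.x, 172.217.x and 216.58.x destinations as Google infrastructure is an assumption. The same function applies unchanged to the behavioral2 table.

```python
"""Triage the flattened Network table of this report into IOC buckets.

Added example, not part of the sandbox report. Rows below are copied verbatim
from the behavioral1 Network table ("Country Destination Domain Proto").
"""
from __future__ import annotations
from collections import Counter, defaultdict

BEHAVIORAL1_NETWORK = """\
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 sicaklarbittikurtldk6215.com udp
US 1.1.1.1:53 selamcanoonaber.site udp
US 1.1.1.1:53 otururkenterliyorum42.com udp
US 1.1.1.1:53 pikniktupu2534.com udp
US 1.1.1.1:53 sicaktanbayilcam52.com udp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 havasarinliyorla234.com udp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
US 1.1.1.1:53 hava540derece.com udp
US 1.1.1.1:53 cehennemdirloo34.com udp
US 74.119.239.234:443 hava540derece.com tcp
US 1.1.1.1:53 sicakdanbeynimyandii2.com udp
US 1.1.1.1:53 robetcotraslros5234.com udp
US 1.1.1.1:53 havacerinlii34.com udp
US 74.119.239.234:443 hava540derece.com tcp
US 74.119.239.234:443 hava540derece.com tcp
US 1.1.1.1:53 slmla6242nbr.com udp
RU 193.143.1.24:443 slmla6242nbr.com tcp
US 74.119.239.234:443 hava540derece.com tcp
US 74.119.239.234:443 hava540derece.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
"""

# Emulator background traffic. The hostnames are ones this report resolves
# itself; the bare IP prefixes are an ASSUMPTION (Google ranges matching the
# addresses the report resolved for *.google.com).
BENIGN_SUFFIXES = (".google.com", ".googleapis.com", ".google-analytics.com")
BENIGN_IP_PREFIXES = ("142.250.", "172.217.", "216.58.")
MDNS, RESOLVER = "224.0.0.251", "1.1.1.1"


def parse_rows(table: str) -> list[dict]:
    """Split rows on whitespace; a 3-token row is one whose Domain column was empty."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def benign_domain(domain: str | None) -> bool:
    return bool(domain) and domain.endswith(BENIGN_SUFFIXES)


def benign_ip(ip: str) -> bool:
    return ip == MDNS or ip.startswith(BENIGN_IP_PREFIXES)


def triage(table: str) -> dict:
    resolved: set[str] = set()
    connected: dict[str, dict] = defaultdict(lambda: {"domains": set(), "count": 0})
    noise: Counter[str] = Counter()
    for r in parse_rows(table):
        if r["ip"] == RESOLVER and r["port"] == 53 and r["proto"] == "udp":
            if r["domain"]:  # DNS lookup: remember the name, judge it once connections are known
                resolved.add(r["domain"])
        elif benign_domain(r["domain"]) or (r["domain"] is None and benign_ip(r["ip"])):
            noise[r["domain"] or r["ip"]] += 1
        else:
            key = f"{r['ip']}:{r['port']}"
            connected[key]["count"] += 1
            if r["domain"]:
                connected[key]["domains"].add(r["domain"])
    used = {d for v in connected.values() for d in v["domains"]}
    # Names looked up but never connected to: backup or not-yet-live C2 candidates.
    resolved_only = sorted(d for d in resolved if d not in used and not benign_domain(d))
    return {"connected": dict(connected), "resolved_only": resolved_only, "noise": dict(noise)}


if __name__ == "__main__":
    for bucket, value in triage(BEHAVIORAL1_NETWORK).items():
        print(bucket, value)
```

The result is two buckets worth treating differently: the hosts actually contacted (193.143.1.24:443 as slmla6242nbr.com, and 74.119.239.234:443 serving both hava540derece.com and otururkenterliyorum42.com) are block-and-alert indicators, while the nine names that were only resolved are candidates to watch, since the sample may fail over to them once the live host is taken down. Most of those names are Turkish colloquial phrases with a numeric suffix (hava540derece, sicaktanbayilcam52, selamcanoonaber), a naming pattern that is itself usable in DNS hunting queries.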

Files

/data/data/com.tryfish79/cache/vchyoxqxodfbcts

MD5 bb440973066aacd08956f1559668cd40
SHA1 33eb86483c38a4dc198bc19c5d6d74fa3d97823f
SHA256 e56db52d2e8f6df7b8650ee558741e7d08d65c18b8edfdd5f2d79d97d750be0d
SHA512 d8599e22b651cdb41784bdbb3079c57ecdd712642c613fad890893d2e18f98ae0dba382c2daee552431f312ae532bb1f5556a4ec43fdf2d226b894fe0749265e