Malware Analysis Report

2024-10-19 12:59

Sample ID 240825-1x59cazank
Target ee6995e3afdc287f85907cbad3ee2500f0494fd5947f1f4643efe9e5640f0352.bin
SHA256 ee6995e3afdc287f85907cbad3ee2500f0494fd5947f1f4643efe9e5640f0352
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ee6995e3afdc287f85907cbad3ee2500f0494fd5947f1f4643efe9e5640f0352

Threat Level: Known bad

The file ee6995e3afdc287f85907cbad3ee2500f0494fd5947f1f4643efe9e5640f0352.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth

Octo

Octo payload

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the mobile country code (MCC)

Acquires the wake lock

Reads information about phone network operator.

Queries the unique device ID (IMEI, MEID, IMSI)

Requests accessing notifications (often used to intercept notifications before users become aware).

Declares broadcast receivers with permission to handle system events

Requests disabling of battery optimizations (often used to enable hiding in the background).

Performs UI accessibility actions on behalf of the user

Requests modifying system settings.

Declares services with permission to bind to the system

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-25 22:02

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-25 22:02

Reported

2024-08-25 22:13

Platform

android-x64-arm64-20240624-en

Max time kernel

178s

Max time network

165s

Command Line

com.busywatchk

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.busywatchk/cache/mqtennxqdrnlmw | N/A | N/A
N/A | /data/user/0/com.busywatchk/cache/mqtennxqdrnlmw | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.busywatchk

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | slmla6242nbr.com | udp
US | 1.1.1.1:53 | selamcanoonaber.site | udp
US | 1.1.1.1:53 | pikniktupu2534.com | udp
US | 1.1.1.1:53 | havasarinliyorla234.com | udp
US | 1.1.1.1:53 | sicaklarbittikurtldk6215.com | udp
US | 1.1.1.1:53 | sicakdanbeynimyandii2.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | havacerinlii34.com | udp
US | 1.1.1.1:53 | robetcotraslros5234.com | udp
US | 1.1.1.1:53 | sicaktanbayilcam52.com | udp
US | 1.1.1.1:53 | cehennemdirloo34.com | udp
US | 1.1.1.1:53 | hava540derece.com | udp
US | 1.1.1.1:53 | otururkenterliyorum42.com | udp
US | 74.119.239.234:443 | otururkenterliyorum42.com | tcp
US | 74.119.239.234:443 | otururkenterliyorum42.com | tcp
US | 1.1.1.1:53 | slmla6242nbr.com | udp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
US | 74.119.239.234:443 | otururkenterliyorum42.com | tcp
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 74.119.239.234:443 | otururkenterliyorum42.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
US | 74.119.239.234:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
US | 74.119.239.234:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
US | 74.119.239.234:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp

Files

/data/data/com.busywatchk/cache/mqtennxqdrnlmw

MD5 9d40348bd88f6ca6e8782c1222c3cd0d
SHA1 6ec3e66a616b12df55f9184110036fb836eee04b
SHA256 cb4624021fd4f6474d8ad22bcee86ac6cec3f8b00ab7ecbd9a1025447f62f389
SHA512 234daa82f0a60aced56b53df8bd42e24a97b2c7966576587daf08353b670de6ab57fedaee2c3049a8f2e5fc7ae559e35f4bd604673e06672dc3e4ea0cc00f514

/data/data/com.busywatchk/kl.txt

MD5 64d9cc95f7952cdbf498649f9e8cb18d
SHA1 d5164d215e2ac278d4e776903be2649441ec1690
SHA256 350f581fe9b47b5df46ebcfea848ffba2bb913b216288342a6738694d450b446
SHA512 cae1a27bf328da6fe768c3574523e030b20ec6a4d0c78d2c138ad1c67ed72ca80c1dd82442cd4b39c7f941ccbeb84f094434b16e497343edbc6db93414ac2f4b

/data/data/com.busywatchk/kl.txt

MD5 e5b9d1a363ca822bfcec0547cc812348
SHA1 bb1a11b51ef9cac4ee336850a1bc3586de942a23
SHA256 904992abe4effc067c526f0952701300df5503b1d5dbff194429ae3f908f2713
SHA512 9f0303b8b9b8c671c8a9a679549c99877cd12da6770f52934bb4c37f7a83724cbba56a4ae0c13947222c5946dde19d7d9e4e11daffc6fc2e2d760be2657e13ce

/data/data/com.busywatchk/kl.txt

MD5 317feda573568940d9fa037dfa4fe3f4
SHA1 41d66ef20a1bf993f695e2e396b4937b767f93f1
SHA256 9baaf101d6e2a1b11dcae0c2b26490ae30d28e4fbf622ba4fb3232a060e456e9
SHA512 637c1ad4e284fc75e0a49551ad54fc3010f319db503c2941dcfed8e3929d1fff826b9af554cf41297435a3e46caabd3d15996e4de8534cbbc731fa0b5dff777c

/data/data/com.busywatchk/kl.txt

MD5 c6167146242dd4b9a267b2d98568b375
SHA1 19f725497cb9ff3efee46adbf376571ba36d87e0
SHA256 42a9456c78e10af2a09f3ab741a1fae499a54c4248f1e683642c5f47317bce97
SHA512 026560e57f059f25014765c4a7bdd89fd7cdedc4ca75e1b79916be648ce365fbac34a3574d4a4ed8fc01548d63e8f82ecc28ba7d8288a6d2725841888447fcda

/data/data/com.busywatchk/kl.txt

MD5 168f1df95d338c43ae6dbe3ba95960a6
SHA1 d615fe4624d1827b26f069fb1b997ebfc39474ec
SHA256 96508304a1829c4684033d6998de9687b92e228585ca6b4078ddc13a42530d44
SHA512 973da377d5ff564f1a5a40d90e40a100bf03d1cbfd298942308c0fe0cb770f6ae6bd82146ba68cb56dcf29987fa41362b70ed293da8778dada5708c9fc9a3e9a

/data/data/com.busywatchk/cache/oat/mqtennxqdrnlmw.cur.prof

MD5 30ecdd0bafbb3a7a2d33d9e3ea7c3577
SHA1 df18b7493ca09b8e066b235967cd893626b30eeb
SHA256 4ec6f52c3c4f86a9edb17ec3137fbe0ca422c0239ec32dda151c346813c3ab23
SHA512 5229e7f3805c3b70d28fcb46e9e64420dd5b2f24b0c596e86702e54615e1c3acc3f68f00be6156b0c9f43bcfbcaa44c5199d33c2f3ae5b8e2096ca1f4b318ae9

/data/data/com.busywatchk/.qcom.busywatchk

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-25 22:02

Reported

2024-08-25 22:13

Platform

android-x86-arm-20240624-en

Max time kernel

179s

Max time network

158s

Command Line

com.busywatchk

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.busywatchk/cache/mqtennxqdrnlmw | N/A | N/A
N/A | /data/user/0/com.busywatchk/cache/mqtennxqdrnlmw | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.busywatchk

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | cehennemdirloo34.com | udp
US | 1.1.1.1:53 | sicaktanbayilcam52.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | robetcotraslros5234.com | udp
US | 1.1.1.1:53 | hava540derece.com | udp
US | 1.1.1.1:53 | havasarinliyorla234.com | udp
US | 1.1.1.1:53 | havacerinlii34.com | udp
US | 74.119.239.234:443 | hava540derece.com | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | havacerinlii34.com | udp
GB | 216.58.204.74:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | selamcanoonaber.site | udp
US | 1.1.1.1:53 | slmla6242nbr.com | udp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
GB | 142.250.179.234:443 | semanticlocation-pa.googleapis.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp

Files

/data/data/com.busywatchk/cache/mqtennxqdrnlmw

MD5 9d40348bd88f6ca6e8782c1222c3cd0d
SHA1 6ec3e66a616b12df55f9184110036fb836eee04b
SHA256 cb4624021fd4f6474d8ad22bcee86ac6cec3f8b00ab7ecbd9a1025447f62f389
SHA512 234daa82f0a60aced56b53df8bd42e24a97b2c7966576587daf08353b670de6ab57fedaee2c3049a8f2e5fc7ae559e35f4bd604673e06672dc3e4ea0cc00f514

/data/data/com.busywatchk/kl.txt

MD5 d59b460fa5609cea39bcb8fdb93e57f0
SHA1 795bbe55d872ffbb7b8256eca1f2113cf935cb66
SHA256 71fe9e0083df035c251ae3fdffceebec0e2d9c1a708743d80008ab7ae3896572
SHA512 db77fd84149aecfe649c8556cde19427aa01a05f459c91879f72759d03a85deaa951a8a0e83a79f65e2ff0c0ca1017bfd67d4da3197689ec6d30f03133dbf5db

/data/data/com.busywatchk/kl.txt

MD5 ba49b72fd49ae980bf52ac86509dc4ce
SHA1 5a77718f459e5dca2169864389403e5f13708c07
SHA256 589afb86dbc88d7e7878fde773f95400636bf4b1ba6f498c58cfb7246e7b601c
SHA512 2a96b16600ca628a65f50616bce4d0667b5c65df01c4af409bbfcdb01957809c57f4b219e87988d8e7e407d3c0277fbf43caa692307d1d430af8857bb8555b41

/data/data/com.busywatchk/kl.txt

MD5 733f747e34f2a925b053cd16812a3895
SHA1 c9f744e83a05018ee68f8f60155e0b2516d4b076
SHA256 759c7450acc2c0d135307a03e3ade4c0438525b1ba663292612ba9f375ff2b36
SHA512 990258925ce5cb7c5d0ca2f2e8250d4925e9ce89476acc33c707d4abd95a93ea23d16c47503c488449712ac556e251ed357112ffdca7aea440a10d461f92d9f3

/data/data/com.busywatchk/kl.txt

MD5 29e520c6c6aa11c4f6aead0fc5cc0c3d
SHA1 485ad15c29e55285d0ff1d64eedf13fd55028182
SHA256 fe4c92ca5fafc1bdec86bffa9d150cda362593f6b92e061a0f10c6a8c6bc4848
SHA512 a13e42b667cf2ecb0790d14f6d6024cce259bd8f509e243f01566a03a7d428d73e1c3dbc0416403e959b93e9ede4b3be029b59408798e8ef201fd67d35ee5f33

/data/data/com.busywatchk/kl.txt

MD5 4fdfa733a62a1fe1290e178b0772292b
SHA1 21c87c55818acd46cf6837749253b9c4e2c3ac80
SHA256 5dd7ac4d0da89f48ea1a48310c306cce298159020fc36d35bcab73a44d9ac072
SHA512 c94b5e6cb3769b4c101ac7c4294b8498bd2a9d498bf48420564d74412705b70e50ee5d2eb160d4fbadf9f8b6055b302b018b5f271a9af9ca08b3855813268fc0

/data/data/com.busywatchk/cache/oat/mqtennxqdrnlmw.cur.prof

MD5 c2fd11e1ffc57c1f126e930d80c5e0de
SHA1 ed2ef4ab3008b230c8dec30cd3ac6777ad903eb8
SHA256 5655047aa6dc5afd48ce20f6cc1f8a091f63f207c03bdcd06885a3f69af772f9
SHA512 a9687e419437356632a24bf8eaf346e4b4982e652ce8d27b31ee673ee95902e8de845398c0e0da29056b60e2484381bca93402d235063c48e6dfe96462d9ec15

/data/data/com.busywatchk/.qcom.busywatchk

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c