Malware Analysis Report

2024-10-19 12:59

Sample ID 240825-1yb2wszapr
Target ba287e1b3f16c05b43cb0a4cc02f20a233242d3f470f3d21a5cd230eb16728ab.bin
SHA256 ba287e1b3f16c05b43cb0a4cc02f20a233242d3f470f3d21a5cd230eb16728ab
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file ba287e1b3f16c05b43cb0a4cc02f20a233242d3f470f3d21a5cd230eb16728ab.bin was found to be: Known bad.

Malicious Activity Summary

Octo

Octo payload

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Requests disabling of battery optimizations (often used to enable hiding in the background).

Performs UI accessibility actions on behalf of the user

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Declares broadcast receivers with permission to handle system events

Makes use of the framework's foreground persistence service

Queries the unique device ID (IMEI, MEID, IMSI)

Requests accessing notifications (often used to intercept notifications before users become aware).

Requests modifying system settings.

Reads information about phone network operator.

Requests dangerous framework permissions

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Analysis: static1

Detonation Overview

Reported

2024-08-25 22:03

Signatures

Declares broadcast receivers with permission to handle system events

android.permission.BIND_DEVICE_ADMIN: Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

android.permission.BIND_ACCESSIBILITY_SERVICE: Required by accessibility services to bind with the system. Allows apps to access accessibility features.
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE: Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.

Requests dangerous framework permissions

android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-25 22:03

Reported

2024-08-25 22:15

Platform

android-x86-arm-20240624-en

Max time kernel

179s

Max time network

142s

Command Line

com.schoolyearpog

Signatures

Octo

banker trojan infostealer rat octo

Octo payload


Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Loaded file: /data/user/0/com.schoolyearpog/cache/kfavaqnjxm (two load events recorded)

Makes use of the framework's Accessibility service

collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service

evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user

evasion
Accessibility action: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (four calls recorded)

Queries the mobile country code (MCC)

discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Requests modifying system settings.

evasion
Intent action: android.settings.action.MANAGE_WRITE_SETTINGS

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call: android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)

impact
Framework API call: javax.crypto.Cipher.doFinal

Processes

com.schoolyearpog

Network


Files

/data/data/com.schoolyearpog/cache/kfavaqnjxm

/data/data/com.schoolyearpog/cache/oat/kfavaqnjxm.cur.prof

/data/data/com.schoolyearpog/.qcom.schoolyearpog

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-25 22:03

Reported

2024-08-25 22:15

Platform

android-33-x64-arm64-20240624-en

Max time kernel

179s

Max time network

167s

Command Line

com.schoolyearpog

Signatures

Octo

banker trojan infostealer rat octo

Octo payload


Loads dropped Dex/Jar

evasion
Loaded file: /data/user/0/com.schoolyearpog/cache/kfavaqnjxm

Makes use of the framework's Accessibility service

collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service

evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user

evasion
Accessibility action: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (four calls recorded)

Queries the mobile country code (MCC)

discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Requests modifying system settings.

evasion
Intent action: android.settings.action.MANAGE_WRITE_SETTINGS

Uses Crypto APIs (Might try to encrypt user data)

impact
Framework API call: javax.crypto.Cipher.doFinal

Processes

com.schoolyearpog

Network


Files

/data/data/com.schoolyearpog/cache/kfavaqnjxm

/data/data/com.schoolyearpog/kl.txt

/data/data/com.schoolyearpog/cache/oat/kfavaqnjxm.cur.prof

/data/data/com.schoolyearpog/.qcom.schoolyearpog
