Malware Analysis Report

2024-10-19 12:59

Sample ID 240825-1ytxpszbjm
Target 945643c6b12904539e620a2854b741ec611ba068a5d1286a2b5b052c2006560f.bin
SHA256 945643c6b12904539e620a2854b741ec611ba068a5d1286a2b5b052c2006560f
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 945643c6b12904539e620a2854b741ec611ba068a5d1286a2b5b052c2006560f.bin was found to be: Known bad.

Malicious Activity Summary

Octo

Octo payload

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Declares broadcast receivers with permission to handle system events

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Requests accessing notifications (often used to intercept notifications before users become aware).

Queries the unique device ID (IMEI, MEID, IMSI)

Requests modifying system settings.

Reads information about phone network operator.

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Analysis: static1

Detonation Overview

Reported

2024-08-25 22:03

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-25 22:03

Reported

2024-08-25 22:16

Platform

android-x86-arm-20240624-en

Max time kernel

170s

Max time network

151s

Command Line

com.farmrememberp

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.farmrememberp/cache/ynglzthhmq (reported twice) | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (4 calls reported) | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.farmrememberp

Network


Files

/data/data/com.farmrememberp/cache/ynglzthhmq

/data/data/com.farmrememberp/kl.txt

/data/data/com.farmrememberp/cache/oat/ynglzthhmq.cur.prof

/data/data/com.farmrememberp/.qcom.farmrememberp


Analysis: behavioral2

Detonation Overview

Submitted

2024-08-25 22:03

Reported

2024-08-25 22:17

Platform

android-33-x64-arm64-20240624-en

Max time kernel

179s

Max time network

138s

Command Line

com.farmrememberp

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.farmrememberp/cache/ynglzthhmq | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (5 calls reported) | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.farmrememberp

Network


Files

/data/data/com.farmrememberp/cache/ynglzthhmq

/data/data/com.farmrememberp/kl.txt

/data/data/com.farmrememberp/cache/oat/ynglzthhmq.cur.prof

/data/data/com.farmrememberp/.qcom.farmrememberp
