Malware Analysis Report

2024-10-19 12:58

Sample ID 240825-1yxctszbjr
Target 8b75305a362fe31a971d6ddeeee22e4265f363114b37e1e43cc3e773d22a36ad.bin
SHA256 8b75305a362fe31a971d6ddeeee22e4265f363114b37e1e43cc3e773d22a36ad
Tags octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth
Score 10/10

Analysis Overview

Score 10/10

SHA256 8b75305a362fe31a971d6ddeeee22e4265f363114b37e1e43cc3e773d22a36ad

Threat Level: Known bad

The file 8b75305a362fe31a971d6ddeeee22e4265f363114b37e1e43cc3e773d22a36ad.bin was found to be: Known bad.

Malicious Activity Summary

Octo payload

Octo

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Acquires the wake lock

Requests access to notifications (often used to intercept notifications before the user sees them).

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Requests modifying system settings.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Analysis: static1

Detonation Overview

Reported

2024-08-25 22:04

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
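The static findings above are the manifest-level pattern to check first in any fresh sample of this family: bind-protected accessibility, notification-listener and device-admin components declared next to SMS, call and settings permissions. The Python below is an added example, not part of this report or the sandbox's own tooling. It parses a decoded AndroidManifest.xml (as produced by apktool or androguard) and flags that combination. The manifest embedded in it is constructed to mirror the permissions listed above; the package name comes from the report, while the component class names (.A11y, .Notif, .Admin), the benign comparison manifest and the "review" rule are assumptions.

```python
"""Manifest triage for the banker permission pattern in this report.

Added example, not part of the sandbox report. SAMPLE_MANIFEST is a
constructed decoded manifest mirroring the static1 findings; the
component class names and the review rule are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Dangerous permissions listed under "Requests dangerous framework permissions".
DANGEROUS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.WRITE_SETTINGS",
    "android.permission.READ_PHONE_STATE",
}
# System-only bind permissions; a component declaring one of these is what
# the "Declares services/receivers with permission to bind to the system"
# signatures fire on.
A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
NOTIF = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
ADMIN = "android.permission.BIND_DEVICE_ADMIN"
BIND_PROTECTED = {A11Y, NOTIF, ADMIN}

# Constructed sample: same permission set as the report, assumed class names.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.questionfood0">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Notif"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# Constructed benign comparison: one permission, no bind-protected components.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".Sync"/></application>
</manifest>
"""


def extract(manifest_xml):
    """Return (package, requested permissions, {bind permission: component})."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    bound = {}
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(PERMISSION)
            if perm in BIND_PROTECTED:
                bound[perm] = comp.get(NAME)
    return root.get("package"), requested, bound


def triage(manifest_xml):
    """Score a manifest against the report's permission pattern."""
    package, requested, bound = extract(manifest_xml)
    sms = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"} <= requested
    a11y, notif, admin = A11Y in bound, NOTIF in bound, ADMIN in bound
    # Assumed review rule: accessibility access plus a channel for OTP theft
    # (SMS or a notification listener) is the combination worth analyst time.
    verdict = "review" if a11y and (sms or notif) else "low"
    return {
        "package": package,
        "dangerous": sorted(requested & DANGEROUS),
        "bound": bound,
        "sms_intercept": sms,
        "accessibility": a11y,
        "notification_listener": notif,
        "device_admin": admin,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage(manifest))
```

The rule deliberately keys on the accessibility service rather than on any single dangerous permission: READ_SMS or CALL_PHONE alone appear in plenty of legitimate apps, but an accessibility service paired with an SMS or notification channel is the shape of an overlay banker and is rare in benign software.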

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-25 22:04

Reported

2024-08-25 22:17

Platform

android-33-x64-arm64-20240624-en

Max time kernel

179s

Max time network

140s

Command Line

com.questionfood0

Signatures

Octo

banker trojan infostealer rat octo

Octo payload


Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.questionfood0/cache/rqzvng | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests access to notifications (often used to intercept notifications before the user sees them).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.questionfood0

Network

Country | Destination | Domain | Proto
GB | 142.250.187.196:443 | N/A | udp
N/A | 224.0.0.251:5353 | N/A | udp
GB | 142.250.187.196:443 | N/A | tcp
US | 1.1.1.1:53 | sicaklarbittikurtldk6215.com | udp
US | 1.1.1.1:53 | sicaktanbayilcam52.com | udp
US | 1.1.1.1:53 | havacerinlii34.com | udp
GB | 216.58.212.238:443 | N/A | tcp
GB | 216.58.212.238:443 | N/A | tcp
US | 1.1.1.1:53 | cehennemdirloo34.com | udp
US | 1.1.1.1:53 | selamcanoonaber.site | udp
US | 1.1.1.1:53 | pikniktupu2534.com | udp
GB | 216.58.212.238:443 | N/A | udp
US | 1.1.1.1:53 | robetcotraslros5234.com | udp
US | 1.1.1.1:53 | sicakdanbeynimyandii2.com | udp
US | 1.1.1.1:53 | hava540derece.com | udp
US | 74.119.239.234:443 | hava540derece.com | tcp
US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp
US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp
US | 1.1.1.1:53 | slmla6242nbr.com | udp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
GB | 216.58.201.106:443 | remoteprovisioning.googleapis.com | tcp
GB | 142.250.187.196:443 | N/A | tcp
GB | 172.217.169.68:443 | N/A | tcp
GB | 172.217.169.68:443 | N/A | tcp
GB | 142.250.187.196:443 | N/A | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
US | 172.64.41.3:443 | N/A | tcp
US | 172.64.41.3:443 | N/A | tcp
US | 172.64.41.3:443 | N/A | udp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
GB | 142.250.187.196:443 | N/A | udp
GB | 142.250.187.227:443 | N/A | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
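Most rows above are platform background traffic (Google services, RCS provisioning, mDNS, DNS to 1.1.1.1). The analyst-relevant part is which of the lookalike domains were merely resolved and which actually received a session: in this run slmla6242nbr.com (193.143.1.24, RU) and hava540derece.com (74.119.239.234) are the only non-infrastructure names with TCP connections, and the remaining lookalikes were queried but never contacted, which is the shape of a fallback list the sample walks until one answers. The Python below is an added example, not the sandbox's own tooling: it parses rows in the layout of this table (either space- or pipe-separated), separates contacted from resolved-only domains, lists TLS endpoints with no domain attribution, and emits an IOC list. The rows embedded in it are a constructed excerpt of the behavioral2 table; the infrastructure suffix allow-list is an assumption to tune per environment.

```python
"""Split a sandbox network table into contacted vs resolved-only domains.

Added example (not part of the sandbox report). SAMPLE_ROWS is a
constructed excerpt of the behavioral2 network table; INFRA_SUFFIXES is an
assumed allow-list of benign platform traffic.
"""
from collections import Counter, defaultdict

INFRA_SUFFIXES = (".google.com", ".googleapis.com", ".gstatic.com")  # assumption
MDNS_ADDR = "224.0.0.251"
DNS_PORT = 53

# Constructed excerpt, in the report's "Country Destination Domain Proto"
# layout (Domain column absent for unattributed connections).
SAMPLE_ROWS = """
Country Destination Domain Proto
GB 142.250.187.196:443 udp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 sicaklarbittikurtldk6215.com udp
US 1.1.1.1:53 sicaktanbayilcam52.com udp
US 1.1.1.1:53 selamcanoonaber.site udp
US 1.1.1.1:53 hava540derece.com udp
US 74.119.239.234:443 hava540derece.com tcp
US 1.1.1.1:53 rcs-acs-tmo-us.jibe.google.com udp
US 216.239.36.155:443 rcs-acs-tmo-us.jibe.google.com tcp
US 1.1.1.1:53 slmla6242nbr.com udp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
GB 216.58.201.106:443 remoteprovisioning.googleapis.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
"""


def parse_rows(text):
    """Parse space- or pipe-separated rows; missing/N/A domain becomes None."""
    rows = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split("|")] if "|" in line else line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
            if domain in ("", "N/A"):
                domain = None
        else:
            continue
        if ":" not in dest:          # header line or malformed row
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_infra(domain):
    return domain.endswith(INFRA_SUFFIXES)


def triage(text):
    """Return contacted domains, resolved-only domains and unattributed endpoints."""
    queried = set()
    contacted = defaultdict(Counter)   # domain -> Counter("ip:port")
    unattributed = Counter()           # "ip:port" with no domain in the table
    for r in parse_rows(text):
        if r["ip"] == MDNS_ADDR:
            continue
        if r["port"] == DNS_PORT:
            if r["domain"]:
                queried.add(r["domain"])
            continue
        endpoint = f'{r["ip"]}:{r["port"]}'
        if r["domain"] is None:
            unattributed[endpoint] += 1
        elif not is_infra(r["domain"]):
            contacted[r["domain"]][endpoint] += 1
    resolved_only = sorted(d for d in queried
                           if not is_infra(d) and d not in contacted)
    return {
        "contacted": {d: dict(c) for d, c in contacted.items()},
        "resolved_only": resolved_only,
        "unattributed": dict(unattributed),
        "infra_queries": sorted(d for d in queried if is_infra(d)),
    }


def iocs(result):
    """Flat, sorted list of domains and IPs that actually received traffic."""
    out = set(result["contacted"])
    for endpoints in result["contacted"].values():
        out.update(ep.rsplit(":", 1)[0] for ep in endpoints)
    return sorted(out)


if __name__ == "__main__":
    res = triage(SAMPLE_ROWS)
    print(res)
    print(iocs(res))
```

Resolved-only names are still worth recording (the sample will try them again on another run, and a sinkhole or passive-DNS hit on one of them is a strong signal), but the IOC export keeps them separate from confirmed C2 so blocklists carry only endpoints that were observed to answer.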

Files

/data/data/com.questionfood0/cache/rqzvng

MD5 d57e7c0a5145d005d41eb468faab0573
SHA1 dee3f8d82a8cc7ba140140d4322d8dd5a9e4111d
SHA256 d0e30200a183e16b5fd67c55c8a9721582d6584cc4bb2ef734e83bb71fb5f4f3
SHA512 a25496950c2fd0eb8f8995bc382202b40edc9c0200ab8c657e227541a2cad6450c6ea3d2caa441d702c6f1802c85f9776d8112096c295551d13b7538e66a638f

/data/data/com.questionfood0/kl.txt

MD5 9aa2ee63efd44d61fe6b9c7b41163f0b
SHA1 ade798519ea34a27989881925e6b80a4ffa05bb3
SHA256 5a884dc981f6d44fa96b8d42a7de54a59bd2c703b0a234cd1238435ebf683a32
SHA512 7390e42c3bfe0f9c691a60c295360c3b0f6de0f91f1d7819ab9a30fc120b711d13bbf6112d38d0e207c3a70359eb97d0730364ec03a06a220047de31b6a8a203

/data/data/com.questionfood0/kl.txt

MD5 727357c64999a60c4198ba9a5033a1a7
SHA1 20e712ee17caf8dc4d97f15ef43c7f3c447291db
SHA256 6066284a238ef1ab1dafdb03c3eb04d42ca9344a8c21dbf322e53a34401e0c0b
SHA512 d8f44440f83f7124471d67dcbfe3b16ee145c29dab6870b82f314e54349c865e3046aeacfadad3f495be2b902e43ef9b08bf191a2030176b2f9e168d1ddc534c

/data/data/com.questionfood0/kl.txt

MD5 6bfd5b0dfd61996eb0eaa4c4dc86c40f
SHA1 a33a5fa671d09b51c6299126adc8f3ad15dbddc3
SHA256 d581e5e059169cb147a1db97f49f5bfe446eb99a21c4005c81ae3079978cc0c9
SHA512 21bca352d41ba7964a55f59e015b4e18e00f259e2ae9db2ed90444418bba7777c8f05f86fd93d84b5fbdcfd3b186c25c940c2b8b5a589f3f67c0222520742af2

/data/data/com.questionfood0/kl.txt

MD5 50ada0af4528e099b96c561ec481c6f2
SHA1 a6d91e7c55a571c1a74a6d4f41b1562e8be6a920
SHA256 c810f1694d519f55cec99a7d53030c90a1f0026e94358bcbfa3d5281ade03ed8
SHA512 aecdaccd2b6d4b3442b0f76be8a96dc70616de739f38f4715409db9ed1a761cd252a84b2b7246bf974d5502d8ec341e4303d0ff6a82c66e43e2b5925f81f886c

/data/data/com.questionfood0/kl.txt

MD5 b121365b3eeab6e003901dbb64efc8eb
SHA1 141e448ae6491d519368611aaa9506b11d6c6f49
SHA256 d2ce98174e51ebbb8793c340a1d858d5139ab6d84e0c9faee699bf11ba9354d2
SHA512 b2f2908d22a89014ee93586c0455325df0273af22924dc814ed809d89645b49d822b411505de4b89eb8d7898342a8ce0f6bbd8c3a9eec93d9a6dcb8469c9104f

/data/data/com.questionfood0/cache/oat/rqzvng.cur.prof

MD5 05c4394f18224c1793858d3e14c0deda
SHA1 2f36a0d3842cb68daaf13cb7574ce99ad4b056a3
SHA256 1f3d246baf7fe07278f5563c8c51cf06e418824cfa99afd6293ac4745f1f1b47
SHA512 b6039974668817df7dcbe005ab47131d3f0f101dd2a2c4f68dd0f8212b3491fd483a810175b867744a51e675edfa813ec092b4c23cda4881eabdbea72e1bce3c

/data/data/com.questionfood0/.qcom.questionfood0

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c
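The cache/rqzvng entry above is the artifact behind the "Loads dropped Dex/Jar" signature, and the cache/oat/rqzvng.cur.prof next to it is the ART runtime profile that is written for code that was actually loaded and executed, so the two entries corroborate each other (/data/data/<pkg> and /data/user/0/<pkg> are the same directory on a single-user device). Before handing a pulled copy of such a file to a decompiler it is worth confirming that it is a complete DEX and not a truncated or still-obfuscated blob. The Python below is an added example, not part of the report: it classifies a dropped file by magic bytes (bare DEX, ZIP/JAR/APK wrapper, or ELF) and, for a DEX, checks the header's Adler-32 checksum, SHA-1 signature and file_size field as defined by the DEX format. The bytes it builds are a constructed header-only DEX, not the real rqzvng.

```python
"""Classify a dropped payload and validate its DEX header.

Added example (not part of the sandbox report). build_sample_dex() makes a
constructed, header-only DEX for demonstration; point the functions at the
real file once pulled from the device (e.g. adb pull on a rooted emulator).
"""
import hashlib
import struct
import zlib

DEX_HEADER_LEN = 0x70          # fixed header size in the DEX format
ENDIAN_CONSTANT = 0x12345678   # endian_tag value for little-endian files

MAGICS = {
    b"dex\n": "dex",        # bare classes.dex
    b"PK\x03\x04": "zip",   # jar/apk wrapper, also loadable by DexClassLoader
    b"\x7fELF": "elf",      # native library
}


def classify(blob):
    """Return a file type from the first four bytes, or 'unknown'."""
    return MAGICS.get(blob[:4], "unknown")


def sha256_hex(blob):
    """Hash to compare against the SHA256 column of a sandbox report."""
    return hashlib.sha256(blob).hexdigest()


def parse_dex_header(blob):
    """Parse the 0x70-byte DEX header and verify its integrity fields."""
    if classify(blob) != "dex" or len(blob) < DEX_HEADER_LEN:
        raise ValueError("not a complete DEX header")
    version = blob[4:7].decode("ascii")
    (checksum,) = struct.unpack_from("<I", blob, 8)
    signature = blob[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", blob, 32)
    (class_defs_size,) = struct.unpack_from("<I", blob, 0x60)
    return {
        "version": version,
        # adler32 covers everything after magic + checksum (offset 12 onward)
        "checksum_ok": checksum == (zlib.adler32(blob[12:]) & 0xFFFFFFFF),
        # sha1 covers everything after magic + checksum + signature (offset 32)
        "signature_ok": signature == hashlib.sha1(blob[32:]).digest(),
        "size_ok": file_size == len(blob),
        "header_size": header_size,
        "little_endian": endian_tag == ENDIAN_CONSTANT,
        "class_defs": class_defs_size,
    }


def build_sample_dex(class_defs=1):
    """Constructed header-only DEX with a valid checksum and signature."""
    body = bytearray(DEX_HEADER_LEN)
    body[0:8] = b"dex\n035\x00"
    struct.pack_into("<III", body, 32, DEX_HEADER_LEN, DEX_HEADER_LEN, ENDIAN_CONSTANT)
    struct.pack_into("<I", body, 0x60, class_defs)
    body[12:32] = hashlib.sha1(bytes(body[32:])).digest()
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)


def tampered(blob, offset=0x50):
    """Flip one byte to simulate a truncated or modified pull."""
    b = bytearray(blob)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    sample = build_sample_dex()
    print(classify(sample), sha256_hex(sample))
    print(parse_dex_header(sample))
    print(parse_dex_header(tampered(sample)))
```

A failing checksum with a passing signature (or vice versa) usually means the pull was clean but the dropper patches the header after writing it; a failing file_size check means the copy is truncated and the decompiler output will be incomplete.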

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-25 22:04

Reported

2024-08-25 22:18

Platform

android-x86-arm-20240624-en

Max time kernel

52s

Max time network

136s

Command Line

com.questionfood0

Signatures

Octo

banker trojan infostealer rat octo

Octo payload


Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.questionfood0/cache/rqzvng | N/A | N/A
N/A | /data/user/0/com.questionfood0/cache/rqzvng | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests access to notifications (often used to intercept notifications before the user sees them).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.questionfood0

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 216.58.204.74:443 | N/A | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | selamcanoonaber.site | udp
US | 1.1.1.1:53 | slmla6242nbr.com | udp
US | 1.1.1.1:53 | havasarinliyorla234.com | udp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
US | 1.1.1.1:53 | sicaktanbayilcam52.com | udp
US | 1.1.1.1:53 | otururkenterliyorum42.com | udp
US | 74.119.239.234:443 | otururkenterliyorum42.com | tcp
US | 1.1.1.1:53 | hava540derece.com | udp
US | 74.119.239.234:443 | hava540derece.com | tcp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
US | 1.1.1.1:53 | sicakdanbeynimyandii2.com | udp
US | 1.1.1.1:53 | robetcotraslros5234.com | udp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp

Files

/data/data/com.questionfood0/cache/rqzvng

MD5 d57e7c0a5145d005d41eb468faab0573
SHA1 dee3f8d82a8cc7ba140140d4322d8dd5a9e4111d
SHA256 d0e30200a183e16b5fd67c55c8a9721582d6584cc4bb2ef734e83bb71fb5f4f3
SHA512 a25496950c2fd0eb8f8995bc382202b40edc9c0200ab8c657e227541a2cad6450c6ea3d2caa441d702c6f1802c85f9776d8112096c295551d13b7538e66a638f

/data/data/com.questionfood0/kl.txt

MD5 9592a0b1f555d3113738675efa8601de
SHA1 031168c8b33faf9a5a73f3744ea41938cf76c47e
SHA256 aa089aea30f12cd260c14863aaaed4568b04a28cbae32536bed4e6e4c288b1f5
SHA512 3c8772c8f4a403b653d8cb8a9712e9d35b5f03459b558ff59cf0064335c5d4cc454642f8e3ca2d7c8d5f835f2930dfdc8ce60c8455ea6ac2c620fe65eb8a9392

/data/data/com.questionfood0/kl.txt

MD5 67ef703a65a1e818438fda871be31aed
SHA1 34650b7be20057c986133ff20939c76c09b4ec1c
SHA256 8b563fff3589a60f72d2b9d37ff28fb376e106adddd989d33653c7effa8a3513
SHA512 a6cc6b70047250eb78b46035f54405ad693d851e52e09b65e30271dc4aae7762d0fbe7e7d04b47c9d1a6ad626bc7697d97800b698b24ef5d54dce4fb164a9900

/data/data/com.questionfood0/kl.txt

MD5 0b5568c8159b18f0df3eb0de239146be
SHA1 edb9b25e4d5f5eb373de0599c62f9dc86da52ecd
SHA256 286ed251d228299a61f51d2846e879877482e188a60ef764363ec0f34664bfdd
SHA512 3484b84a64cd947bc27cb89ff3e2689e5c6af139715e7e918b4762a22a20099759148f8ca7b95fbbe203af890aeec60f79cae88e25a9deaa9aa4ef5d93e50a5c

/data/data/com.questionfood0/kl.txt

MD5 003659ee6977268082fc9177452ae1e1
SHA1 136dd4aba78cbfd3eed8261a2ecc14e7d0fc8185
SHA256 19bddcfe398a320faa7b2c9e9612352e2cfc98d05f66c9a7fe9c6beb596cc92d
SHA512 9af3cf3017c9f9cb1bd722625fa36dbd7ffe2ffe0a27e97ab307a1291f3e6a3b19235f492d1ccb35dd0c6a2019ecc1df44ad7f0e691d71f2e5bff5af030012eb

/data/data/com.questionfood0/kl.txt

MD5 6c5da95f43c5b9c242bda9fb9f6a58b7
SHA1 b1da6cb69cd56abeb16456a68ff161b90062124f
SHA256 9738af6742b100f1d0e943db169c6fdaa132eed3a1182119f73cdc04575eab9a
SHA512 7f531ce018f725726b1242fb8adcd75bf5dac1df2092bb98bdcccb8ba71dfa3a941296b3f3ac046ae2b566232f19dfd113731ac9df8259435c82e8d01bf686c7

/data/data/com.questionfood0/cache/oat/rqzvng.cur.prof

MD5 9c5e68581283194721d55dd1010f1727
SHA1 a2c19d38168d0e418d97e37d35fb274741ec3c47
SHA256 6e0c0992b520ac3c68c47190649544c2dfbefdc836bbc2f609ca74f32482c781
SHA512 a8fb5de86f9aef87997df3dff67dfcef711fea72a233d2861d6fc6f9cdba4b7557d88b3c2a1683603ed204c416445c3fb877445501b7e796e9397f83aea8d84e