Malware Analysis Report

2024-10-19 12:59

Sample ID 240826-1ws8dsyhmp
Target 9151d8926bb0768b7c0c1bde7ce88ca3f1cd55bbf487273311935f36b4d55ad3.bin
SHA256 9151d8926bb0768b7c0c1bde7ce88ca3f1cd55bbf487273311935f36b4d55ad3
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Analysis Overview

score
10/10

SHA256

9151d8926bb0768b7c0c1bde7ce88ca3f1cd55bbf487273311935f36b4d55ad3

Threat Level: Known bad

The file 9151d8926bb0768b7c0c1bde7ce88ca3f1cd55bbf487273311935f36b4d55ad3.bin was classified as Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests accessing notifications (often used to intercept notifications before users become aware).

Requests modifying system settings.

Queries the unique device ID (IMEI, MEID, IMSI)

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Reads information about phone network operator.

Acquires the wake lock

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Analysis: static1

Detonation Overview

Reported

2024-08-26 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
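
The static findings above (three BIND_* components plus the SMS, CALL_PHONE and WRITE_SETTINGS permissions) are the manifest-level profile of an accessibility-abusing banker, and they can be checked before detonation. The script below is an added example, not Triage's tooling and not code recovered from the sample: it parses a decoded AndroidManifest.xml and reports the capability set. The embedded manifest is constructed from the permissions and BIND_* components listed in this report; its package-relative component names (.MainActivity, .AccService, .NotifService, .AdminReceiver) are placeholders, not the sample's real class names. The manifest inside an APK is binary AXML, so decode it with apktool first.

```python
"""Static triage of an AndroidManifest.xml for the permission/service
combination this report's static1 analysis lists.

Added example, not Triage's own tooling.  SAMPLE_MANIFEST is CONSTRUCTED
from the report's findings; component class names are placeholders."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # namespace prefix for android:* attributes

# Permission groups characteristic of accessibility-abusing Android bankers.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
BIND_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification_listener",
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
}

# Constructed manifest reproducing the report's static findings (placeholder names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.greatwouldmu">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return a dict describing the risky capability set declared in the manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}

    # Services/receivers guarded by a system-only BIND_* permission: these are
    # the components the OS binds to once the user grants the matching setting.
    bound = {}
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            role = BIND_PERMS.get(comp.get(A + "permission"))
            if role:
                bound[role] = comp.get(A + "name")

    # Activities with a LAUNCHER category: the icon that "removes its main
    # activity from the application launcher" later hides.
    launcher = [
        act.get(A + "name") for act in root.iter("activity")
        if any(c.get(A + "name") == "android.intent.category.LAUNCHER"
               for c in act.iter("category"))
    ]
    findings = {
        "package": root.get("package"),
        "sms": sorted(perms & SMS_PERMS),
        "call_phone": "android.permission.CALL_PHONE" in perms,
        "write_settings": "android.permission.WRITE_SETTINGS" in perms,
        "bound_components": bound,
        "launcher_activities": launcher,
    }
    # Accessibility + notification listener + SMS in one app is the
    # overlay/intercept profile of this malware family.
    findings["banker_profile"] = (
        "accessibility_service" in bound and "notification_listener" in bound
        and bool(findings["sms"]))
    return findings


if __name__ == "__main__":
    import json
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    print(json.dumps(triage_manifest(src), indent=2))
```

Run it as `python triage_manifest.py path/to/decoded/AndroidManifest.xml`; with no argument it evaluates the constructed manifest. A legitimate accessibility app can declare one BIND_* service, so the check keys on the combination rather than any single permission.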

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-26 22:00

Reported

2024-08-26 22:03

Platform

android-x86-arm-20240624-en

Max time kernel

41s

Max time network

135s

Command Line

com.greatwouldmu

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

(no indicator details recorded)

Removes its main activity from the application launcher

stealth trojan evasion
(no indicator details recorded)

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.greatwouldmu/cache/euoys | N/A | N/A
(recorded twice)

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
(recorded four times)

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A
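
The runtime signatures above describe three user-granted footholds (an enabled accessibility service, an enabled notification listener, a battery-optimisation exemption) plus a launcher activity disabled after install. On a suspected infected device a responder checks the same four things from the settings and package manager rather than from the APK. The script below is an added example, not Triage's tooling and not code from the sample: it parses the output of four `adb shell` commands (`settings get secure enabled_accessibility_services`, `settings get secure enabled_notification_listeners`, `dumpsys deviceidle whitelist`, `pm list packages -3`, plus `dumpsys package <pkg>` per third-party package). The embedded sample output is constructed to model a device where the report's package has obtained every grant; its line formats are an assumption drawn from AOSP's settings/dumpsys output and the component class names are placeholders.

```python
"""Device-side check for the runtime grants this sample requests.

Added example, not Triage's own tooling.  Parses `adb shell` output; with
no device attached it falls back to the CONSTRUCTED sample output below,
whose line formats are an assumption about AOSP settings/dumpsys output."""
import subprocess

COMMANDS = {
    "accessibility": "settings get secure enabled_accessibility_services",
    "listeners": "settings get secure enabled_notification_listeners",
    "whitelist": "dumpsys deviceidle whitelist",
    "third_party": "pm list packages -3",
}

# Constructed sample output (placeholder class names, assumed formats).
SAMPLE_OUTPUT = {
    "accessibility": "com.greatwouldmu/com.greatwouldmu.AccService:com.android.talkback/.TalkBackService\n",
    "listeners": "com.greatwouldmu/com.greatwouldmu.NotifService\n",
    "whitelist": "system-excidle,com.android.providers.downloads,10011\nuser,com.greatwouldmu,10123\n",
    "third_party": "package:com.greatwouldmu\npackage:com.android.chrome\n",
}
SAMPLE_DUMPSYS = {
    "com.greatwouldmu": ("  Package [com.greatwouldmu] (1a2b3c):\n"
                         "    userId=10123\n"
                         "    disabledComponents:\n"
                         "      com.greatwouldmu.MainActivity\n"
                         "    enabledComponents:\n"
                         "      com.greatwouldmu.AccService\n"),
}


def adb_shell(cmd):
    """Run a shell command on the attached device and return its stdout."""
    return subprocess.run(["adb", "shell", cmd], capture_output=True,
                          text=True, check=True).stdout


def packages_from_components(setting):
    """'pkg/cls:pkg2/cls2' (or 'null') -> {'pkg', 'pkg2'}."""
    setting = setting.strip()
    if not setting or setting == "null":
        return set()
    return {c.split("/")[0] for c in setting.split(":") if c}


def parse_whitelist(text):
    """'<type>,<pkg>,<uid>' lines; keep only user-added (REQUEST_IGNORE_BATTERY_OPTIMIZATIONS) entries."""
    out = set()
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and parts[0] == "user":
            out.add(parts[1])
    return out


def disabled_components(dumpsys_text):
    """Component names indented under 'disabledComponents:' in dumpsys package output."""
    comps, collecting, indent = [], False, 0
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped == "disabledComponents:":
            collecting, indent = True, len(line) - len(line.lstrip())
            continue
        if collecting:
            cur = len(line) - len(line.lstrip())
            if cur <= indent or not stripped:
                collecting = False  # back out of the indented block
            else:
                comps.append(stripped)
    return comps


def triage_device(outputs, dumpsys_for):
    """Per-package findings for every third-party package; dumpsys_for(pkg) supplies dumpsys text."""
    acc = packages_from_components(outputs["accessibility"])
    lst = packages_from_components(outputs["listeners"])
    wl = parse_whitelist(outputs["whitelist"])
    third = {l.split(":", 1)[1].strip()
             for l in outputs["third_party"].splitlines() if l.startswith("package:")}
    report = {}
    for pkg in sorted(third):
        f = {
            "accessibility": pkg in acc,
            "notification_listener": pkg in lst,
            "battery_exempt": pkg in wl,
            "disabled_components": disabled_components(dumpsys_for(pkg)),
        }
        # All three grants on one third-party package is the foothold this
        # report's signatures describe; a disabled component is the hidden icon.
        f["suspicious"] = f["accessibility"] and f["notification_listener"] and f["battery_exempt"]
        report[pkg] = f
    return report


if __name__ == "__main__":
    import json
    try:
        outputs = {k: adb_shell(c) for k, c in COMMANDS.items()}
        dump = lambda pkg: adb_shell("dumpsys package " + pkg)
    except (OSError, subprocess.CalledProcessError):
        outputs, dump = SAMPLE_OUTPUT, lambda pkg: SAMPLE_DUMPSYS.get(pkg, "")
    print(json.dumps(triage_device(outputs, dump), indent=2))
```

Screen readers such as TalkBack legitimately appear in enabled_accessibility_services, so the verdict keys on a third-party package holding all three grants at once; a disabled MAIN/LAUNCHER activity on such a package is the confirmation, since an app with no icon cannot be uninstalled from the launcher by a user who does not know its name.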

Processes

com.greatwouldmu

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | otururkenterliyorum42.com | udp
US | 1.1.1.1:53 | slmla6242nbr.com | udp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
US | 74.119.239.234:443 | otururkenterliyorum42.com | tcp
GB | 142.250.187.206:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp

Files

/data/data/com.greatwouldmu/cache/euoys (the dropped Dex/Jar loaded at runtime; /data/data/<pkg> and /data/user/0/<pkg> are the same directory)

MD5 1b206ca7482850762845e38dda392660
SHA1 ce06671ff58958072a66b82504b5da808e8d214c
SHA256 1875b9609e49b27c4b972afc0da4c2a12aefc22f411995da012bd1e1588906a9
SHA512 828d1d658dab52f526d808ba778fdb36ae369e99cce567317b97c0820cf099b4608a9941c90b9d95cdfb89215e6e73b163b89a32ca1a9b85edda839a27f7e44c

/data/data/com.greatwouldmu/kl.txt (captured five times during this run with different hashes: the file was rewritten while the sample ran, so these hashes identify snapshots rather than a stable artifact; each capture is listed)

MD5 a297d87c948a256caf7da730c33770d5
SHA1 c31756a4745fc7376faafbd965482569f4db1a5b
SHA256 468e138b25f6b64c199a442b316ae4243e922453968d87b4b0ebff723dd815d8
SHA512 20b94281438e6aa0f715335a1ddf9b93f84ad53fe663e69262ca2c3311fb9523fe3471a816b544fb80183978d3b728b12b74aa9badae8837f1ff4a3244b3209b

/data/data/com.greatwouldmu/kl.txt

MD5 57f9820a6fb42201d7bb7c2e2079bcc3
SHA1 873ac1c9e07cb5961042210866aee16d8469b85b
SHA256 4daf6da7bd93fc33e764a0393bd1d615aae6815f541aa45db1d2ffdb08c0de03
SHA512 65fbc09cddaf8c786b8f6c0c166169974fdc7ce43f9774d32a1602042c388f33aac173c3c148584fed9ac4cea2e0d06d99bd63ccc5ed9a4674d11476c274d89a

/data/data/com.greatwouldmu/kl.txt

MD5 422313e89604ab3fbca357a98015c0a6
SHA1 8b5c0f528a2946dc6ff5c9fb7fe2871b9d6ca035
SHA256 e8a58f088214868cefef658190c22fb42f2f9d3eef1da875f7efd196ef738b1b
SHA512 58d9efa5f7719deed40065bb48c5aee7df4b7cb58d86b6f7e33026edc3e17c5e281e2c575421183f82778e3a5ef035fa65ac2c8bbc0ff947959df509af76cc9e

/data/data/com.greatwouldmu/kl.txt

MD5 dcb0f71bd24f445d097dcc7bbc2d5f11
SHA1 882646da5a56128877f9c2f1955db0850ebde643
SHA256 48d2e3fbd171a3284308958acef42f9c890af2aff02484f535670b00968b633e
SHA512 82a8c2a7e77016e276ea7690ff0331a9dadae20c042fd26c645685dd96d364d52e68f57d96b47b022dc41612747f5f297fcfb03478fdb1da8cc5185ca6c1e1c7

/data/data/com.greatwouldmu/kl.txt

MD5 9313a5f614619c21620e718a3a3cc783
SHA1 68dedf97d83e9fff668225af5e1d024dcf4eb39c
SHA256 b93a61cfea087b6d1d16c37a645e46eb8cbe729ebbf6e924747bde8df8dbc914
SHA512 8d7c13bb713127c2ed0001507f74f5764156d625533c5f447e95dd69a9056aa96259f7521ad2a2beb68f4a3459c413d433fe67b436d65c49a51f6970b87643ab

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-26 22:00

Reported

2024-08-26 22:03

Platform

android-33-x64-arm64-20240624-en

Max time kernel

177s

Max time network

141s

Command Line

com.greatwouldmu

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

(no indicator details recorded)

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.greatwouldmu/cache/euoys | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
(recorded three times)

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.greatwouldmu

Network

Country | Destination | Domain | Proto
GB | 216.58.201.100:443 | - | udp
GB | 216.58.201.100:443 | - | tcp
GB | 216.58.201.100:443 | - | tcp
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | sicaktanbayilcam52.com | udp
US | 1.1.1.1:53 | sicakdanbeynimyandii2.com | udp
US | 1.1.1.1:53 | hava540derece.com | udp
GB | 216.58.204.78:443 | - | tcp
GB | 216.58.204.78:443 | - | tcp
US | 74.119.239.234:443 | hava540derece.com | tcp
US | 1.1.1.1:53 | selamcanoonaber.site | udp
US | 1.1.1.1:53 | havacerinlii34.com | udp
US | 1.1.1.1:53 | robetcotraslros5234.com | udp
US | 1.1.1.1:53 | slmla6242nbr.com | udp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
GB | 216.58.201.100:443 | - | tcp
GB | 142.250.200.36:443 | - | tcp
GB | 142.250.200.36:443 | - | tcp
GB | 216.58.201.100:443 | - | tcp
GB | 216.58.201.100:443 | - | tcp
GB | 216.58.201.100:443 | - | tcp
US | 172.64.41.3:443 | - | tcp
US | 172.64.41.3:443 | - | tcp
GB | 172.217.16.227:443 | - | tcp
GB | 172.217.16.227:443 | - | tcp
US | 172.64.41.3:443 | - | udp
US | 34.104.35.123:80 | - | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
GB | 172.217.16.227:443 | - | udp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.100:443 | - | udp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
GB | 216.58.204.78:443 | android.apis.google.com | udp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
US | 1.1.1.1:53 | sicaklarbittikurtldk6215.com | udp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp

Files

/data/data/com.greatwouldmu/cache/euoys

MD5 1b206ca7482850762845e38dda392660
SHA1 ce06671ff58958072a66b82504b5da808e8d214c
SHA256 1875b9609e49b27c4b972afc0da4c2a12aefc22f411995da012bd1e1588906a9
SHA512 828d1d658dab52f526d808ba778fdb36ae369e99cce567317b97c0820cf099b4608a9941c90b9d95cdfb89215e6e73b163b89a32ca1a9b85edda839a27f7e44c

/data/data/com.greatwouldmu/kl.txt (captured five times during this run with different hashes: the file was rewritten while the sample ran, so these hashes identify snapshots rather than a stable artifact; each capture is listed)

MD5 b1cf1b79b502e933c2ea9b2e5d8273e4
SHA1 c3ae470d397d2c55f2288262029ed043d2470efe
SHA256 02347b766faf040b0fd78c67bbab2e008cb92eb1c8eea11f1e08593094d30d36
SHA512 5fb1d8626475391a8ac52142c0db4dc82dbd58b42bbd27226f785098aefd06eb1beb8bc32639b1a64bea55a50272bc57179a74bd124c1d7233532f9e3663d9a2

/data/data/com.greatwouldmu/kl.txt

MD5 d83e5b676201b30efecb72118e5cd7a5
SHA1 c0b42daaf27e8d561daef3895e8dd43cb98df535
SHA256 267089bcf3fd16fc15d21f686a94b46437efe7bd856fb2e7e3f46014bc9c113a
SHA512 12af3f4cd4158fcf60d714515746ff70076b6e8d42219e52e01eb0f9bb43041c444d20c9b01be62f370b3f898e8b10c5de8da1db25846ddc6325a4c875fd734c

/data/data/com.greatwouldmu/kl.txt

MD5 2bac070dd15c235af0d97713ee3f201b
SHA1 34f705417a5d396e933dd38b232d9bdf3dfaf9d7
SHA256 b3c61c51482abd6b8337915a33da4d9076a80136139e1bf733d7e22bf2725082
SHA512 488c5898fe5b47b9126319223f110a93ab44fe5c2d4e1fba52e93bfcd8e50c6ed22da8c2dc881542dc9d4438e62f6f03069c02bf10a7d415ea14bce832593804

/data/data/com.greatwouldmu/kl.txt

MD5 5d5923f6f6d5d2eb19719772d38f617b
SHA1 5db6a2f53637b4c8756ee1fb15fda985160f8567
SHA256 5d675d762a4abc3604f08b1f2ff478233513edea77c5ed69cafcd63abf6e5826
SHA512 682cbd10e2b55380c34d6e3add3e5329a306a2219391b32c56cff83c2975ca8583f3fef46133832fe09837d85987791188457d17c7926ab40b9f3c8a9ff8ab0b

/data/data/com.greatwouldmu/kl.txt

MD5 03fb86710c916fcb600419e8412d0ecd
SHA1 49ffc1349729342185113fd39dcf6bdbadf6a5d1
SHA256 668d19a79c923912eb178958894c33eaa1f69793bef0cd80e13a53f708cd6918
SHA512 217332c04703f68fd8e9f46b8e5740e5b41879312eb3a22afcaee0cb1c4fb0655d05aa47d47b5ac4c68b9596c1f85fa6899e7fb3c38c12b0fe4105d852f4f566

/data/data/com.greatwouldmu/cache/oat/euoys.cur.prof

MD5 e46dfb1671794b087b094201582e1962
SHA1 edba8181a507461bbd42ea1d48285b3f7fd99944
SHA256 f84bda108233991df10cd9d49ff4dfbb108283134c5b4a8353ed954037c1432e
SHA512 72d61306e44cbd98ba27e4ffbc1d809082a416f7d33c9221a5074d93dccb94077c30b6522e9e6ada396a6e911b240264a95b2db502cf56e11cd57b0bbac9e3e9

/data/data/com.greatwouldmu/.qcom.greatwouldmu

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c
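
The Network and Files tables of both behavioural runs mix the sample's own infrastructure with the Google, Cloudflare and mDNS traffic every Android emulator produces, and list the rewritten kl.txt beside the single dropped Dex. The script below is an added example, not Triage's tooling and not code from the sample: it reduces those tables to an IOC list. Domains that were both looked up and then connected to (slmla6242nbr.com, otururkenterliyorum42.com, hava540derece.com) are separated from domains that only ever appear in a DNS query, and files are grouped by path so that a hash seen identically in both runs is marked stable while a path with several hashes is not. NETWORK_ROWS copies run 1 in full and the distinct rows of run 2; FILE_ENTRIES is an abridged copy of the Files sections. The benign-suffix list is this example's own heuristic, not something the report states.

```python
"""Extract IOCs from the report's Network and Files tables.

Added example, not Triage's own tooling.  NETWORK_ROWS and FILE_ENTRIES are
copied (abridged) from the report; BENIGN_SUFFIXES is this example's heuristic."""
from collections import Counter, defaultdict

# Rows copied from the report: "Country Destination [Domain] Proto".
NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 otururkenterliyorum42.com udp
US 1.1.1.1:53 slmla6242nbr.com udp
RU 193.143.1.24:443 slmla6242nbr.com tcp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
GB 216.58.201.100:443 tcp
US 1.1.1.1:53 sicaktanbayilcam52.com udp
US 1.1.1.1:53 sicakdanbeynimyandii2.com udp
US 1.1.1.1:53 hava540derece.com udp
US 74.119.239.234:443 hava540derece.com tcp
US 1.1.1.1:53 selamcanoonaber.site udp
US 1.1.1.1:53 havacerinlii34.com udp
US 1.1.1.1:53 robetcotraslros5234.com udp
US 1.1.1.1:53 slmla6242nbr.com udp
RU 193.143.1.24:443 slmla6242nbr.com tcp
US 172.64.41.3:443 tcp
US 34.104.35.123:80 tcp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
GB 216.58.204.78:443 android.apis.google.com udp
US 1.1.1.1:53 sicaklarbittikurtldk6215.com udp
"""

# (run, path, sha256) copied from the report's Files sections (abridged).
FILE_ENTRIES = [
    ("behavioral1", "/data/data/com.greatwouldmu/cache/euoys", "1875b9609e49b27c4b972afc0da4c2a12aefc22f411995da012bd1e1588906a9"),
    ("behavioral1", "/data/data/com.greatwouldmu/kl.txt", "468e138b25f6b64c199a442b316ae4243e922453968d87b4b0ebff723dd815d8"),
    ("behavioral1", "/data/data/com.greatwouldmu/kl.txt", "4daf6da7bd93fc33e764a0393bd1d615aae6815f541aa45db1d2ffdb08c0de03"),
    ("behavioral2", "/data/data/com.greatwouldmu/cache/euoys", "1875b9609e49b27c4b972afc0da4c2a12aefc22f411995da012bd1e1588906a9"),
    ("behavioral2", "/data/data/com.greatwouldmu/kl.txt", "02347b766faf040b0fd78c67bbab2e008cb92eb1c8eea11f1e08593094d30d36"),
    ("behavioral2", "/data/data/com.greatwouldmu/cache/oat/euoys.cur.prof", "f84bda108233991df10cd9d49ff4dfbb108283134c5b4a8353ed954037c1432e"),
    ("behavioral2", "/data/data/com.greatwouldmu/.qcom.greatwouldmu", "b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a"),
]

BENIGN_SUFFIXES = ("googleapis.com", "google.com", "gstatic.com")  # heuristic
MDNS = "224.0.0.251"


def parse_rows(text):
    """Split report rows into dicts; the Domain column is optional."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_benign(domain):
    return domain is not None and domain.endswith(BENIGN_SUFFIXES)


def network_iocs(rows):
    """C2 = non-benign domains that were resolved AND connected to; lookup-only domains are kept separately."""
    looked_up, unattributed = set(), Counter()
    connected = defaultdict(lambda: {"ips": set(), "sessions": 0})
    for r in rows:
        if r["ip"] == MDNS:
            continue                       # emulator mDNS noise
        if r["port"] == 53:
            looked_up.add(r["domain"])     # DNS query, not a session
            continue
        if r["domain"] is None:
            unattributed[r["ip"]] += 1     # connection with no resolved name in the table
            continue
        connected[r["domain"]]["ips"].add(r["ip"])
        connected[r["domain"]]["sessions"] += 1
    return {
        "c2": {d: {"ips": sorted(v["ips"]), "sessions": v["sessions"]}
               for d, v in connected.items() if not is_benign(d)},
        "lookup_only": sorted(d for d in looked_up if d not in connected and not is_benign(d)),
        "benign": sorted(d for d in looked_up | set(connected) if is_benign(d)),
        "unattributed_ips": sorted(unattributed),
    }


def file_iocs(entries):
    """Group hashes by path; a path with one hash across runs is a usable file IOC."""
    by_path = defaultdict(list)
    for _run, path, sha in entries:
        by_path[path].append(sha)
    return {p: {"sha256": sorted(set(h)), "stable": len(set(h)) == 1, "versions": len(h)}
            for p, h in by_path.items()}


if __name__ == "__main__":
    import json
    print(json.dumps({"network": network_iocs(parse_rows(NETWORK_ROWS)),
                      "files": file_iocs(FILE_ENTRIES)}, indent=2))
```

The lookup-only domains are still worth blocking, since the sample tried them before settling on 193.143.1.24, but the sessions count is what separates the live C2 from the candidates; the unattributed IPs (Google and Cloudflare ranges reached without a domain in the table) should be attributed from the capture before they go into a blocklist.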