Malware Analysis Report

2024-10-19 12:59

Sample ID 240826-1xj14sxfpb
Target 7ebdf8a7d2f8c0cd920040a2276c4a3e04ad1eb96d185beeb59bfec201992a2b.bin
SHA256 7ebdf8a7d2f8c0cd920040a2276c4a3e04ad1eb96d185beeb59bfec201992a2b
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7ebdf8a7d2f8c0cd920040a2276c4a3e04ad1eb96d185beeb59bfec201992a2b

Threat Level: Known bad

The file 7ebdf8a7d2f8c0cd920040a2276c4a3e04ad1eb96d185beeb59bfec201992a2b.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Requests accessing notifications (often used to intercept notifications before users become aware).

Requests modifying system settings.

Queries the unique device ID (IMEI, MEID, IMSI)

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Reads information about phone network operator.

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Queries the mobile country code (MCC)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-26 22:01

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-26 22:01

Reported

2024-08-26 22:06

Platform

android-x86-arm-20240624-en

Max time kernel

46s

Max time network

171s

Command Line

com.studyfireyuaj

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.studyfireyuaj/cache/amtmiwv N/A N/A
N/A /data/user/0/com.studyfireyuaj/cache/amtmiwv N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.studyfireyuaj

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 robetcotraslros5234.com udp
US 1.1.1.1:53 sicaklarbittikurtldk6215.com udp
US 1.1.1.1:53 havasarinliyorla234.com udp
US 1.1.1.1:53 pikniktupu2534.com udp
US 1.1.1.1:53 havacerinlii34.com udp
US 1.1.1.1:53 sicakdanbeynimyandii2.com udp
US 1.1.1.1:53 cehennemdirloo34.com udp
US 1.1.1.1:53 hava540derece.com udp
US 1.1.1.1:53 otururkenterliyorum42.com udp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
US 1.1.1.1:53 sicaktanbayilcam52.com udp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
US 1.1.1.1:53 selamcanoonaber.site udp
US 1.1.1.1:53 slmla6242nbr.com udp
RU 193.143.1.24:443 slmla6242nbr.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
US 74.119.239.234:443 otururkenterliyorum42.com tcp

Files

/data/data/com.studyfireyuaj/cache/amtmiwv

MD5 2c525225fa1985de668b61943d75219d
SHA1 1efdcbc52189b2b4fd57945ee88f24ad4aeba8bb
SHA256 a617474923322e023c97c5f2d64765ad0c053ea33ed8e387194a056a61964ce7
SHA512 33ede844c6a3d460f4bc22e7f63381c5d0a40d8c259f61fa3ba6bfbcf86125213a1836dd4ccb82c7f2aa66090f31d611971a4d7a81d30557670831c4da14e7eb

/data/data/com.studyfireyuaj/cache/oat/amtmiwv.cur.prof

MD5 05ef8d33de6ec48663853944cf173d22
SHA1 bbd05bea545f9c4a151798d72e3ecbd8a52b5fb7
SHA256 347b67e37f5fc306c1fd269a178699f8fd7e9e56e68799799fd73abfba86b42f
SHA512 5c015c7644e5e64dcf89e7cd625c92a4196231e3196c6be0d967a5ac8322b297f001cf6a611ec7c0a43fee8a2e70147b1140f89dd01c5e575a0927554c1440bc

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-26 22:01

Reported

2024-08-26 22:06

Platform

android-x64-arm64-20240624-en

Max time kernel

179s

Max time network

172s

Command Line

com.studyfireyuaj

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.studyfireyuaj/cache/amtmiwv N/A N/A
N/A /data/user/0/com.studyfireyuaj/cache/amtmiwv N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.studyfireyuaj

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.179.238:443 tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
US 1.1.1.1:53 sicaklarbittikurtldk6215.com udp
US 1.1.1.1:53 cehennemdirloo34.com udp
US 1.1.1.1:53 havasarinliyorla234.com udp
US 1.1.1.1:53 sicaktanbayilcam52.com udp
US 1.1.1.1:53 otururkenterliyorum42.com udp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
US 1.1.1.1:53 havacerinlii34.com udp
US 1.1.1.1:53 robetcotraslros5234.com udp
US 1.1.1.1:53 selamcanoonaber.site udp
US 1.1.1.1:53 havasarinliyorla234.com udp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
US 1.1.1.1:53 slmla6242nbr.com udp
RU 193.143.1.24:443 slmla6242nbr.com tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
GB 142.250.180.2:443 tcp
GB 142.250.179.238:443 tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
US 1.1.1.1:53 pikniktupu2534.com udp
US 1.1.1.1:53 sicakdanbeynimyandii2.com udp
RU 193.143.1.24:443 slmla6242nbr.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp

Files

/data/data/com.studyfireyuaj/cache/amtmiwv

MD5 2c525225fa1985de668b61943d75219d
SHA1 1efdcbc52189b2b4fd57945ee88f24ad4aeba8bb
SHA256 a617474923322e023c97c5f2d64765ad0c053ea33ed8e387194a056a61964ce7
SHA512 33ede844c6a3d460f4bc22e7f63381c5d0a40d8c259f61fa3ba6bfbcf86125213a1836dd4ccb82c7f2aa66090f31d611971a4d7a81d30557670831c4da14e7eb

/data/data/com.studyfireyuaj/cache/oat/amtmiwv.cur.prof

MD5 5c969bcf8f9d06661217b80019b336b8
SHA1 4b1c010bd396d07a0ca96bfdf20fcb6da5137b29
SHA256 a13690e5f9563924c15122dcb862e1bf63b0bd316768170357b7de01c3ec92f8
SHA512 4d33d5e7d3d65939bbeb29429a717939af05e7d55e725785aaa19f105495f476781fdf64dd3bcf3eea8834a0a321366879c17a916e7061dc20faf567e27e43dc

/data/data/com.studyfireyuaj/kl.txt

MD5 9b9a2b9add27db16c80a18df1648d1ba
SHA1 648469160f6a8379d56b89295dfde450e5000153
SHA256 d2f2f1485ee575ac2818ef2d483a08ef6ebf6bd7f128064ca8420ddffe32ea65
SHA512 612c44d078fceacbc1ef57114f2a279d012b179e7b8514927528cc6bc97624c1bb7ed7b621ca609359afb75d5989324f718dc3f51ed212e3e059a4fbfdf7c087

/data/data/com.studyfireyuaj/kl.txt

MD5 39b2184db520669d3cf96877aa244aff
SHA1 d037ee6042caea137e3187147e2fd23cfb67dcfe
SHA256 759090c5860eb9871319edb5cdcdd2bd3380ac26418645b1e71a182ca43e2ddd
SHA512 fd2b3f97f552cb0e33265fe703b028e8d7fb79b54020f1b4ce2492e13af947d54a2d626dd806dc560492c5d24be3aaa7ae00ca2278005b49a7ff7112a2e6bac8

/data/data/com.studyfireyuaj/kl.txt

MD5 907f5b772fc20a6f3d251b43c1d78ccc
SHA1 735e6077167eb5762cbdb8708d651d73639c7748
SHA256 c4cd1d0f02388467b4a5e42fa22191ac31d346bbc1a848c4e069c15c3f7455d3
SHA512 aa42480967ae3de1769ae3650ed99f9c376a6c8c0b857be1595a9365a4bee88a52f41d8f15dca54ff760982729fb0575320a713bd83cd792920c3dea6d0d83e7

/data/data/com.studyfireyuaj/.qcom.studyfireyuaj

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c