Malware Analysis Report

2024-10-19 12:59

Sample ID 240826-1xl6gayhqm
Target 76ee0c251245ad77f98ab84bac17ddbc2b9cc27aaf2e69a98c8b0c4dfb9593d2.bin
SHA256 76ee0c251245ad77f98ab84bac17ddbc2b9cc27aaf2e69a98c8b0c4dfb9593d2
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

76ee0c251245ad77f98ab84bac17ddbc2b9cc27aaf2e69a98c8b0c4dfb9593d2

Threat Level: Known bad

The file 76ee0c251245ad77f98ab84bac17ddbc2b9cc27aaf2e69a98c8b0c4dfb9593d2.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests accessing notifications (often used to intercept notifications before users become aware).

Performs UI accessibility actions on behalf of the user

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator.

Requests modifying system settings.

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Acquires the wake lock

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-26 22:01

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-26 22:01

Reported

2024-08-26 22:06

Platform

android-x86-arm-20240624-en

Max time kernel

43s

Max time network

137s

Command Line

com.formher20

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.formher20/cache/yqavq N/A N/A
N/A /data/user/0/com.formher20/cache/yqavq N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.formher20

Network

Country Destination Domain Proto
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 otururkenterliyorum42.com udp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
US 1.1.1.1:53 slmla6242nbr.com udp
RU 193.143.1.24:443 slmla6242nbr.com tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp

Files

/data/data/com.formher20/cache/yqavq

MD5 27f085de2e1bc9d7556641a963598b4f
SHA1 709bf20ea86922b017aced08a721b9f8f400b7b8
SHA256 06ee555f534320db517130c99e95761f817ebe72e6e99234908348e5175aa796
SHA512 48509fd23a267275ebc230849d237a26145e1eb5296c1fa6a420957c28ee9cb8d7c6d6b559d519aea5773c76ff876eca9f71bd60b735982d9b1fd88d81d4b824

/data/data/com.formher20/kl.txt

MD5 3812cdb604505c87b9a955c2a46654f3
SHA1 25a5514a54d7adaf1001c8e7f825f2ca15833e5b
SHA256 fe3fdbe3e80d88e7afd6aa382da6a59f952d055a52527343f88f9c6a7d4b0d40
SHA512 60d04469e08f469a99f96535cc28f7293046b4ec25796cf906cd8415e2eca1cfb956f0251d8945a0c7598d38c1ab80ce84a1b1a4301e97e181109da52f05484f

/data/data/com.formher20/kl.txt

MD5 63af4152191e214871fb1f1fefabb089
SHA1 7a5d83efce79364bd83f82de036cc81a199d926d
SHA256 b3cbda29d18d1316c897543013929f0021c4ec3e43514dea430622a444b28f2e
SHA512 8d315e9e91ca3810d90e8d6cb0f6efe2c0c2c48795daba3a197ea3b6c59d17123fb3dbe612edbe37cb6a6fbcc99b0beaa8ee56fd71d8aad65912c5f170dd0a6f

/data/data/com.formher20/kl.txt

MD5 f633397a8e7e53efdc6cc6afbdb2314a
SHA1 1e2e114b569dbe48e7421bfdd0bf9cd533177919
SHA256 c82ccdc9117ed3bccee45b7c7f91c1906f94e34fc17c78c5044bbf0e5f6ac675
SHA512 08f523fcf80eee815eaa17736b2effb64734c34462ad10565843df1f942be94db19cb891828a9c87aec072faef9863dd3342822ff426463252bc657206dea5a2

/data/data/com.formher20/kl.txt

MD5 1ecebbe6d6ef12053d0f6b1c2613a131
SHA1 280fc2d3d5f11caae552daa29e51d106fd209633
SHA256 6689f9d0ad04c1c26ea11e3b10bea12cf7d6d5887e47ff49e1feb18b6cdf4042
SHA512 fed65197a6267452e31d4a5a6d93ae2d15dba3e3c3009f4ad281a73641c02ad9af05e29807eddd9e35757983a83ee17ea61dc5e0fbab03a305d50a9a8e49a868

/data/data/com.formher20/kl.txt

MD5 d1c38596ac6a2e3cfcfe6fc8cc5c095d
SHA1 5cc221c523ae95ff27a7615954f5fc80cf1477c8
SHA256 53707c30b6b693aaf7c3fb92fbf8bb1560e19a6d97a7ccfa44b0bf2c40e00a22
SHA512 bd8c5c5d10f33539fb559114b9c8760e21e786d27ed3a13c312c381a84b7f5284ea4c6a7d16dff0eb8fdd5c2fa1de5451796dbdd9a3bc31abf97483ffa3f3c27

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-26 22:01

Reported

2024-08-26 22:06

Platform

android-x64-arm64-20240624-en

Max time kernel

29s

Max time network

171s

Command Line

com.formher20

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.formher20/cache/yqavq N/A N/A
N/A /data/user/0/com.formher20/cache/yqavq N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.formher20

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.16.238:443 tcp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 hava540derece.com udp
US 74.119.239.234:443 hava540derece.com tcp
US 74.119.239.234:443 hava540derece.com tcp
US 1.1.1.1:53 havacerinlii34.com udp
US 1.1.1.1:53 selamcanoonaber.site udp
US 1.1.1.1:53 pikniktupu2534.com udp
US 1.1.1.1:53 robetcotraslros5234.com udp
US 1.1.1.1:53 havasarinliyorla234.com udp
US 1.1.1.1:53 sicaklarbittikurtldk6215.com udp
US 1.1.1.1:53 cehennemdirloo34.com udp
US 1.1.1.1:53 otururkenterliyorum42.com udp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
US 1.1.1.1:53 sicakdanbeynimyandii2.com udp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
US 1.1.1.1:53 sicaktanbayilcam52.com udp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
US 1.1.1.1:53 slmla6242nbr.com udp
RU 193.143.1.24:443 slmla6242nbr.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
US 74.119.239.234:443 otururkenterliyorum42.com tcp

Files

/data/data/com.formher20/cache/yqavq

MD5 27f085de2e1bc9d7556641a963598b4f
SHA1 709bf20ea86922b017aced08a721b9f8f400b7b8
SHA256 06ee555f534320db517130c99e95761f817ebe72e6e99234908348e5175aa796
SHA512 48509fd23a267275ebc230849d237a26145e1eb5296c1fa6a420957c28ee9cb8d7c6d6b559d519aea5773c76ff876eca9f71bd60b735982d9b1fd88d81d4b824