Malware Analysis Report

2024-10-19 12:58

Sample ID 240827-1w8m3svhlr
Target 143c3bae3c9d502b37d8b936c5752b9862d145cbdf581373009f9cef38650752.bin
SHA256 143c3bae3c9d502b37d8b936c5752b9862d145cbdf581373009f9cef38650752
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256

143c3bae3c9d502b37d8b936c5752b9862d145cbdf581373009f9cef38650752

Threat Level: Known bad

The file 143c3bae3c9d502b37d8b936c5752b9862d145cbdf581373009f9cef38650752.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Requests disabling of battery optimizations (often used to enable hiding in the background).

Performs UI accessibility actions on behalf of the user

Requests accessing notifications (often used to intercept notifications before users become aware).

Acquires the wake lock

Requests dangerous framework permissions

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Declares broadcast receivers with permission to handle system events

Makes use of the framework's foreground persistence service

Queries the unique device ID (IMEI, MEID, IMSI)

Requests modifying system settings.

Reads information about phone network operator.

Attempts to obfuscate APK file format

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-27 22:01

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Indicator Description (Process and Target: N/A for all rows)
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.
android.permission.ACCESS_FINE_LOCATION: Allows an app to access precise location.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.READ_MEDIA_IMAGES: Allows an application to read image files from external storage.
android.permission.POST_NOTIFICATIONS: Allows an app to post notifications.
android.permission.READ_MEDIA_VIDEO: Allows an application to read video files from external storage.
android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
android.permission.READ_MEDIA_AUDIO: Allows an application to read audio files from external storage.
android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-27 22:01

Reported

2024-08-27 22:07

Platform

android-x86-arm-20240624-en

Max time kernel

170s

Max time network

151s

Command Line

com.snap.hub

Signatures

Octo

banker trojan infostealer rat octo

Octo payload


Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.snap.hub/app_enhance/APRSs.json N/A N/A
N/A /data/user/0/com.snap.hub/app_enhance/APRSs.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.snap.hub

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.snap.hub/app_enhance/APRSs.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.snap.hub/app_enhance/oat/x86/APRSs.odex --compiler-filter=quicken --class-loader-context=&

Network


Files

/data/data/com.snap.hub/app_enhance/APRSs.json

/data/user/0/com.snap.hub/app_enhance/APRSs.json

/data/data/com.snap.hub/kl.txt

/data/data/com.snap.hub/.qcom.snap.hub

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-27 22:01

Reported

2024-08-27 22:07

Platform

android-33-x64-arm64-20240624-en

Max time kernel

179s

Max time network

162s

Command Line

com.snap.hub

Signatures

Octo

banker trojan infostealer rat octo

Octo payload


Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.snap.hub/app_enhance/APRSs.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.snap.hub

Network


Files

/data/data/com.snap.hub/app_enhance/APRSs.json

/data/user/0/com.snap.hub/app_enhance/APRSs.json

/data/data/com.snap.hub/.qcom.snap.hub