Malware Analysis Report

2025-04-03 14:13

Sample ID 241104-118hwa1kcn
Target c7a9b0cc0bd18ea5c4b7ad861f3e666117e1189e942220aeb78f4b8cd51d90d2.bin
SHA256 c7a9b0cc0bd18ea5c4b7ad861f3e666117e1189e942220aeb78f4b8cd51d90d2
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256

c7a9b0cc0bd18ea5c4b7ad861f3e666117e1189e942220aeb78f4b8cd51d90d2

Threat Level: Known bad

The file c7a9b0cc0bd18ea5c4b7ad861f3e666117e1189e942220aeb78f4b8cd51d90d2.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo family

Octo payload

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Queries the unique device ID (IMEI, MEID, IMSI)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Attempts to obfuscate APK file format

Acquires the wake lock

Queries the mobile country code (MCC)

Requests modifying system settings.

Requests accessing notifications (often used to intercept notifications before users become aware).

Performs UI accessibility actions on behalf of the user

Makes use of the framework's foreground persistence service

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 22:08

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows applications to use exact alarm APIs. | android.permission.SCHEDULE_EXACT_ALARM | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 22:08

Reported

2024-11-04 22:10

Platform

android-x86-arm-20240624-en

Max time kernel

49s

Max time network

145s

Command Line

com.windpowerlw

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.windpowerlw/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.windpowerlw/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.windpowerlw/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.windpowerlw/cache/qpmdvqmk | N/A | N/A
N/A | /data/user/0/com.windpowerlw/cache/qpmdvqmk | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.windpowerlw

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.windpowerlw/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.windpowerlw/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | mal1fukizmirli.com | udp
US | 1.1.1.1:53 | oyunbaimlisi35.com | udp
US | 1.1.1.1:53 | fukiyibartiyom2.com | udp
US | 1.1.1.1:53 | malkafali222.com | udp
US | 1.1.1.1:53 | malkafaniskm.com | udp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp

Files

/data/data/com.windpowerlw/cache/classes.zip

MD5 20d29d10863ccf104c23aba9596156d0
SHA1 07d3bf5c6f353ed56773d6527fdc4690ea5f5237
SHA256 1c408ed5b849eb55213c1cb31bedb685b51160b121d0f2cbed407c77b85d11f2
SHA512 71c7fa8d4ace35c0a3c15674e3aba1bf5c2eec4e5c2f037d99f217a25b20eb18577c2fbe44485e917db3d7fb7a9669de4f80efb9916cf318352a608b2da892a4

/data/data/com.windpowerlw/cache/classes.dex

MD5 6f3c937b33d0840584225884a2b03270
SHA1 959e14964d3085d43fab119d5f5ff2cca020062c
SHA256 aeb3375564c2d9df98d81436687e4b068e39ddbdba7343293dd2bc7a0e92859a
SHA512 578f26303fd7a3d4961eed8cc51616f2fde809f4ae7df112981d61a1ba694fc669e35e26ea48721fea090e2b15773d0691dd87480be988bd8fada7ecbcf5aa20

/data/data/com.windpowerlw/app_dex/classes.dex

MD5 98d02837aa6bdb8bb645d310f604e951
SHA1 2e143af157e223e7f64ec8998a9bb0c09853950d
SHA256 840c2d23a61b52ab28157d89b8beed80749611a5ef421301cc7e76c6a3bf1f9d
SHA512 ef31b15f5ac3f6aa740b071d07f2ff9fd7b731b72706d5d904307911ba85bebee4d8803d978a29b4d5d425a41930d4f5f0fca54c10f1c73b48245db22d0179de

/data/user/0/com.windpowerlw/app_dex/classes.dex

MD5 8085aeaf499a694a64f3de3306101b27
SHA1 639d4651aaf7e891c6a73fdbbdf82d4bd8b7480a
SHA256 3783a5c89ff7f2116551d861938b9df9aee17da5d0de0d17127f9f4ea00ab70a
SHA512 a80a98e47ad118474b6e36f049bca0d3d0b3ed0454cba8e9719d2ea60e0e2fd6a9603c3b97bf199197305f9bd9dfc0bbb9d1bc409b19c4ec52fa8ab4ca11bb58

/data/data/com.windpowerlw/cache/qpmdvqmk

MD5 2ca8072ecf153fab71065c291cd49953
SHA1 e3ff93cb1a133bee7a4c6ce19c9e0a2f7d49e74f
SHA256 d2b264acee763c6bc1f9fc9c5e98fb3c71625cea78fceca2532691c93bf81044
SHA512 3ef37ced677557de145b59e74e63553c0a222324b68990ce42e77c2f14b46de4e5cdf8e2bf89185d649d74e0f22492d8b2f58271d84a831191bb5ef1f7a36af7

/data/data/com.windpowerlw/kl.txt

MD5 cc3685fbc3955c5715373cca391b6a59
SHA1 0dc7559a8c375e7f388013d9356277174392bf74
SHA256 c0aadf51046b5812bade58ae81f4b441cae93c54804598f8a9b92a426f7f1892
SHA512 4b0d12c50b1dc8118a51c65349c9e1d25aabc4ebb6d580bb8aafb1674d59b7f01a5a16beab107dfd9bfb8706de59c1d45dc1417be5184822618298b5531b49fc

/data/data/com.windpowerlw/kl.txt

MD5 370959cc115a17a422567fdf1ea194d6
SHA1 8a96060cf7871b858f054037e20fd8203a9e4b5b
SHA256 fab0179ff76be47efb95bd2d085cc7f18dee778ba25f923fdc33b28526a6c97a
SHA512 fde7d4620a8ffabfd9227867b3e8c4737621d475ee25e4171496e49a43ba07d99d3317451fc9e0fad1a3e196ce6906061591b9a641d6cb967714a16394109f39

/data/data/com.windpowerlw/kl.txt

MD5 01611a597cc28853ad28922335d3fd7e
SHA1 54d1888069de82a1a25fba93699b8296a86501fe
SHA256 dcee6272881a1630c98d09536a0418875547915590f4b8ec7f3a4d79b6c6deb4
SHA512 ed813b7ac85d8816c9996b849b146ad9b71aa1bd331c3795193a29c98db51c66e32838b1eca7d9c0dd171af819211a691b8594c9855245e82a066e4e0cddd987

/data/data/com.windpowerlw/kl.txt

MD5 8effc14e6265095ef04f37fb26e2c351
SHA1 56d762afaf5574c112e2effbf1052974db091cfe
SHA256 370125a24455fe32206d7a2a5efa4bf638d918819a393ae5d041442776f4e19b
SHA512 1bfb978cde69cc01f9b98b3f3acf3598d1f03fdaddcc4c52cc6b9bc67ab23b342b9a9f09ca8915bd97dcd88fba9890600cc995ea5a767bb9c1544cbd188b2abe

/data/data/com.windpowerlw/kl.txt

MD5 a27094a1180405a9ae572f5c5c58bf8c
SHA1 e32a496f0e332181a28abca790590df55f73d907
SHA256 5398f454c32ff282eb4659d78854f69f5cd4ef80c89cf07167eec5489797d5c4
SHA512 a378bacc01ae4e96a91e2c96dafcc3889f99f20554bf8f5d50095f6d09ea14d53f4526170b82b65999f90a78dfbf278a6c61e5c1f64699901e308c91ae4f2eb8

/data/data/com.windpowerlw/cache/oat/qpmdvqmk.cur.prof

MD5 925266ba8899a4e8dde85b5429956f6f
SHA1 4c805e77c476640f9a4cfb5961df100f72e8320e
SHA256 45f96047901e4ed5ea9181d18c49c940603027bc4c4556e88fbd2b52dc6c000f
SHA512 1c2d4f8052e591208e62c4de9961814c9ba961eecdbd5d615ec8da843c01e63d668bc619e8073e1bfd16f0621c4487af700288c902f0776b4cb2963d03ad8e95

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 22:08

Reported

2024-11-04 22:10

Platform

android-x64-20240910-en

Max time kernel

1s

Max time network

150s

Command Line

com.windpowerlw

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.windpowerlw/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.windpowerlw/app_dex/classes.dex | N/A | N/A

Processes

com.windpowerlw

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.10:443 | | tcp
GB | 216.58.212.238:443 | | tcp
GB | 142.250.180.14:443 | | tcp
GB | 216.58.212.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp

Files

/data/data/com.windpowerlw/cache/classes.zip

MD5 20d29d10863ccf104c23aba9596156d0
SHA1 07d3bf5c6f353ed56773d6527fdc4690ea5f5237
SHA256 1c408ed5b849eb55213c1cb31bedb685b51160b121d0f2cbed407c77b85d11f2
SHA512 71c7fa8d4ace35c0a3c15674e3aba1bf5c2eec4e5c2f037d99f217a25b20eb18577c2fbe44485e917db3d7fb7a9669de4f80efb9916cf318352a608b2da892a4

/data/data/com.windpowerlw/cache/classes.dex

MD5 6f3c937b33d0840584225884a2b03270
SHA1 959e14964d3085d43fab119d5f5ff2cca020062c
SHA256 aeb3375564c2d9df98d81436687e4b068e39ddbdba7343293dd2bc7a0e92859a
SHA512 578f26303fd7a3d4961eed8cc51616f2fde809f4ae7df112981d61a1ba694fc669e35e26ea48721fea090e2b15773d0691dd87480be988bd8fada7ecbcf5aa20

/data/data/com.windpowerlw/app_dex/classes.dex

MD5 98d02837aa6bdb8bb645d310f604e951
SHA1 2e143af157e223e7f64ec8998a9bb0c09853950d
SHA256 840c2d23a61b52ab28157d89b8beed80749611a5ef421301cc7e76c6a3bf1f9d
SHA512 ef31b15f5ac3f6aa740b071d07f2ff9fd7b731b72706d5d904307911ba85bebee4d8803d978a29b4d5d425a41930d4f5f0fca54c10f1c73b48245db22d0179de