Malware Analysis Report

2025-04-03 14:14

Sample ID 241104-1xb1hayaqa
Target 3930209b6a9f9a56b9d4af9fa92950552fb3c1e349d801f81551269db3f588ff.bin
SHA256 3930209b6a9f9a56b9d4af9fa92950552fb3c1e349d801f81551269db3f588ff
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Analysis Overview

score
10/10

SHA256

3930209b6a9f9a56b9d4af9fa92950552fb3c1e349d801f81551269db3f588ff

Threat Level: Known bad

The file 3930209b6a9f9a56b9d4af9fa92950552fb3c1e349d801f81551269db3f588ff.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Octo family

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Acquires the wake lock

Performs UI accessibility actions on behalf of the user

Queries the mobile country code (MCC)

Requests accessing notifications (often used to intercept notifications before users become aware).

Reads information about phone network operator.

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Requests modifying system settings.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Analysis: static1

Detonation Overview

Reported

2024-11-04 22:01

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to connect to paired Bluetooth devices. android.permission.BLUETOOTH_CONNECT N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to read video files from external storage. android.permission.READ_MEDIA_VIDEO N/A N/A
Allows an application to read image or video files from external storage that a user has selected via the permission prompt photo picker. android.permission.READ_MEDIA_VISUAL_USER_SELECTED N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Required to be able to connect to paired Bluetooth devices. android.permission.BLUETOOTH_CONNECT N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read image files from external storage. android.permission.READ_MEDIA_IMAGES N/A N/A
Allows an application to read audio files from external storage. android.permission.READ_MEDIA_AUDIO N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read image files from external storage. android.permission.READ_MEDIA_IMAGES N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to recognize physical activity. android.permission.ACTIVITY_RECOGNITION N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read video files from external storage. android.permission.READ_MEDIA_VIDEO N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application to read audio files from external storage. android.permission.READ_MEDIA_AUDIO N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 22:01

Reported

2024-11-04 22:03

Platform

android-x86-arm-20240624-en

Max time kernel

43s

Max time network

156s

Command Line

com.fog.cart

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.fog.cart/app_attitude/lPuA.json N/A N/A
N/A /data/user/0/com.fog.cart/app_attitude/lPuA.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.fog.cart

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fog.cart/app_attitude/lPuA.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.fog.cart/app_attitude/oat/x86/lPuA.odex --compiler-filter=quicken --class-loader-context=&

Network


Files

/data/data/com.fog.cart/app_attitude/lPuA.json

MD5 f88b0febeebde6d9bf4e03e42a1e44df
SHA1 43f26be4a76b3a0b1e204bac7461da7c88575c40
SHA256 966841fac8654354677cb8efd09d721d852c7556d9faae8ba8cce110213cf0dc
SHA512 42287e789a859d27ac9a586160e6e292ffe9011a952988e2672e1b091e69f8a5a7e06bbeb728eec598f025902a659ffb260af51c6cd95a0561f629beea85d336

/data/data/com.fog.cart/app_attitude/lPuA.json

MD5 6b5d0ea61a90535a9523d63e295979c0
SHA1 103eb2b8314d800dca76115c50f0255578d469a6
SHA256 eede24fa53cca2a8bca7fd6d6ede432ab2bdd4af1e581988fcc82ef811c3b5bb
SHA512 a55f723b417fd757f295e96de3a8f984551d6b6e967ad1e0730edb514c1056dd29f859fcbb0edf1bd4f222e85d3426f47fa6e2520d672a02e87545c84b0802fc

/data/user/0/com.fog.cart/app_attitude/lPuA.json

MD5 d5f348392f35fbdc7b3d169777e58231
SHA1 dc18f1fba4faec1ddfb68d45fb9a91628302acbd
SHA256 aca090b783832f942c64de3688a8c9757c2b2bd41a7cdfeed260590e468dca11
SHA512 6c88e25e7a8816325cbc3a03d3dc5675c62b72460a213d51dcbca8cabb9adf0f438cc2388720d9dbd891be515e6ae5f2fb8f10a65a8446637d50332e4970ded3

/data/user/0/com.fog.cart/app_attitude/lPuA.json

MD5 084cd742220ef53bae69b3be726e262f
SHA1 36768834f341846b8ffda963f3452694704dda9a
SHA256 157ab1eaccc1dedb4f337f6f322c86b5e652f5dc0f81c3748aa0ab66c0dab931
SHA512 682d0cd4d49fd1b04aa795b17dcac08d9ffe853ec8b7c8954e1b02d6711466b5bd750a33d871534714d854ae355cb38229d0bfca858297505810a8b9f7ba056b

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 22:01

Reported

2024-11-04 22:04

Platform

android-33-x64-arm64-20240624-en

Max time kernel

148s

Max time network

157s

Command Line

com.fog.cart

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.fog.cart/app_attitude/lPuA.json N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.fog.cart

Network


Files

/data/data/com.fog.cart/app_attitude/lPuA.json

MD5 f88b0febeebde6d9bf4e03e42a1e44df
SHA1 43f26be4a76b3a0b1e204bac7461da7c88575c40
SHA256 966841fac8654354677cb8efd09d721d852c7556d9faae8ba8cce110213cf0dc
SHA512 42287e789a859d27ac9a586160e6e292ffe9011a952988e2672e1b091e69f8a5a7e06bbeb728eec598f025902a659ffb260af51c6cd95a0561f629beea85d336

/data/data/com.fog.cart/app_attitude/lPuA.json

MD5 6b5d0ea61a90535a9523d63e295979c0
SHA1 103eb2b8314d800dca76115c50f0255578d469a6
SHA256 eede24fa53cca2a8bca7fd6d6ede432ab2bdd4af1e581988fcc82ef811c3b5bb
SHA512 a55f723b417fd757f295e96de3a8f984551d6b6e967ad1e0730edb514c1056dd29f859fcbb0edf1bd4f222e85d3426f47fa6e2520d672a02e87545c84b0802fc

/data/user/0/com.fog.cart/app_attitude/lPuA.json

MD5 d5f348392f35fbdc7b3d169777e58231
SHA1 dc18f1fba4faec1ddfb68d45fb9a91628302acbd
SHA256 aca090b783832f942c64de3688a8c9757c2b2bd41a7cdfeed260590e468dca11
SHA512 6c88e25e7a8816325cbc3a03d3dc5675c62b72460a213d51dcbca8cabb9adf0f438cc2388720d9dbd891be515e6ae5f2fb8f10a65a8446637d50332e4970ded3