Malware Analysis Report

2024-12-01 02:55

Sample ID 241108-1y7tka1ckk
Target 532232fb96e9bcfe28456e5c8a9334ece123883c875306019699efce68c71900.bin
SHA256 532232fb96e9bcfe28456e5c8a9334ece123883c875306019699efce68c71900
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Analysis Overview

score
10/10

SHA256

532232fb96e9bcfe28456e5c8a9334ece123883c875306019699efce68c71900

Threat Level: Known bad

The file 532232fb96e9bcfe28456e5c8a9334ece123883c875306019699efce68c71900.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Octo family

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Obtains sensitive information copied to the device clipboard

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Declares services with permission to bind to the system

Requests accessing notifications (often used to intercept notifications before users become aware).

Queries the mobile country code (MCC)

Performs UI accessibility actions on behalf of the user

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Acquires the wake lock

Requests disabling of battery optimizations (often used to enable hiding in the background).

Queries the unique device ID (IMEI, MEID, IMSI)

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-11-08 22:04

Signatures

Declares broadcast receivers with permission to handle system events

Indicator: android.permission.BIND_DEVICE_ADMIN
    Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

Indicator: android.permission.BIND_ACCESSIBILITY_SERVICE
    Required by accessibility services to bind with the system. Allows apps to access accessibility features.
Indicator: android.permission.BIND_NOTIFICATION_LISTENER_SERVICE
    Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.

Requests dangerous framework permissions

Indicator: android.permission.WRITE_EXTERNAL_STORAGE
    Allows an application to write to external storage.
Indicator: android.permission.READ_EXTERNAL_STORAGE
    Allows an application to read from external storage.
Indicator: android.permission.RECEIVE_SMS
    Allows an application to receive SMS messages.
Indicator: android.permission.READ_SMS
    Allows an application to read SMS messages.
Indicator: android.permission.SEND_SMS
    Allows an application to send SMS messages.
Indicator: android.permission.READ_PHONE_STATE
    Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
Indicator: android.permission.CALL_PHONE
    Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
Indicator: android.permission.WRITE_SETTINGS
    Allows an application to read or write the system settings. Note: the sandbox lists this with the runtime ("dangerous") permissions, but WRITE_SETTINGS is a special-access permission that the user grants through a Settings screen, not through a runtime prompt.
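
The static1 section draws a distinction worth keeping straight when reading a manifest by hand: the BIND_* permissions are not requested by the app at all. They are declared on a service or receiver so that only the system can bind to it, and their presence tells you which privileged roles (accessibility service, notification listener, device admin) the app is built to be granted. The SMS, phone and storage permissions are the ones the app actually requests. The following added example (not the sandbox's code, and the manifest is constructed from the permission names above rather than extracted from the sample; the component class names .KeyService, .NlService and .AdminReceiver are placeholders) parses a decoded AndroidManifest.xml and separates the two categories, then flags the combination this report shows:

```python
"""Separate requested permissions from declared component-binding permissions
in a decoded AndroidManifest.xml. Added example; not the sandbox's code.

The manifest below is CONSTRUCTED from the permission names in the static1
table. It is not the sample's real manifest; class names are placeholders."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's Clark-notation prefix for android: attributes

MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.windspecial6">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".KeyService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NlService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# Runtime permissions: the user must approve these in a prompt.
DANGEROUS = {
    "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE", "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
# Special-access permissions: granted on a Settings screen, not a runtime prompt.
SPECIAL = {"android.permission.WRITE_SETTINGS"}
# BIND_* permissions are declared on components so only the system may bind.
# Each one maps to a privileged role the user can grant the app in Settings.
PRIVILEGED_BINDINGS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
    "android.permission.BIND_DEVICE_ADMIN": "device admin receiver",
}
SMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
       "android.permission.SEND_SMS"}


def parse_manifest(xml_text):
    """Return (requested permission names, {component name: binding permission})."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    declared = {}
    for tag in ("service", "receiver", "activity"):
        for comp in root.iter(tag):
            perm = comp.get(A + "permission")
            if perm:
                declared[comp.get(A + "name")] = perm
    return requested, declared


def triage(xml_text):
    """Classify permissions and flag the accessibility + notification + SMS combination."""
    requested, declared = parse_manifest(xml_text)
    findings = {
        "dangerous": sorted(requested & DANGEROUS),
        "special": sorted(requested & SPECIAL),
        # A BIND_* permission inside <uses-permission> does nothing; listing it
        # is a common author mistake and worth noticing during review.
        "misfiled_bind": sorted(requested & set(PRIVILEGED_BINDINGS)),
        "roles": sorted(PRIVILEGED_BINDINGS[p] for p in declared.values()
                        if p in PRIVILEGED_BINDINGS),
    }
    findings["banker_pattern"] = (
        "accessibility service" in findings["roles"]
        and "notification listener" in findings["roles"]
        and bool(requested & SMS)
    )
    return findings


if __name__ == "__main__":
    for key, value in triage(MANIFEST).items():
        print(f"{key}: {value}")
```

Run against a real sample, the input would be the manifest decoded from the APK (for example with apktool or aapt2), and the baseline sets should be tuned to the Android version in scope; the classification logic does not change.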

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 22:04

Reported

2024-11-08 22:07

Platform

android-x86-arm-20240624-en

Max time kernel

148s

Max time network

153s

Command Line

com.windspecial6

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Indicator (dropped file loaded): /data/user/0/com.windspecial6/cache/kurqfatg (2 load events recorded)
    Note: /data/user/0/<pkg> and /data/data/<pkg> are the same directory, so this is the kurqfatg file listed under Files below (SHA256 aec9d784060c29065c9f354bb06e9752d39506c8b7d89c0600125013fe5e0efa).

Makes use of the framework's Accessibility service

collection evasion credential_access
Indicator (framework service call): android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Indicator (framework service call): android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
Indicator (framework service call): android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
    These calls read the foreground app's view hierarchy (node text and view IDs); they are the collection side of accessibility abuse, while performGlobalAction below is the action side.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Indicator (framework service call): android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service

evasion persistence
Indicator (framework service call): android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user

evasion
Indicator (framework service call): android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (4 calls recorded)

Queries the mobile country code (MCC)

discovery
Indicator (framework service call): com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
    Note: this call returns the ISO 3166 country code of the registered network (for example "us"), not the numeric MCC; the signature title is the sandbox's label for the lookup.

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Indicator (intent action): android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS
    This opens the Settings screen on which the user grants notification access; whether the grant succeeded is not visible in this table.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Indicator (intent action): android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
    This prompts the user to exempt the app from Doze and App Standby; together with the foreground service and wake lock above it keeps the process resident.

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Indicator (framework service call): android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)

impact
Indicator (framework API call): javax.crypto.Cipher.doFinal
    Note: the call alone does not show what is encrypted or decrypted. In a banker of this kind it is at least as consistent with unpacking the dropped Dex payload or protecting C2 traffic as with encrypting user data, so read the "impact" tag as a hedge rather than a finding.

Checks CPU information

Indicator (file opened for read): /proc/cpuinfo

Checks memory information

Indicator (file opened for read): /proc/meminfo
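
Three of the behaviours above (binding an accessibility service, asking for notification-listener access, and asking to be exempted from battery optimizations) only take effect once the user accepts a Settings prompt. On a live device the outcome is recorded in the secure settings provider and in the device-idle whitelist, which makes a quick incident-response check possible without unpacking anything. The following added example (not part of the report) parses the text those three adb commands print and reports which non-baseline packages hold each privilege, and which hold all three. The sample outputs are constructed for illustration; the `enabled_accessibility_services` and `enabled_notification_listeners` format (`pkg/Class:pkg/Class`, or `null` when unset) is how `settings get secure` prints them, while the `type,package,uid` layout for `dumpsys deviceidle whitelist` is an assumption you should confirm against your device's output. The trust list is also an assumption; derive a real baseline from a known-clean image.

```python
"""Device-side check for the three Settings-granted privileges this run shows
the sample seeking. Added example, not from the report.

Inputs are the outputs of (constructed samples below):
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure enabled_notification_listeners
  adb shell dumpsys deviceidle whitelist
The deviceidle line layout 'type,package,uid' is ASSUMED here; 'user' marks
apps exempted after a REQUEST_IGNORE_BATTERY_OPTIMIZATIONS prompt."""

# ASSUMED trust list for the example; build a real one from a clean device.
BASELINE = {
    "com.google.android.marvin.talkback",
    "com.google.android.gms",
    "com.android.shell",
}

# CONSTRUCTED sample outputs; the com.windspecial6 class names are placeholders.
ACCESSIBILITY = (
    "com.windspecial6/com.windspecial6.KeyService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)
LISTENERS = "com.windspecial6/com.windspecial6.NlService"
DEVICEIDLE = """\
system-excidle,com.android.shell,2000
system,com.google.android.gms,10111
user,com.windspecial6,10145
"""


def parse_component_list(value):
    """'pkg/Class:pkg/Class' -> [pkg, ...]; 'null' or empty means nothing is enabled."""
    if value is None or value.strip() in ("", "null"):
        return []
    return [entry.split("/", 1)[0] for entry in value.strip().split(":") if entry]


def parse_deviceidle_whitelist(text, types=("user",)):
    """'type,package,uid' lines -> packages whose type is in `types`."""
    pkgs = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue  # header or unexpected line
        kind, pkg, _uid = parts
        if kind in types:
            pkgs.append(pkg)
    return pkgs


def review(accessibility, listeners, deviceidle, baseline=BASELINE):
    """Return (non-baseline holders per privilege, packages holding all three)."""
    holders = {
        "accessibility_service": set(parse_component_list(accessibility)) - baseline,
        "notification_listener": set(parse_component_list(listeners)) - baseline,
        "battery_optimization_exempt": set(parse_deviceidle_whitelist(deviceidle)) - baseline,
    }
    all_three = set.intersection(*holders.values())
    return holders, all_three


if __name__ == "__main__":
    holders, suspects = review(ACCESSIBILITY, LISTENERS, DEVICEIDLE)
    for privilege, pkgs in holders.items():
        print(f"{privilege}: {sorted(pkgs) or '-'}")
    print("holding all three:", sorted(suspects))
```

A package that holds all three is not automatically malicious (some accessibility and automation tools legitimately need them), but on a device under investigation it is the first thing to pull the APK for.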

Processes

com.windspecial6

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 www.ip-api.com udp
US 1.1.1.1:53 y7macreklam232.net udp
US 208.95.112.1:80 www.ip-api.com tcp
US 198.185.159.145:443 y7macreklam232.net tcp
US 1.1.1.1:53 y3macreklam232.net udp
RU 213.109.202.154:443 tcp
US 1.1.1.1:53 yamacreklam232.net udp
US 1.1.1.1:53 y4macreklam232.net udp
US 1.1.1.1:53 y5macreklam232.net udp
RU 213.109.202.154:443 tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
GB 142.250.178.10:443 semanticlocation-pa.googleapis.com tcp
RU 213.109.202.154:443 tcp
US 198.185.159.145:443 y7macreklam232.net tcp
US 1.1.1.1:53 y8macreklam232.net udp
US 198.185.159.145:443 y7macreklam232.net tcp
RU 213.109.202.154:443 tcp
RU 213.109.202.154:443 tcp
US 198.185.159.145:443 y7macreklam232.net tcp
RU 213.109.202.154:443 tcp
US 198.185.159.145:443 y7macreklam232.net tcp
US 198.185.159.145:443 y7macreklam232.net tcp
RU 213.109.202.154:443 tcp
RU 213.109.202.154:443 tcp

Files

/data/data/com.windspecial6/cache/kurqfatg

MD5 5808706f629e747ad9a2df9ada4b8893
SHA1 31e0e62ffb7da0a37002df34f422f38bc1c3a366
SHA256 aec9d784060c29065c9f354bb06e9752d39506c8b7d89c0600125013fe5e0efa
SHA512 2d5eab388c41c886cebbce058bb146c28f145212ccd241ae198022052d09667a5d564680f0c2efd4d1c0f41ac1de5afbd8fdd3211e3015d0eff328be59eb5c43

/data/data/com.windspecial6/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.windspecial6/kl.txt

MD5 2ed921f6a0ff45422d2132ad25275828
SHA1 ef1e42998252ce3a70a05e32e5ed2b3bf8f2cab6
SHA256 9339c14736f4720e11415f02805f0e4e9de8f96d3c1452627954ec003b96bfeb
SHA512 32b0cc49bc4f345877fc3cc70aba1756bc828a2213705c6892cfa031f81cbd33f303a44e570eba9bdaa9d6009b45d064e9f8c5a7407d67d5f70b6f42f4258239

/data/data/com.windspecial6/kl.txt

MD5 7aa3e6897442a2506a8df11d58181b74
SHA1 4fe621ec3ca359b05bc5b68f6c7d97a2611b766f
SHA256 458a0a02f2745ebc4f33c63f6fb5194d49478508f855295cd7f949654cb3d704
SHA512 62a95dadc107b971616ae87842add5b877582f1ae79bb2840cc213580deec1d81199e3ae9f67db40b41df7de3fd605ce7979c9e1e66e8f257551178776d1279e

/data/data/com.windspecial6/kl.txt

MD5 6152b76f437fefd76d922e7a884e9740
SHA1 bacf396208e4d8fc14cbeddf5034d9616c09af72
SHA256 51ee88c6624dd6e9a1299152d9947081192ab1bbb4223e238035651f807e878a
SHA512 a5ec8cfcaf9241a6f7c63bda24dac42a66652409340a7d72f2e4746ef706f159b152d300382eaf5c6f94107818755211883cb408182c29bdb546714c2ccc7949

/data/data/com.windspecial6/kl.txt

MD5 77df25086b19f3d93cde54c4febc99b5
SHA1 6087a20beef351ddcd44dab997b9e1d9d9d653f9
SHA256 80e7295abab489f7be29f819278d7e35dd3883f8f6fc20c1dda6c4e8a7e962c5
SHA512 30dce03b669d45b2488c3d5b363b043b2fcc7609bdfc9e2240e1ed8b8fce605213dea4984420a3c267d4f68dfa587627aa65a55ca5f6857e95c6f94e6e8bdbec

/data/data/com.windspecial6/cache/oat/kurqfatg.cur.prof

MD5 ae7e0657b0f2c23b0b1799fab8edd033
SHA1 808bd1c4f6686a28e3526f8837623776930cb0f0
SHA256 d8ce6fa7c4eb936de775a6f4b4dd022313a0e0180eb53a45b8bc16de1bf1a9cb
SHA512 38e3c19ae8caf85fae7d884144abe1852e20581370009af9b1aaf91343df6ce7edf08a1ef516d96bbc4c131289f493db071bc32edc172778c634221005cc1c79

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-08 22:04

Reported

2024-11-08 22:07

Platform

android-x64-20240624-en

Max time kernel

149s

Max time network

154s

Command Line

com.windspecial6

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Loads dropped Dex/Jar

evasion
Indicator (dropped file loaded): /data/user/0/com.windspecial6/cache/kurqfatg (2 load events recorded)
    Note: /data/user/0/<pkg> and /data/data/<pkg> are the same directory, so this is the kurqfatg file listed under Files below (SHA256 aec9d784060c29065c9f354bb06e9752d39506c8b7d89c0600125013fe5e0efa), identical to the one dropped in behavioral1.

Makes use of the framework's Accessibility service

collection evasion credential_access
Indicator (framework service call): android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Indicator (framework service call): android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Indicator (framework service call): android.content.IClipboard.addPrimaryClipChangedListener

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Indicator (framework service call): android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service

evasion persistence
Indicator (framework service call): android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user

evasion
Indicator (framework service call): android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (3 calls recorded)

Queries the mobile country code (MCC)

discovery
Indicator (framework service call): com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
    Note: as in behavioral1, this returns the network's ISO 3166 country code rather than the numeric MCC.

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Indicator (framework service call): android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)

impact
Indicator (framework API call): javax.crypto.Cipher.doFinal
    Note: as in behavioral1, the call alone does not show what is encrypted or decrypted.

Checks CPU information

Indicator (file opened for read): /proc/cpuinfo

Checks memory information

Indicator (file opened for read): /proc/meminfo

Processes

com.windspecial6

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 y3macreklam232.net udp
US 1.1.1.1:53 yamacreklam232.net udp
US 1.1.1.1:53 y8macreklam232.net udp
US 1.1.1.1:53 www.ip-api.com udp
US 1.1.1.1:53 y5macreklam232.net udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.40:443 ssl.google-analytics.com tcp
US 208.95.112.1:80 www.ip-api.com tcp
RU 213.109.202.154:443 tcp
US 1.1.1.1:53 y7macreklam232.net udp
US 198.185.159.145:443 y7macreklam232.net tcp
US 1.1.1.1:53 y4macreklam232.net udp
RU 213.109.202.154:443 tcp
US 198.185.159.145:443 y7macreklam232.net tcp
RU 213.109.202.154:443 tcp
RU 213.109.202.154:443 tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
RU 213.109.202.154:443 tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
US 198.185.159.145:443 y7macreklam232.net tcp
RU 213.109.202.154:443 tcp
RU 213.109.202.154:443 tcp
US 198.185.159.145:443 y7macreklam232.net tcp
US 198.185.159.145:443 y7macreklam232.net tcp
RU 213.109.202.154:443 tcp
US 198.185.159.145:443 y7macreklam232.net tcp
RU 213.109.202.154:443 tcp
US 198.185.159.145:443 y7macreklam232.net tcp
RU 213.109.202.154:443 tcp
RU 213.109.202.154:443 tcp
US 198.185.159.145:443 y7macreklam232.net tcp
US 198.185.159.145:443 y7macreklam232.net tcp
RU 213.109.202.154:443 tcp
RU 213.109.202.154:443 tcp
GB 216.58.212.206:443 tcp
GB 142.250.200.2:443 tcp
RU 213.109.202.154:443 tcp
US 198.185.159.145:443 y7macreklam232.net tcp
RU 213.109.202.154:443 tcp
US 198.185.159.145:443 y7macreklam232.net tcp
RU 213.109.202.154:443 tcp
RU 213.109.202.154:443 tcp
US 198.185.159.145:443 y7macreklam232.net tcp
US 198.185.159.145:443 y7macreklam232.net tcp
RU 213.109.202.154:443 tcp
US 198.185.159.145:443 y7macreklam232.net tcp
RU 213.109.202.154:443 tcp
US 198.185.159.145:443 y7macreklam232.net tcp
RU 213.109.202.154:443 tcp
RU 213.109.202.154:443 tcp
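
Both Network tables (behavioral1 and behavioral2) show the same shape: DNS lookups for a set of near-identical names (y3/y4/y5/y7/y8/yamacreklam232.net) of which only y7macreklam232.net is followed by a TCP connection (198.185.159.145:443), a plaintext lookup of www.ip-api.com on port 80, and repeated TLS connections to 213.109.202.154:443 with no domain in the row, i.e. reached without a captured DNS answer. Reading that out of fifty rows by eye is error-prone, so the following added example (not part of the report) parses the flattened rows and answers the three analyst questions directly: which names were only queried, which were actually connected to, and which TLS peers were reached by bare IP; it also groups queried names that differ by a single character, which is how the rotation set above stands out. ROWS is a subset copied from the behavioral1 table; the mDNS row is kept to show that it is ignored.

```python
"""Aggregate the sandbox's flattened Network rows
('Country Destination Domain Proto', Domain blank when none was resolved).
Added example, not part of the report. ROWS is a subset copied from the
behavioral1 table above."""
from collections import Counter

ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.ip-api.com udp
US 1.1.1.1:53 y7macreklam232.net udp
US 208.95.112.1:80 www.ip-api.com tcp
US 198.185.159.145:443 y7macreklam232.net tcp
US 1.1.1.1:53 y3macreklam232.net udp
RU 213.109.202.154:443 tcp
US 1.1.1.1:53 yamacreklam232.net udp
US 1.1.1.1:53 y4macreklam232.net udp
US 1.1.1.1:53 y5macreklam232.net udp
RU 213.109.202.154:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
US 1.1.1.1:53 y8macreklam232.net udp
US 198.185.159.145:443 y7macreklam232.net tcp
RU 213.109.202.154:443 tcp
"""


def parse_rows(text):
    """Each row -> (country, ip, port, domain or None, proto).

    Rows have 3 or 4 whitespace-separated fields because the Domain column is
    blank when the sandbox saw no name for the destination."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (3, 4):
            continue
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else None
        ip, port = dest.rsplit(":", 1)
        events.append((country, ip, int(port), domain, proto))
    return events


def one_char_apart(a, b):
    """True when two names have the same length and differ in exactly one character."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def sibling_clusters(domains):
    """Group queried names that differ from each other by a single character."""
    domains = sorted(domains)
    clusters, seen = [], set()
    for d in domains:
        if d in seen:
            continue
        group = {d} | {e for e in domains if one_char_apart(d, e)}
        if len(group) > 1:
            clusters.append(sorted(group))
            seen |= group
    return clusters


def summarize(text):
    ev = parse_rows(text)
    # DNS queries are the UDP rows to port 53 that carry a name; mDNS (5353) is skipped.
    queried = {d for _, _, port, d, proto in ev if proto == "udp" and port == 53 and d}
    tcp = [(ip, port, d) for _, ip, port, d, proto in ev if proto == "tcp"]
    connected = {d for _, _, d in tcp if d}
    return {
        "queried_only": sorted(queried - connected),       # looked up, never connected
        "connected": sorted(connected),                    # names with a TCP follow-up
        "direct_ip": Counter((ip, port) for ip, port, d in tcp if d is None),
        "plaintext_http": sorted({d for ip, port, d in tcp if port == 80 and d}),
        "sibling_clusters": sibling_clusters(queried),
    }


if __name__ == "__main__":
    for key, value in summarize(ROWS).items():
        print(f"{key}: {value}")
```

Names that are queried but never connected to are either unregistered fallbacks or names the sample never got to use in the run; either way the whole cluster belongs on a watchlist, not just the one that resolved. A TLS peer reached by bare IP cannot be blocked by DNS filtering, so 213.109.202.154 needs an IP-level rule.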

Files

/data/data/com.windspecial6/cache/kurqfatg

MD5 5808706f629e747ad9a2df9ada4b8893
SHA1 31e0e62ffb7da0a37002df34f422f38bc1c3a366
SHA256 aec9d784060c29065c9f354bb06e9752d39506c8b7d89c0600125013fe5e0efa
SHA512 2d5eab388c41c886cebbce058bb146c28f145212ccd241ae198022052d09667a5d564680f0c2efd4d1c0f41ac1de5afbd8fdd3211e3015d0eff328be59eb5c43

/data/data/com.windspecial6/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.windspecial6/kl.txt

MD5 ea840614f31922b5a4d890f1fdf40b28
SHA1 127258082b1223c901fbc005db7cffbaaf40be41
SHA256 95514dd38a93350f2571a92a211ae577e05f3baacf0cbed57994e2aded6750b9
SHA512 e60b3b8a62302ff938a581eee503e52c888f12559f58713dd1b24210e0478d94e287d2e619f60fe574f0939807621a1ffbe518b440fe24e76076204687d7022b

/data/data/com.windspecial6/kl.txt

MD5 dd4d8c2c599c6316b8997ae9e7254c39
SHA1 c58be8d020bdfde3aae6614d1d02fd6c42972951
SHA256 bda30085cc4a96069643144e624cc3fcf883395eda3fb836cc5af3bde5f4ed7e
SHA512 14baa5d729a64576e67ded58b8ba69c4ff9c6dd7a1f6a635ffc239b182b3181353be1ecbcbfe4d41097cc8cde2599db910f0d8d5e746ab8b1517d4cb85d161a3

/data/data/com.windspecial6/kl.txt

MD5 dfc16954a1880a2aabefcfb236d33aef
SHA1 f32e6b314a079fc898c04e8e15256d4994c1460c
SHA256 cbe30b571e65342fb00bd422f076e170042b67465e9ec8cbce4dbb805f0d5af7
SHA512 fa79b5e9bc0cff4960b4f00129770fb85e8650ebc9b7798c069cbcf23da3940090eca94c260f98e5222b49b2baf28ccc4ceec90e343fe41c751966477b4e76c4

/data/data/com.windspecial6/kl.txt

MD5 3434fc40a7cba529bd8f291cebc1abaa
SHA1 cbc6ad57ef898d91067fe21b52fbe6757cbd50ec
SHA256 a5b2e931ccc38ff3b18bd868cbac14d665bc6748cbc26eb8a521c4030fa55f16
SHA512 8cb8451c40adf09cdbe2d614edf082248344049541e33865adfaede6f6b9e12b29bc772a072fc811bf73a0efdba5b1d8640a3f16dc8e87a50493e5a7d9aaff8d

/data/data/com.windspecial6/cache/oat/kurqfatg.cur.prof

MD5 dd4fbf1a499738928bdb28022936e390
SHA1 4cab444a4aebe24e350f3b22e0d34210cd5843a7
SHA256 0d22d8a9c7690375abb57a044ec6e98e13c4b56e58302cbd53a25347f1e5f3af
SHA512 2038d1fe063f255b720da87e87d5fc514799e8f7244aa47344346b16fe519dbf0c393a524fad43474bcf5e0a709b70d7461fb665f69dfd6e1e6e5d056c352a01