Malware Analysis Report

2024-12-01 02:55

Sample ID 241108-1yvh8szncz
Target 023da529bf2ea3fd050cfa993e3a34dbf3102ed502412ce5bb6474433d0ebc11.bin
SHA256 023da529bf2ea3fd050cfa993e3a34dbf3102ed502412ce5bb6474433d0ebc11
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 023da529bf2ea3fd050cfa993e3a34dbf3102ed502412ce5bb6474433d0ebc11.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Octo family

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Acquires the wake lock

Declares services with permission to bind to the system

Requests modifying system settings.

Requests accessing notifications (often used to intercept notifications before users become aware).

Declares broadcast receivers with permission to handle system events

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator.

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Analysis: static1

Detonation Overview

Reported

2024-11-08 22:03

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows applications to use exact alarm APIs. android.permission.SCHEDULE_EXACT_ALARM N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 22:03

Reported

2024-11-08 22:06

Platform

android-x86-arm-20240624-en

Max time kernel

144s

Max time network

135s

Command Line

com.doesself12

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.doesself12/cache/aeailrwvggwdh N/A N/A
N/A /data/user/0/com.doesself12/cache/aeailrwvggwdh N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.doesself12

Network

Files

/data/data/com.doesself12/cache/aeailrwvggwdh

/data/data/com.doesself12/kl.txt

/data/data/com.doesself12/cache/oat/aeailrwvggwdh.cur.prof

/data/data/com.doesself12/.qcom.doesself12

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-08 22:03

Reported

2024-11-08 22:06

Platform

android-x64-arm64-20240624-en

Max time kernel

140s

Max time network

148s

Command Line

com.doesself12

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.doesself12/cache/aeailrwvggwdh N/A N/A
N/A /data/user/0/com.doesself12/cache/aeailrwvggwdh N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.doesself12

Network

Files

/data/data/com.doesself12/cache/aeailrwvggwdh

/data/data/com.doesself12/kl.txt

/data/data/com.doesself12/cache/oat/aeailrwvggwdh.cur.prof

/data/data/com.doesself12/.qcom.doesself12