Malware Analysis Report

2024-12-01 02:55

Sample ID: 241108-1zk17atlan
Target: dd5999d30913072a1dc303331b177b18beb12a6d9676e99becf9c9daab377092.bin
SHA256: dd5999d30913072a1dc303331b177b18beb12a6d9676e99becf9c9daab377092
Tags: octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file dd5999d30913072a1dc303331b177b18beb12a6d9676e99becf9c9daab377092.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Octo family

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Obtains sensitive information copied to the device clipboard

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Reads information about phone network operator.

Performs UI accessibility actions on behalf of the user

Declares services with permission to bind to the system

Requests accessing notifications (often used to intercept notifications before users become aware).

Declares broadcast receivers with permission to handle system events

Requests disabling of battery optimizations (often used to enable hiding in the background).

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 22:05

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 22:05

Reported

2024-11-08 22:07

Platform

android-x86-arm-20240910-en

Max time kernel

149s

Max time network

150s

Command Line

com.growfamilyu

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.growfamilyu/cache/azlisdjdilhs N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.growfamilyu

Network

Files

/data/data/com.growfamilyu/cache/azlisdjdilhs

/data/data/com.growfamilyu/kl.txt

/data/data/com.growfamilyu/cache/oat/azlisdjdilhs.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-08 22:05

Reported

2024-11-08 22:07

Platform

android-x64-20240624-en

Max time kernel

148s

Max time network

155s

Command Line

com.growfamilyu

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.growfamilyu/cache/azlisdjdilhs N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.growfamilyu

Network

Files

/data/data/com.growfamilyu/cache/azlisdjdilhs

/data/data/com.growfamilyu/kl.txt

/data/data/com.growfamilyu/cache/oat/azlisdjdilhs.cur.prof
