Malware Analysis Report

2024-12-01 02:55

Sample ID: 241108-1zm6js1ckr
Target: f659b96e0ea9aadd630dee0509a93facf898cba3cc6ef47a6928c51ad9b3cb0b.bin
SHA256: f659b96e0ea9aadd630dee0509a93facf898cba3cc6ef47a6928c51ad9b3cb0b
Tags: octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file f659b96e0ea9aadd630dee0509a93facf898cba3cc6ef47a6928c51ad9b3cb0b.bin was found to be: Known bad.

Malicious Activity Summary

Octo
Octo family
Octo payload
Removes its main activity from the application launcher
Makes use of the framework's Accessibility service
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Queries the phone number (MSISDN for GSM devices)
Loads dropped Dex/Jar
Requests dangerous framework permissions
Queries the mobile country code (MCC)
Declares services with permission to bind to the system
Makes use of the framework's foreground persistence service
Reads information about the phone network operator
Acquires the wake lock
Performs UI accessibility actions on behalf of the user
Requests modifying system settings
Declares broadcast receivers with permission to handle system events
Requests disabling of battery optimizations (often used to enable hiding in the background)
Queries the unique device ID (IMEI, MEID, IMSI)
Requests accessing notifications (often used to intercept notifications before users become aware)
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)

Analysis: static1

Detonation Overview

Reported: 2024-11-08 22:05

Signatures

Process and Target columns are N/A for every static signature and are omitted below.

Declares broadcast receivers with permission to handle system events

android.permission.BIND_DEVICE_ADMIN: required by device admin receivers to bind with the system; allows apps to manage device administration features.

Declares services with permission to bind to the system

android.permission.BIND_ACCESSIBILITY_SERVICE: required by accessibility services to bind with the system; allows apps to access accessibility features.
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE: required by notification listener services to bind with the system; allows apps to listen to and interact with notifications on the device.

Requests dangerous framework permissions

android.permission.POST_NOTIFICATIONS: allows an app to post notifications.
android.permission.RECEIVE_SMS: allows an application to receive SMS messages.
android.permission.READ_SMS: allows an application to read SMS messages.
android.permission.SEND_SMS: allows an application to send SMS messages.
android.permission.CALL_PHONE: allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.WRITE_SETTINGS: allows an application to read or write the system settings.
android.permission.SCHEDULE_EXACT_ALARM: allows applications to use exact alarm APIs.
android.permission.READ_PHONE_STATE: allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-08 22:05
Reported: 2024-11-08 22:07
Platform: android-x86-arm-20240910-en
Max time kernel: 148s
Max time network: 150s

Command Line

com.restthe31

Signatures

Process and Target columns are N/A for every behavioral signature and are omitted below.

Octo
Tags: banker trojan infostealer rat octo

Octo family
Tags: octo

Octo payload
(no indicator recorded)

Removes its main activity from the application launcher
Tags: stealth trojan evasion
(no indicator recorded)

Loads dropped Dex/Jar
Tags: evasion
Indicator: /data/user/0/com.restthe31/cache/tdgcpmrc (recorded twice)

Makes use of the framework's Accessibility service
Tags: collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Acquires the wake lock
Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service
Tags: evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user
Tags: evasion
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (recorded four times)

Queries the mobile country code (MCC)
Tags: discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Queries the unique device ID (IMEI, MEID, IMSI)
Tags: discovery

Reads information about the phone network operator
Tags: discovery

Requests accessing notifications (often used to intercept notifications before users become aware)
Tags: collection credential_access
Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS

Requests disabling of battery optimizations (often used to enable hiding in the background)
Tags: evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Requests modifying system settings
Tags: evasion
Intent action: android.settings.action.MANAGE_WRITE_SETTINGS

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Framework service call: android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact
Framework API call: javax.crypto.Cipher.doFinal

Processes

com.restthe31

Network

Duplicate rows are collapsed; the Connections column gives how many times each row appeared in the original table.

Country  Destination            Domain                              Proto  Connections
GB       142.250.187.206:443                                        tcp    2
US       1.1.1.1:53             android.apis.google.com             udp    1
GB       142.250.178.14:443     android.apis.google.com             tcp    1
GB       172.217.16.234:443                                         tcp    1
N/A      224.0.0.251:5353                                           udp    1
US       1.1.1.1:53             malkafaniskm.com                    udp    1
RU       193.143.1.4:443        malkafaniskm.com                    tcp    6
US       1.1.1.1:53             semanticlocation-pa.googleapis.com  udp    1

Files

/data/data/com.restthe31/cache/tdgcpmrc
/data/data/com.restthe31/kl.txt (recorded five times, each with a different hash)
/data/data/com.restthe31/cache/oat/tdgcpmrc.cur.prof
/data/data/com.restthe31/.qcom.restthe31

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-08 22:05
Reported: 2024-11-08 22:08
Platform: android-x64-arm64-20240624-en
Max time kernel: 140s
Max time network: 148s

Command Line

com.restthe31

Signatures

Process and Target columns are N/A for every behavioral signature and are omitted below.

Octo
Tags: banker trojan infostealer rat octo

Octo family
Tags: octo

Octo payload
(no indicator recorded)

Loads dropped Dex/Jar
Tags: evasion
Indicator: /data/user/0/com.restthe31/cache/tdgcpmrc (recorded twice)

Makes use of the framework's Accessibility service
Tags: collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Acquires the wake lock
Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service
Tags: evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user
Tags: evasion
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (recorded four times)

Queries the mobile country code (MCC)
Tags: discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Reads information about the phone network operator
Tags: discovery

Requests accessing notifications (often used to intercept notifications before users become aware)
Tags: collection credential_access
Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS

Requests disabling of battery optimizations (often used to enable hiding in the background)
Tags: evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Requests modifying system settings
Tags: evasion
Intent action: android.settings.action.MANAGE_WRITE_SETTINGS

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact
Framework API call: javax.crypto.Cipher.doFinal

Processes

com.restthe31

Network

Duplicate rows are collapsed; the Connections column gives how many times each row appeared in the original table.

Country  Destination            Domain                     Proto  Connections
GB       142.250.187.238:443                               tcp    3
N/A      224.0.0.251:5353                                  udp    1
US       1.1.1.1:53             malkafaniskm.com           udp    1
RU       193.143.1.4:443        malkafaniskm.com           tcp    7
US       1.1.1.1:53             fukiyibartiyom2.com        udp    1
US       1.1.1.1:53             mal1fukizmirli.com         udp    1
US       1.1.1.1:53             ssl.google-analytics.com   udp    1
GB       172.217.169.40:443     ssl.google-analytics.com   tcp    1
US       1.1.1.1:53             malkafali222.com           udp    1
US       1.1.1.1:53             android.apis.google.com    udp    1
GB       216.58.204.78:443      android.apis.google.com    tcp    1
GB       142.250.200.36:443                                tcp    2

Files

/data/data/com.restthe31/cache/tdgcpmrc
/data/data/com.restthe31/kl.txt (recorded five times, each with a different hash)
/data/data/com.restthe31/cache/oat/tdgcpmrc.cur.prof
/data/data/com.restthe31/.qcom.restthe31