Malware Analysis Report

2024-11-13 17:37

Sample ID 241109-1y2bsatcjc
Target 9faf5666bafd89ef14684e50b048d64db9bc6ee1ca3d5a6175ec7efb9170faa2.bin
SHA256 9faf5666bafd89ef14684e50b048d64db9bc6ee1ca3d5a6175ec7efb9170faa2
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 9faf5666bafd89ef14684e50b048d64db9bc6ee1ca3d5a6175ec7efb9170faa2.bin was found to be: Known bad.

Malicious Activity Summary

Octo

Octo family

Octo payload

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Reads information about phone network operator.

Requests modifying system settings.

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Makes use of the framework's foreground persistence service

Requests accessing notifications (often used to intercept notifications before users become aware).

Queries the unique device ID (IMEI, MEID, IMSI)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Performs UI accessibility actions on behalf of the user

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 22:04

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows applications to use exact alarm APIs. | android.permission.SCHEDULE_EXACT_ALARM | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 22:04

Reported

2024-11-09 22:06

Platform

android-x86-arm-20240624-en

Max time kernel

47s

Max time network

140s

Command Line

com.toldfood1

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.toldfood1/cache/mmcekclycm | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.toldfood1

Network

Files

/data/data/com.toldfood1/cache/mmcekclycm

/data/data/com.toldfood1/kl.txt

/data/data/com.toldfood1/kl.txt

/data/data/com.toldfood1/kl.txt

/data/data/com.toldfood1/kl.txt

/data/data/com.toldfood1/kl.txt

/data/data/com.toldfood1/cache/oat/mmcekclycm.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 22:04

Reported

2024-11-09 22:06

Platform

android-x64-20240910-en

Max time kernel

149s

Max time network

150s

Command Line

com.toldfood1

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.toldfood1/cache/mmcekclycm | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.toldfood1

Network

Files

/data/data/com.toldfood1/cache/mmcekclycm

/data/data/com.toldfood1/kl.txt

/data/data/com.toldfood1/kl.txt

/data/data/com.toldfood1/kl.txt

/data/data/com.toldfood1/kl.txt

/data/data/com.toldfood1/kl.txt

/data/data/com.toldfood1/cache/oat/mmcekclycm.cur.prof

/data/data/com.toldfood1/.qcom.toldfood1
