Malware Analysis Report

2024-11-13 17:37

Sample ID 241109-1zcptatcln
Target 81941896cc661009832760712d8c876ce6c6491ccca5ab4580e95333cc65d452.bin
SHA256 81941896cc661009832760712d8c876ce6c6491ccca5ab4580e95333cc65d452
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Mobile Matrix V15)
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

81941896cc661009832760712d8c876ce6c6491ccca5ab4580e95333cc65d452

Threat Level: Known bad

The file 81941896cc661009832760712d8c876ce6c6491ccca5ab4580e95333cc65d452.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth

Octo payload

Octo family

Octo

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Reads information about phone network operator.

Declares services with permission to bind to the system

Makes use of the framework's foreground persistence service

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests dangerous framework permissions

Requests accessing notifications (often used to intercept notifications before users become aware).

Requests modifying system settings.

Declares broadcast receivers with permission to handle system events

Queries the mobile country code (MCC)

Performs UI accessibility actions on behalf of the user

Acquires the wake lock

Queries the unique device ID (IMEI, MEID, IMSI)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-11-09 22:04

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows applications to use exact alarm APIs. | android.permission.SCHEDULE_EXACT_ALARM | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
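The static1 signatures above amount to a recognisable triage pattern: an accessibility service and a notification listener declared alongside full SMS control, CALL_PHONE and WRITE_SETTINGS. The script below is an added example (not tooling from the sandbox vendor and not code from the sample) that applies that pattern to a decoded AndroidManifest.xml. The manifest it parses is constructed to carry exactly the declarations reported above with invented component names; the RULES table and the banker_like heuristic are this example's own assumptions. In practice, point it at the manifest produced by apktool or aapt2.

```python
"""Flag the permission/bind combination the static1 signatures list."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest mirroring the static1 tables (component names invented).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.islandnewimv">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.SCHEDULE_EXACT_ALARM"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="app">
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Notif"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# Constructed control case: a harmless manifest with a single permission.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <application/>
</manifest>
"""

# Assumed rule set: a rule fires only when every listed permission is present.
RULES = {
    "accessibility_service": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "notification_listener": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "device_admin": {"android.permission.BIND_DEVICE_ADMIN"},
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "silent_calls": {"android.permission.CALL_PHONE"},
    "settings_write": {"android.permission.WRITE_SETTINGS"},
}


def extract_declarations(manifest_xml: str) -> dict:
    """Collect <uses-permission> names plus the android:permission guards on
    services and receivers, which is where the BIND_* permissions appear."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    binds = set()
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            guard = comp.get(ANDROID_NS + "permission")
            if guard:
                binds.add(guard)
    return {"package": root.get("package"),
            "requested": requested - {None},
            "bind_guards": binds}


def assess(manifest_xml: str) -> dict:
    """Apply RULES; the heuristic flags accessibility plus an OTP channel
    (SMS read or notification listener) as the banker pattern."""
    decl = extract_declarations(manifest_xml)
    present = decl["requested"] | decl["bind_guards"]
    findings = sorted(name for name, need in RULES.items() if need <= present)
    otp_channel = {"notification_listener", "sms_interception"} & set(findings)
    return {"package": decl["package"],
            "findings": findings,
            "banker_like": "accessibility_service" in findings and bool(otp_channel)}


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(assess(manifest))
```

The bind guards matter more than the uses-permission list: BIND_ACCESSIBILITY_SERVICE and BIND_NOTIFICATION_LISTENER_SERVICE are not requested by the app, they are declared on its components, so a checker that only reads uses-permission entries misses exactly the two declarations that make overlay and notification theft possible.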

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 22:04

Reported

2024-11-09 22:07

Platform

android-33-x64-arm64-20240910-en

Max time kernel

148s

Max time network

154s

Command Line

com.islandnewimv

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload


Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.islandnewimv/cache/jpkzwx | N/A | N/A
(/data/user/0 is the per-user alias of /data/data, so this is the cache/jpkzwx file whose hashes are listed under Files.)

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A (6 calls) | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.islandnewimv

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 mal1fukizmirli.com udp
US 1.1.1.1:53 malkafali222.com udp
US 1.1.1.1:53 oyunbaimlisi35.com udp
US 1.1.1.1:53 malkafaniskm.com udp
US 1.1.1.1:53 fukiyibartiyom2.com udp
RU 193.143.1.4:443 malkafaniskm.com tcp
RU 193.143.1.4:443 malkafaniskm.com tcp
US 1.1.1.1:53 rcs-acs-tmo-us.jibe.google.com udp
US 216.239.36.155:443 rcs-acs-tmo-us.jibe.google.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
RU 193.143.1.4:443 malkafaniskm.com tcp
GB 142.250.200.46:443 android.apis.google.com udp
RU 193.143.1.4:443 malkafaniskm.com tcp
RU 193.143.1.4:443 malkafaniskm.com tcp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
GB 216.58.204.74:443 remoteprovisioning.googleapis.com tcp
GB 142.250.187.228:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.200.36:443 www.google.com tcp
GB 142.250.200.36:443 www.google.com tcp
US 1.1.1.1:53 www.google.com udp
GB 216.58.201.100:443 www.google.com udp
US 1.1.1.1:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
RU 193.143.1.4:443 malkafaniskm.com tcp
GB 142.250.187.198:80 tcp
GB 216.58.204.66:443 tcp
GB 216.58.204.66:443 tcp
GB 142.250.187.198:443 tcp
GB 172.217.16.226:443 tcp
GB 216.58.204.66:443 tcp
GB 216.58.201.97:443 tcp
GB 142.250.179.225:443 tcp
GB 142.250.179.225:443 tcp
GB 142.250.179.225:443 tcp
GB 142.250.179.225:443 tcp
GB 142.250.179.225:443 tcp

Files

/data/data/com.islandnewimv/cache/jpkzwx

MD5 24d89cd7730b8048334b310845211b85
SHA1 ffa27bfe0aac11f97e1f7bb607adc2ad4d0c3c02
SHA256 9b4030f789b5fd4cb091e9c3f0c14229ee540a0e98d9f940ea7a771761ff8fc1
SHA512 130e51b27554667b1dab72cf1accf1ef0491091fa9527544d8050c457a60247dd3a3d5d237479c03dca2296ad8eb177b89bd894a46b35686fd26d70fe596f264

/data/data/com.islandnewimv/kl.txt

MD5 5858abf4293b92db0c15049d3016fc09
SHA1 2940076afe9bcc0b3d2241a7728af2896c67f046
SHA256 f9bcbaeeb4243dc2a80d0b607f7087ccf25e6ada748fb075f2a386d07d08eb39
SHA512 3b8c8b41f02952fab8ff54b06a15e4c1c368c0944a9252e9fd521b9fe61287a8ed5babfc6929499cd7dc1da8dfb273766f41b339cf21053534bb163a9f92664b

/data/data/com.islandnewimv/kl.txt

MD5 fe3c620d81b2b5fdeda18d7c1a36bc34
SHA1 cb3ce58f61d46f2b7220085ac54896b4116ba383
SHA256 9ac7c8505e26550b6d94e311888209bc02df2959322f917d8e11ee9f4c22aaad
SHA512 386404de0326b1adb8b4837a583f8b505bd57edde152d8765c636b5ecfddfdadbae7c3e9fefa67b643e9892bf4e3c8b012e69291476bf71ab15d934f38833e67

/data/data/com.islandnewimv/kl.txt

MD5 9f96833cdaa60f2da3b0b61db1e706e0
SHA1 a297abaaa592f2d2cb5a84141f5ffa4fd90abfb8
SHA256 692f1180ce66d94659a3504bd2a32b32e751a5576207d541b1744e1a34eb68e0
SHA512 65773d3759c8e67b4c12e693f3a55e0b7049016cb0a9ba062369f4bdaedd19dc9a714a5dd5ab48f8bcd8c15ff340cbe394aff449baaa0e4fd26345c03ac483cd

/data/data/com.islandnewimv/kl.txt

MD5 a34d93b2a5f972b5144d3eea21e62ab2
SHA1 efa4eed9d1b9a52fad3a74a9d45b2f1d8d15dd09
SHA256 cf39a90257ba044e732e9acfae7a7ee3859c192c4912e802616230bd9df4e8d7
SHA512 2e908ce4c5eff92e4dcbce3367f54bf8e7c489f79152bc62451411eccd4ed1babb96c2ce18359fef2676bad16a2fc05cb54ee0039e4b0eff79ea24928f462a89

/data/data/com.islandnewimv/kl.txt

MD5 98cba372c282c8307b77df9155b47951
SHA1 f523cf8c52a64d1b11e5d2e80769ec2f1221a90d
SHA256 a161e924382e733aa1632cdfc76ecf6e077a053ec3eb44a9da36e911e3a59a68
SHA512 38f2f2f369d5283acace56ace7c4df4e79cdf4b2189e9fe53388e301027fa85c18334c1c084c40736803e8ec57c7f71075c52a1ff0cb10416360957e7bfdc8b2

/data/data/com.islandnewimv/cache/oat/jpkzwx.cur.prof

MD5 9fc5a27decf176eaae676bb036c703ab
SHA1 e1d2cba9d712adc6c554689c7d21070acbeda962
SHA256 44ab2a19e7f307534ae845ab40cf422a9dd2a5a8177cbb3e6bdafd6d900e22ac
SHA512 c185e3bfcd7f5d1826adc5b5f1f325391264e7d6d3b33a28294ecdaf97d4ee57ef5ad521d1b4f6404b694b19e861901fbbc56a443cb89635d6de9ebad4d1298b

/data/data/com.islandnewimv/.qcom.islandnewimv

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 22:04

Reported

2024-11-09 22:07

Platform

android-x86-arm-20240624-en

Max time kernel

145s

Max time network

137s

Command Line

com.islandnewimv

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload


Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A (2 loads) | /data/user/0/com.islandnewimv/cache/jpkzwx | N/A | N/A
(/data/user/0 is the per-user alias of /data/data, so this is the cache/jpkzwx file whose hashes are listed under Files.)

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A (4 calls) | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A
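Both behavioral runs show the same three grants being pursued at runtime: the accessibility service, the notification listener (ACTION_NOTIFICATION_LISTENER_SETTINGS) and the battery-optimisation exemption (REQUEST_IGNORE_BATTERY_OPTIMIZATIONS). On a suspected device those three are visible in settings, so a responder can look for a package that holds all of them. The script below is an added example, not code from the report or the sandbox vendor: it cross-references the raw output of three adb commands and nothing in it shells out. The three input strings are constructed samples; the formats assumed for them (colon-separated ComponentName strings for the two secure settings, type,package,uid lines for the deviceidle whitelist) and the KNOWN_A11Y allowlist should be verified against the target's Android build.

```python
"""Find packages that are at once an enabled accessibility service, an enabled
notification listener and exempt from battery optimisation."""

# Commands whose output the samples imitate (run them yourself; nothing here shells out):
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure enabled_notification_listeners
#   adb shell dumpsys deviceidle whitelist
# All three strings are constructed samples, not captures from the analysed device.
A11Y_SAMPLE = ("com.islandnewimv/com.islandnewimv.A11y:"
               "com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService")
LISTENERS_SAMPLE = "com.islandnewimv/com.islandnewimv.Notif:com.example.mail/.MailListener"
WHITELIST_SAMPLE = """system-excidle,com.google.android.gms,10111
user,com.islandnewimv,10167
user,com.example.mail,10180
"""

# Assumed local allowlist of accessibility services expected on the fleet.
KNOWN_A11Y = {"com.google.android.marvin.talkback"}


def parse_components(setting: str) -> set:
    """Package names from a colon-separated list of 'pkg/Service' entries."""
    if not setting or setting.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.strip().split(":") if entry}


def parse_whitelist(dump: str) -> set:
    """Packages exempted through the user prompt (REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
    lands here); 'system' rows are OEM defaults and are ignored."""
    pkgs = set()
    for line in dump.splitlines():
        parts = line.strip().split(",")
        if len(parts) >= 2 and parts[0] == "user":
            pkgs.add(parts[1])
    return pkgs


def triage(a11y_setting: str, listener_setting: str, whitelist_dump: str,
           allowlist=frozenset(KNOWN_A11Y)) -> dict:
    """Map each package to the grants it holds, dropping allowlisted a11y services."""
    a11y = parse_components(a11y_setting) - allowlist
    listeners = parse_components(listener_setting)
    exempt = parse_whitelist(whitelist_dump)
    findings = {}
    for pkg in a11y | listeners | exempt:
        grants = [name for name, members in (("accessibility", a11y),
                                             ("notification_listener", listeners),
                                             ("battery_exempt", exempt))
                  if pkg in members]
        findings[pkg] = grants
    return findings


def high_risk(findings: dict) -> list:
    """Accessibility plus at least one more grant: the combination in this report."""
    return sorted(pkg for pkg, grants in findings.items()
                  if "accessibility" in grants and len(grants) >= 2)


if __name__ == "__main__":
    report = triage(A11Y_SAMPLE, LISTENERS_SAMPLE, WHITELIST_SAMPLE)
    for pkg in high_risk(report):
        print(pkg, report[pkg])
```

The accessibility grant is the one that matters: a notification listener or a battery exemption on its own is normal for mail and messaging apps, which is why high_risk() requires accessibility plus something else rather than any two grants. Because the sample also removes its launcher activity, do not expect to find the package by scrolling the app drawer; list it with pm instead.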

Processes

com.islandnewimv

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.74:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 mal1fukizmirli.com udp
US 1.1.1.1:53 malkafali222.com udp
US 1.1.1.1:53 malkafaniskm.com udp
RU 193.143.1.4:443 malkafaniskm.com tcp
US 1.1.1.1:53 oyunbaimlisi35.com udp
RU 193.143.1.4:443 malkafaniskm.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.78:443 android.apis.google.com tcp
RU 193.143.1.4:443 malkafaniskm.com tcp
RU 193.143.1.4:443 malkafaniskm.com tcp
RU 193.143.1.4:443 malkafaniskm.com tcp
RU 193.143.1.4:443 malkafaniskm.com tcp
RU 193.143.1.4:443 malkafaniskm.com tcp

Files

/data/data/com.islandnewimv/cache/jpkzwx

MD5 24d89cd7730b8048334b310845211b85
SHA1 ffa27bfe0aac11f97e1f7bb607adc2ad4d0c3c02
SHA256 9b4030f789b5fd4cb091e9c3f0c14229ee540a0e98d9f940ea7a771761ff8fc1
SHA512 130e51b27554667b1dab72cf1accf1ef0491091fa9527544d8050c457a60247dd3a3d5d237479c03dca2296ad8eb177b89bd894a46b35686fd26d70fe596f264

/data/data/com.islandnewimv/kl.txt

MD5 84489abb696ff4e009f9c0c2bce3c5b3
SHA1 04e6ef38a7a6c4906a32e5342046d09022eb339f
SHA256 23b0b5694586d482087b76a1e056a69d9f3ec2745e39981aeab1e5cc3cd88639
SHA512 75ddf9efc3628f3c9c055d90d641fd2c60b0f8f1611a9a6c68a209e8c7a35f3f8d2d4ed436b37b641fcde604b2085b6e980d5f7b3e34f740758ae0f7cd206ffe

/data/data/com.islandnewimv/kl.txt

MD5 5520b4979c30c0ce3d43d3efd0c46d86
SHA1 1312cf0d5b024ff376f5c07080187b587f77b8aa
SHA256 bc65d3aead6379105d970c8a7181dcec14d5d0543d36c2019d34dcf939c2023e
SHA512 00f8197dd04396949692b288426637a3c9060db6bcd970ce576e0acc5df430ee870364a3ad2ac00c12938797f6da36a732d16912f238e697098d69211e5717f4

/data/data/com.islandnewimv/kl.txt

MD5 86af13a3686a35eb0434c61df8f40fc0
SHA1 273d97f6c45c7482ea14666cc58df9e1b6d81222
SHA256 7b9f1fc653b53b766c7ea09ee64677ccc3fddc3db353281d76294d694275ecf6
SHA512 51ee8fc7256554ace8187f2dcce26aa390ec04dc1746c19840f53f3b1ef22ca1c9f75f77d7e1e4838b46d00dde399fd346249b3929296095e9a949f701a51cf5

/data/data/com.islandnewimv/kl.txt

MD5 06954d84e1ce65b125836f780387eaff
SHA1 eda3ed7e077985694a4ecd14289337e4828b37fa
SHA256 11f430733164fb808cc3438c63464e793414a28d8f84c30368d7c9e0a2955070
SHA512 405352d466529092f2de076553b93d96f47bb5230106c85df1eb6c4b0c021471e020a364772acdf8783cdc3c1eb45cdeaca66d7cf967a9984aa05b435466567b

/data/data/com.islandnewimv/kl.txt

MD5 11db74642efa4649aa07721dad6c920f
SHA1 79dc012b26448584cf56d7fec74647b63812c630
SHA256 853fb392085267c535d0c0f9554fcdb0820b7a8b015b6da7169f7b01abcf59cb
SHA512 079d9348bab795df528a37e671e12fd00d209dbbeb80aa5938df84d7288f11d66593d15f089064c0baed9642f797a22464ef9be4f0d01973b7480018d5b270ab

/data/data/com.islandnewimv/cache/oat/jpkzwx.cur.prof

MD5 0dcb203f8cecebe45aadd90c9c52923a
SHA1 5bc79f8bce05567e9292c373f3fb2fdfdcfdf490
SHA256 5f14f2e4123d8689008594702d337d55e50d1b651c8b02ee36d05b4d4b7ae7d6
SHA512 40dc4b16cf0a0ffee7e4b27430e7e4f9c5174e90e6b281885221212bfebf5be89af9bb976770294fdf71b63bcb20b82bae8314f933d39f9b8161f45a658e7259

/data/data/com.islandnewimv/.qcom.islandnewimv

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c
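The Network and Files tables of the two runs carry the indicators worth keeping, but they need sorting first: in both runs only malkafaniskm.com received TCP connections (193.143.1.4:443), while mal1fukizmirli.com, malkafali222.com, oyunbaimlisi35.com and fukiyibartiyom2.com appear only as DNS queries to the 1.1.1.1 resolver, and the remaining rows are Google and Android service traffic from the emulator, some of it bare IPs with no domain attached. The Files tables list the same cache/jpkzwx payload in both runs and five successive versions of kl.txt. The script below is an added example, not tooling from the sandbox vendor, that parses the report's row format and keeps those distinctions. NETWORK_EXCERPT and FILES_EXCERPT are constructed excerpts of the tables above; the background filter (the 1.1.1.1 resolver, mDNS, *.google.com and *.googleapis.com) is an assumption that fits these two runs and should be reviewed for other samples.

```python
"""Pull network and dropped-file IOCs out of the report's plain-text tables."""
import re
from collections import defaultdict

# Constructed excerpt of the behavioral2 Network table (same row format as the report).
NETWORK_EXCERPT = """Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 mal1fukizmirli.com udp
US 1.1.1.1:53 malkafali222.com udp
US 1.1.1.1:53 oyunbaimlisi35.com udp
US 1.1.1.1:53 malkafaniskm.com udp
US 1.1.1.1:53 fukiyibartiyom2.com udp
RU 193.143.1.4:443 malkafaniskm.com tcp
RU 193.143.1.4:443 malkafaniskm.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
GB 142.250.187.228:443 tcp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
"""

# Constructed excerpt of the Files tables (SHA512 lines omitted for brevity).
FILES_EXCERPT = """/data/data/com.islandnewimv/cache/jpkzwx

MD5 24d89cd7730b8048334b310845211b85
SHA256 9b4030f789b5fd4cb091e9c3f0c14229ee540a0e98d9f940ea7a771761ff8fc1

/data/data/com.islandnewimv/kl.txt

MD5 5858abf4293b92db0c15049d3016fc09
SHA256 f9bcbaeeb4243dc2a80d0b607f7087ccf25e6ada748fb075f2a386d07d08eb39

/data/data/com.islandnewimv/cache/jpkzwx

MD5 24d89cd7730b8048334b310845211b85
SHA256 9b4030f789b5fd4cb091e9c3f0c14229ee540a0e98d9f940ea7a771761ff8fc1
"""

ROW = re.compile(r"^(?P<cc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
                 r"(?:(?P<domain>[\w.-]+)\s+)?(?P<proto>tcp|udp)$")
RESOLVERS = {"1.1.1.1"}            # assumed: the emulator's DNS; 53/udp rows here are lookups
BACKGROUND_IPS = {"224.0.0.251"}   # mDNS
BACKGROUND_SUFFIXES = (".google.com", ".googleapis.com")  # assumed emulator background


def is_background(domain: str) -> bool:
    return domain.endswith(BACKGROUND_SUFFIXES)


def extract_network_iocs(table: str) -> dict:
    """Split rows into domains only looked up, domains actually connected to
    (with their endpoints), and bare endpoints the table never attributes."""
    looked_up, contacted, bare, attributed_ips = set(), defaultdict(set), set(), set()
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header line
        ip, port, domain = m["ip"], m["port"], m["domain"]
        if ip in BACKGROUND_IPS:
            continue
        if ip in RESOLVERS and port == "53":
            if domain and not is_background(domain):
                looked_up.add(domain)
            continue
        if domain is None:
            bare.add(f"{ip}:{port}")
            continue
        attributed_ips.add(ip)
        if not is_background(domain):
            contacted[domain].add(f"{ip}:{port}")
    return {
        "dns_only": looked_up - set(contacted),
        "contacted": dict(contacted),
        # a bare endpoint stays unattributed unless some other row names its domain
        "unattributed": {ep for ep in bare if ep.split(":")[0] not in attributed_ips},
    }


def extract_dropped_files(listing: str) -> dict:
    """Key dropped files by SHA256 so a re-dropped payload counts once and a
    rewritten file (the repeated kl.txt entries) shows up as distinct versions."""
    files, path = {}, None
    for chunk in re.split(r"\n\s*\n", listing.strip()):
        chunk = chunk.strip()
        if chunk.startswith("/"):
            path = chunk
            continue
        hashes = dict(line.split(None, 1) for line in chunk.splitlines())
        sha256 = hashes.get("SHA256")
        if path is None or sha256 is None:
            continue
        rec = files.setdefault(sha256, {"paths": set(), "hashes": hashes, "seen": 0})
        rec["paths"].add(path)
        rec["seen"] += 1
    return files


if __name__ == "__main__":
    print(extract_network_iocs(NETWORK_EXCERPT))
    for sha, rec in extract_dropped_files(FILES_EXCERPT).items():
        print(sha, rec["seen"], sorted(rec["paths"]))
```

Keep the dns_only domains as indicators but at lower confidence than the contacted one: a lookup with no following connection is consistent with a fallback list, and nothing in these runs shows what those hosts serve. The unattributed bucket (the 142.250.x.x and 216.58.x.x endpoints) is deliberately not classified as C2; without a domain or a certificate in the report there is no basis on the page to call those anything.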