Malware Analysis Report

2024-11-13 17:37

Sample ID 241110-btwhaswflm
Target b6d9f5578287239a26741b7daa33dceac0042bcf6fb08e9d07415b4b8dc748b7.bin
SHA256 b6d9f5578287239a26741b7daa33dceac0042bcf6fb08e9d07415b4b8dc748b7
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: b6d9f5578287239a26741b7daa33dceac0042bcf6fb08e9d07415b4b8dc748b7

Threat Level: Known bad

The file b6d9f5578287239a26741b7daa33dceac0042bcf6fb08e9d07415b4b8dc748b7.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth

Octo family

Octo

Octo payload

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Performs UI accessibility actions on behalf of the user

Reads information about phone network operator.

Requests modifying system settings.

Queries the mobile country code (MCC)

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Acquires the wake lock

Requests accessing notifications (often used to intercept notifications before users become aware).

Requests disabling of battery optimizations (often used to enable hiding in the background).

Makes use of the framework's foreground persistence service

Queries the unique device ID (IMEI, MEID, IMSI)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-10 01:26

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows applications to use exact alarm APIs. | android.permission.SCHEDULE_EXACT_ALARM | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
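The three static signatures above (system-bind permissions on a receiver and two services, plus the SMS, call, settings and phone-state runtime permissions) are the manifest-level fingerprint of a banker. The script below is an added example, not sandbox output or the sample's code: it parses a decoded AndroidManifest.xml and scores that pattern. The manifest embedded in it is constructed to mirror the declarations listed in this section; the component class names in it are placeholders (the report does not name them), and the weights and thresholds are this example's own. In practice the input would be the manifest decoded by apktool or androguard, since the APK stores it as binary XML.

```python
"""Static triage of an Android manifest for the banker permission pattern
listed in the static1 section. Added example, not sandbox output."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Privileged "bind" permissions. Only the system may bind to a component
# that declares one, so declaring it is a request for that system role.
BIND_ROLES = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service (reads screen, injects UI actions)",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener (reads/dismisses notifications)",
    "android.permission.BIND_DEVICE_ADMIN": "device admin receiver (resists uninstall, can lock the device)",
}
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SINGLE_PERMS = {  # runtime permissions that add to the picture on their own
    "android.permission.CALL_PHONE": ("places calls without the dialer UI", 1),
    "android.permission.WRITE_SETTINGS": ("modifies system settings", 1),
    "android.permission.READ_PHONE_STATE": ("reads IMEI/IMSI/operator for device fingerprinting", 1),
}

# Constructed manifest mirroring the static1 declarations. Component class
# names are placeholders: the report does not name them.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.formwatermq">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.SCHEDULE_EXACT_ALARM"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".PlaceholderA11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".PlaceholderNotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".PlaceholderAdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (package, requested permissions, {bind permission: component})."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    bound = {}
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(ANDROID + "permission")
            if perm in BIND_ROLES:
                bound[perm] = comp.get(ANDROID + "name")
    return root.get("package"), requested, bound


def triage(xml_text):
    """Score the manifest; the weights are this example's own, not a standard."""
    package, requested, bound = parse_manifest(xml_text)
    findings, score = [], 0
    for perm, role in BIND_ROLES.items():
        if perm in bound:
            findings.append(f"{role} declared by {bound[perm]}")
            score += 3
    if SMS_PERMS <= requested:
        findings.append("full SMS control: receive, read and send (OTP interception)")
        score += 3
    for perm, (why, weight) in SINGLE_PERMS.items():
        if perm in requested:
            findings.append(f"{perm.rsplit('.', 1)[1]}: {why}")
            score += weight
    # The banker combination: accessibility for overlays and UI control,
    # plus notification access to catch codes that bypass the SMS path.
    if {"android.permission.BIND_ACCESSIBILITY_SERVICE",
        "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"} <= set(bound):
        findings.append("accessibility + notification listener combination")
        score += 2
    verdict = "likely banker/RAT" if score >= 8 else "review manually" if score >= 4 else "low"
    return {"package": package, "score": score, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    print(result["package"], result["score"], result["verdict"])
    for finding in result["findings"]:
        print(" -", finding)
```

A manifest that declares the accessibility and notification-listener bind permissions is not malicious on its own (screen readers and wearable companions do both); the signal is the co-occurrence with the full SMS set and CALL_PHONE in an app whose stated purpose needs none of them.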

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-10 01:26
Reported: 2024-11-10 01:29
Platform: android-x64-20240624-en
Max time kernel: 142s
Max time network: 136s

Command Line

com.formwatermq

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.formwatermq/cache/vjfxwirnwf N/A N/A
N/A /data/user/0/com.formwatermq/cache/vjfxwirnwf N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.formwatermq

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | oyunbaimlisi35.com | udp
US | 1.1.1.1:53 | fukiyibartiyom2.com | udp
US | 1.1.1.1:53 | malkafaniskm.com | udp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
US | 1.1.1.1:53 | malkafali222.com | udp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
GB | 142.250.179.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
GB | 142.250.179.228:443 | N/A | tcp
GB | 142.250.179.228:443 | N/A | tcp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp

Files

/data/data/com.formwatermq/cache/vjfxwirnwf

MD5 bfcb1d0f09416800bb9694146c1a889f
SHA1 eea94dd3be80990592156ca261e5df797cb82aa0
SHA256 17e95c496ca599d5824075907c76fb09f3f5c40c35383600f82625776d24ef54
SHA512 14fe702551d1bac07d4b6da1fe0d226af39269af81a3696a4d303110de289f1e41e8e4ab5b96d4f5ceb5ede71d9d8a63cf36e305e43d4e7adf47af0b63cf7a93

/data/data/com.formwatermq/kl.txt

MD5 018f9d5eed310964ed00629374a712ff
SHA1 1f13ebffdc315e9ef3f1d39c176b7165c83f80be
SHA256 9fa6ab1647ba9e07603d3601749d2d121f6de8a344a198a39f46ba8be5f2a5ef
SHA512 c26bff4d05feca30de5caeddcb47a7ae374f4ee0ae59b42718558c3cd304f82d95e1a0d28b83ab87a527fe7a94f9e0d2911a36f3dbda4a3889d917cc0e37cc44

/data/data/com.formwatermq/kl.txt

MD5 76c98dcef904a1cd61b626ae717c788a
SHA1 c171d666e52e45ccff4dec3634aca35ef9f8186f
SHA256 d15b91d648acd8aa5aae85a631eccd310dcda227f0c85d831c2f17a62d57425a
SHA512 4e5b77352d3e753c120ae37b4cf3b06e5815a0d3ad57a9c44d637a4f12e3156a0ad64b458c3f170cb90b3b683b18e8473c21914a0a3ab2e0d5e23781965e84b3

/data/data/com.formwatermq/kl.txt

MD5 2fc5f4689e5a09ca57612d719f0b60f6
SHA1 0c528227238712690d9fe2cc7fd719b7d7a20bc2
SHA256 496294a716265fd434a37e9ad69dddd955c8b908512877cde9de82e9dfda6797
SHA512 bdc462ee18cee14aef53119d5c4c48abe114cd022ba54d9debb5e78f3ec92c75ada6f56250fdb2763844b783be2f2b69f249474fd47dbfe2a63226435232c6ee

/data/data/com.formwatermq/kl.txt

MD5 5b7ece5e0d912c337951f26a10609109
SHA1 9662ca1c8ebe4f6f4a74180b92a54745764844f1
SHA256 1e9e7b4087a3d7185afc6445bd03835432dfef406b9f2e433074961aaa7a22e3
SHA512 e6bc3216ff85a4fac72433bc5b7ea938c08a98c3914842eb07dcf390a75ba2877de4be6c7675948846426a374b7996d0cb69f67d6a9366620331c8cc958acfea

/data/data/com.formwatermq/kl.txt

MD5 0b09c4405711ef01b8d8720c599d8bce
SHA1 0d4cb42ee0da59f293320e39858920a62a35a67e
SHA256 eb463f821d0656d2a0ddd9e9f9bba0838c56f50b49ddcfaf8a36f652833bea79
SHA512 05eb005d32a12a03624015811d9a94c1f0f145e4e26120246e85e7efce700d91440786499b9781cf7254c069f29f8fcbc9f7637a1970b42adfabb7e9ec15b127

/data/data/com.formwatermq/cache/oat/vjfxwirnwf.cur.prof

MD5 8251f13761d925ea89c709c6fd146311
SHA1 b957e35b9795a1b4a4bcceab3956b20e2d203147
SHA256 27d2822274a33786089042f9a0973720daab2d98ea0ab9ec1bcc2691801fb1a0
SHA512 fd51443b8157d80d93e11410da5781b0d8e0b6935458c645636ac9a45bc3d02f2e99995f0e3dcf84ad5d835c4e6904623d93af691bcef72f1b68eba01858aba1

/data/data/com.formwatermq/.qcom.formwatermq

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 01:26
Reported: 2024-11-10 01:29
Platform: android-x86-arm-20240910-en
Max time kernel: 148s
Max time network: 129s

Command Line

com.formwatermq

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.formwatermq/cache/vjfxwirnwf N/A N/A
N/A /data/user/0/com.formwatermq/cache/vjfxwirnwf N/A N/A
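The "Loads dropped Dex/Jar" signature (logged in both detonations) points at a file with no extension in the app's cache directory; /data/user/0/<pkg> and /data/data/<pkg>, as used elsewhere in this report, are the same location. The script below is an added example, not sandbox output or the sample's code: it walks an app data directory, identifies code files by content rather than name, hashes them, and checks for the companion ART profile (oat/<name>.cur.prof, which the Files sections also list) that the runtime writes next to a secondary dex it has loaded through a class loader, which distinguishes a payload that was executed from one that was only dropped. The directory tree it builds is constructed to mirror the report's paths; only the DEX header bytes are real, the file bodies are synthetic.

```python
"""Hunt for dropped DEX/JAR payloads in an Android app's private data
directory. Added example; the tree is constructed, file bodies synthetic."""
import hashlib
import os
import tempfile
import zipfile

DEX_MAGIC = b"dex\n"  # followed by a 3-digit version and NUL, e.g. b"dex\n035\x00"


def file_kind(path):
    """Identify DEX by magic regardless of filename, and JAR/APK by content."""
    with open(path, "rb") as f:
        head = f.read(8)
    if (len(head) == 8 and head.startswith(DEX_MAGIC)
            and head[4:7].isdigit() and head[7] == 0):
        return "dex"
    if head.startswith(b"PK\x03\x04") and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as z:
            if any(name.endswith(".dex") for name in z.namelist()):
                return "jar/apk"
    return None


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_app_dir(app_dir):
    """Walk the app data directory. For each code file, also check whether ART
    left a runtime profile (oat/<name>.cur.prof beside it): the profile is
    written for a secondary dex the runtime loaded, so its presence means the
    payload ran rather than merely sitting on disk."""
    hits = []
    for root, _dirs, files in os.walk(app_dir):
        for name in files:
            path = os.path.join(root, name)
            kind = file_kind(path)
            if kind is None:
                continue
            profile = os.path.join(root, "oat", name + ".cur.prof")
            hits.append({
                "path": os.path.relpath(path, app_dir),
                "kind": kind,
                "sha256": sha256_of(path),
                "executed": os.path.exists(profile),
            })
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree(base):
    """Constructed layout mirroring /data/data/com.formwatermq from the report."""
    app = os.path.join(base, "com.formwatermq")
    os.makedirs(os.path.join(app, "cache", "oat"))
    with open(os.path.join(app, "cache", "vjfxwirnwf"), "wb") as f:
        f.write(b"dex\n035\x00" + b"\x00" * 64)  # real magic, synthetic body
    with open(os.path.join(app, "cache", "oat", "vjfxwirnwf.cur.prof"), "wb") as f:
        f.write(b"pro\x00")  # synthetic profile stand-in
    with open(os.path.join(app, "kl.txt"), "w") as f:
        f.write("constructed text file, not code\n")
    return app


def demo():
    """Build the constructed tree in a temp dir, scan it, return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_app_dir(build_sample_tree(tmp))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On a real device the input is the directory pulled with adb (root, or `adb backup`/`run-as` for debuggable builds); hashing the file in place rather than relying on the sandbox's value matters because Octo-style droppers rewrite the cache file between runs, as the differing .cur.prof hashes in the two detonations already hint.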

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.formwatermq

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | malkafaniskm.com | udp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
US | 1.1.1.1:53 | oyunbaimlisi35.com | udp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 172.217.16.238:443 | N/A | tcp
GB | 172.217.16.238:443 | N/A | tcp
GB | 142.250.187.202:443 | semanticlocation-pa.googleapis.com | tcp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
GB | 216.58.212.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
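Read together, the Network tables of behavioral2 and behavioral1 show the sample resolving four look-alike domains but only ever connecting to the one that answered (malkafaniskm.com at 193.143.1.4:443); the other three are queried and never contacted, which is how a rotating C2 list looks from the outside. The script below is an added example, not sandbox output: it parses the flattened rows (space- or pipe-separated, with or without a Domain value), discards the emulator's own Google and mDNS traffic, and separates live C2 from queried-only names. The rows are transcribed from the two tables above with repeats removed; the allowlist of platform noise is this example's assumption, and TCP connections with no DNS attribution are reported rather than guessed at.

```python
"""Turn the report's flattened Network tables into C2 indicators.
Added example; rows transcribed from the report, rules are this example's."""
from collections import defaultdict

# Distinct rows from the behavioral2 and behavioral1 Network tables.
# Columns: Country Destination [Domain] Proto.
NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 oyunbaimlisi35.com udp
US 1.1.1.1:53 fukiyibartiyom2.com udp
US 1.1.1.1:53 malkafaniskm.com udp
RU 193.143.1.4:443 malkafaniskm.com tcp
US 1.1.1.1:53 malkafali222.com udp
GB 142.250.179.238:443 tcp
GB 142.250.179.228:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 172.217.16.238:443 tcp
GB 142.250.187.202:443 semanticlocation-pa.googleapis.com tcp
GB 216.58.212.238:443 tcp
"""

# Assumption: traffic the emulator image generates on its own. Google
# infrastructure and local mDNS are treated as noise, not sample activity.
NOISE_SUFFIXES = ("google.com", "googleapis.com", "google-analytics.com")
MDNS = "224.0.0.251"


def parse_rows(text):
    """Accept 'A B C D' or 'A | B | C | D' rows; a 3-field row has no domain."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")] if "|" in line else line.split()
        if parts and parts[0] == "Country":
            continue  # header row
        if len(parts) == 4:
            country, dest, domain, proto = parts
            if domain == "N/A":
                domain = None
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        records.append({"country": country, "ip": ip, "port": int(port),
                        "domain": domain, "proto": proto})
    return records


def is_noise(domain, ip):
    if ip == MDNS:
        return True
    return domain is not None and domain.endswith(NOISE_SUFFIXES)


def classify(records):
    """live_c2: names with a DNS lookup followed by a TCP connection attributed
    to them. queried_only: names the sample resolved but never connected to
    (fallback domains; whether unregistered or sinkholed is not visible here).
    unattributed_tcp: connections with no name in the log, left for the analyst."""
    queried, connected, unattributed = set(), defaultdict(set), set()
    for r in records:
        if is_noise(r["domain"], r["ip"]):
            continue
        if r["proto"] == "udp" and r["port"] == 53 and r["domain"]:
            queried.add(r["domain"])
        elif r["proto"] == "tcp" and r["domain"]:
            connected[r["domain"]].add(r["ip"])
        elif r["proto"] == "tcp":
            unattributed.add(r["ip"])
    return {
        "live_c2": {d: sorted(ips) for d, ips in connected.items()},
        "queried_only": sorted(queried - set(connected)),
        "unattributed_tcp": sorted(unattributed),
    }


def indicators(result):
    """Flat IOC list for a blocklist or hunt query: live C2 names and IPs
    plus the queried-only names (blocking them pre-empts a later rotation)."""
    iocs = set(result["queried_only"])
    for domain, ips in result["live_c2"].items():
        iocs.add(domain)
        iocs.update(ips)
    return sorted(iocs)


if __name__ == "__main__":
    res = classify(parse_rows(NETWORK_ROWS))
    print(res)
    print(indicators(res))
```

The unattributed TCP destinations in this log all sit in the same ranges as the rows that did resolve to Google names, but the log does not prove that, so the script lists them separately instead of silently dropping them. When hunting, the queried-only names are worth as much as the live one: the sample will try them again once 193.143.1.4 goes away.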

Files

/data/data/com.formwatermq/cache/vjfxwirnwf

MD5 bfcb1d0f09416800bb9694146c1a889f
SHA1 eea94dd3be80990592156ca261e5df797cb82aa0
SHA256 17e95c496ca599d5824075907c76fb09f3f5c40c35383600f82625776d24ef54
SHA512 14fe702551d1bac07d4b6da1fe0d226af39269af81a3696a4d303110de289f1e41e8e4ab5b96d4f5ceb5ede71d9d8a63cf36e305e43d4e7adf47af0b63cf7a93

/data/data/com.formwatermq/kl.txt

MD5 2f381c905af12a19ff1ed0a3fa9b49ff
SHA1 7ce5ff72ecffd55ac10699b6a47684411290cb0a
SHA256 cd35cec00956b859a50f617274424a8a2343f844ae64df3d024d5661a5233545
SHA512 f0e40d28a2ea88af5fa8301fc51ee85d4d3af4b38b3463c30e38235431960d117d455b314f2bb184b15fc0b165e8fd6c8b81deb5cf13960a9125893767bef825

/data/data/com.formwatermq/kl.txt

MD5 c7a20b28bc3d949937e1d1b65c2d00aa
SHA1 b244aeb061d2297e802cfef3854dbc39689f48bd
SHA256 b5203f2a2bafd57bbab1666d324bb12c5a07d074e76c3da9f3785c1afaafeb6d
SHA512 9714b414200621551a8237d23e37aeb8d6fcccb5b0b3783ac0c0d9f9b60b1af056bf66acd421366e99f7944c0671d5687979c370619e021e6c17c9ad670d413d

/data/data/com.formwatermq/kl.txt

MD5 6402e94b09b546b026b804f055e0f84e
SHA1 04ee50c3f26af671634145eb961def822a064516
SHA256 2c30b9b4d6edfa82687125bc6ded844581dc6c22180f9a4af5aef98e32870f72
SHA512 9e2b1871f83e5b3164a70967fc881fbe83060d5f17cfa80b7425d88516db86722f0256b15cc38c6deff2292aaa70de0e481b7fb4b1adabfee32630a5f0e37f62

/data/data/com.formwatermq/kl.txt

MD5 3e407f597c4b632a878898d8fd74ad73
SHA1 0c5df2b64187787fbb05c9aa666c8e375757b0d3
SHA256 6260eb4d485940f67cfc3714c90239a56615241ce59c672af8ffd8e83cb93e03
SHA512 39481f2f92abb611ff51e7dee1cca5de1346fcbea0f199b4f14ad27986900d9120a62244e7882a09f33f8c29e586b53fb45fa6b70c0f6536ca1fe8be778f9158

/data/data/com.formwatermq/kl.txt

MD5 6874effa21b131580e0b45b499800eea
SHA1 e99537a5d6519ad78988a3bdc6b27d88d7815b44
SHA256 feb64071094b01ef6efd86415aaecf7aaab9cfb21cafc8c0d39ee9937e9db99f
SHA512 e85f307b344f4dc026396f4e934e974c8b215c93b5b6bff6a32e419bf7d38708ea5254f4dd32e44cace27c47767c05bd967e9ceaf708f24f0b3f825395fdfa45

/data/data/com.formwatermq/cache/oat/vjfxwirnwf.cur.prof

MD5 456d9416e96ab35c31af423f5b50f4aa
SHA1 4a67264ede5bc0e226fa266045bc31d891332b32
SHA256 abebff2c5869ffc99f6323a0fb378ca1cf26decd851dba4fb3b1ff7c722e0147
SHA512 044f21a6c9183581fe2d4b1eab07893123ea14fae6e8534cde434a1162ca397e11f338c739509d501661013d1a03c20415113cd8a734d833ad7b5ac20fbe3a9c

/data/data/com.formwatermq/.qcom.formwatermq

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c