Malware Analysis Report

2024-12-01 03:08

Sample ID 241111-lr98saxekr
Target 6c4be0f9dc1394c3a6fc7f658370ba2e51a4be6d230dedf43d6573e5dd63e4e2
SHA256 6c4be0f9dc1394c3a6fc7f658370ba2e51a4be6d230dedf43d6573e5dd63e4e2
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

6c4be0f9dc1394c3a6fc7f658370ba2e51a4be6d230dedf43d6573e5dd63e4e2

Threat Level: Known bad

The file 6c4be0f9dc1394c3a6fc7f658370ba2e51a4be6d230dedf43d6573e5dd63e4e2 was found to be: Known bad.

Malicious Activity Summary

Octo payload

Octo

Octo family

Loads dropped Dex/Jar

Checks Android system properties for emulator presence.

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Acquires the wake lock

Queries the unique device ID (IMEI, MEID, IMSI)

Queries the mobile country code (MCC)

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator.

Declares services with permission to bind to the system

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Requests disabling of battery optimizations (often used to enable hiding in the background).

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 09:47

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to monitor incoming MMS messages. android.permission.RECEIVE_MMS N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 09:47

Reported

2024-11-11 09:51

Platform

android-x86-arm-20240910-en

Max time kernel

18s

Max time network

40s

Command Line

com.qbasic_personalization13

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Checks Android system properties for emulator presence.

evasion
Description Indicator Process Target
Accessed system property key: ro.product.model N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.qbasic_personalization13/app_dex/classes.dex N/A N/A
N/A Anonymous-DexFile@0xc6af8000-0xc6b7ba98 N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.qbasic_personalization13

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qbasic_personalization13/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.qbasic_personalization13/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network

Files

/data/data/com.qbasic_personalization13/cache/classes.zip


/data/data/com.qbasic_personalization13/cache/classes.dex


/data/data/com.qbasic_personalization13/app_dex/classes.dex


/data/user/0/com.qbasic_personalization13/app_dex/classes.dex


/data/data/com.qbasic_personalization13/files/.f


Anonymous-DexFile@0xc6af8000-0xc6b7ba98


/data/data/com.qbasic_personalization13/.global.com.qbasic_personalization13
