Malware Analysis Report

2024-12-07 17:09

Sample ID 241112-18v8hswjhl
Target 118063b24a6bc25761d379d1043ed6f2825a6daa164f58c39b762b8225b7b577.bin
SHA256 118063b24a6bc25761d379d1043ed6f2825a6daa164f58c39b762b8225b7b577
Tags octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Mobile Matrix V15)
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 118063b24a6bc25761d379d1043ed6f2825a6daa164f58c39b762b8225b7b577

Threat Level: Known bad

The file 118063b24a6bc25761d379d1043ed6f2825a6daa164f58c39b762b8225b7b577.bin was classified as Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo family

Octo payload

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Queries the unique device ID (IMEI, MEID, IMSI)

Acquires the wake lock

Performs UI accessibility actions on behalf of the user

Requests access to notifications (often used to intercept notifications before the user sees them)

Reads information about phone network operator.

Declares services with permission to bind to the system

Requests modifying system settings.

Requests exemption from battery optimizations (often used to keep running unnoticed in the background)

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 22:19

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows applications to use exact alarm APIs. | android.permission.SCHEDULE_EXACT_ALARM | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Note on reading the bind permissions: BIND_ACCESSIBILITY_SERVICE, BIND_NOTIFICATION_LISTENER_SERVICE and BIND_DEVICE_ADMIN are declared on the app's own service and receiver components so that only the system can bind to them; they grant nothing by themselves. The accessibility service and notification listener only become active once the user enables them in Settings, which is what the ACTION_NOTIFICATION_LISTENER_SETTINGS intent seen in both behavioral runs is pushing the user towards. The combination of an accessibility service with SMS read/receive and a notification listener is the characteristic overlay-banker pattern: the accessibility service drives the UI and reads on-screen text, while SMS and notifications are the channels through which one-time codes arrive.
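The static findings above amount to a permission-pattern check. The following added example (not code from the sandbox, the report or the sample) parses an Android manifest and fires rules for the banker pattern; SAMPLE_MANIFEST is a constructed manifest that reproduces the permissions and bind-permissions the static1 tables list for com.underlargeue, with made-up component names, and BENIGN_MANIFEST is a constructed control. The rule names and the is_banker_pattern heuristic are this example's own.

```python
"""Manifest triage for the permission pattern listed under static1.

Added example, not code from the sandbox or the sample. SAMPLE_MANIFEST is a
constructed manifest reproducing the report's static findings; the component
class names and the rule set are illustrative.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Constructed from the static1 tables (not the real AndroidManifest.xml).
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.underlargeue">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.SCHEDULE_EXACT_ALARM"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed control: an ordinary app that only wants network access.
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

# A rule fires when every permission in its set (short name) is present,
# whether requested via <uses-permission> or declared as a bind permission.
RULES = {
    "accessibility_service": {"BIND_ACCESSIBILITY_SERVICE"},
    "notification_listener": {"BIND_NOTIFICATION_LISTENER_SERVICE"},
    "device_admin": {"BIND_DEVICE_ADMIN"},
    "sms_interception": {"RECEIVE_SMS", "READ_SMS"},
    "sms_sending": {"SEND_SMS"},
    "silent_call": {"CALL_PHONE"},
    "settings_tamper": {"WRITE_SETTINGS"},
}


def short(perm):
    """'android.permission.READ_SMS' -> 'READ_SMS'."""
    return perm.rpartition(".")[2]


def parse_manifest(xml_text):
    """Return (requested, bound): short names from <uses-permission> entries and
    from android:permission attributes on <service>/<receiver> components."""
    root = ET.fromstring(xml_text)
    requested = {short(e.get(NAME_ATTR, "")) for e in root.iter("uses-permission")}
    requested.discard("")
    bound = set()
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(PERM_ATTR)
            if perm:
                bound.add(short(perm))
    return requested, bound


def triage(xml_text):
    """Sorted names of the rules that fire for this manifest."""
    requested, bound = parse_manifest(xml_text)
    present = requested | bound
    return sorted(name for name, needed in RULES.items() if needed <= present)


def is_banker_pattern(hits):
    """Accessibility service plus at least one channel for capturing one-time
    codes (SMS or notifications): the combination this report's sample shows."""
    return "accessibility_service" in hits and (
        "sms_interception" in hits or "notification_listener" in hits
    )


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        hits = triage(manifest)
        print(label, hits, "banker-pattern" if is_banker_pattern(hits) else "clean")
```

On a real APK the manifest is binary XML; decode it first (for example with apktool or androguard) and feed the decoded text to triage(). The rules deliberately look at the union of requested and bind permissions, because an accessibility service is declared through a bind permission on a component, not through uses-permission.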

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 22:19

Reported

2024-11-12 22:22

Platform

android-x86-arm-20240624-en

Max time kernel

143s

Max time network

132s

Command Line

com.underlargeue

Signatures

Octo
Tags: banker trojan infostealer rat octo

Octo family
Tags: octo

Octo payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher
Tags: stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar
Tags: evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.underlargeue/cache/kbqoazxbcfhdqi | N/A | N/A
N/A | /data/user/0/com.underlargeue/cache/kbqoazxbcfhdqi | N/A | N/A
(The same cache file is loaded twice; it is the file hashed under Files below, where it appears via the /data/data alias of the same path.)

Makes use of the framework's Accessibility service
Tags: collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Acquires the wake lock
Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service
Tags: evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user
Tags: evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
(4 calls recorded)

Queries the mobile country code (MCC)
Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A
(The call returns the ISO country code of the current network; the sandbox files it under MCC.)

Queries the unique device ID (IMEI, MEID, IMSI)
Tags: discovery

Requests access to notifications (often used to intercept notifications before the user sees them)
Tags: collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests exemption from battery optimizations (often used to keep running unnoticed in the background)
Tags: evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests permission to modify system settings
Tags: evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.underlargeue

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | malkafali222.com | udp
US | 1.1.1.1:53 | fukiyibartiyom2.com | udp
US | 1.1.1.1:53 | oyunbaimlisi35.com | udp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp
US | 1.1.1.1:53 | mal1fukizmirli.com | udp
US | 1.1.1.1:53 | malkafaniskm.com | udp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.14:443 | android.apis.google.com | tcp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp

Reading the table: the 1.1.1.1:53 rows are the sandbox resolver's DNS lookups (the country column there reflects the resolver, not the malware's infrastructure), and 224.0.0.251:5353 is local mDNS. Five non-Google domains were looked up, but connection rows exist only for oyunbaimlisi35.com: seven TCP connections to 193.143.1.4:443 (RU) in this run. The other four (malkafali222.com, fukiyibartiyom2.com, mal1fukizmirli.com, malkafaniskm.com) appear only as DNS queries here, which is consistent with a list of fallback servers being tried in order.

Files

On Android /data/data/<package> is an alias of /data/user/0/<package>, so the paths below are the same files as the /data/user/0/... indicator in the "Loads dropped Dex/Jar" signature. kl.txt is listed five times with different hashes, meaning it was rewritten repeatedly during the run. The cache/oat/kbqoazxbcfhdqi.cur.prof entry is the ART runtime profile that the system writes for dex code it has loaded, which corroborates that the cache file was executed as code rather than merely written.

/data/data/com.underlargeue/cache/kbqoazxbcfhdqi

MD5 b91147a23c51a0c8ee1e972b72c85d81
SHA1 72b81326b948a7c7fe58ed56827e5ef2ad31a26b
SHA256 cdcf5218c3191307ecc1589d56c3e9aa80c9acec4c23a7d77e7adfcb19bed8d6
SHA512 6b74f2f47d2d335189b0517781c7038152d2d4b50cdf2475ef8a95e4d12c8689ee61d7fa1134210e8a4202dacf29c08cdf57a344eafb93a247a06ead433c117b

/data/data/com.underlargeue/kl.txt

MD5 f1067d63d93e9d1ec45e7977770178ca
SHA1 a538073f0b37c26f8181014b8a00ffa54392d18c
SHA256 63c3a947ce131e3fdc991691e7bd6ca8f43e6d6d07a80cea3d6c425c4c67eb1f
SHA512 5c81dc189fc12b67042c7df82a7824698cd83e934dda9e2e21663f5fc91c1bd3784c6cb1bddf1b8d50030a1170533852a7b1c7e8fed412deb562d2347b23613a

/data/data/com.underlargeue/kl.txt

MD5 77ad4c0191d1ed95938fd660866b2cc5
SHA1 00ba9862cc910458308a521a19d95686d288e90d
SHA256 553b618df7702f82494ac193b7ae430bf44eabebbafc462deeda8ef32340b7e6
SHA512 9d7862c5336a651abd163a93169f4b5ad2df5f4c6e8217b2e1d619669e3258df6ae1b4390c4bf6d7b0d4c791a244d590d7f3559f3ff1a3525c21a2b7a93970af

/data/data/com.underlargeue/kl.txt

MD5 7fb973f575a3ddabe35ca1caf1d81316
SHA1 6a0a1b042198103e44b2ddc8ab6a7b0c2cf6620b
SHA256 1e7e52c08d6740bd70b5d7644ce6fe7104aae90b00b126994813e1c93f186e46
SHA512 13ccbf021f34283554c13bce8b8718d609a15d60b1330c99eaec7b006966f06aa77f6719ffe6303e1de1a53762460c0aae618e5e5ea2652354a38780667949fd

/data/data/com.underlargeue/kl.txt

MD5 51c4232f527b4d3b5a7c1874b9f567b9
SHA1 d297a863ae51b30a4adf08e8b136cf3ac8ef1e5f
SHA256 b97a57646be3534ec8171a509de38513c58eb10b36348ea01d2a02328c36bdfa
SHA512 31d47a85292ddb0e5bce80b4222573a1fdd167e261db8312c482aa375304a13d75e1af7e705f867052ea17a4e6f3c5ada103cb2367a35ff5a5717d558981a179

/data/data/com.underlargeue/kl.txt

MD5 8850cd980b8e0fa2aaf0e8cb915ad8bd
SHA1 b16de5fd8df362d6e6d5c970c48afe060f0bd17e
SHA256 d0dc66a12eb7f6e3597e90b542fe9d21f0566f88f76c85446cef3497fdd78662
SHA512 36be61e0f79142cca5a0542492bab3dbff8898bc2342b3d6062de35603c7480d5c2af4bdc302f0c22670e70bd32af355f70eb955e632780eaac611750b57cf9f

/data/data/com.underlargeue/cache/oat/kbqoazxbcfhdqi.cur.prof

MD5 eec313dda04288745ac641563d6df196
SHA1 c6bea461738ba918ebe95cf9670701cf272dde0e
SHA256 0b105257aebe337077069bf3e16a5f858979b46685177f7f79f0ae0413fa92de
SHA512 a83f7da6d39fec8b65431d99b17fe3b97daed68003bde92a2cc32d151ec6e6950ee7f2735658c0f74d369bd0f2e9d7f374397744c879d60ab9dca7883e6b2ae7

/data/data/com.underlargeue/.qcom.underlargeue

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 22:19

Reported

2024-11-12 22:22

Platform

android-x64-arm64-20240910-en

Max time kernel

148s

Max time network

150s

Command Line

com.underlargeue

Signatures

Octo
Tags: banker trojan infostealer rat octo

Octo family
Tags: octo

Octo payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar
Tags: evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.underlargeue/cache/kbqoazxbcfhdqi | N/A | N/A
N/A | /data/user/0/com.underlargeue/cache/kbqoazxbcfhdqi | N/A | N/A
(The same cache file is loaded twice, as in behavioral1.)

Makes use of the framework's Accessibility service
Tags: collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Acquires the wake lock
Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service
Tags: evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user
Tags: evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
(4 calls recorded)

Queries the mobile country code (MCC)
Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A
(The call returns the ISO country code of the current network; the sandbox files it under MCC.)

Reads information about phone network operator.
Tags: discovery

Requests access to notifications (often used to intercept notifications before the user sees them)
Tags: collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests exemption from battery optimizations (often used to keep running unnoticed in the background)
Tags: evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests permission to modify system settings
Tags: evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Compared with behavioral1, this run did not record the launcher-icon removal, the device-ID query or the runtime broadcast-receiver registration, and additionally recorded a network-operator query. Behavioral signatures depend on how far the sample gets in the allotted time, so the union of both runs is the better picture of the sample's capabilities.

Processes

com.underlargeue

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.200.14:443 | www.youtube.com | tcp
GB | 172.217.169.14:443 | www.youtube.com | tcp
US | 1.1.1.1:53 | mal1fukizmirli.com | udp
US | 1.1.1.1:53 | malkafali222.com | udp
US | 1.1.1.1:53 | fukiyibartiyom2.com | udp
US | 1.1.1.1:53 | malkafaniskm.com | udp
US | 1.1.1.1:53 | oyunbaimlisi35.com | udp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp
US | 216.239.36.223:443 | | tcp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp
GB | 142.250.187.193:443 | | tcp
GB | 142.250.187.193:443 | | tcp
US | 216.239.36.223:443 | | tcp
US | 216.239.36.223:443 | | tcp

Same pattern as behavioral1: the same five domains are looked up in a different order, and again only oyunbaimlisi35.com is contacted, six TCP connections to 193.143.1.4:443 in this run. The additional www.youtube.com and unlabelled Google-range connections are platform background traffic on the android-x64 image, not something to block on. The stable, actionable network indicators across both runs are the five domains and 193.143.1.4:443.
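Turning the two Network tables into a clean indicator set is the first thing a responder does with a report like this. The following added example (not sandbox code) parses the rows exactly as they appear in the behavioral1 and behavioral2 tables above, separates resolver lookups from actual connections, drops mDNS, and reports which domains were only queried versus actually contacted; ROWS is a copy of the report's rows, and the BACKGROUND suffix list is this example's own assumption about what counts as Android/sandbox noise.

```python
"""IOC extraction over this report's two Network tables.

Added example, not sandbox code. ROWS is copied from the behavioral1 and
behavioral2 Network sections. Treating the BACKGROUND suffixes as benign
platform noise is an assumption made here, not a statement of the report.
"""
from collections import Counter

ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 malkafali222.com udp
US 1.1.1.1:53 fukiyibartiyom2.com udp
US 1.1.1.1:53 oyunbaimlisi35.com udp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
US 1.1.1.1:53 mal1fukizmirli.com udp
US 1.1.1.1:53 malkafaniskm.com udp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.14:443 android.apis.google.com tcp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
N/A 224.0.0.251:5353 udp
GB 142.250.200.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.14:443 android.apis.google.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.200.14:443 www.youtube.com tcp
GB 172.217.169.14:443 www.youtube.com tcp
US 1.1.1.1:53 mal1fukizmirli.com udp
US 1.1.1.1:53 malkafali222.com udp
US 1.1.1.1:53 fukiyibartiyom2.com udp
US 1.1.1.1:53 malkafaniskm.com udp
US 1.1.1.1:53 oyunbaimlisi35.com udp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
US 216.239.36.223:443 tcp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
GB 142.250.187.193:443 tcp
GB 142.250.187.193:443 tcp
US 216.239.36.223:443 tcp
US 216.239.36.223:443 tcp
"""

BACKGROUND = ("googleapis.com", "google.com", "youtube.com")  # assumption: platform noise
MDNS = "224.0.0.251:5353"


def parse_rows(text):
    """Yield (country, destination, domain, proto); domain is '' when the row has none."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], "", parts[2]
        elif len(parts) == 4:
            yield tuple(parts)


def is_background(domain):
    return any(domain == s or domain.endswith("." + s) for s in BACKGROUND)


def extract_iocs(text):
    """connections: Counter of (domain, destination) for non-DNS rows with a domain;
    queried_only: domains looked up but never seen on a connection row;
    unattributed: destinations contacted with no domain label at all."""
    queried, connections, unattributed = set(), Counter(), Counter()
    for _country, dest, domain, proto in parse_rows(text):
        if dest == MDNS:
            continue
        if proto == "udp" and dest.endswith(":53"):   # resolver lookup, not C2 contact
            if domain and not is_background(domain):
                queried.add(domain)
        elif domain:
            if not is_background(domain):
                connections[(domain, dest)] += 1
        else:
            unattributed[dest] += 1
    connected = {d for d, _ in connections}
    return connections, queried - connected, unattributed


def blocklist(connections, queried_only):
    """Domains first (contacted and queried-only), then the IP:port pairs actually contacted."""
    return sorted({d for d, _ in connections} | queried_only) + sorted({p for _, p in connections})


if __name__ == "__main__":
    conns, only_dns, unattr = extract_iocs(ROWS)
    print(conns, only_dns, unattr, sep="\n")
    print("\n".join(blocklist(conns, only_dns)))
```

The unattributed bucket is deliberately kept rather than silently dropped: every entry in it here is a Google address with no domain label, but on another sample a bare IP connection is exactly what a hard-coded C2 looks like, so it belongs in the analyst's view even when it is excluded from the blocklist.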

Files

Same path set as behavioral1 (again via the /data/data alias of /data/user/0). cache/kbqoazxbcfhdqi and .qcom.underlargeue have identical hashes in both runs, so the dropped second-stage file is stable across executions and its SHA256 is a usable indicator; kl.txt (rewritten five times per run) and the ART profile cache/oat/kbqoazxbcfhdqi.cur.prof differ between runs and are not.

/data/data/com.underlargeue/cache/kbqoazxbcfhdqi

MD5 b91147a23c51a0c8ee1e972b72c85d81
SHA1 72b81326b948a7c7fe58ed56827e5ef2ad31a26b
SHA256 cdcf5218c3191307ecc1589d56c3e9aa80c9acec4c23a7d77e7adfcb19bed8d6
SHA512 6b74f2f47d2d335189b0517781c7038152d2d4b50cdf2475ef8a95e4d12c8689ee61d7fa1134210e8a4202dacf29c08cdf57a344eafb93a247a06ead433c117b

/data/data/com.underlargeue/kl.txt

MD5 220b562133516d96200c62ff7f3ae8ae
SHA1 fbbb78e33e00b4411ff6cd63913d351d6716a4f6
SHA256 586278703a443fce821bf7fae02d14645bac81652b1ce84aeee9b44373f5aed4
SHA512 9bd1dfc9d6fb7735196707d4072ad96483e94ec728c2258aeb6040f50ec1a807edda45f984e9f019225f50c4f56acd7d4496a0cb83168d1f43487d1fddc9b94b

/data/data/com.underlargeue/kl.txt

MD5 b82c9a0ffacf8d7d43b4d8decbf40767
SHA1 db20a519fb603455a9609f48e507666abaa2ba8e
SHA256 bb56b134bb6a8e00d2c1875285d300c04105e4641b0f980c9037de530dd3e31f
SHA512 4afb1cb54230fbae0be7bf993bd7d5d61ef46d50cbf4204c49a81a3d782e5104deb751e6a4a3ca769e77a2b68799e62f21f4d460f4562de9da52c26712e519c0

/data/data/com.underlargeue/kl.txt

MD5 9801493741c8ec246ba9b2467bf1deb5
SHA1 fbb4616998f187d819246f3c8f0c0f0aef33501d
SHA256 2f5733dba213481907de7a4b1055267ba7c86bd7135da914490a32df5ca6c7e1
SHA512 75256f95792854074cb3963ecba1bf7d99e01d1b35635c0eb10b29b990f55c1113ff808020e976a0303a3b7df5cd19fef83af506c81f7f7286f0f81fab94ce8f

/data/data/com.underlargeue/kl.txt

MD5 dd74994c2c75196b895f684ed70f219a
SHA1 cfe4d12b3f3aba791ed98ddda28a92dd9c12edf0
SHA256 b0598fb0614396d97177f72da001c7a2d007cdf9a6eb8151ed36ea2aa1f26674
SHA512 520e588e5cede7ac9b9f16c13d242018d0455962e6d23f1c31c3613d9bee0c00978e3d0cc671781759f414568c5c9bfdd0449c178b31e7c9ffd7eaaf1165f6a2

/data/data/com.underlargeue/kl.txt

MD5 9610f1ded60663e49f9e5c0cf63d93b8
SHA1 e7b6b9a1a9fd3adb04240bd118bc6aa0be071d00
SHA256 2ded0f5e2040f772b82243c2a4b173dc6370cdd704856ad0e7abddc103b2e740
SHA512 4dd329ffb9acfefa3f656d6b8fcab4a777363d15114b35ca02ffecc9d332ad141d1e16a885570d933e2adefb7a1aacf480dc278e9a4113e96e96aed98520470d

/data/data/com.underlargeue/cache/oat/kbqoazxbcfhdqi.cur.prof

MD5 44dfa34c2dd60283a12fd87a23849a54
SHA1 dbc83b94c0cc0cdbb1d974e5bb88f32dd8844f3c
SHA256 4f0fb945f7b31ce0d5a7c869ee11e3ba4f12ff60055bc50462c1b342cb0d0bb0
SHA512 81df5b6b5d907709be1b0d7d59226c0e577cbdda457601b60b4750cc6c3dcfb55ada0a350f1b17e1dfdd4b6518ccfa4432e228d38711ac4a391ad85cd65820ec

/data/data/com.underlargeue/.qcom.underlargeue

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c
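Before handing the dropped cache file to a decompiler it is worth confirming that it is a well-formed DEX (rather than, say, a still-encrypted blob that the loader decrypts at runtime) and that it is the exact bytes the sandbox hashed. The following added example (not code from the sandbox, the report or the sample) parses the DEX header, recomputes the Adler-32 checksum and SHA-1 signature the format carries, and compares the file's SHA256 against the value listed for cache/kbqoazxbcfhdqi in both runs. Because the real dropped file is not on this page, build_minimal_dex() constructs a small but valid DEX so the block runs offline; HEADER_SIZE and ENDIAN_CONSTANT are the format's own constants.

```python
"""Validate a dropped file as a well-formed DEX and pin it to the reported hash.

Added example, not part of the sandbox report. build_minimal_dex() produces a
constructed, empty-but-valid DEX so the block runs without the real sample.
EXPECTED_SHA256 is the hash the report lists for cache/kbqoazxbcfhdqi.
"""
import hashlib
import struct
import zlib

EXPECTED_SHA256 = "cdcf5218c3191307ecc1589d56c3e9aa80c9acec4c23a7d77e7adfcb19bed8d6"
HEADER_SIZE = 0x70            # dex header_size is fixed
ENDIAN_CONSTANT = 0x12345678  # little-endian marker at offset 40


def seal_dex(body):
    """Fill in signature (SHA-1 of bytes 32..end) then checksum (Adler-32 of bytes 12..end)."""
    body = bytearray(body)
    body[12:32] = hashlib.sha1(body[32:]).digest()
    body[8:12] = struct.pack("<I", zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)


def build_minimal_dex(version=b"035"):
    """Constructed DEX: header only, every table empty, map_off pointing at an empty map_list."""
    file_size = HEADER_SIZE + 4                      # header + map_list with zero items
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = b"dex\n" + version + b"\x00"
    struct.pack_into("<III", hdr, 32, file_size, HEADER_SIZE, ENDIAN_CONSTANT)
    struct.pack_into("<I", hdr, 52, HEADER_SIZE)     # map_off
    return seal_dex(bytes(hdr) + struct.pack("<I", 0))


FIELDS = ("file_size", "header_size", "endian_tag", "link_size", "link_off",
          "map_off", "string_ids_size", "string_ids_off", "type_ids_size",
          "type_ids_off", "proto_ids_size", "proto_ids_off", "field_ids_size",
          "field_ids_off", "method_ids_size", "method_ids_off", "class_defs_size",
          "class_defs_off", "data_size", "data_off")


def parse_dex_header(blob):
    """Header fields plus integrity results, or None if the magic is not a DEX magic."""
    if len(blob) < HEADER_SIZE or blob[:4] != b"dex\n" or blob[7] != 0:
        return None
    (checksum,) = struct.unpack_from("<I", blob, 8)
    signature = blob[12:32]
    info = dict(zip(FIELDS, struct.unpack_from("<" + "I" * len(FIELDS), blob, 32)))
    info["version"] = blob[4:7].decode("ascii")
    info["checksum_ok"] = (zlib.adler32(blob[12:]) & 0xFFFFFFFF) == checksum
    info["signature_ok"] = hashlib.sha1(blob[32:]).digest() == signature
    info["size_ok"] = info["file_size"] == len(blob) and info["header_size"] == HEADER_SIZE
    info["endian_ok"] = info["endian_tag"] == ENDIAN_CONSTANT
    info["sha256"] = hashlib.sha256(blob).hexdigest()
    return info


def is_valid_dex(blob):
    """True when the magic, both integrity fields, the sizes and the endian tag all check out."""
    info = parse_dex_header(blob)
    return bool(info) and all(info[k] for k in ("checksum_ok", "signature_ok", "size_ok", "endian_ok"))


def matches_report(blob):
    """True only for the exact bytes the sandbox hashed for cache/kbqoazxbcfhdqi."""
    return hashlib.sha256(blob).hexdigest() == EXPECTED_SHA256


if __name__ == "__main__":
    dex = build_minimal_dex()
    info = parse_dex_header(dex)
    print({k: info[k] for k in ("version", "file_size", "checksum_ok", "signature_ok", "sha256")})
    tampered = dex[:HEADER_SIZE] + b"\xff" + dex[HEADER_SIZE + 1:]   # flip one byte past the header
    print("valid:", is_valid_dex(dex), "| tampered valid:", is_valid_dex(tampered),
          "| matches report:", matches_report(dex))
```

A file pulled from the emulator that fails the checksum or signature check but still starts with "dex\n" has usually been truncated by the pull or patched in memory; one that fails the magic check altogether is the case to look at more closely, since Octo-style loaders commonly keep the second stage encrypted on disk and only the decrypted form is a DEX.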