Malware Analysis Report

2024-12-07 17:09

Sample ID 241112-18x24sseqf
Target 285196fc2692efeb65d2507ce5f47fc5364c547006db4844a4ba4a38c2651290.bin
SHA256 285196fc2692efeb65d2507ce5f47fc5364c547006db4844a4ba4a38c2651290
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10


Analysis Overview

score
10/10

SHA256

285196fc2692efeb65d2507ce5f47fc5364c547006db4844a4ba4a38c2651290

Threat Level: Known bad

The file 285196fc2692efeb65d2507ce5f47fc5364c547006db4844a4ba4a38c2651290.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo family

Octo payload

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Reads information about phone network operator.

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Requests accessing notifications (often used to intercept notifications before users become aware).

Queries the unique device ID (IMEI, MEID, IMSI)

Requests modifying system settings.

Makes use of the framework's foreground persistence service

Acquires the wake lock

Queries the mobile country code (MCC)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Performs UI accessibility actions on behalf of the user

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Analysis: static1

Detonation Overview

Reported

2024-11-12 22:19

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows applications to use exact alarm APIs. | android.permission.SCHEDULE_EXACT_ALARM | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 22:19

Reported

2024-11-12 22:22

Platform

android-x86-arm-20240624-en

Max time kernel

143s

Max time network

131s

Command Line

com.tenthought1

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload


Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.tenthought1/cache/ckkmqvbtwzidfh | N/A | N/A
N/A | /data/user/0/com.tenthought1/cache/ckkmqvbtwzidfh | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.tenthought1

Network


Files

/data/data/com.tenthought1/cache/ckkmqvbtwzidfh

/data/data/com.tenthought1/kl.txt

/data/data/com.tenthought1/cache/oat/ckkmqvbtwzidfh.cur.prof

/data/data/com.tenthought1/.qcom.tenthought1

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 22:19

Reported

2024-11-12 22:22

Platform

android-33-x64-arm64-20240624-en

Max time kernel

149s

Max time network

133s

Command Line

com.tenthought1

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload


Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.tenthought1/cache/ckkmqvbtwzidfh | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.tenthought1

Network


Files

/data/data/com.tenthought1/cache/ckkmqvbtwzidfh

/data/data/com.tenthought1/kl.txt

/data/data/com.tenthought1/cache/oat/ckkmqvbtwzidfh.cur.prof

/data/data/com.tenthought1/.qcom.tenthought1