Malware Analysis Report

2024-12-07 17:11

Sample ID: 241112-1w6hqavram
Target: 41e28bed1680f4163678f0e6d9db9247064e0eaf10bd7c77064a94975d5d59d9.bin
SHA256: 41e28bed1680f4163678f0e6d9db9247064e0eaf10bd7c77064a94975d5d59d9
Tags: octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

41e28bed1680f4163678f0e6d9db9247064e0eaf10bd7c77064a94975d5d59d9

Threat Level: Known bad

The file 41e28bed1680f4163678f0e6d9db9247064e0eaf10bd7c77064a94975d5d59d9.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo family

Octo

Octo payload

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Reads information about phone network operator.

Declares services with permission to bind to the system

Requests accessing notifications (often used to intercept notifications before users become aware).

Performs UI accessibility actions on behalf of the user

Requests disabling of battery optimizations (often used to enable hiding in the background).

Queries the mobile country code (MCC)

Declares broadcast receivers with permission to handle system events

Requests modifying system settings.

Acquires the wake lock

Queries the unique device ID (IMEI, MEID, IMSI)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-12 22:01

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows applications to use exact alarm APIs. | android.permission.SCHEDULE_EXACT_ALARM | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-12 22:01

Reported: 2024-11-12 22:03

Platform: android-x86-arm-20240624-en

Max time kernel: 144s

Max time network: 133s

Command Line

com.maylove09

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.maylove09/cache/bzfkisss | N/A | N/A
N/A | /data/user/0/com.maylove09/cache/bzfkisss | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.maylove09

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.202:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | malkafali222.com | udp
US | 1.1.1.1:53 | oyunbaimlisi35.com | udp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp
US | 1.1.1.1:53 | mal1fukizmirli.com | udp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp

Files

/data/data/com.maylove09/cache/bzfkisss

/data/data/com.maylove09/kl.txt

/data/data/com.maylove09/kl.txt

/data/data/com.maylove09/kl.txt

/data/data/com.maylove09/kl.txt

/data/data/com.maylove09/kl.txt

/data/data/com.maylove09/cache/oat/bzfkisss.cur.prof

/data/data/com.maylove09/.qcom.maylove09

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-12 22:01

Reported: 2024-11-12 22:03

Platform: android-x64-arm64-20240624-en

Max time kernel: 140s

Max time network: 146s

Command Line

com.maylove09

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.maylove09/cache/bzfkisss | N/A | N/A
N/A | /data/user/0/com.maylove09/cache/bzfkisss | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.maylove09

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | mal1fukizmirli.com | udp
US | 1.1.1.1:53 | malkafali222.com | udp
US | 1.1.1.1:53 | fukiyibartiyom2.com | udp
US | 1.1.1.1:53 | oyunbaimlisi35.com | udp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp
US | 1.1.1.1:53 | malkafaniskm.com | udp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.187.196:443 | | tcp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp
RU | 193.143.1.4:443 | oyunbaimlisi35.com | tcp

Files

/data/data/com.maylove09/cache/bzfkisss

/data/data/com.maylove09/kl.txt

/data/data/com.maylove09/kl.txt

/data/data/com.maylove09/kl.txt

/data/data/com.maylove09/kl.txt

/data/data/com.maylove09/kl.txt

/data/data/com.maylove09/cache/oat/bzfkisss.cur.prof

/data/data/com.maylove09/.qcom.maylove09
