Malware Analysis Report

2024-12-07 17:09

Sample ID 241112-1x9a1asdmc
Target 8ae862ff41c649123153df8a885c1985456a103878d9841f8b24e6a14d44e084.bin
SHA256 8ae862ff41c649123153df8a885c1985456a103878d9841f8b24e6a14d44e084
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Analysis Overview

score
10/10

SHA256

8ae862ff41c649123153df8a885c1985456a103878d9841f8b24e6a14d44e084

Threat Level: Known bad

The file 8ae862ff41c649123153df8a885c1985456a103878d9841f8b24e6a14d44e084.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Octo family

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Acquires the wake lock

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Performs UI accessibility actions on behalf of the user

Queries the mobile country code (MCC)

Requests accessing notifications (often used to intercept notifications before users become aware).

Queries the unique device ID (IMEI, MEID, IMSI)

Requests modifying system settings.

Declares services with permission to bind to the system

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 22:02

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows applications to use exact alarm APIs. | android.permission.SCHEDULE_EXACT_ALARM | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
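The static1 tables above are a permission inventory; what makes them a banker signature is the combination: a bound accessibility service, a bound notification listener, SMS access and a device-admin receiver in one package. The following added example (not sandbox output, and not code from the sample) parses a decoded AndroidManifest.xml and reports that combination. MANIFEST is a constructed manifest for com.crywind88 carrying exactly the permissions listed above; the component names (.AccService, .NotifService, .AdminReceiver) and the weighting of findings are assumptions, since the report names neither.

```python
"""Manifest triage for the permission set in the static1 signatures above.

Added example; not sandbox output and not code from the sample. MANIFEST is a
constructed, decoded AndroidManifest.xml (the form apktool emits) that
declares exactly the permissions the static1 tables list for com.crywind88.
The component names (.AccService, .NotifService, .AdminReceiver) are
hypothetical: the report does not name the sample's components.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.crywind88">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.SCHEDULE_EXACT_ALARM"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# Capability groups an Android banker typically combines. The grouping and the
# wording are an analyst's choice, not a published scoring scheme.
SMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
       "android.permission.SEND_SMS"}
BIND_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "an accessibility service (reads and drives the UI)",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "a notification listener (sees OTP notifications)",
    "android.permission.BIND_DEVICE_ADMIN": "a device admin receiver (resists uninstall)",
}
OTHER = {
    "android.permission.CALL_PHONE": "calls without Dialer confirmation",
    "android.permission.WRITE_SETTINGS": "system settings modification",
    "android.permission.READ_PHONE_STATE": "device and SIM identifiers",
    "android.permission.SCHEDULE_EXACT_ALARM": "exact alarms (reliable wake-ups)",
}


def parse_manifest(xml_text: str):
    """Return (requested uses-permissions, {bind permission: component name})."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")
                 if e.get(ANDROID_NS + "name")}
    bound = {}
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(ANDROID_NS + "permission")
            if perm:
                bound[perm] = comp.get(ANDROID_NS + "name")
    return requested, bound


def triage(xml_text: str) -> dict:
    """List the banker-relevant capabilities and flag the overlay/OTP pattern."""
    requested, bound = parse_manifest(xml_text)
    findings = [f"{bound[p]} binds {why}" for p, why in BIND_PERMS.items() if p in bound]
    sms = requested & SMS
    if sms:
        findings.append("SMS access: " + ", ".join(sorted(p.rsplit(".", 1)[1] for p in sms)))
    findings += [f"{p.rsplit('.', 1)[1]}: {why}" for p, why in OTHER.items() if p in requested]
    # Accessibility + notification listener + SMS in one package is the
    # overlay-and-OTP-theft pattern; surface it as a single verdict.
    banker = ("android.permission.BIND_ACCESSIBILITY_SERVICE" in bound
              and "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE" in bound
              and bool(sms))
    return {"findings": findings, "banker_pattern": banker}


if __name__ == "__main__":
    for line in triage(MANIFEST)["findings"]:
        print("-", line)
    print("banker pattern:", triage(MANIFEST)["banker_pattern"])
```

Run it against a real APK by feeding `parse_manifest` the manifest that `apktool d` writes; a bound accessibility service alone is common in legitimate apps, which is why the verdict keys on the combination rather than any single permission.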

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 22:02

Reported

2024-11-12 22:05

Platform

android-x86-arm-20240910-en

Max time kernel

149s

Max time network

150s

Command Line

com.crywind88

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.crywind88/cache/pclfmmywlt N/A N/A
N/A /data/user/0/com.crywind88/cache/pclfmmywlt N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Note: Cipher.doFinal on its own does not show what was encrypted or decrypted. The Files tables record only the dropped Dex and its ART profile and no encrypted user files, so this call is at least as consistent with the sample decrypting its own payload or C2 traffic as with the "impact" tag.

Processes

com.crywind88

Network

Country | Destination | Domain | Proto
GB | 142.250.187.206:443 | N/A | tcp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
GB | 172.217.16.234:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | 7bb13903074567453981d0595033c23.com | udp
US | 1.1.1.1:53 | 94b641553903074567453981d0595033c23.com | udp
BG | 87.121.86.147:443 | 7bb13903074567453981d0595033c23.com | tcp
US | 1.1.1.1:53 | 74b6413903074567453981d0595033c23.com | udp
US | 1.1.1.1:53 | 894b6413903074567453981d0595033c23.com | udp
US | 1.1.1.1:53 | 4b6413903074567453981d0595033c23.com | udp
MD | 213.159.75.106:443 | 4b6413903074567453981d0595033c23.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
MD | 213.159.75.106:443 | 4b6413903074567453981d0595033c23.com | tcp
US | 1.1.1.1:53 | 64b6413903074567453981d0595033c23.com | udp
US | 1.1.1.1:53 | 94b64139033074567453981d0595033c23.com | udp
US | 1.1.1.1:53 | 34b6413903074567453981d0595033c23.com | udp
MD | 213.159.75.106:443 | 4b6413903074567453981d0595033c23.com | tcp
MD | 213.159.75.106:443 | 4b6413903074567453981d0595033c23.com | tcp
GB | 142.250.200.42:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.crywind88/cache/pclfmmywlt

(The same file as /data/user/0/com.crywind88/cache/pclfmmywlt in the Loads dropped Dex/Jar indicator: on current Android builds /data/data is a symlink to /data/user/0.)

MD5 97d44408554656a1fcc526e4b78c490d
SHA1 163a3fea34a070444897e4383df27cb85f6dc068
SHA256 a8f4935222b8e008e0f0e8d0d694d842400bfdf67d40edb8b71050d40cec0e55
SHA512 ce1c7f688becbf4ff7e33994a25fe4c52b783af6df38c0a9d3fab51e2b02ca54f263883fd2f5b39d305750225020c88d8d536ab6fc6d0d9aa50e826bfc724558

/data/data/com.crywind88/cache/oat/pclfmmywlt.cur.prof

(ART JIT profile written by the runtime when the dropped Dex is loaded, not a file the sample itself wrote. Its hashes differ between behavioral1 and behavioral2 while the pclfmmywlt hashes above are identical in both runs, so only the Dex hashes are stable indicators.)

MD5 6bc0bf70cb63376038f7399260593b31
SHA1 691efe5d211997f0c51647eded32760a810010c2
SHA256 c964688a340651ea113a75917310b7fce4dc1cad899c8f24d0749400d3ca9232
SHA512 895df132c24865d6f0b011eb10fd0bd500ba81ba174315d72de8baa56efa19808b6201421c57d248114702284d129c5cc2cb86d18611d7e9e1b863747d4e9c71

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 22:02

Reported

2024-11-12 22:05

Platform

android-33-x64-arm64-20240624-en

Max time kernel

148s

Max time network

143s

Command Line

com.crywind88

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.crywind88/cache/pclfmmywlt N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.crywind88

Network

Country | Destination | Domain | Proto
GB | 142.250.200.36:443 | N/A | udp
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | 94b64139030754567453981d0595033c23.com | udp
US | 1.1.1.1:53 | 34b6413903074567453981d0595033c23.com | udp
US | 1.1.1.1:53 | 74b6413903074567453981d0595033c23.com | udp
US | 1.1.1.1:53 | 64b6413903074567453981d0595033c23.com | udp
US | 1.1.1.1:53 | 4b6413903074567453981d0595033c23.com | udp
US | 1.1.1.1:53 | 894b6413903074567453981d0595033c23.com | udp
MD | 213.159.75.106:443 | 4b6413903074567453981d0595033c23.com | tcp
MD | 213.159.75.106:443 | 4b6413903074567453981d0595033c23.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp
US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
GB | 142.250.187.234:443 | remoteprovisioning.googleapis.com | tcp
GB | 142.250.200.36:443 | N/A | tcp
GB | 216.58.204.68:443 | N/A | tcp
GB | 216.58.204.68:443 | N/A | tcp
US | 172.64.41.3:443 | N/A | tcp
US | 172.64.41.3:443 | N/A | tcp
GB | 142.250.180.3:443 | N/A | tcp
US | 172.64.41.3:443 | N/A | udp
GB | 142.250.180.3:443 | N/A | udp
GB | 142.250.200.36:443 | N/A | udp
MD | 213.159.75.106:443 | 4b6413903074567453981d0595033c23.com | tcp
MD | 213.159.75.106:443 | 4b6413903074567453981d0595033c23.com | tcp
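The Network tables of behavioral1 and behavioral2 mix the sample's own traffic with emulator background traffic, and the sample's domains differ only in their leading characters. The following added example (not sandbox tooling) separates the two and extracts the actionable indicators: hosts actually contacted, domains looked up but never connected to, unattributed IP-only flows, and the suffix the sample's domains share. NETWORK_ROWS is a deduplicated copy of the rows from both tables; the decision that the 1.1.1.1 resolver, mDNS and *.google.com / *.googleapis.com endpoints are platform noise is an analyst assumption that the report does not make.

```python
"""Pull candidate C2 indicators out of the sandbox Network tables.

Added example for this report; it is not part of the sandbox's own tooling.
NETWORK_ROWS is a deduplicated copy of the rows in the behavioral1 and
behavioral2 Network tables. Treating the 1.1.1.1 resolver, mDNS and Google
endpoints as emulator noise is an analyst assumption, not a report finding.
"""
import os
from typing import NamedTuple

NETWORK_ROWS = """\
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
GB | 172.217.16.234:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | 7bb13903074567453981d0595033c23.com | udp
US | 1.1.1.1:53 | 94b641553903074567453981d0595033c23.com | udp
BG | 87.121.86.147:443 | 7bb13903074567453981d0595033c23.com | tcp
US | 1.1.1.1:53 | 74b6413903074567453981d0595033c23.com | udp
US | 1.1.1.1:53 | 894b6413903074567453981d0595033c23.com | udp
US | 1.1.1.1:53 | 4b6413903074567453981d0595033c23.com | udp
MD | 213.159.75.106:443 | 4b6413903074567453981d0595033c23.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | 64b6413903074567453981d0595033c23.com | udp
US | 1.1.1.1:53 | 94b64139033074567453981d0595033c23.com | udp
US | 1.1.1.1:53 | 34b6413903074567453981d0595033c23.com | udp
US | 1.1.1.1:53 | 94b64139030754567453981d0595033c23.com | udp
US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp
GB | 142.250.187.234:443 | remoteprovisioning.googleapis.com | tcp
US | 172.64.41.3:443 | N/A | tcp
"""

# Assumed platform noise: traffic the emulator image generates on its own.
NOISE_SUFFIXES = (".google.com", ".googleapis.com")
RESOLVER = "1.1.1.1"
MDNS = "224.0.0.251"


class Flow(NamedTuple):
    country: str
    ip: str
    port: int
    domain: str  # "" when the sandbox could not attribute a hostname
    proto: str


def parse_rows(text: str) -> list[Flow]:
    """Parse 'Country | Destination | Domain | Proto' rows. The raw
    space-separated export (Domain column simply absent) is accepted too."""
    flows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")] if "|" in line else line.split()
        if len(parts) == 3:                    # raw export row without a domain
            parts.insert(2, "N/A")
        if len(parts) != 4 or ":" not in parts[1]:
            continue                           # header or blank line
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), "" if domain == "N/A" else domain, proto))
    return flows


def is_noise(flow: Flow) -> bool:
    return flow.ip == MDNS or flow.domain.endswith(NOISE_SUFFIXES)


def classify(flows: list[Flow]) -> dict:
    """Split flows into contacted C2 hosts, lookups that never led to a
    connection, IP-only flows, and the suffix shared by the sample's domains."""
    queried, contacted, unattributed = set(), {}, set()
    for f in flows:
        if is_noise(f):
            continue
        if f.ip == RESOLVER and f.port == 53:
            queried.add(f.domain)
        elif f.domain:
            contacted[f.domain] = f.ip
        else:
            unattributed.add(f.ip)
    # Longest common suffix = common prefix of the reversed names, reversed back.
    names = queried | set(contacted)
    suffix = os.path.commonprefix([d[::-1] for d in names])[::-1]
    return {
        "c2": contacted,                                   # domain -> IP actually reached
        "queried_only": sorted(queried - set(contacted)),  # resolved nothing or refused
        "unattributed": sorted(unattributed),              # IP-only flows, review by hand
        "shared_suffix": suffix,
    }


if __name__ == "__main__":
    for key, value in classify(parse_rows(NETWORK_ROWS)).items():
        print(f"{key}: {value}")
```

On this report's rows the result is two contacted hosts (87.121.86.147 and 213.159.75.106), seven domains that were queried but never connected to, three IP-only flows to check by hand, and the 25-character suffix shared by all nine sample domains. The queried-only list is the useful part for blocking: the sample walks through several candidate names and only two answered during detonation, so a rule keyed on the shared suffix covers the rest. Whether the names are generated at run time or embedded in the sample is not something the report shows.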

Files

/data/data/com.crywind88/cache/pclfmmywlt

MD5 97d44408554656a1fcc526e4b78c490d
SHA1 163a3fea34a070444897e4383df27cb85f6dc068
SHA256 a8f4935222b8e008e0f0e8d0d694d842400bfdf67d40edb8b71050d40cec0e55
SHA512 ce1c7f688becbf4ff7e33994a25fe4c52b783af6df38c0a9d3fab51e2b02ca54f263883fd2f5b39d305750225020c88d8d536ab6fc6d0d9aa50e826bfc724558

/data/data/com.crywind88/cache/oat/pclfmmywlt.cur.prof

MD5 0ac2b84568d2f17a6d2e8c6a1d455b86
SHA1 ecbb403fa6994bdcc60f51e16dd62be4738a907e
SHA256 45472898e379149b5f2cf2f1e4a167ca695dc01ff9f7a0568e69b81d0e332552
SHA512 9d61b5da33d6f38ef74cfcd2b79788caec099a8d6f82f2c71975101bacd54912dd7caea29caa9a10669e8a1108a85712c7b243fd025bcdfe71b2c504cdfec2ef