Malware Analysis Report

2024-12-07 03:18

Sample ID: 241113-1ybfcstlel
Target: 4f386b4971d5ca9d048c76a9766f850a0da67c2c0ab3696cfd296c1a005a47a1.bin
SHA256: 4f386b4971d5ca9d048c76a9766f850a0da67c2c0ab3696cfd296c1a005a47a1
Tags: octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 4f386b4971d5ca9d048c76a9766f850a0da67c2c0ab3696cfd296c1a005a47a1

Threat Level: Known bad

The file 4f386b4971d5ca9d048c76a9766f850a0da67c2c0ab3696cfd296c1a005a47a1.bin was found to be: Known bad.

Malicious Activity Summary

Tags: octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo family

Octo payload

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Queries the unique device ID (IMEI, MEID, IMSI)

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Performs UI accessibility actions on behalf of the user

Requests modifying system settings.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Queries the mobile country code (MCC)

Requests accessing notifications (often used to intercept notifications before users become aware).

Acquires the wake lock

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Attempts to obfuscate APK file format

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-13 22:03

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

android.permission.BIND_DEVICE_ADMIN: Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

android.permission.BIND_ACCESSIBILITY_SERVICE: Required by accessibility services to bind with the system. Allows apps to access accessibility features.
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE: Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.

Requests dangerous framework permissions

android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.POST_NOTIFICATIONS: Allows an app to post notifications.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.
android.permission.SCHEDULE_EXACT_ALARM: Allows applications to use exact alarm APIs.
android.permission.READ_PHONE_STATE: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
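The permission set above is the static signal worth scoring in triage. The BIND_* permissions are not requested by the app; they are declared on a service or receiver (android:permission on the component) so that only the system can bind to it, while the uses-permission list carries the SMS, call and settings capabilities. The Python check below is an added example and is not part of this report or of the sandbox that produced it: it parses a decoded AndroidManifest.xml (as apktool emits it) and flags the combination that distinguishes an overlay banker from an ordinary app. The manifest embedded in the block is constructed to mirror the permissions this report lists; the component class names (.AccService and so on) are assumed, since the report does not name them.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # Clark-notation prefix ElementTree uses for android: attributes

# Permissions that are declared on a component (android:permission=...), never requested.
BIND_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
    "android.permission.BIND_DEVICE_ADMIN": "device admin receiver",
}
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS"}

# Constructed manifest mirroring the permissions in this report; component names are assumed.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.riverlightlrab">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.SCHEDULE_EXACT_ALARM"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return the package name, the requested permissions and the permissions
    declared on components (mapped to the component names that carry them)."""
    root = ET.fromstring(xml_text)
    uses = {e.get(A + "name") for e in root.iter("uses-permission")}
    bound = {}
    for tag in ("service", "receiver", "activity"):
        for comp in root.iter(tag):
            perm = comp.get(A + "permission")
            if perm:
                bound.setdefault(perm, []).append(comp.get(A + "name"))
    return {"package": root.get("package"), "uses": uses, "bound": bound}


def banker_findings(info):
    """Translate declared capabilities into the behaviours a banker needs."""
    uses, bound = info["uses"], info["bound"]
    findings = []
    for perm, role in BIND_PERMS.items():
        if perm in bound:
            findings.append("declares %s: %s" % (role, ", ".join(bound[perm])))
    sms = uses & SMS_PERMS
    if sms:
        findings.append("SMS access (OTP interception): " + ", ".join(sorted(sms)))
    if "android.permission.CALL_PHONE" in uses:
        findings.append("can place calls without the dialer UI (CALL_PHONE)")
    if "android.permission.WRITE_SETTINGS" in uses:
        findings.append("can modify system settings (WRITE_SETTINGS)")
    if "android.permission.READ_PHONE_STATE" in uses:
        findings.append("can read device/network identity (READ_PHONE_STATE)")
    return findings


def is_banker_profile(info):
    """Accessibility service + notification listener + SMS access together is the
    profile of an overlay banker; any one of them alone is common in legitimate apps."""
    bound = info["bound"]
    return ("android.permission.BIND_ACCESSIBILITY_SERVICE" in bound
            and "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE" in bound
            and bool(info["uses"] & SMS_PERMS))


if __name__ == "__main__":
    info = parse_manifest(SAMPLE_MANIFEST)
    print(info["package"], "banker profile:", is_banker_profile(info))
    for finding in banker_findings(info):
        print(" -", finding)
```

The score hinges on the combination, not on any single permission: screen readers declare BIND_ACCESSIBILITY_SERVICE and smartwatch companions declare BIND_NOTIFICATION_LISTENER_SERVICE legitimately. Note also that since Android 10 READ_PHONE_STATE no longer returns IMEI, MEID or IMSI to ordinary apps, so the "Queries the unique device ID" behaviour seen in the dynamic run yields real identifiers only on older devices.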

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 22:03
Reported: 2024-11-13 22:05
Platform: android-x86-arm-20240624-en
Max time kernel: 54s
Max time network: 145s

Command Line

com.riverlightlrab

Signatures

Octo
Tags: banker trojan infostealer rat octo

Octo family
Tags: octo

Octo payload
Indicator: none reported

Removes its main activity from the application launcher
Tags: stealth trojan evasion
Indicator: none reported

Loads dropped Dex/Jar
Tags: evasion
Indicator: /data/user/0/com.riverlightlrab/app_dex/classes.dex (3 entries)
Indicator: /data/user/0/com.riverlightlrab/cache/mcagswvws (2 entries)

Makes use of the framework's Accessibility service
Tags: collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Acquires the wake lock
Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service
Tags: evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user
Tags: evasion
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (4 entries)

Queries the mobile country code (MCC)
Tags: discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Queries the unique device ID (IMEI, MEID, IMSI)
Tags: discovery

Requests accessing notifications (often used to intercept notifications before users become aware).
Tags: collection credential_access
Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS

Requests disabling of battery optimizations (often used to enable hiding in the background).
Tags: evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Requests modifying system settings.
Tags: evasion
Intent action: android.settings.action.MANAGE_WRITE_SETTINGS

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Framework service call: android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact
Framework API call: javax.crypto.Cipher.doFinal

Processes

com.riverlightlrab

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.riverlightlrab/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.riverlightlrab/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
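The dex2oat invocation above is the visible side-effect of the "Loads dropped Dex/Jar" signature: ART compiles whatever DEX the app handed to its class loader, and the --dex-file path sits in the app's private data directory rather than in the installed APK. The Files section records /data/data/com.riverlightlrab/app_dex/classes.dex and /data/user/0/com.riverlightlrab/app_dex/classes.dex with different hashes; on Android /data/data/<pkg> is a symlink to /data/user/0/<pkg>, so that is one path captured with two different contents during the run. The Python below is an added example, not part of this report: it parses a dex2oat command line to pull out the loaded DEX path and checks whether it lies in the package's private directory, and it validates a DEX header (magic, Adler-32 checksum, SHA-1 signature, recorded size) so a carved or dumped file can be checked before it goes to a decompiler. The command line is transcribed from the process list (the truncated trailing --class-loader-context option is dropped); the DEX bytes in the block are a constructed header-only file, not the sample's payload.

```python
import hashlib
import struct
import zlib

DEX2OAT_CMD = (  # transcribed from the process list in this report
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/com.riverlightlrab/app_dex/classes.dex "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/com.riverlightlrab/app_dex/oat/x86/classes.odex "
    "--compiler-filter=quicken"
)


def parse_dex2oat(cmdline):
    """Split a dex2oat command line into --key=value options (kept as lists, because
    some keys repeat) plus the --runtime-arg values passed through to ART."""
    opts, runtime_args = {}, []
    tokens = iter(cmdline.split())
    for tok in tokens:
        if tok == "--runtime-arg":
            runtime_args.append(next(tokens, ""))
        elif tok.startswith("--") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            opts.setdefault(key, []).append(value)
    opts["runtime-arg"] = runtime_args
    return opts


def private_dir_dex_files(opts, package):
    """Return the --dex-file paths inside the package's private data directory.
    /data/data/<pkg> is a symlink to /data/user/0/<pkg>, so both spellings count."""
    roots = ("/data/user/0/%s/" % package, "/data/data/%s/" % package)
    return [p for p in opts.get("dex-file", []) if p.startswith(roots)]


DEX_HEADER_SIZE = 0x70


def check_dex_header(blob):
    """Validate a DEX header the way the runtime does: magic 'dex\\n0NN\\0', Adler-32
    over everything after the checksum field, SHA-1 over everything after the
    signature field, and the recorded file_size/header_size/endian_tag."""
    if len(blob) < DEX_HEADER_SIZE:
        return {"ok": False, "reason": "shorter than a DEX header"}
    magic = blob[:8]
    if not (magic.startswith(b"dex\n") and magic[7:8] == b"\x00"):
        return {"ok": False, "reason": "bad magic %r" % magic}
    checksum, = struct.unpack_from("<I", blob, 8)
    signature = blob[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", blob, 32)
    result = {
        "version": magic[4:7].decode("ascii"),
        "checksum_ok": checksum == (zlib.adler32(blob[12:]) & 0xFFFFFFFF),
        "signature_ok": signature == hashlib.sha1(blob[32:]).digest(),
        "size_ok": file_size == len(blob),
        "header_ok": header_size == DEX_HEADER_SIZE and endian_tag == 0x12345678,
    }
    result["ok"] = all(v for k, v in result.items() if k.endswith("_ok"))
    return result


def make_min_dex():
    """Constructed header-only DEX (no classes) with a correct checksum and signature;
    used as test input because the sample's dropped payload is not reproduced here."""
    header = bytearray(DEX_HEADER_SIZE)
    header[0:8] = b"dex\n035\x00"
    # file_size, header_size, endian_tag; the remaining size/offset fields stay zero
    struct.pack_into("<III", header, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE, 0x12345678)
    header[12:32] = hashlib.sha1(header[32:]).digest()      # signature covers bytes 32..end
    struct.pack_into("<I", header, 8, zlib.adler32(header[12:]) & 0xFFFFFFFF)  # checksum covers 12..end
    return bytes(header)


if __name__ == "__main__":
    opts = parse_dex2oat(DEX2OAT_CMD)
    print("dropped DEX compiled from:", private_dir_dex_files(opts, "com.riverlightlrab"))
    print("compiler filter:", opts["compiler-filter"], "runtime args:", opts["runtime-arg"])
    print("constructed header check:", check_dex_header(make_min_dex()))
```

Two details of the command line matter for analysis: --compiler-filter=quicken means the resulting .odex carries no native code, so everything of interest is still in the dropped classes.dex, and -Xhidden-api-checks is the runtime's normal hidden-API enforcement, not something the sample set. A dumped DEX that fails the checksum or signature check has usually been truncated or was still encrypted when captured (compare the cache/mcagswvws file, which has no .dex name but was passed to the class loader).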

Network

Country  Destination          Domain                              Proto
N/A      224.0.0.251:5353     -                                   udp
US       1.1.1.1:53           fukiyibartiyom2.com                 udp
US       1.1.1.1:53           oyunbaimlisi35.com                  udp
RU       193.143.1.4:443      oyunbaimlisi35.com                  tcp
US       1.1.1.1:53           malkafali222.com                    udp
US       1.1.1.1:53           mal1fukizmirli.com                  udp
RU       193.143.1.4:443      oyunbaimlisi35.com                  tcp
GB       216.58.204.78:443    -                                   tcp
US       1.1.1.1:53           android.apis.google.com             udp
GB       142.250.178.14:443   android.apis.google.com             tcp
US       1.1.1.1:53           semanticlocation-pa.googleapis.com  udp
RU       193.143.1.4:443      oyunbaimlisi35.com                  tcp
RU       193.143.1.4:443      oyunbaimlisi35.com                  tcp
RU       193.143.1.4:443      oyunbaimlisi35.com                  tcp
RU       193.143.1.4:443      oyunbaimlisi35.com                  tcp
RU       193.143.1.4:443      oyunbaimlisi35.com                  tcp
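Of the rows in this run, only oyunbaimlisi35.com was both resolved and connected to (seven TLS connections to 193.143.1.4:443). fukiyibartiyom2.com, malkafali222.com and mal1fukizmirli.com were queried but no connection followed, so either they did not resolve or the sample stopped at the first domain that answered; they still belong on the block list. Everything else is Android platform traffic (resolver, mDNS, Google endpoints). The behavioral2 run on the x64 image shows only Google endpoints, i.e. the sample did not reach its C2 there. The Python below is an added example, not part of this report: it parses rows in the Country/Destination/Domain/Proto layout (transcribed from the table above, with the domain column empty where the report shows none) and separates C2 candidates from queried-only domains, unattributed connections and platform noise. The benign-suffix list is an assumption of the example.

```python
from collections import Counter

# Rows transcribed from the behavioral1 network table above (Country Destination [Domain] Proto).
NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 fukiyibartiyom2.com udp
US 1.1.1.1:53 oyunbaimlisi35.com udp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
US 1.1.1.1:53 malkafali222.com udp
US 1.1.1.1:53 mal1fukizmirli.com udp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
"""

# Assumed allow-list: domains any Android image contacts on its own.
BENIGN_SUFFIXES = (".google.com", ".googleapis.com", ".google-analytics.com", ".gstatic.com")


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows; the domain column may be absent."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        ip, port = fields[1].rsplit(":", 1)
        rows.append({
            "country": fields[0], "ip": ip, "port": int(port),
            "domain": fields[2] if len(fields) == 4 else None,
            "proto": fields[-1],
        })
    return rows


def is_benign(domain):
    return domain is not None and (domain.endswith(BENIGN_SUFFIXES) or domain == "google.com")


def triage(rows):
    """Split the capture into C2 candidates (resolved and connected), domains that were
    only queried, connections with no domain attribution, and platform noise."""
    queried = set()
    connected = Counter()     # (domain, ip, port) -> number of connections
    unattributed = Counter()  # ip:port with no domain in the capture
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp" and r["domain"]:
            queried.add(r["domain"])            # DNS query: the domain column is the name asked for
        elif r["port"] == 5353 or r["ip"].startswith("224."):
            continue                            # mDNS / multicast discovery, never C2
        elif r["domain"]:
            connected[(r["domain"], r["ip"], r["port"])] += 1
        else:
            unattributed["%s:%d" % (r["ip"], r["port"])] += 1
    c2 = [{"domain": d, "ip": ip, "port": p, "connections": n}
          for (d, ip, p), n in connected.items() if not is_benign(d)]
    connected_domains = {d for d, _, _ in connected}
    queried_only = sorted(d for d in queried - connected_domains if not is_benign(d))
    return {
        "c2_candidates": sorted(c2, key=lambda c: -c["connections"]),
        "queried_only": queried_only,
        "unattributed": dict(unattributed),
        "platform_noise": sorted(d for d in queried | connected_domains if is_benign(d)),
    }


def iocs(report):
    """Flatten the triage into a de-duplicated indicator list for blocking and hunting."""
    out = {c["domain"] for c in report["c2_candidates"]}
    out |= {c["ip"] for c in report["c2_candidates"]}
    out |= set(report["queried_only"])
    return sorted(out)


if __name__ == "__main__":
    report = triage(parse_rows(NETWORK_ROWS))
    for key, value in report.items():
        print(key, value)
    print("IOCs:", iocs(report))
```

The unattributed 216.58.204.78:443 connection is left out of the IOC list on purpose: a connection with no DNS name in the capture cannot be tied to the sample's own infrastructure from this table alone, and blocking bare IPs seen in a sandbox is how Google front-ends end up on block lists.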

Files

/data/data/com.riverlightlrab/cache/classes.zip

MD5 7a6aa58730717c342195e7673baab112
SHA1 229347f74d7aec7c9ba0c46165003ea9a709f1f7
SHA256 34125a57487597c594698e718175dd293486e1976fddba3d0ec2012b51b8cd78
SHA512 f44bd4531a9fc0b6f61f215d9abade6736737ceff671a0df7edd2ba5b5c90cd268f9dc3ef7a5e96aacab0fedfc622bcba035976d6fe834aba6d961a4bc5565ad

/data/data/com.riverlightlrab/cache/classes.dex

MD5 2dbc54d718bab0af35d5845cfd7dd8ed
SHA1 c7f42ca13629f66ccf1b4bd9e68ab68c95069418
SHA256 bc41abbaf04484e2549a5ed9b54974073ec854fd817549b458064cc3f8ef0726
SHA512 3c829f13b0c8057bc5727baa5b9ffacc2eea259467a472ef10f6808c8d99afbd7ebe8f89cf387e6b4ecf171ceb5d572d8db8a05b9f0fe0920a9685dbb25cedaf

/data/data/com.riverlightlrab/app_dex/classes.dex

MD5 fafd2517ecb1685b96f71845fa4ecabd
SHA1 c0eaf86a80573da14e9855deef0940eae87ae347
SHA256 1436e6ca525b89b050d645bdbf9be3925a7f3e589bb1711b01c814d1b37a31f5
SHA512 4a4773b461360fc792dfa11fb2cfaad3ff1a223ca517c181768df7737f7a439f1d43dfd578e6539f1a65aa7bc15cf7a8ef5d6791d140aeb1d87721c0e7993014

/data/user/0/com.riverlightlrab/app_dex/classes.dex

MD5 80309d58da80ade64481f0c8c82b47e5
SHA1 4b07e9706a7c1de65081b62599fd09a565a34323
SHA256 20db902842bcd0ed4c23883feb77708d441a40ddb24bdcf32b74d96f1e52226f
SHA512 ab8580ade16690d7caa538cb9bbace52f63e0b537fee3f508e3f57ba663e0ff8728b64e4d84e3d9bedc616a116f86b743f9b7897f2d0be12e76279f31f402d22

/data/data/com.riverlightlrab/cache/mcagswvws

MD5 9fce030ed71e5ebde87bd47b14fb0233
SHA1 f0714d1cccfacf1514430f6e4b6d66e6b9f68e70
SHA256 f6d9f10980d92deb506a11b8fff12013b3859d655c40f77fbb27cd7ea108e9ff
SHA512 82c417659ff30a19af15dc0bc8bfd56b5a13ac5ea5997f67343a365a45723ff3c2d3ced6b62dc1b6997658cb058413ea7cc46ee6d02ded4ce43c46d39c29a72d

/data/data/com.riverlightlrab/kl.txt

MD5 7301c2081e4a75465fdfa51efa6ecad0
SHA1 e80563098b95ce2b79b79ee659f941f5d3230389
SHA256 349bf24a89a6aaf27b5245a3d74872ccadfe700a91bffbc7734392e6ad21ec2c
SHA512 298adeac216c0e22e4f6b412873966d66871cb7a2dbb1f7a085d9bc1376e753b5ba06b3b615f14ae1668066d058954bbff7039b72d47a0b2a306367120a4325f

/data/data/com.riverlightlrab/kl.txt

MD5 d8787c4dedf8d1ffbfe185024ce476a5
SHA1 c6a3eeb40a80ac9a98ee30cfa24b8e826718c93b
SHA256 a8850aab2c52d5f816c09d25e7a6e7fe8d16ea1e552842d9430425f9279a81c1
SHA512 70d53e7b45c7c20b65123a1a166b946d1b84e505342e404766ca44a55cd9907e48c4b4d76143657b86200d93c3e8f2faa8fccafe70ffcce23feed1905ccc6e07

/data/data/com.riverlightlrab/kl.txt

MD5 7abd7c71f5f751f840b85fa0be89691e
SHA1 65f9662aec87f88a386a3b3ee21a07b1afea4f82
SHA256 8ca6cda9a690e98d3151bf8c18c3ee145c67d939f0704532ac163245bdf85250
SHA512 68c39fe016d20edea13ca61a82028afbf5f0db26053820fc8510281d1a7b67b512e67f4975c8cd286e82c341f98cbe9b9e835c1b38832a0e229adec7181ea3b9

/data/data/com.riverlightlrab/kl.txt

MD5 4d3f0ba5cc7e9a1ec4aae3b202a147f1
SHA1 cd27663cdb94e20cc0aa6353d8d4700c08371a8b
SHA256 0ee7250c6c7a635b6ce98356b7e67c1b5c1351db2aa50549c9a8c10f8c83fece
SHA512 76c57dfb578b5f58dda9faa5b19ab0c0be72c3a5753e687fc16672da4f7dfc24668ea0803ff7cc03f7292e94956aea7ee09b1237f55bd63770c12d1172928bff

/data/data/com.riverlightlrab/kl.txt

MD5 796738ecf561509f841e9af3efa91e0a
SHA1 0222c1a940f929032cd285c978350a2f0f4cc404
SHA256 2246b583f75140f45e79a0d5ed61656a5055870a2728981507f63262dcaebe99
SHA512 59d4db121cb68492e1a0062fa49086d711bed228d96ddb0268b3e3408e0b4e7a579f8e329ad62547679619772d4af1cc713d136fdc03f90b740a2d6f5fe758ad

/data/data/com.riverlightlrab/cache/oat/mcagswvws.cur.prof

MD5 bdd84208ee190992f31811b8c6b34f1d
SHA1 1a88ab4f4edda0726e7da6fc1cef067f458e6618
SHA256 f62a97dd6769ce42357d3a93baa8a915ab743744d7287acaf8722a0bdd06b659
SHA512 19876f07e660e4f574de559ced86e6275d81d4b75cbb3a4ab71d2c4a0e53d15b0c79e4ace3d78eafba6493d94be1cd07b9ad055b185c532cd3d402eafad489cd

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-13 22:03
Reported: 2024-11-13 22:05
Platform: android-x64-20240624-en
Max time kernel: 2s
Max time network: 146s

Command Line

com.riverlightlrab

Signatures

Loads dropped Dex/Jar
Tags: evasion
Indicator: /data/user/0/com.riverlightlrab/app_dex/classes.dex (2 entries)

Processes

com.riverlightlrab

Network

Country  Destination          Domain                     Proto
N/A      224.0.0.251:5353     -                          udp
US       1.1.1.1:53           ssl.google-analytics.com   udp
GB       142.250.179.232:443  ssl.google-analytics.com   tcp
GB       142.250.179.238:443  -                          tcp
US       1.1.1.1:53           android.apis.google.com    udp
GB       172.217.16.238:443   android.apis.google.com    tcp
GB       142.250.180.4:443    -                          tcp
GB       142.250.180.4:443    -                          tcp
GB       216.58.201.98:443    -                          tcp
GB       172.217.169.46:443   -                          tcp

Files

/data/data/com.riverlightlrab/cache/classes.zip

MD5 7a6aa58730717c342195e7673baab112
SHA1 229347f74d7aec7c9ba0c46165003ea9a709f1f7
SHA256 34125a57487597c594698e718175dd293486e1976fddba3d0ec2012b51b8cd78
SHA512 f44bd4531a9fc0b6f61f215d9abade6736737ceff671a0df7edd2ba5b5c90cd268f9dc3ef7a5e96aacab0fedfc622bcba035976d6fe834aba6d961a4bc5565ad

/data/data/com.riverlightlrab/cache/classes.dex

MD5 2dbc54d718bab0af35d5845cfd7dd8ed
SHA1 c7f42ca13629f66ccf1b4bd9e68ab68c95069418
SHA256 bc41abbaf04484e2549a5ed9b54974073ec854fd817549b458064cc3f8ef0726
SHA512 3c829f13b0c8057bc5727baa5b9ffacc2eea259467a472ef10f6808c8d99afbd7ebe8f89cf387e6b4ecf171ceb5d572d8db8a05b9f0fe0920a9685dbb25cedaf

/data/data/com.riverlightlrab/app_dex/classes.dex

MD5 fafd2517ecb1685b96f71845fa4ecabd
SHA1 c0eaf86a80573da14e9855deef0940eae87ae347
SHA256 1436e6ca525b89b050d645bdbf9be3925a7f3e589bb1711b01c814d1b37a31f5
SHA512 4a4773b461360fc792dfa11fb2cfaad3ff1a223ca517c181768df7737f7a439f1d43dfd578e6539f1a65aa7bc15cf7a8ef5d6791d140aeb1d87721c0e7993014