Malware Analysis Report

2024-12-07 03:19

Sample ID 241113-1zf28stlhk
Target c64eb599155bfb8352dbc943e1772edec7a2af0d66f50ec82d027f53b0569e5a.bin
SHA256 c64eb599155bfb8352dbc943e1772edec7a2af0d66f50ec82d027f53b0569e5a
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

c64eb599155bfb8352dbc943e1772edec7a2af0d66f50ec82d027f53b0569e5a

Threat Level: Known bad

The file c64eb599155bfb8352dbc943e1772edec7a2af0d66f50ec82d027f53b0569e5a.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Octo

Octo family

Octo payload

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Reads information about phone network operator

Acquires the wake lock

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 22:05

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
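The three static signatures above reduce to a manifest check: signature-level bind permissions on the app's own components (accessibility, notification listener, device admin) next to the full SMS permission set. The following Python script is an added example, not the sandbox's or the report's own code: it parses a decoded AndroidManifest.xml and scores that pattern. The manifest it runs on is a constructed stand-in that declares exactly the permissions listed above under the package name reported in the behavioral runs; the component names (.A11y, .Notif, .Admin) and the score weights are assumptions for the example, not taken from the sample.

```python
"""Triage a decoded AndroidManifest.xml for the banker permission pattern
flagged in the static1 signatures (added example; SAMPLE_MANIFEST is a
constructed fixture, not the sample's real manifest)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's Clark notation for android:* attributes

# Constructed manifest: permissions as reported, component names invented.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.sgakagak.agakagabs">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Notif"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".Admin"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# Dangerous (user-granted) permissions the report lists for this sample.
SMS_PERMS = {"android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
STORAGE_PERMS = {"android.permission.READ_EXTERNAL_STORAGE",
                 "android.permission.WRITE_EXTERNAL_STORAGE"}

# Signature-level permissions only the system holds. An app does not request
# these; it protects one of its own components with them, which is how it
# asks the user to enable that privileged role in Settings.
BIND_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
    "android.permission.BIND_DEVICE_ADMIN": "device admin receiver",
}


def parse_manifest(xml_text):
    """Return (package, requested permissions, {bind permission: [components]})."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    bound = {}
    for tag in ("service", "receiver", "activity"):
        for comp in root.iter(tag):
            perm = comp.get(A + "permission")
            if perm in BIND_PERMS:
                bound.setdefault(perm, []).append(comp.get(A + "name"))
    return package, requested, bound


def triage(xml_text):
    """Score the manifest (weights are assumptions) and list the findings."""
    package, requested, bound = parse_manifest(xml_text)
    findings, score = [], 0
    if SMS_PERMS <= requested:
        findings.append("full SMS control (receive+read+send)")
        score += 3
    elif requested & SMS_PERMS:
        findings.append("partial SMS access: " + ", ".join(sorted(requested & SMS_PERMS)))
        score += 1
    if STORAGE_PERMS & requested:
        findings.append("external storage access")
        score += 1
    for perm, role in BIND_PERMS.items():
        if perm in bound:
            findings.append("declares %s component(s): %s" % (role, ", ".join(bound[perm])))
            score += 2
    # Accessibility plus SMS is the overlay-and-OTP-theft combination.
    if "android.permission.BIND_ACCESSIBILITY_SERVICE" in bound and SMS_PERMS & requested:
        findings.append("accessibility service combined with SMS access")
        score += 2
    return {"package": package, "score": score, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    print(result["package"], "score", result["score"])
    for finding in result["findings"]:
        print(" -", finding)
```

On a real APK the manifest is binary XML; decode it first (for example with apktool or androguard) and feed the decoded text to triage(). The bind-permission check looks at the app's own components rather than uses-permission entries because that is where these permissions appear.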

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 22:05

Reported

2024-11-13 22:07

Platform

android-x86-arm-20240910-en

Max time kernel

108s

Max time network

150s

Command Line

com.sgakagak.agakagabs

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.sgakagak.agakagabs/files/arm/classes.dex | N/A | N/A
N/A | /data/user/0/com.sgakagak.agakagabs/files/arm/classes.dex | N/A | N/A
N/A | /data/user/0/com.sgakagak.agakagabs/files/arm/classes.dex | N/A | N/A
N/A | /data/user/0/com.sgakagak.agakagabs/app_mph_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.sgakagak.agakagabs/app_mph_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.sgakagak.agakagabs/app_mph_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.sgakagak.agakagabs

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sgakagak.agakagabs/files/arm/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.sgakagak.agakagabs/files/arm/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sgakagak.agakagabs/app_mph_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.sgakagak.agakagabs/app_mph_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | sporkly.top | udp
US | 1.1.1.1:53 | spaghettom.top | udp
US | 1.1.1.1:53 | hangryv.top | udp
US | 1.1.1.1:53 | workaholkc.top | udp
US | 1.1.1.1:53 | mansplainu.top | udp
US | 1.1.1.1:53 | chillaxio.top | udp
US | 1.1.1.1:53 | ginormusj.top | udp
US | 1.1.1.1:53 | infoglo.top | udp
US | 1.1.1.1:53 | frenemyq.top | udp
US | 1.1.1.1:53 | sporkly.top | udp
US | 45.61.159.139:443 | sporkly.top | tcp
US | 1.1.1.1:53 | fleekyp.top | udp
US | 1.1.1.1:53 | spanglix.top | udp
US | 45.61.159.139:443 | sporkly.top | tcp
US | 45.61.159.139:443 | sporkly.top | tcp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | sporkly.top | udp
US | 45.61.159.139:443 | sporkly.top | tcp

Files

/data/data/com.sgakagak.agakagabs/files/arm/classes.dex

MD5 d90e84492d628958f60f85c42b42d36a
SHA1 9a40bde00b906f276b7f37a233f3418869bc1199
SHA256 61a95b5c5e05322f45130fe7389ed0d3ee905d4c1136499b90b855b9b4216b13
SHA512 d54abb185cdb614a1f5c5ee668b9fdf6c8aa95da07e9276cbf6ec02219a1fbff9f5fab1b69f8713c53611ae3c022643c2af6644e205615527a8d3a3bd539e7db

/data/user/0/com.sgakagak.agakagabs/files/arm/classes.dex

MD5 fc41cee2fe29a00586b1e6e3436d65d1
SHA1 5f61b1a0f842d28dbe8340baa8c2f09a72c9e84e
SHA256 bd064d7110032cc1c57eacb570b3da7bcb8109d1b91e2ec16e9e9e95c9db0093
SHA512 0a1ca3ae10e7652fb182210150bfb1c0ea6ec17df61e185d00179941edf41eb182a32ebde5e559d79ca8ce246e463605ed6c0bb1a879b5b6605037b012906ca2

/data/data/com.sgakagak.agakagabs/app_mph_dex/classes.dex

MD5 96de19022452856853c365e26583ad59
SHA1 a47e679075ddc612b4ea2b80edf54abdb169caaf
SHA256 31cc0b964c631b816d0fecd21e09ab8be6655b61df751a40b7f376dae7280446
SHA512 595248ca615e2eac908e988a00812e5c4df990df6c79d602cfe3fb98ea56269ea848ff534d200ac643e04ce9c5d5ed7935b5eeda00886cb539f7b937750478b9

/data/user/0/com.sgakagak.agakagabs/app_mph_dex/classes.dex

MD5 2abb97e1b8b8944235e50cfeebbd142a
SHA1 b357a16570c3ff4a4c8970db1be406ef11ce79e5
SHA256 a3c49064f5d825868ac1f37657fc66d01adaa26e36e60c91b249f5e6d4fabb05
SHA512 ebd636c44163881f9999a72ad466afbd70211c38a510a7eb188a339714ee7d05f3248032a9d01a3f86f00e3395f3aa2619efa1af95b1e8c356d4860bf965c718

/data/data/com.sgakagak.agakagabs/.qcom.sgakagak.agakagabs

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

/data/data/com.sgakagak.agakagabs/.qcom.sgakagak.agakagabs

MD5 892845b46a8a568e735d22de821d5fd6
SHA1 830d7a30d80129af708b99ce36f8d3ec7bf3429d
SHA256 f8870cfe7fd37e2f06006c3cce67373f6fb0a887a6771a0b9a977ac1621d50ab
SHA512 6fb1ac2e92693ec60c852840049907078a1787e398cf2b045d6c2ca9328a365d12373ae9470f8276e80bc35a028c199acd7b23373d69c2a3b305e9aa93ab810f

/data/data/com.sgakagak.agakagabs/app_mph_dex/oat/classes.dex.cur.prof

MD5 46dee6998fed147b48c9c98f128ac932
SHA1 65cd63fc57560920e541423e0239557ed88881e1
SHA256 cdf32c8e54d6ad6f4efdefd9065a4fe2bb92283bbb60b31a2090037091edae41
SHA512 f4abc0cb4a2154525ab4cf10f4ebcdf6ea2c7df00620e83e59349728400b10a74e87a01449bf0dc6c0ad7bbfc6ece54286627a3fbde2dae5b8f24fe1f3be41ee

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 22:05

Reported

2024-11-13 22:08

Platform

android-x64-20240910-en

Max time kernel

144s

Max time network

152s

Command Line

com.sgakagak.agakagabs

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.sgakagak.agakagabs/files/arm/classes.dex | N/A | N/A
N/A | /data/user/0/com.sgakagak.agakagabs/files/arm/classes.dex | N/A | N/A
N/A | /data/user/0/com.sgakagak.agakagabs/app_mph_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.sgakagak.agakagabs/app_mph_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.sgakagak.agakagabs

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | glampingaz.top | udp
US | 1.1.1.1:53 | workaholkc.top | udp
US | 1.1.1.1:53 | chillaxio.top | udp
US | 1.1.1.1:53 | blogosphze.top | udp
US | 1.1.1.1:53 | spaghettom.top | udp
US | 1.1.1.1:53 | fleekyp.top | udp
US | 1.1.1.1:53 | gluttonyd.top | udp
US | 1.1.1.1:53 | spanglix.top | udp
US | 1.1.1.1:53 | ginormusj.top | udp
US | 45.61.159.139:443 | glampingaz.top | tcp
US | 1.1.1.1:53 | brunchxy.top | udp
US | 1.1.1.1:53 | hangryv.top | udp
US | 1.1.1.1:53 | sporkly.top | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
US | 172.86.86.152:443 | brunchxy.top | tcp
US | 45.61.159.139:443 | sporkly.top | tcp
US | 1.1.1.1:53 | mansplainu.top | udp
US | 1.1.1.1:53 | sporkly.top | udp
US | 45.61.159.139:443 | sporkly.top | tcp
US | 1.1.1.1:53 | sporkly.top | udp
US | 45.61.159.139:443 | sporkly.top | tcp
US | 1.1.1.1:53 | sporkly.top | udp
US | 45.61.159.139:443 | sporkly.top | tcp
GB | 216.58.212.226:443 | | tcp
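Across both behavioral runs the sample resolves a long list of .top domains through 1.1.1.1 but only ever opens TCP connections to two addresses, 45.61.159.139 (sporkly.top, glampingaz.top) and 172.86.86.152 (brunchxy.top); the other names resolved but never contacted look like fallback C2 candidates. The Python below is an added example, not part of the report or the sandbox, that turns rows in the report's own "Country Destination Domain Proto" layout into that summary. NETWORK_LOG is a subset of the rows from the behavioral1 and behavioral2 Network tables copied inline; the list of benign suffixes used to drop Google platform traffic is an assumption.

```python
"""Summarize sandbox network rows into connected endpoints and resolved-but-
unused domains (added example, not sandbox code). NETWORK_LOG is a subset of
the report's Network tables; BENIGN_SUFFIXES is an assumed noise filter."""
from collections import Counter, defaultdict

NETWORK_LOG = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 sporkly.top udp
US 1.1.1.1:53 spaghettom.top udp
US 1.1.1.1:53 hangryv.top udp
US 45.61.159.139:443 sporkly.top tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
US 1.1.1.1:53 glampingaz.top udp
US 45.61.159.139:443 glampingaz.top tcp
US 1.1.1.1:53 brunchxy.top udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
US 172.86.86.152:443 brunchxy.top tcp
US 45.61.159.139:443 sporkly.top tcp
"""

BENIGN_SUFFIXES = (".google.com", ".google-analytics.com")  # assumed platform noise
RESOLVER = "1.1.1.1:53"
MDNS = "224.0.0.251:5353"


def parse_line(line):
    """Split one row into (country, destination, domain, proto).

    The Domain column is empty for bare TCP rows, so a row has three or
    four whitespace-separated fields; the protocol is always the last one.
    """
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    else:
        raise ValueError("unexpected row: %r" % line)
    return country, dest, domain, proto


def summarize(log_text):
    """Return (endpoints, queried_only).

    endpoints maps "ip:port" -> {"hits": connection count, "domains": [...]}
    for TCP connections that the table attributes to a domain. queried_only
    lists domains that were resolved via the DNS resolver but never
    connected to: the names to block proactively as likely fallbacks.
    Rows with no domain (unattributed TCP) are dropped because the table
    gives nothing to pivot on for them.
    """
    queried = set()
    domains = defaultdict(set)
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _country, dest, domain, proto = parse_line(line)
        if dest == MDNS or (domain and domain.endswith(BENIGN_SUFFIXES)):
            continue
        if proto == "udp" and dest == RESOLVER and domain:
            queried.add(domain)
        elif proto == "tcp" and domain:
            domains[dest].add(domain)
            hits[dest] += 1
    connected = set()
    for names in domains.values():
        connected |= names
    endpoints = {dest: {"hits": hits[dest], "domains": sorted(names)}
                 for dest, names in domains.items()}
    return endpoints, sorted(queried - connected)


def rank_c2(log_text):
    """Connected endpoints, most contacted first (ties broken by address)."""
    endpoints, _ = summarize(log_text)
    return sorted(endpoints, key=lambda dest: (-endpoints[dest]["hits"], dest))


if __name__ == "__main__":
    endpoints, backups = summarize(NETWORK_LOG)
    for dest in rank_c2(NETWORK_LOG):
        print("%-22s %d connections  %s" % (dest, endpoints[dest]["hits"],
                                            ", ".join(endpoints[dest]["domains"])))
    print("resolved but never contacted:", ", ".join(backups))
```

The same parser accepts the full tables above pasted into NETWORK_LOG; on the full data the unused-domain list grows to the remaining .top names, which is the set worth adding to a blocklist alongside the two contacted addresses.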

Files

/data/data/com.sgakagak.agakagabs/files/arm/classes.dex

MD5 d90e84492d628958f60f85c42b42d36a
SHA1 9a40bde00b906f276b7f37a233f3418869bc1199
SHA256 61a95b5c5e05322f45130fe7389ed0d3ee905d4c1136499b90b855b9b4216b13
SHA512 d54abb185cdb614a1f5c5ee668b9fdf6c8aa95da07e9276cbf6ec02219a1fbff9f5fab1b69f8713c53611ae3c022643c2af6644e205615527a8d3a3bd539e7db

/data/data/com.sgakagak.agakagabs/app_mph_dex/classes.dex

MD5 96de19022452856853c365e26583ad59
SHA1 a47e679075ddc612b4ea2b80edf54abdb169caaf
SHA256 31cc0b964c631b816d0fecd21e09ab8be6655b61df751a40b7f376dae7280446
SHA512 595248ca615e2eac908e988a00812e5c4df990df6c79d602cfe3fb98ea56269ea848ff534d200ac643e04ce9c5d5ed7935b5eeda00886cb539f7b937750478b9

/data/data/com.sgakagak.agakagabs/app_mph_dex/oat/classes.dex.cur.prof

MD5 92479b3080a59de087e0900387c36366
SHA1 9f20e316a39c993b9a26827a4f0f6cb441a33a9c
SHA256 1522b90dd527e6268698237b6175e61568e2d7464c70ce721d94264c866e4602
SHA512 29b00bc04583c2c097c784d0ff48f6edbe9a5840a256daa78dac4c6da6bee702534d5b38a549765a3f683d274315e43982d13c28a13f9addb497d57bb63f9f24

/data/data/com.sgakagak.agakagabs/.qcom.sgakagak.agakagabs

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c
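The "Loads dropped Dex/Jar" signature in both behavioral runs, the dex2oat invocations in behavioral1 that compile files/arm/classes.dex and app_mph_dex/classes.dex, and the Files sections together describe the same thing: a second-stage DEX written into the app's private directory and loaded at runtime. When pulling such files off a device it is worth checking that each is a complete, unmodified DEX before spending time on it, and matching it against the hashes already reported. The Python below is an added example, not the sandbox's code: it reads the DEX header, verifies the Adler-32 checksum and SHA-1 signature the header carries over the rest of the file, and looks the SHA256 up in the report's IOC list. The file contents it runs on are constructed fixtures; build_minimal_dex() produces a byte string with a structurally valid header and no real classes, so it exercises the checks without being a loadable DEX.

```python
"""Validate recovered DEX files and match them to the report's hashes
(added example, not sandbox code; FIXTURES are constructed, not real
artifacts from the sample)."""
import hashlib
import struct
import zlib

DEX_MAGIC_PREFIX = b"dex\n"   # followed by a 3-digit version and a NUL
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678

# SHA256 of the dropped classes.dex artifacts from the Files sections above
# (each logical file is reported via both its /data/data and /data/user/0 path).
KNOWN_DEX_SHA256 = {
    "61a95b5c5e05322f45130fe7389ed0d3ee905d4c1136499b90b855b9b4216b13": "files/arm/classes.dex",
    "bd064d7110032cc1c57eacb570b3da7bcb8109d1b91e2ec16e9e9e95c9db0093": "files/arm/classes.dex",
    "31cc0b964c631b816d0fecd21e09ab8be6655b61df751a40b7f376dae7280446": "app_mph_dex/classes.dex",
    "a3c49064f5d825868ac1f37657fc66d01adaa26e36e60c91b249f5e6d4fabb05": "app_mph_dex/classes.dex",
}


def build_minimal_dex(payload, version=b"035"):
    """Constructed fixture: a valid DEX header over an arbitrary payload.

    Header layout: magic[8] | adler32[4] | sha1[20] | file_size | header_size
    | endian_tag | link_size | ... (zeroed) | payload. The Adler-32 covers
    everything from offset 12, the SHA-1 everything from offset 32.
    """
    file_size = HEADER_SIZE + len(payload)
    rest = struct.pack("<IIII", file_size, HEADER_SIZE, ENDIAN_CONSTANT, 0)
    rest += b"\0" * (HEADER_SIZE - 32 - len(rest)) + payload
    signature = hashlib.sha1(rest).digest()
    checksum = zlib.adler32(signature + rest) & 0xFFFFFFFF
    return (DEX_MAGIC_PREFIX + version + b"\0" + struct.pack("<I", checksum)
            + signature + rest)


def check_dex(data):
    """Return header findings for a DEX blob, or None if it is not one.

    checksum_ok and signature_ok fail on any byte change after the fields
    they cover, so a dump that was truncated or patched on disk is caught
    before anyone tries to disassemble it.
    """
    if len(data) < HEADER_SIZE or not data.startswith(DEX_MAGIC_PREFIX):
        return None
    version = data[4:7].decode("ascii", "replace")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    return {
        "version": version,
        "checksum_ok": checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF),
        "signature_ok": signature == hashlib.sha1(data[32:]).digest(),
        "size_ok": (file_size == len(data) and header_size == HEADER_SIZE
                    and endian_tag == ENDIAN_CONSTANT),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def classify(data):
    """One-line verdict for one file from a pulled data directory."""
    info = check_dex(data)
    if info is None:
        return "not a DEX file"
    known = KNOWN_DEX_SHA256.get(info["sha256"])
    if known:
        return "known dropped payload (%s)" % known
    if info["checksum_ok"] and info["signature_ok"] and info["size_ok"]:
        return "intact DEX v%s not in the IOC list" % info["version"]
    return "damaged or truncated DEX (header checks failed)"


# Constructed stand-ins for files pulled from the device (not the real ones).
FIXTURES = {
    "files/arm/classes.dex": build_minimal_dex(b"constructed payload"),
    "app_mph_dex/classes.dex": build_minimal_dex(b"constructed payload")[:-4],
    "app_mph_dex/oat/classes.dex.cur.prof": b"not a dex " * 16,
}

if __name__ == "__main__":
    for name, blob in FIXTURES.items():
        print("%-40s %s" % (name, classify(blob)))
```

The .cur.prof and .qcom.sgakagak.agakagabs files listed above fail the magic check and are reported as non-DEX, which is the expected result for an ART profile and an app-private data file; only the two classes.dex paths are candidates for the hash match.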