Malware Analysis Report

2024-10-19 12:57

Sample ID: 240302-1w33laac52
Target: f89b36bee38876b2757a0123d1a35bee9a7924d5b0688ff17f421db9172a58d5.bin
SHA256: f89b36bee38876b2757a0123d1a35bee9a7924d5b0688ff17f421db9172a58d5
Tags: octo banker collection discovery evasion infostealer rat trojan stealth
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: f89b36bee38876b2757a0123d1a35bee9a7924d5b0688ff17f421db9172a58d5
Threat Level: Known bad

The file f89b36bee38876b2757a0123d1a35bee9a7924d5b0688ff17f421db9172a58d5.bin was found to be: Known bad.

Malicious Activity Summary

Octo

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Removes its main activity from the application launcher

Acquires the wake lock

Requests dangerous framework permissions

Reads information about phone network operator

Requests disabling of battery optimizations (often used to enable hiding in the background)

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Uses Crypto APIs (Might try to encrypt user data)

Analysis: static1

Detonation Overview

Reported: 2024-03-02 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-02 22:00
Reported: 2024-03-02 22:03
Platform: android-33-x64-arm64-20240229-en
Max time kernel: 150s
Max time network: 149s

Command Line

com.nameown12

Signatures

Octo

Tags: banker trojan infostealer rat octo

Makes use of the framework's Accessibility service

Tags: collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

Tags: discovery

Requests disabling of battery optimizations (often used to enable hiding in the background)

Tags: evasion

Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nameown12

Network


Files

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-02 22:00
Reported: 2024-03-02 22:03
Platform: android-x86-arm-20240221-en
Max time kernel: 141s
Max time network: 138s

Command Line

com.nameown12

Signatures

Octo

Tags: banker trojan infostealer rat octo

Makes use of the framework's Accessibility service

Tags: collection evasion

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Removes its main activity from the application launcher

Tags: stealth trojan evasion

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator

Tags: discovery

Requests disabling of battery optimizations (often used to enable hiding in the background)

Tags: evasion

Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nameown12

Network


Files
