Malware Analysis Report

2024-10-19 12:57

Sample ID 240302-1wvffshg8t
Target 6fd7c95b5cb68b2849ec0de17f98419b9a3c82f81a8dd67fc322db05f5407791.bin
SHA256 6fd7c95b5cb68b2849ec0de17f98419b9a3c82f81a8dd67fc322db05f5407791
Tags octo banker collection discovery evasion infostealer rat stealth trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Mobile Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256

6fd7c95b5cb68b2849ec0de17f98419b9a3c82f81a8dd67fc322db05f5407791

Threat Level: Known bad

The file 6fd7c95b5cb68b2849ec0de17f98419b9a3c82f81a8dd67fc322db05f5407791.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection discovery evasion infostealer rat stealth trojan

Octo

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Acquires the wake lock

Requests disabling of battery optimizations (often used to enable hiding in the background)

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Uses Crypto APIs (might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 22:00

Reported

2024-03-02 22:03

Platform

android-x86-arm-20240221-en

Max time kernel

35s

Max time network

141s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background)

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.nameown12

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.178.10:443 semanticlocation-pa.googleapis.com tcp
RU 45.93.20.111:7117 45.93.20.111 tcp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
RU 45.93.20.111:7117 45.93.20.111 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
RU 45.93.20.111:7117 45.93.20.111 tcp
RU 45.93.20.111:7117 tcp
RU 45.93.20.111:7117 tcp
RU 45.93.20.111:7117 tcp

Files

/data/data/com.nameown12/kl.txt


Analysis: behavioral2

Detonation Overview

Submitted

2024-03-02 22:00

Reported

2024-03-02 22:03

Platform

android-x64-20240221-en

Max time kernel

152s

Max time network

147s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Makes use of the framework's Accessibility service

collection evasion
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Uses Crypto APIs (might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.nameown12

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
RU 45.93.20.111:7117 45.93.20.111 tcp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
RU 45.93.20.111:7117 45.93.20.111 tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.195:443 tcp
GB 142.250.178.14:443 android.apis.google.com tcp
RU 45.93.20.111:7117 45.93.20.111 tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
RU 45.93.20.111:7117 45.93.20.111 tcp
RU 45.93.20.111:7117 45.93.20.111 tcp
RU 45.93.20.111:7117 45.93.20.111 tcp
GB 142.250.187.238:443 tcp
GB 172.217.169.34:443 tcp
RU 45.93.20.111:7117 45.93.20.111 tcp

Files

/data/data/com.nameown12/kl.txt

/data/data/com.nameown12/.qcom.nameown12