Malware Analysis Report

2024-09-09 13:45

Sample ID 240509-1wvffsca94
Target 657d6c7f79d60e0f7e3458d26fe5c0c1b0e1e1576dc07e47ac488ffda8f6f616.bin
SHA256 657d6c7f79d60e0f7e3458d26fe5c0c1b0e1e1576dc07e47ac488ffda8f6f616
Tags: octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis Overview

Score: 10/10

SHA256

657d6c7f79d60e0f7e3458d26fe5c0c1b0e1e1576dc07e47ac488ffda8f6f616

Threat Level: Known bad

The file 657d6c7f79d60e0f7e3458d26fe5c0c1b0e1e1576dc07e47ac488ffda8f6f616.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests accessing notifications (often used to intercept notifications before users become aware).

Prevents application removal

Removes its main activity from the application launcher

Makes use of the framework's foreground persistence service

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Queries the mobile country code (MCC)

Queries the phone number (MSISDN for GSM devices)

Checks CPU information

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Acquires the wake lock

Queries the unique device ID (IMEI, MEID, IMSI)

Declares services with permission to bind to the system

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-09 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-09 22:00
Reported: 2024-05-09 22:04
Platform: android-x86-arm-20240506-en
Max time kernel: 148s
Max time network: 148s

Command Line

com.sonnokta

Signatures

Octo

banker trojan infostealer rat octo

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.sonnokta

Network


Files

/data/data/com.sonnokta/kl.txt

/data/data/com.sonnokta/.qcom.sonnokta

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-09 22:00
Reported: 2024-05-09 22:03
Platform: android-x64-20240506-en
Max time kernel: 151s
Max time network: 147s

Command Line

com.sonnokta

Signatures

Octo

banker trojan infostealer rat octo

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.sonnokta

Network


Files

/data/data/com.sonnokta/kl.txt

/data/data/com.sonnokta/.qcom.sonnokta

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-09 22:00
Reported: 2024-05-09 22:03
Platform: android-x64-arm64-20240506-en
Max time kernel: 150s
Max time network: 158s

Command Line

com.sonnokta

Signatures

Octo

banker trojan infostealer rat octo

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.sonnokta

Network


Files

/data/data/com.sonnokta/kl.txt

/data/data/com.sonnokta/.qcom.sonnokta