Malware Analysis Report

2024-09-09 16:38

Sample ID 240612-s1ab3szfma
Target 76d7e7392319e855d23dc92d2b9bbe05a88b0e437a4e3f1525ec4d73a71f49e2.bin
SHA256 76d7e7392319e855d23dc92d2b9bbe05a88b0e437a4e3f1525ec4d73a71f49e2
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Analysis Overview

score
10/10

SHA256

76d7e7392319e855d23dc92d2b9bbe05a88b0e437a4e3f1525ec4d73a71f49e2

Threat Level: Known bad

The file 76d7e7392319e855d23dc92d2b9bbe05a88b0e437a4e3f1525ec4d73a71f49e2.bin was found to be: Known bad.

Malicious Activity Summary

Octo payload

Octo

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests dangerous framework permissions

Declares services with permission to bind to the system

Requests disabling of battery optimizations (often used to enable hiding in the background).

Queries the unique device ID (IMEI, MEID, IMSI)

Requests accessing notifications (often used to intercept notifications before users become aware).

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator.

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Acquires the wake lock

Performs UI accessibility actions on behalf of the user

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-12 15:35

Signatures

Declares broadcast receivers with permission to handle system events

Indicator: android.permission.BIND_DEVICE_ADMIN
Description: Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

Indicator: android.permission.BIND_ACCESSIBILITY_SERVICE
Description: Required by accessibility services to bind with the system. Allows apps to access accessibility features.

Indicator: android.permission.BIND_NOTIFICATION_LISTENER_SERVICE
Description: Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.

Requests dangerous framework permissions

Indicator: android.permission.RECEIVE_SMS
Description: Allows an application to receive SMS messages.

Indicator: android.permission.READ_SMS
Description: Allows an application to read SMS messages.

Indicator: android.permission.SEND_SMS
Description: Allows an application to send SMS messages.

Indicator: android.permission.CALL_PHONE
Description: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.

Indicator: android.permission.WRITE_SETTINGS
Description: Allows an application to read or write the system settings.

Indicator: android.permission.READ_PHONE_STATE
Description: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 15:34

Reported

2024-06-12 15:38

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

139s

Command Line

com.keepnorth3

Signatures

Octo

banker trojan infostealer rat octo

Octo payload


Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Indicator: /data/user/0/com.keepnorth3/cache/tobpmklxk
Indicator: /data/user/0/com.keepnorth3/cache/tobpmklxk

Makes use of the framework's Accessibility service

collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service

evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user

evasion
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction

Queries the mobile country code (MCC)

discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call: android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)

impact
Framework API call: javax.crypto.Cipher.doFinal

Processes

com.keepnorth3

Network

Files

/data/data/com.keepnorth3/cache/tobpmklxk

/data/data/com.keepnorth3/kl.txt

/data/data/com.keepnorth3/kl.txt

/data/data/com.keepnorth3/kl.txt

/data/data/com.keepnorth3/kl.txt

/data/data/com.keepnorth3/kl.txt

/data/data/com.keepnorth3/cache/oat/tobpmklxk.cur.prof

/data/data/com.keepnorth3/.qcom.keepnorth3

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 15:34

Reported

2024-06-12 15:38

Platform

android-x64-20240611.1-en

Max time kernel

179s

Max time network

173s

Command Line

com.keepnorth3

Signatures

Octo

banker trojan infostealer rat octo

Octo payload


Loads dropped Dex/Jar

evasion
Indicator: /data/user/0/com.keepnorth3/cache/tobpmklxk
Indicator: /data/user/0/com.keepnorth3/cache/tobpmklxk

Makes use of the framework's Accessibility service

collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service

evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user

evasion
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction

Queries the mobile country code (MCC)

discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Framework service call: android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)

impact
Framework API call: javax.crypto.Cipher.doFinal

Processes

com.keepnorth3

Network

Files

/data/data/com.keepnorth3/cache/tobpmklxk

/data/data/com.keepnorth3/kl.txt

/data/data/com.keepnorth3/kl.txt

/data/data/com.keepnorth3/kl.txt

/data/data/com.keepnorth3/kl.txt

/data/data/com.keepnorth3/kl.txt

/data/data/com.keepnorth3/cache/oat/tobpmklxk.cur.prof

/data/data/com.keepnorth3/.qcom.keepnorth3
