Malware Analysis Report

2024-09-09 16:16

Sample ID: 240612-s5c9jazgpb
Target: 40377c817087c420dedeeb910a405a07a47029833d7fd33d15123d99766888d0.bin
SHA256: 40377c817087c420dedeeb910a405a07a47029833d7fd33d15123d99766888d0
Tags: octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 40377c817087c420dedeeb910a405a07a47029833d7fd33d15123d99766888d0
Threat Level: Known bad

The file 40377c817087c420dedeeb910a405a07a47029833d7fd33d15123d99766888d0.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo
Octo payload
Removes its main activity from the application launcher
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Loads dropped Dex/Jar
Makes use of the framework's Accessibility service
Queries the phone number (MSISDN for GSM devices)
Queries the mobile country code (MCC)
Requests disabling of battery optimizations (often used to enable hiding in the background).
Reads information about phone network operator.
Acquires the wake lock
Performs UI accessibility actions on behalf of the user
Declares services with permission to bind to the system
Requests dangerous framework permissions
Queries the unique device ID (IMEI, MEID, IMSI)
Declares broadcast receivers with permission to handle system events
Requests accessing notifications (often used to intercept notifications before users become aware).
Makes use of the framework's foreground persistence service
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-12 15:42

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 15:42
Reported: 2024-06-12 15:45
Platform: android-x86-arm-20240611.1-en
Max time kernel: 179s
Max time network: 144s

Command Line

com.keepnorth3

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.keepnorth3/cache/tobpmklxk | N/A | N/A
N/A | /data/user/0/com.keepnorth3/cache/tobpmklxk | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.keepnorth3

Network

Country | Destination | Domain | Proto

Files

/data/data/com.keepnorth3/cache/tobpmklxk

/data/data/com.keepnorth3/kl.txt

/data/data/com.keepnorth3/kl.txt

/data/data/com.keepnorth3/kl.txt

/data/data/com.keepnorth3/kl.txt

/data/data/com.keepnorth3/kl.txt

/data/data/com.keepnorth3/cache/oat/tobpmklxk.cur.prof

/data/data/com.keepnorth3/.qcom.keepnorth3


Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 15:42
Reported: 2024-06-12 15:45
Platform: android-x64-20240611.1-en
Max time kernel: 179s
Max time network: 183s

Command Line

com.keepnorth3

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.keepnorth3/cache/tobpmklxk | N/A | N/A
N/A | /data/user/0/com.keepnorth3/cache/tobpmklxk | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.keepnorth3

Network

Country | Destination | Domain | Proto

Files

/data/data/com.keepnorth3/cache/tobpmklxk

/data/data/com.keepnorth3/kl.txt

/data/data/com.keepnorth3/kl.txt

/data/data/com.keepnorth3/kl.txt

/data/data/com.keepnorth3/kl.txt

/data/data/com.keepnorth3/kl.txt

/data/data/com.keepnorth3/cache/oat/tobpmklxk.cur.prof

/data/data/com.keepnorth3/.qcom.keepnorth3
