Malware Analysis Report

2024-09-09 16:33

Sample ID 240612-ss5s1stekj
Target 91827e2e1e23cd5335ea3bcf9c78d1de390adf6d22f7f351ca42c8f419ac73c3.bin
SHA256 91827e2e1e23cd5335ea3bcf9c78d1de390adf6d22f7f351ca42c8f419ac73c3
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

91827e2e1e23cd5335ea3bcf9c78d1de390adf6d22f7f351ca42c8f419ac73c3

Threat Level: Known bad

The file 91827e2e1e23cd5335ea3bcf9c78d1de390adf6d22f7f351ca42c8f419ac73c3.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Queries the unique device ID (IMEI, MEID, IMSI)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Requests accessing notifications (often used to intercept notifications before users become aware).

Acquires the wake lock

Performs UI accessibility actions on behalf of the user

Reads information about phone network operator.

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-12 15:24

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
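The three static signatures above are all manifest facts: which permissions the APK requests, and which components are declared with a system-bind permission (the marker of an accessibility service, a notification listener and a device-admin receiver). The following Python is an added example, not part of the sandbox report, showing the check an analyst would run on a decoded manifest to reproduce those signatures and to call out the combinations that define a banker. The manifest string is constructed from the permissions and bind permissions listed in this section; the package name is the sample's, while the component class names (.A11yService, .NotifService, .AdminReceiver) are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the static1 section of this report flags as dangerous.
DANGEROUS_PERMS = {
    "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.CALL_PHONE",
    "android.permission.WRITE_SETTINGS", "android.permission.READ_PHONE_STATE",
}
# A component declares one of these so that only the system may bind to it;
# seeing it on a <service>/<receiver> is what the two "Declares ..." signatures key on.
BIND_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification_listener",
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
}

def triage_manifest(xml_text):
    """Return requested dangerous permissions, system-bound components by role,
    and the banker-relevant combinations found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    dangerous = sorted(requested & DANGEROUS_PERMS)

    bound = {}
    app = root.find("application")
    for comp in list(app.iter("service")) + list(app.iter("receiver")):
        role = BIND_PERMS.get(comp.get(ANDROID_NS + "permission"))
        if role:
            bound.setdefault(role, []).append(comp.get(ANDROID_NS + "name"))

    findings = []
    sms = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"} & requested
    if "accessibility" in bound and sms:
        # Act on the screen on the user's behalf and read SMS OTPs: overlay/ATS profile.
        findings.append("accessibility+sms")
    if "notification_listener" in bound:
        # OTPs and bank alerts delivered as notifications become readable.
        findings.append("notification_otp")
    if "device_admin" in bound:
        # Device admin resists uninstall and can lock the screen.
        findings.append("device_admin")
    if requested & {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}:
        # Send SMS or place calls without the Dialer asking the user.
        findings.append("sms_call_abuse")
    return {"dangerous": dangerous, "bound": bound, "findings": findings}

# Constructed manifest: permissions and bind permissions from this report's
# static1 section; component class names are placeholders.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.keepnorth3">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    result = triage_manifest(MANIFEST)
    print("dangerous:", result["dangerous"])
    print("system-bound components:", result["bound"])
    print("findings:", result["findings"])
```

The manifest inside a real APK is binary AXML, so decode it first (for example with apktool or androguard) before feeding it to this check. A declaration is not a grant: the SMS and phone permissions are runtime permissions, and the accessibility and notification-listener services only work once the user enables them in Settings, which is exactly why the behavioral runs below show the sample opening the notification-listener settings page and asking to be exempted from battery optimization.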

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 15:24

Reported

2024-06-12 15:27

Platform

android-x86-arm-20240611.1-en

Max time kernel

179s

Max time network

161s

Command Line

com.keepnorth3

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.keepnorth3/cache/tobpmklxk | N/A | N/A
N/A | /data/user/0/com.keepnorth3/cache/tobpmklxk | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.keepnorth3

Network

Country | Destination | Domain | Proto
GB | 172.217.169.74:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | dnliyomsadeceuzaktan.xyz | udp
US | 1.1.1.1:53 | birbirbirdenikidir.top | udp
US | 1.1.1.1:53 | bileneaferinbilmeyeneketamn.xyz | udp
US | 1.1.1.1:53 | sankioguncokuzakk.top | udp
US | 1.1.1.1:53 | fesatlarafesatkk.xyz | udp
US | 1.1.1.1:53 | dememelalemnedeerr.top | udp
US | 1.1.1.1:53 | birgunolucakelbeet.xyz | udp
US | 1.1.1.1:53 | kfamhepkarambol.top | udp
US | 1.1.1.1:53 | snayatkatalicam.xyz | udp
US | 1.1.1.1:53 | gecicekyramatuzatma.top | udp
US | 1.1.1.1:53 | taktimbirtipayivedekovayi.top | udp
US | 1.1.1.1:53 | saffetsafmigerckten.top | udp
US | 1.1.1.1:53 | ckinsanaffettmm.top | udp
US | 1.1.1.1:53 | hyatyumrukgibi.top | udp
US | 1.1.1.1:53 | bitmeztukenmezbuenerjj.xyz | udp
US | 1.1.1.1:53 | olanlarigoruceez.xyz | udp
BG | 194.59.30.2:443 | hyatyumrukgibi.top | tcp
BG | 194.59.30.2:443 | hyatyumrukgibi.top | tcp
GB | 142.250.187.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
GB | 216.58.212.234:443 | N/A | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
BG | 194.59.30.2:443 | hyatyumrukgibi.top | tcp
BG | 194.59.30.2:443 | hyatyumrukgibi.top | tcp
BG | 194.59.30.2:443 | hyatyumrukgibi.top | tcp
BG | 194.59.30.2:443 | hyatyumrukgibi.top | tcp

Files

/data/data/com.keepnorth3/cache/tobpmklxk

MD5 ad99d2e463576d713843c4887b9fd92a
SHA1 c76a36c0af80c1705e479be87937508e7d1a64c4
SHA256 9c332c17cb07d2ac2bc37c15a01d78f92ab3dfd1bd39be89578125b0645ea111
SHA512 61a02d0e0d1ecd69134458c5086a38162056268eeaf60fc0396086f3f139c8151503ad4d02fd264a0d8885b3b45f138d821e6ac98e46e0b6e4868014f1bbda21

/data/data/com.keepnorth3/kl.txt

MD5 701d0c209708d1aaf8211a4dea8d9c09
SHA1 b1397e0807d5cc1340883a342dba2119ec6952bb
SHA256 04fd630b394612c2b4b1f9dcd9aa2f122af0ea3130b480cbdf2aaed1bb6b8ad2
SHA512 2e9fea01537fdab104882b509266a1ae72a023363e2199d049c847237ef2e3168350defbf67fdb220dd795ef7b9b4ea37cfd366a694859205352e3b7474ed840

/data/data/com.keepnorth3/kl.txt

MD5 a30bbbfb30c916baa03caf0e88cdf528
SHA1 800036acb3614680455d2bac30233ad0451e90ea
SHA256 8e7df90f3a23c4a35340e374c2066aa3d17620881de1412ee2944840a3432668
SHA512 93b0e9b34bb466a639e543e1e035bf070540e0c59f2cb4c21e485c77a7ad1d07a0dfd73e12fc805f464b98353cae7fb63340ecbec8edebf50fe8ef60eaee0626

/data/data/com.keepnorth3/kl.txt

MD5 66a73d3a5c7ac1944807ca17ef470997
SHA1 ddae71c76ec110a19eb646164b83a8650059b066
SHA256 572f1794000420d43e8c73f55160e94ab18b75e2d7a89cf2457b11ef642be5e5
SHA512 64820dd0f6d34897afa530b3ee34157240a84c9c9964ddd90fc7aaaf11860310d88a75edd101e5bbc02149a6c3367f017317e326ae262e9453d6adec280cfa48

/data/data/com.keepnorth3/kl.txt

MD5 6b69e55b5027dde56af1be0cd9386ff4
SHA1 a67a7aa30c130a76c73a09e2c3f538b2eeb620ec
SHA256 745c9c2d39a538af6924433f68186021fee424f0e16bb1abdc2a622ed28a9cdb
SHA512 ffa4c8c0da20cf60195e2b1369a6b61fa637ab4ab722f1f7ed602ad751a1b8bd49ddb59b69f56427110e0b2e37e760d348d5a4e307e062518a57d65f813ecfb1

/data/data/com.keepnorth3/kl.txt

MD5 7cb2e69baa41083caa1d92e421e06250
SHA1 72f8b11885d96d471993654afce52e327110554d
SHA256 d2cd53f5c8135ef6b4333784c09f3cfc6f22ed4e49c3e0bd3910dfbad9e51714
SHA512 f7d35c7f8db9a4b719acbe89394fda8216b1e3f7b4c1b6861a7d9f422f45b506dc35b3c516a892fb2dbd748bc42cd7e1cdbd557ff2aacef10836cbd927e9eb4d

/data/data/com.keepnorth3/cache/oat/tobpmklxk.cur.prof

MD5 34cc3b872b76da8ea0fcd04857b6decd
SHA1 657ccc6e8907a4a851eb5dd48351605897de3d8c
SHA256 0a789c7c2464977441952b99feb18672ee0aa5e9f8b81e47195b2505a8ec41b7
SHA512 2868dc999df44a86f5a834deeeffc6a19ca3bdd52f5797ab6712982cfa4c7935902e7e0d25b1eabf5dae367b2accda13fc911977db0eee21f27429c98d2e5059

/data/data/com.keepnorth3/.qcom.keepnorth3

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 15:24

Reported

2024-06-12 15:27

Platform

android-x64-arm64-20240611.1-en

Max time kernel

179s

Max time network

183s

Command Line

com.keepnorth3

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.keepnorth3/cache/tobpmklxk | N/A | N/A
N/A | /data/user/0/com.keepnorth3/cache/tobpmklxk | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.keepnorth3

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | bileneaferinbilmeyeneketamn.xyz | udp
US | 1.1.1.1:53 | snayatkatalicam.xyz | udp
US | 1.1.1.1:53 | saffetsafmigerckten.top | udp
US | 1.1.1.1:53 | dememelalemnedeerr.top | udp
US | 1.1.1.1:53 | kirmizimavigelldii.xyz | udp
US | 1.1.1.1:53 | birbirbirdenikidir.top | udp
US | 1.1.1.1:53 | kfamhepkarambol.top | udp
US | 1.1.1.1:53 | gormedenglenlereslm.xyz | udp
US | 1.1.1.1:53 | hyatyumrukgibi.top | udp
BG | 194.59.30.2:443 | hyatyumrukgibi.top | tcp
US | 1.1.1.1:53 | sankioguncokuzakk.top | udp
US | 1.1.1.1:53 | birgunolucakelbeet.xyz | udp
US | 1.1.1.1:53 | fesatlarafesatkk.xyz | udp
US | 1.1.1.1:53 | bitmeztukenmezbuenerjj.xyz | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 1.1.1.1:53 | taktimbirtipayivedekovayi.top | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | gecicekyramatuzatma.top | udp
US | 1.1.1.1:53 | dnliyomsadeceuzaktan.xyz | udp
US | 1.1.1.1:53 | taktmkafayikapattmkafayi.xyz | udp
BG | 194.59.30.2:443 | hyatyumrukgibi.top | tcp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
BG | 194.59.30.2:443 | hyatyumrukgibi.top | tcp
GB | 216.58.201.100:443 | N/A | tcp
GB | 216.58.201.100:443 | N/A | tcp
BG | 194.59.30.2:443 | hyatyumrukgibi.top | tcp
BG | 194.59.30.2:443 | hyatyumrukgibi.top | tcp
BG | 194.59.30.2:443 | hyatyumrukgibi.top | tcp
BG | 194.59.30.2:443 | hyatyumrukgibi.top | tcp
BG | 194.59.30.2:443 | hyatyumrukgibi.top | tcp
BG | 194.59.30.2:443 | hyatyumrukgibi.top | tcp
BG | 194.59.30.2:443 | hyatyumrukgibi.top | tcp
BG | 194.59.30.2:443 | hyatyumrukgibi.top | tcp
BG | 194.59.30.2:443 | hyatyumrukgibi.top | tcp
BG | 194.59.30.2:443 | hyatyumrukgibi.top | tcp
BG | 194.59.30.2:443 | hyatyumrukgibi.top | tcp
BG | 194.59.30.2:443 | hyatyumrukgibi.top | tcp
BG | 194.59.30.2:443 | hyatyumrukgibi.top | tcp
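The Network tables of both behavioral runs show the same shape: a burst of DNS lookups for run-together-phrase domains, almost none of which is followed by a connection, and repeated port-443 connections to 194.59.30.2 for hyatyumrukgibi.top, the one name that answered. That is the pattern of a sample walking a list of candidate C2 domains until one responds. The Python below is an added example, not part of the sandbox report: it parses rows copied from these tables (in the layout Country | Destination | Domain | Proto, with N/A for an empty Domain column, or the bare whitespace layout) and separates the live C2, the fallback domains and Google platform traffic, then renders a flat IOC list. The platform-suffix allowlist and the role labels are the analyst's assumptions. The sandbox does not show DNS answers, so "DNS only" here means no connection followed, not necessarily NXDOMAIN.

```python
from collections import defaultdict

# Constructed input: a subset of the rows from the behavioral1 and behavioral2
# Network tables in this report, copied verbatim.
NETWORK_ROWS = """\
Country | Destination | Domain | Proto
GB | 172.217.169.74:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | dnliyomsadeceuzaktan.xyz | udp
US | 1.1.1.1:53 | birbirbirdenikidir.top | udp
US | 1.1.1.1:53 | bileneaferinbilmeyeneketamn.xyz | udp
US | 1.1.1.1:53 | sankioguncokuzakk.top | udp
US | 1.1.1.1:53 | fesatlarafesatkk.xyz | udp
US | 1.1.1.1:53 | kirmizimavigelldii.xyz | udp
US | 1.1.1.1:53 | taktmkafayikapattmkafayi.xyz | udp
US | 1.1.1.1:53 | hyatyumrukgibi.top | udp
BG | 194.59.30.2:443 | hyatyumrukgibi.top | tcp
BG | 194.59.30.2:443 | hyatyumrukgibi.top | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
"""

# Assumption: domain suffixes the analyst treats as platform/telemetry traffic
# generated by the Android system or Google libraries, not by the C2 logic.
PLATFORM_SUFFIXES = (".google.com", ".googleapis.com", ".google-analytics.com")

def parse_rows(text):
    """Accept both the pipe-separated and the bare whitespace table layouts.
    Returns (country, destination, domain-or-None, proto) tuples."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")] if "|" in line else line.split()
        if len(parts) < 3 or parts[0] == "Country":
            continue
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 and parts[2] != "N/A" else None
        rows.append((country, dest, domain, proto))
    return rows

def classify(rows):
    """Split observed traffic into: domains actually connected to (C2),
    domains only resolved (fallback list), platform noise, and TCP flows
    the sandbox could not attribute to a name."""
    dns_seen, tcp_by_domain, unattributed = set(), defaultdict(set), set()
    for _country, dest, domain, proto in rows:
        if domain is None:
            if proto == "tcp":
                unattributed.add(dest)
            continue                      # mDNS and similar: no name to pivot on
        if proto == "udp" and dest.endswith(":53"):
            dns_seen.add(domain)
        elif proto == "tcp":
            tcp_by_domain[domain].add(dest)
    platform = {d for d in dns_seen | set(tcp_by_domain) if d.endswith(PLATFORM_SUFFIXES)}
    contacted = {d: s for d, s in tcp_by_domain.items() if d not in platform}
    dns_only = sorted(d for d in dns_seen if d not in tcp_by_domain and d not in platform)
    return {"contacted": contacted, "dns_only": dns_only,
            "platform": platform, "unattributed": unattributed}

def blocklist(result):
    """Flat tab-separated IOC lines: live C2 (domain + IP) first, then the
    fallback domains the sample resolved but never reached."""
    lines = []
    for domain, dests in sorted(result["contacted"].items()):
        for dest in sorted(dests):
            lines.append(f"c2\t{domain}\t{dest.rsplit(':', 1)[0]}")
    lines += [f"fallback\t{d}\t-" for d in result["dns_only"]]
    return lines

if __name__ == "__main__":
    for line in blocklist(classify(parse_rows(NETWORK_ROWS))):
        print(line)
```

Block both tiers: the fallback domains are the ones the sample will move to when the live C2 is taken down, and the two runs already differ in which names appear, so the list should be treated as partial.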

Files

/data/data/com.keepnorth3/cache/tobpmklxk

MD5 ad99d2e463576d713843c4887b9fd92a
SHA1 c76a36c0af80c1705e479be87937508e7d1a64c4
SHA256 9c332c17cb07d2ac2bc37c15a01d78f92ab3dfd1bd39be89578125b0645ea111
SHA512 61a02d0e0d1ecd69134458c5086a38162056268eeaf60fc0396086f3f139c8151503ad4d02fd264a0d8885b3b45f138d821e6ac98e46e0b6e4868014f1bbda21

/data/data/com.keepnorth3/kl.txt

MD5 6667e81a2cdefccddec739b24c4fc780
SHA1 83db0cb2b40be601c6ac26e990103b79c1a0b904
SHA256 95619503de667586b7a7d6eaca1b6c1cef6cb02935b21195e90c6a1f2c1d0de4
SHA512 539552166724291abfad3a734faf81d7795807662cdad978db4bc9f3de19f140b0ce9d84cd207f6c1f94b7819f8746970cbe47379e8fb1f914a81967a490c1f4

/data/data/com.keepnorth3/kl.txt

MD5 9314e33daac8168b1998915165fa2778
SHA1 65a77465cc65588e0fa43ce1acf77c27f32ece23
SHA256 28f93d975ffaed0bdb30c37917b428db51ab18bff0c414e49fb28d274ea4dd11
SHA512 c09c2af36984c379026d7265850083f7d89f487dc5224fe19e001d77786e7c0a7f3c6e9fbb032f125f269ceec3081ead2fed979b0513ce55cd386263170f7c84

/data/data/com.keepnorth3/kl.txt

MD5 66a73d3a5c7ac1944807ca17ef470997
SHA1 ddae71c76ec110a19eb646164b83a8650059b066
SHA256 572f1794000420d43e8c73f55160e94ab18b75e2d7a89cf2457b11ef642be5e5
SHA512 64820dd0f6d34897afa530b3ee34157240a84c9c9964ddd90fc7aaaf11860310d88a75edd101e5bbc02149a6c3367f017317e326ae262e9453d6adec280cfa48

/data/data/com.keepnorth3/kl.txt

MD5 7b846f67bfb37450725edf25d1788ca6
SHA1 659e55267c6df3e4506e80a2128eb9c49d2dc5d8
SHA256 326f276ef7de1ac63a99b5bb3d0077496b870ed7003d4be39662ed35664dadeb
SHA512 9f9755f7c797df6e96dc5d945877b3146b1f645f594972edae3d7b1f0531bf5a4c95fe89711a6cf9d3e642acef9ab84f59d7a13771b3be139fe5c0a07f111b36

/data/data/com.keepnorth3/kl.txt

MD5 426c9a8a339f162b2befc5d2c0f35fb9
SHA1 1b491b3951fab4d5e9d3ec2dea199a922c4abd24
SHA256 530ae53e82e163099abe0195c5ad44eee09f7ab33b42bc3a4391d641962660e4
SHA512 9d3587eeb6a1ada6d12d8d9dd9cc352c02e860de9bfa0a16d8b590e137ff6a695b3976a7e705947c784929b3ea111104865528a2316bac431b8e3a3305f25086

/data/data/com.keepnorth3/cache/oat/tobpmklxk.cur.prof

MD5 6af296a4890d07bc32d95fd1e3e52565
SHA1 0a9439c4ec0ed87c4dc0a7cefffc8febd75aefc5
SHA256 9a1d0a6b487fb16e20fd4af80e70d40802b5495900a1442c7f9b92234f0580e3
SHA512 f81592562c69c8f3fb9713d5930cc0385c6a6ffc11c01bb92cbc22b11c6aeef9cd57d360f8c3825f0f527a5dd88b3abe8237fe5328c289272af9dd5a5171657e

/data/data/com.keepnorth3/.qcom.keepnorth3

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c
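Three things in the Files listings of both behavioral runs tie the "Loads dropped Dex/Jar" signature together. The dropped code is /data/user/0/com.keepnorth3/cache/tobpmklxk (the signature path) and /data/data/com.keepnorth3/cache/tobpmklxk (the Files path) are the same file, because /data/data/<pkg> is a symlink to /data/user/0/<pkg>; its hash is identical in both runs. The profile file cache/oat/tobpmklxk.cur.prof beside it is the artifact ART writes for a secondary dex it has actually executed, so the payload was not merely dropped but run. And kl.txt has five different hashes for one path inside a run of about three minutes, so it is rewritten continuously; the report does not show its contents. The Python below is an added example, not part of the sandbox report, that applies these checks to a pulled app data directory: it classifies dropped files by magic bytes, folds the two path spellings, and matches oat/*.cur.prof profiles back to the dex they prove was loaded. The sample input is constructed from the paths in this report; the file contents are placeholders, since only the hashes, not the bytes, are on the page.

```python
import hashlib
import posixpath

# Headers of the code formats a dropped file can be loaded as.
DEX_MAGIC = b"dex\n"       # followed by 3-digit version and NUL, e.g. dex\n035\0
ZIP_MAGIC = b"PK\x03\x04"  # .jar/.apk wrapping a classes.dex
ELF_MAGIC = b"\x7fELF"     # native library

def classify_blob(data):
    """Coarse type of a file from its first bytes."""
    if data.startswith(DEX_MAGIC) and len(data) >= 8 and data[7:8] == b"\x00":
        return "dex"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(ELF_MAGIC):
        return "elf"
    return "other"

def canonical(path):
    """/data/data/<pkg>/ is a symlink to /data/user/0/<pkg>/; fold both
    spellings so the signature path and the Files listing compare equal."""
    prefix = "/data/data/"
    return "/data/user/0/" + path[len(prefix):] if path.startswith(prefix) else path

def triage_app_dir(files, package):
    """files: {path: bytes}. Returns loadable code found under the app's own
    writable directory, plus which of it ART has profiled (i.e. executed)."""
    base = f"/data/user/0/{package}/"
    items = {canonical(p): d for p, d in files.items()}
    dropped, loaded = {}, set()
    for path, data in items.items():
        if not path.startswith(base):
            continue
        kind = classify_blob(data)
        if kind in ("dex", "zip", "elf"):
            dropped[path] = {"type": kind, "sha256": hashlib.sha256(data).hexdigest()}
    for path in items:
        # ART keeps the profile of a secondary dex at <dir>/oat/<name>.cur.prof
        # next to the dex; map the profile stem back to the dropped file.
        directory, fname = posixpath.split(path)
        if posixpath.basename(directory) == "oat" and fname.endswith(".cur.prof"):
            candidate = posixpath.join(posixpath.dirname(directory), fname[: -len(".cur.prof")])
            if candidate in dropped:
                loaded.add(candidate)
    return {"dropped": dropped, "loaded": sorted(loaded)}

# Constructed sample: paths from this report, placeholder contents. Only the
# DEX header of the cache file is meaningful; the rest is padding.
SAMPLE = {
    "/data/user/0/com.keepnorth3/cache/tobpmklxk": b"dex\n035\x00" + b"\x00" * 64,
    "/data/data/com.keepnorth3/cache/oat/tobpmklxk.cur.prof": b"\x00" * 16,
    "/data/data/com.keepnorth3/kl.txt": b"placeholder\n",
    "/data/data/com.keepnorth3/.qcom.keepnorth3": b"\x00" * 8,
}

if __name__ == "__main__":
    result = triage_app_dir(SAMPLE, "com.keepnorth3")
    for path, info in result["dropped"].items():
        state = "LOADED" if path in result["loaded"] else "dropped only"
        print(f"{path}\t{info['type']}\t{info['sha256']}\t{state}")
```

On a device or emulator image the same check runs over the files pulled from /data/user/0/com.keepnorth3; a dex in the cache directory whose SHA256 matches the value in the Files listing above (9c332c17…ea111) is the Octo second stage, and the presence of its oat/ profile is the evidence to cite that it executed.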