Malware Analysis Report

2024-09-09 16:16

Sample ID 240612-sx9b1azeqa
Target 7c97e4596816a9d5251c98f6271709867f4b50b89a8f4e9e24ac38ca7dc59cff.bin
SHA256 7c97e4596816a9d5251c98f6271709867f4b50b89a8f4e9e24ac38ca7dc59cff
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

7c97e4596816a9d5251c98f6271709867f4b50b89a8f4e9e24ac38ca7dc59cff

Threat Level: Known bad

The file 7c97e4596816a9d5251c98f6271709867f4b50b89a8f4e9e24ac38ca7dc59cff.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Acquires the wake lock

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Requests accessing notifications (often used to intercept notifications before users become aware).

Declares services with permission to bind to the system

Reads information about phone network operator

Queries the unique device ID (IMEI, MEID, IMSI)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-12 15:31

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 15:31

Reported

2024-06-12 15:34

Platform

android-x86-arm-20240611.1-en

Max time kernel

35s

Max time network

156s

Command Line

com.keepnorth3

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.keepnorth3/cache/tobpmklxk N/A N/A
N/A /data/user/0/com.keepnorth3/cache/tobpmklxk N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.keepnorth3

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 sankioguncokuzakk.top udp
US 1.1.1.1:53 taktimbirtipayivedekovayi.top udp
US 1.1.1.1:53 taktmkafayikapattmkafayi.xyz udp
US 1.1.1.1:53 dnliyomsadeceuzaktan.xyz udp
US 1.1.1.1:53 snayatkatalicam.xyz udp
US 1.1.1.1:53 birgunolucakelbeet.xyz udp
US 1.1.1.1:53 dememelalemnedeerr.top udp
US 1.1.1.1:53 hyatyumrukgibi.top udp
US 1.1.1.1:53 kirmizimavigelldii.xyz udp
US 1.1.1.1:53 saffetsafmigerckten.top udp
BG 194.59.30.2:443 hyatyumrukgibi.top tcp
US 1.1.1.1:53 fesatlarafesatkk.xyz udp
US 1.1.1.1:53 kfamhepkarambol.top udp
US 1.1.1.1:53 bitmeztukenmezbuenerjj.xyz udp
US 1.1.1.1:53 gecicekyramatuzatma.top udp
US 1.1.1.1:53 birbirbirdenikidir.top udp
US 1.1.1.1:53 ckinsanaffettmm.top udp
US 1.1.1.1:53 bileneaferinbilmeyeneketamn.xyz udp
US 1.1.1.1:53 olanlarigoruceez.xyz udp
US 1.1.1.1:53 savuryadarsavuun.xyz udp
BG 194.59.30.2:443 hyatyumrukgibi.top tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.202:443 semanticlocation-pa.googleapis.com tcp
BG 194.59.30.2:443 hyatyumrukgibi.top tcp
BG 194.59.30.2:443 hyatyumrukgibi.top tcp
BG 194.59.30.2:443 hyatyumrukgibi.top tcp
BG 194.59.30.2:443 hyatyumrukgibi.top tcp

Files

/data/data/com.keepnorth3/cache/tobpmklxk

MD5 ad99d2e463576d713843c4887b9fd92a
SHA1 c76a36c0af80c1705e479be87937508e7d1a64c4
SHA256 9c332c17cb07d2ac2bc37c15a01d78f92ab3dfd1bd39be89578125b0645ea111
SHA512 61a02d0e0d1ecd69134458c5086a38162056268eeaf60fc0396086f3f139c8151503ad4d02fd264a0d8885b3b45f138d821e6ac98e46e0b6e4868014f1bbda21

/data/data/com.keepnorth3/kl.txt

MD5 2f2496c707c2b46fdfe3dc522cf58469
SHA1 1be241762a7167cdc1e5bf9e8b6f8037ffba9f47
SHA256 31d94552a276453c1c6e995bced0053173002e02da8f8b9cb8511a4e9bba07d2
SHA512 9b212faddca9fe4361fc791c12a26a9e7ca4e8b8a3c03931f6c9f0c1e6f6ae6303d2a62e6074d560d4e7c267b5b6724f45651a0c5d3033fbefe98aae6b9a6f17

/data/data/com.keepnorth3/kl.txt

MD5 7bb289452937f41ff48a7afaadfae006
SHA1 b2741c761422fca3899e145b84462eebf33c98dd
SHA256 72c366733fe44f9672af96ea5d9f88bd6a176acea28301a3023d24c8b00bf672
SHA512 6da6fd2b2d468819caa44950ef49a80cc24a2a9074ca345e0056647d7cad74a19a931f1a6170d0cf003f147bc130d8972345e46802b0b72e2e92f2c1fcdc5ff1

/data/data/com.keepnorth3/kl.txt

MD5 68ef89105166fb419941c26e26b8be44
SHA1 d956d292d140cd0042fd7d2b328aeeac4a03e70b
SHA256 3815e9e3e53af16d7dab1ba9a947ee8383ffaf3bf1103f759d43e4b37ac3f39b
SHA512 dc0670a271cfe4448192162ce34a3fd7c0caf32b608f578d790af7c87378ac32c5f7c0f042e3533a1daad1714ed072dbe288492a368921039bc009e698495d6e

/data/data/com.keepnorth3/kl.txt

MD5 03a43e3df3cc3b2e160cea006e6fe692
SHA1 ac8df8454ebdc391861709f470b7fe033d9bda2d
SHA256 3e9c30bde9343a325c4dbc0f33ec7419d64cf9f92e25f395eeb0ca1a342827a9
SHA512 73658e477137609cd8e2666450f676e7295b386829e4bbb481ddebcd242e4ea1f69388cc5fe985f55cac9da03ac838480115d83ec551b3d54ed460b3d65dbd00

/data/data/com.keepnorth3/kl.txt

MD5 185d22ab9dd9ea48458f4431c02d5dec
SHA1 81d9190f2fa75473f42e2a567668346017aee302
SHA256 69dbe98d0c4d5c8f17898881e8ea03a1efb8576158bc304f3597abaaab504f52
SHA512 229400acb6f28eec647a9ba26c6fbe14b68dbabedf5e2a6543f153b76fd734f68e022ebb0626d2bf69e30d8499e3668f2917d70818ba156ef0eb8f4b578ed477

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 15:31

Reported

2024-06-12 15:34

Platform

android-x64-20240611.1-en

Max time kernel

74s

Max time network

180s

Command Line

com.keepnorth3

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.keepnorth3/cache/tobpmklxk N/A N/A
N/A /data/user/0/com.keepnorth3/cache/tobpmklxk N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.keepnorth3

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 fesatlarafesatkk.xyz udp
US 1.1.1.1:53 birgunolucakelbeet.xyz udp
US 1.1.1.1:53 sankioguncokuzakk.top udp
US 1.1.1.1:53 gecicekyramatuzatma.top udp
US 1.1.1.1:53 taktmkafayikapattmkafayi.xyz udp
GB 142.250.179.234:443 tcp
US 1.1.1.1:53 saffetsafmigerckten.top udp
US 1.1.1.1:53 ckinsanaffettmm.top udp
US 1.1.1.1:53 birbirbirdenikidir.top udp
US 1.1.1.1:53 savuryadarsavuun.xyz udp
US 1.1.1.1:53 snayatkatalicam.xyz udp
US 1.1.1.1:53 bitmeztukenmezbuenerjj.xyz udp
US 1.1.1.1:53 kfamhepkarambol.top udp
US 1.1.1.1:53 dememelalemnedeerr.top udp
US 1.1.1.1:53 dnliyomsadeceuzaktan.xyz udp
US 1.1.1.1:53 hyatyumrukgibi.top udp
US 1.1.1.1:53 kirmizimavigelldii.xyz udp
US 1.1.1.1:53 taktimbirtipayivedekovayi.top udp
BG 194.59.30.2:443 hyatyumrukgibi.top tcp
US 1.1.1.1:53 bileneaferinbilmeyeneketamn.xyz udp
US 1.1.1.1:53 olanlarigoruceez.xyz udp
BG 194.59.30.2:443 hyatyumrukgibi.top tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
BG 194.59.30.2:443 hyatyumrukgibi.top tcp
BG 194.59.30.2:443 hyatyumrukgibi.top tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
GB 142.250.200.46:443 tcp
BG 194.59.30.2:443 hyatyumrukgibi.top tcp
GB 142.250.200.46:443 tcp
GB 142.250.179.226:443 tcp
GB 216.58.204.67:443 tcp
GB 216.58.204.67:443 tcp
BG 194.59.30.2:443 hyatyumrukgibi.top tcp
BG 194.59.30.2:443 hyatyumrukgibi.top tcp
BG 194.59.30.2:443 hyatyumrukgibi.top tcp
BG 194.59.30.2:443 hyatyumrukgibi.top tcp
BG 194.59.30.2:443 hyatyumrukgibi.top tcp
BG 194.59.30.2:443 hyatyumrukgibi.top tcp

Files

/data/data/com.keepnorth3/cache/tobpmklxk

MD5 ad99d2e463576d713843c4887b9fd92a
SHA1 c76a36c0af80c1705e479be87937508e7d1a64c4
SHA256 9c332c17cb07d2ac2bc37c15a01d78f92ab3dfd1bd39be89578125b0645ea111
SHA512 61a02d0e0d1ecd69134458c5086a38162056268eeaf60fc0396086f3f139c8151503ad4d02fd264a0d8885b3b45f138d821e6ac98e46e0b6e4868014f1bbda21

/data/data/com.keepnorth3/kl.txt

MD5 a7345e45b2a392ea34a60487582c78e9
SHA1 c075e7f1d281ea028ea0e6cf5e279e19390dc9e3
SHA256 17d397f653efd42b3c21fb7cb3a126f968df1d07876e2dc473cc82b98d33f505
SHA512 843b3e33c899d7378c5c5ee0c67ca652818f4191a413ea427bf8c6ee0cf83bfedf060cebeed8ece362365d52f8d4a5e3d325ab0d34e77d5db9d99f35dd77cb1c

/data/data/com.keepnorth3/kl.txt

MD5 ab953c795104b34aa839c16e6a522e17
SHA1 45f336736791a94ed188489abb849589b0d88924
SHA256 b5c67ab5a3b5de06561ba6235abd65d1490939e6effe9ac023153f8362f48b69
SHA512 773225aa7cb0a96a7bbc4c97f76ffd6e540a4aee8a5bcd5742037219f0fbdc857fae6e23498916cb3b23ef503a963f03b875bf9a7881a0d8872ec52a5c15164a

/data/data/com.keepnorth3/kl.txt

MD5 1bf0babe85bdb8c0c063808c3bc80f67
SHA1 148121d187ea698f883c5a00e35d2d45bb87b324
SHA256 e092135499ed3cd85e22a4800d41a1e1b6e1dfa36e4922a90d4a86f07373b64c
SHA512 598fac40d119bb4105ab40ab74ec39081926ef8826d870b866381f93e70ac83c3615684e5ec756e574cb6b0fc79447c7c1577fbdfa86e51450d02c6e07b92110

/data/data/com.keepnorth3/kl.txt

MD5 bf9fc5e8ce21a8d07efc6c3df107bcba
SHA1 700f3aa02c4f62326f5c90a85102c2a29740a341
SHA256 756ea41e11a76dfc80d7f8c5167a92c7eccfcd9b20900be0f9047dedf57766fc
SHA512 03ef4ee1dcd4efc31f93e3cb2fb5f9f837466b2545fcbd5181aabe4e1dba13e6e2614effa587f8d3566b022a7fe61ceca522abfcb2ae99187261f48835eeeed4

/data/data/com.keepnorth3/kl.txt

MD5 f56cb9d1dbd5b781ed1ac8678ca747af
SHA1 ba497291d93cbb7d37687b5dfbb926f4d814b664
SHA256 716497c557257fb1f0fcdd082d1d0f8e956ff25bb347ccb66b6fb90f55af8d2b
SHA512 faf57382c88e58095fa1239424b126455a453e9f125e150f29731db77051576dd22e40e179868567dc5cbd890509fe217c798bf2ff70107d69eb0ea3bbbde296

/data/data/com.keepnorth3/cache/oat/tobpmklxk.cur.prof

MD5 0b1ee6391454c178898cb4673d4c584c
SHA1 b59510f13a2dfa67c04271d0f952019d99810011
SHA256 c25853847bc89fed04a4c11ca4ae14a5ca1cf51aac691ab97a04e99606bf479c
SHA512 bca1e126f337885bcad1f0f5163eb95331151587e4df2fb66a082d9279974397e7e07b7e9242b62f1697960dc0550967ade2e434340aedaeaaf14b58a056358f

/data/data/com.keepnorth3/.qcom.keepnorth3

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c