Malware Analysis Report

2024-09-09 13:51

Sample ID 240722-1y7tka1akc
Target 08affa968ba39f0d0a215b98d7eda66d5d850ffe13a2fd2a898b495b36638a4f.bin
SHA256 08affa968ba39f0d0a215b98d7eda66d5d850ffe13a2fd2a898b495b36638a4f
Tags
octo banker discovery evasion infostealer rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

08affa968ba39f0d0a215b98d7eda66d5d850ffe13a2fd2a898b495b36638a4f

Threat Level: Known bad

The file 08affa968ba39f0d0a215b98d7eda66d5d850ffe13a2fd2a898b495b36638a4f.bin was found to be: Known bad.

Malicious Activity Summary

octo banker discovery evasion infostealer rat trojan

Octo

Octo family

Octo payload

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-22 22:04

Signatures

Octo family

octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Declares broadcast receivers with permission to handle system events

Indicator android.permission.BIND_DEVICE_ADMIN
Description Required by device admin receivers to bind with the system. Allows apps to manage device administration features.
Process N/A
Target N/A

Declares services with permission to bind to the system

Indicator android.permission.BIND_ACCESSIBILITY_SERVICE
Description Required by accessibility services to bind with the system. Allows apps to access accessibility features.
Process N/A
Target N/A

Indicator android.permission.BIND_NOTIFICATION_LISTENER_SERVICE
Description Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.
Process N/A
Target N/A

Requests dangerous framework permissions

Indicator android.permission.READ_EXTERNAL_STORAGE
Description Allows an application to read from external storage.
Process N/A
Target N/A

Indicator android.permission.WRITE_EXTERNAL_STORAGE
Description Allows an application to write to external storage.
Process N/A
Target N/A

Indicator android.permission.RECEIVE_SMS
Description Allows an application to receive SMS messages.
Process N/A
Target N/A

Indicator android.permission.READ_SMS
Description Allows an application to read SMS messages.
Process N/A
Target N/A

Indicator android.permission.READ_PHONE_STATE
Description Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
Process N/A
Target N/A

Indicator android.permission.SEND_SMS
Description Allows an application to send SMS messages.
Process N/A
Target N/A

Indicator android.permission.CALL_PHONE
Description Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
Process N/A
Target N/A

Indicator android.permission.WRITE_SETTINGS
Description Allows an application to read or write the system settings.
Process N/A
Target N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-22 22:04

Reported

2024-07-22 22:24

Platform

android-x86-arm-20240624-en

Max time kernel

2s

Max time network

176s

Command Line

com.nameown12

Signatures

N/A

Processes

com.nameown12

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.74:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 tisavoraktsstumahozexe.xyz udp
US 1.1.1.1:53 androstormxnow.xyz udp
US 1.1.1.1:53 tnisvsorupazuxehome.xyz udp
US 1.1.1.1:53 mubarekzamanalsa.xyz udp
US 1.1.1.1:53 esrdinclimarxketxu.xyz udp
NL 194.55.186.84:443 esrdinclimarxketxu.xyz tcp
US 1.1.1.1:53 www.ip-api.com udp
NL 194.55.186.84:443 esrdinclimarxketxu.xyz tcp
US 208.95.112.1:80 www.ip-api.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
NL 194.55.186.84:443 esrdinclimarxketxu.xyz tcp
NL 194.55.186.84:443 esrdinclimarxketxu.xyz tcp
NL 194.55.186.84:443 esrdinclimarxketxu.xyz tcp
US 1.1.1.1:53 esrdinclimarxketxu.xyz udp
NL 194.55.186.84:443 esrdinclimarxketxu.xyz tcp
NL 194.55.186.84:443 esrdinclimarxketxu.xyz tcp
US 1.1.1.1:53 esrdinclimarxketxu.xyz udp
NL 194.55.186.84:443 esrdinclimarxketxu.xyz tcp

Files

/data/data/com.nameown12/dpt-libs/x86/libdpt.so

MD5 122ef29cd1aac46fa82c41cd40ef61e0
SHA1 a659f4793db895dbeb598ef9dfab2f1bb17b3497
SHA256 8bd3133b9b04e1932adc1dbc84b4b4ee75ae26b42aade3cdeca611fa85da109a
SHA512 5ce85f3a7dca8dcabad94e9af789ca1978bc5dfae2a8393f54b264c536c7fae2efce644bc42b848c3bc6d40a25cba75acea14c46dde9e5ad32e8ec4e8d3d8e5a

/data/data/com.nameown12/code_cache/i11111i111.zip

MD5 f006630fb2bbfad91d74c1bd35a2a914
SHA1 74ecbe095f4064b57b53417f15238fab3abdb3ac
SHA256 64520e37dbb8d285c5e0ea0c03133b1741da8179ac0c520147c16d177459ff9f
SHA512 8d77e63f38f469fed5a752d9cc47923b98f7c80b346cf54b9a9cbb6971597581122f081817f7c59e2a232dd18e11ca65c3a03f31bf063fbd20c61266afe08211

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-22 22:04

Reported

2024-07-22 22:25

Platform

android-x64-20240624-en

Max time kernel

4s

Max time network

157s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Indicator /data/user/0/com.nameown12/code_cache/i11111i111.zip
Description N/A
Process N/A
Target N/A

Indicator /data/user/0/com.nameown12/code_cache/i11111i111.zip!classes2.dex
Description N/A
Process N/A
Target N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Processes

com.nameown12

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 zekurapoymaivssuheno.xyz udp
US 1.1.1.1:53 androstormxnow.xyz udp
US 1.1.1.1:53 tnisvsorupazuxehome.xyz udp
US 1.1.1.1:53 esrdinclimarxketxu.xyz udp
NL 194.55.186.84:443 esrdinclimarxketxu.xyz tcp
US 1.1.1.1:53 www.ip-api.com udp
NL 194.55.186.84:443 esrdinclimarxketxu.xyz tcp
US 208.95.112.1:80 www.ip-api.com tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
NL 194.55.186.84:443 esrdinclimarxketxu.xyz tcp
GB 172.217.16.228:443 tcp
GB 172.217.16.228:443 tcp
NL 194.55.186.84:443 esrdinclimarxketxu.xyz tcp
NL 194.55.186.84:443 esrdinclimarxketxu.xyz tcp
US 1.1.1.1:53 esrdinclimarxketxu.xyz udp
GB 142.250.179.238:443 tcp
GB 142.250.200.34:443 tcp
NL 194.55.186.84:443 esrdinclimarxketxu.xyz tcp
NL 194.55.186.84:443 esrdinclimarxketxu.xyz tcp
US 1.1.1.1:53 esrdinclimarxketxu.xyz udp
NL 194.55.186.84:443 esrdinclimarxketxu.xyz tcp

Files

/data/data/com.nameown12/dpt-libs/x86_64/libdpt.so

MD5 14a36e2eea3edcb7a7b9f00668c86dde
SHA1 25b0cf4f6423d29402a533517fc6b1277f10d7b1
SHA256 8f87c1fdcdadeafa04c11bc390675c2e293cddf8df09971854f637e19651070a
SHA512 695ebeb763361f19e1f6a561d88dd3b23e1c8284513e4a01e83a4876f92365c9653039595319f493450c2d75e04e9ff75ba5eeaab50c55363958b1ed279ef8d2

/data/data/com.nameown12/code_cache/i11111i111.zip

MD5 f006630fb2bbfad91d74c1bd35a2a914
SHA1 74ecbe095f4064b57b53417f15238fab3abdb3ac
SHA256 64520e37dbb8d285c5e0ea0c03133b1741da8179ac0c520147c16d177459ff9f
SHA512 8d77e63f38f469fed5a752d9cc47923b98f7c80b346cf54b9a9cbb6971597581122f081817f7c59e2a232dd18e11ca65c3a03f31bf063fbd20c61266afe08211

/data/user/0/com.nameown12/code_cache/i11111i111.zip

MD5 f6cfa9db0604c20a6bf80f30a6bf65df
SHA1 3d511f5b6fedf68bafc2d87951ff5cddd27d48f6
SHA256 d49f8ff32fd7487571f830b2ee287806a6ab3ccf8a0d715cd1baaf5b92166683
SHA512 0aa797ba9c6f019bdcd8731aa6ae16dc0ba70ce8ad926c176fd9242a9cc18836f479495f1a0ee3ba2b52b3ff9f8d32c2e498452b8de29533696d2375a6b5713e

/data/user/0/com.nameown12/code_cache/i11111i111.zip!classes2.dex

MD5 c15804d75ad84c1de89596a48950be14
SHA1 571ed1b9dfc541b2b3929bfa5727b408cae2bb8e
SHA256 07072b1c20c4cf6785cba0ea43158365c46dc027e5fb0d43a27826fa1206e5e4
SHA512 0612cc8aa98385477592de07c9c8cb5ad602d423a469c0c9cfc6341ff46aa2d4e84be5217bc087fc82f15dbdd2ccce1d72e37e3ff88a9405f4da21538e39e689

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-22 22:04

Reported

2024-07-22 22:22

Platform

android-x86-arm-20240624-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-22 22:04

Reported

2024-07-22 22:22

Platform

android-x64-20240624-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-22 22:04

Reported

2024-07-22 22:23

Platform

android-x64-arm64-20240624-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 216.58.212.238:443 tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 udp

Files

N/A