Malware Analysis Report

2024-09-09 13:49

Sample ID 240723-1wwnhs1crm
Target 7adbac5e163733fbdc97e89f41779ea45d1319f0f10b552a8c34b620d91f5857.bin
SHA256 7adbac5e163733fbdc97e89f41779ea45d1319f0f10b552a8c34b620d91f5857
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7adbac5e163733fbdc97e89f41779ea45d1319f0f10b552a8c34b620d91f5857

Threat Level: Known bad

The file 7adbac5e163733fbdc97e89f41779ea45d1319f0f10b552a8c34b620d91f5857.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Performs UI accessibility actions on behalf of the user

Reads information about phone network operator.

Acquires the wake lock

Declares services with permission to bind to the system

Requests modifying system settings.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Queries the unique device ID (IMEI, MEID, IMSI)

Declares broadcast receivers with permission to handle system events

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Requests accessing notifications (often used to intercept notifications before users become aware).

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-23 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-23 22:00

Reported

2024-07-23 22:03

Platform

android-x86-arm-20240624-en

Max time kernel

171s

Max time network

148s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nameown12

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | tisavorakttumahozexe.xyz | udp
US | 1.1.1.1:53 | mubarekzamanala.xyz | udp
LT | 147.78.103.52:443 | mubarekzamanala.xyz | tcp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
US | 1.1.1.1:53 | jtsekirvorsaapumahaxe.xyz | udp
US | 1.1.1.1:53 | tnisvsorupazuxehome.xyz | udp
US | 1.1.1.1:53 | tiviyakezopahaxo.xyz | udp
US | 1.1.1.1:53 | erdinclimarxketxu.xyz | udp
US | 1.1.1.1:53 | loksusnivepasazuxeko.xyz | udp
LT | 147.78.103.52:443 | mubarekzamanala.xyz | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
LT | 147.78.103.52:443 | mubarekzamanala.xyz | tcp
LT | 147.78.103.52:443 | mubarekzamanala.xyz | tcp
LT | 147.78.103.52:443 | mubarekzamanala.xyz | tcp
US | 1.1.1.1:53 | mubarekzamanala.xyz | udp
LT | 147.78.103.52:443 | mubarekzamanala.xyz | tcp
US | 1.1.1.1:53 | mubarekzamanala.xyz | udp
LT | 147.78.103.52:443 | mubarekzamanala.xyz | tcp

Files

/data/data/com.nameown12/kl.txt

MD5 5db0406d5c96006e170fd02b4f4f5605
SHA1 35475fbf2a063cb116baf899b4214f79014a7910
SHA256 7a8125ff70df51409aebf9a742846389bb3dbc00ed83178d9b2304ee6c220844
SHA512 152691caac2596c1d2997bf79361d396f4bb52f0ff0782a3fa6925c3e865faae3746743d1667f67eb2df34ff8a67b3d171693e41011a826ef193b2da384fbbf6

/data/data/com.nameown12/kl.txt

MD5 2c71e20a010595afea34d61c4eda191b
SHA1 b25d368b2a425e9be40c68917279ee7c0c2d49af
SHA256 98743ac9ab268267e80331ebbe0d6d61f6f463657d7bb750638891b8413b7366
SHA512 152628f9d059d50422b224b6f30ddee44c912436fce6f300a5315614ee1ad5d71587e2976015d65e6ee38f0862f99709b30578a61846e50fa320fecb05432bd3

/data/data/com.nameown12/kl.txt

MD5 322d1d3af4b37e63a0e8cd7850351d9f
SHA1 c47ed13407e94eb00ee5f277ecb05229e5963fc6
SHA256 364782dc760fc2d9fd25f851d615522d75f05754ff2777c47187682674a42c69
SHA512 32ff09e64d72554be7204f0dfc6f1a0325f917362e7e049374e656dd4a1ef81fa5fd4f6e794a3f9dd7aadb9ebdf2c192a10aa0232ee2c5782068dcedccbbed85

/data/data/com.nameown12/kl.txt

MD5 62fcfedd2da18cdd03ccb6eb9a44cbff
SHA1 8f61b4b6d45d8a7396da069fca069871d42d32b5
SHA256 4851b2a04ee2de88073fc55f30d4490e6c07492aa111fc48bdb30b447ebcba79
SHA512 0640e37b084f9d864760959ae826ed9242cf4622d400ba3658d346ff96746cad246c935ae017591b47d161595bc51e0a781f5878d6e90ab8e6e37d21070380f9

/data/data/com.nameown12/kl.txt

MD5 a319079b9037ece21862f26e9fd257d7
SHA1 549e0eca95ba21386003cbf8c337868c16af29a2
SHA256 9d560a0eb65e006e86e1740b03edb3663d3dda361f47f418a2ca34d741c62011
SHA512 629aea429975fc614379801c80015f7a51569d0bb3e481279887e6dff4bea61da1768c28cc6bbd1715295ecd94f8ecb48ec11cb6c278a5e29e540fe4b6cb9a57

/data/data/com.nameown12/.qcom.nameown12

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-23 22:00

Reported

2024-07-23 22:03

Platform

android-x64-20240624-en

Max time kernel

178s

Max time network

151s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nameown12

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | tnisvsorupazuxehome.xyz | udp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
US | 1.1.1.1:53 | tiviyakezopahaxo.xyz | udp
US | 1.1.1.1:53 | erdinclimarxketxu.xyz | udp
US | 1.1.1.1:53 | mubarekzamanala.xyz | udp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
LT | 147.78.103.52:443 | mubarekzamanala.xyz | tcp
LT | 147.78.103.52:443 | mubarekzamanala.xyz | tcp
LT | 147.78.103.52:443 | mubarekzamanala.xyz | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp
LT | 147.78.103.52:443 | mubarekzamanala.xyz | tcp
LT | 147.78.103.52:443 | mubarekzamanala.xyz | tcp
GB | 142.250.179.238:443 | | tcp
GB | 142.250.200.34:443 | | tcp
US | 1.1.1.1:53 | mubarekzamanala.xyz | udp
LT | 147.78.103.52:443 | mubarekzamanala.xyz | tcp
US | 1.1.1.1:53 | mubarekzamanala.xyz | udp
LT | 147.78.103.52:443 | mubarekzamanala.xyz | tcp

Files

/data/data/com.nameown12/kl.txt

MD5 daf00bdaf3c4c7a26615e546c010a9c5
SHA1 6ee5f314335d70f5d37fe417bfe0ae7c69585f9e
SHA256 d7ffdcd8a430272b005f36c17f46e42640a12db1870d0fc7be6befab520cde1e
SHA512 4073e48548aeb43a974d4f2153fdbc6119ed9967f91e7ff7e1ab90bfece87b4d11063d8f69fbe32f11968afe5339de03854d9cd9b92f83ed16d7484c6264edc5

/data/data/com.nameown12/kl.txt

MD5 ec70b2a77d694b1b2d6123ee1ae89a94
SHA1 c328529e495376aaf752d598c5f13808c92fdae8
SHA256 387a1e3bb51d717d665aeb967cadc6a9481c044a9f0691f0ba4e11ee82628cf3
SHA512 a14c0fce6b61c9552cf46be3a9d1cdc843c9e599179886eeaf432e477f4c9ee2dd7b06d7373b450b98b6243b8d6694069481e57b23dcbd9fd247e148864ec749

/data/data/com.nameown12/kl.txt

MD5 d40a38e73395ed2729c0581a4f387869
SHA1 00aa76a187e4df820f0b10517d17f7f9a8f2bf93
SHA256 cfdc71fe4467a15dab391b8346ded013c47a81429960d8deb818e12d11658cef
SHA512 0b7591b12168e047abca0de86aba520476acec1b4a15cb73405d1bfc69a4ddd47bdf4226585c3d79551d9a28d206ced85798dde5bacefa2371d46278787f20c0

/data/data/com.nameown12/kl.txt

MD5 45ee1173ad26e6279d137541af319506
SHA1 7317108d759fef61abac5f54ca61da7b887ae3ec
SHA256 6ada1b69149469359ef2385bbea15cd4f2f7ee9c08642ea53f710ced4046219e
SHA512 9d9676e987de56ed4dcf8c956311a02d41df2e539886d817556360e2a00bdbde57ec63cfe38a376a1ab97e33366577c23a5e10a0fb60a8c0777aa57ce7c8a422

/data/data/com.nameown12/kl.txt

MD5 f00599078ebc4767d470d8e8169f37c2
SHA1 4654ac64b3dda82fa43f142e927d96b39ddbd568
SHA256 c4f408391e10c6d74e9dc8b35d871127d4942317297e34e840bc01cee0ddeafd
SHA512 7a2d4feaeefb764fb6d2b57b70390b69e54771783f9097838970f9851bfc678524db30ddccc175321500dfc61452bd1aefac721f34ed89a5bea15e4c31991b18

/data/data/com.nameown12/.qcom.nameown12

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c