Malware Analysis Report

2024-09-09 13:50

Sample ID 240723-1xw1ns1dpj
Target 87a6396585770c045a5d046379ac019bf80b2bdb6499124a28ecfd082a8cbdef.bin
SHA256 87a6396585770c045a5d046379ac019bf80b2bdb6499124a28ecfd082a8cbdef
Tags: octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 87a6396585770c045a5d046379ac019bf80b2bdb6499124a28ecfd082a8cbdef

Threat Level: Known bad

The file 87a6396585770c045a5d046379ac019bf80b2bdb6499124a28ecfd082a8cbdef.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Acquires the wake lock

Reads information about phone network operator.

Requests dangerous framework permissions

Declares services with permission to bind to the system

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Queries the unique device ID (IMEI, MEID, IMSI)

Requests modifying system settings.

Declares broadcast receivers with permission to handle system events

Requests accessing notifications (often used to intercept notifications before users become aware).

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-23 22:02

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
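
The static1 tables above are exactly what an analyst would encode as a manifest triage rule: three system-only BIND_* permissions on declared components plus the SMS/phone/storage/settings permission set. The Python below is an added example and is not tooling from this report or from the sandbox vendor. It assumes a decoded, textual AndroidManifest.xml (the manifest inside an APK is binary XML; apktool or androguard produce the text form). The component names in the embedded sample manifest (.A11yService, .NotifService, .AdminReceiver) are invented, and the "suspicious" rule (an accessibility service combined with SMS access or a notification listener) is my heuristic, not the sandbox's scoring.

```python
import xml.etree.ElementTree as ET

# Namespace of android:* attributes in a decoded AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups copied from the static1 signatures of this report.
BIND_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
    "android.permission.BIND_DEVICE_ADMIN": "device admin receiver",
}
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
    "android.permission.WRITE_SETTINGS",
}
SMS_TRIAD = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}


def parse_manifest(manifest_xml):
    """Return (package, requested permissions, {bind permission: [components]})."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    requested.discard(None)
    bound = {}
    # An accessibility service, notification listener or device admin is declared
    # as a <service>/<receiver> guarded by the matching system BIND_* permission.
    for tag in ("service", "receiver"):
        for el in root.iter(tag):
            perm = el.get(ANDROID_NS + "permission")
            if perm in BIND_PERMISSIONS:
                bound.setdefault(perm, []).append(el.get(ANDROID_NS + "name", "?"))
    return package, requested, bound


def triage_manifest(manifest_xml):
    """Heuristic triage (my rule, not the sandbox's): accessibility service plus
    SMS access or a notification listener is the banker/overlay pattern."""
    package, requested, bound = parse_manifest(manifest_xml)
    dangerous = sorted(requested & DANGEROUS_PERMISSIONS)
    findings = [f"declares {BIND_PERMISSIONS[p]}: {', '.join(c)}"
                for p, c in sorted(bound.items())]
    if SMS_TRIAD <= requested:
        findings.append("requests receive/read/send SMS")
    has_a11y = "android.permission.BIND_ACCESSIBILITY_SERVICE" in bound
    has_listener = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE" in bound
    suspicious = has_a11y and (has_listener or SMS_TRIAD <= requested)
    return {"package": package, "dangerous": dangerous,
            "findings": findings, "suspicious": suspicious}


# Constructed sample: the permissions this report lists; component names are invented.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.nameown12">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application>
    <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    import json
    import sys
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    print(json.dumps(triage_manifest(xml_text), indent=2))
```

Run it as `python triage_manifest.py path/to/decoded/AndroidManifest.xml`; with no argument it evaluates the embedded sample. The BIND_* permissions are never granted to third-party apps, so their presence on a component is a declaration of intent, not a grant; the user still has to enable the service in Settings, which is what the runtime ACTION_NOTIFICATION_LISTENER_SETTINGS intent in the behavioral runs is for.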

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-23 22:02

Reported

2024-07-23 22:13

Platform

android-x86-arm-20240624-en

Max time kernel

172s

Max time network

165s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A (4 occurrences) | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A
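
On a live device most of the behaviours in this section leave inspectable state: an enabled accessibility service, an enabled notification listener, a "user" entry in the battery-optimization whitelist (REQUEST_IGNORE_BATTERY_OPTIMIZATIONS only shows a prompt, so the entry exists only if the user accepted), WRITE_SETTINGS granted through appops, a device-admin registration, and a package with no launcher activity left. The script below is an added example, not part of this report; it pulls that state over adb with standard commands (settings get secure, dumpsys deviceidle whitelist, appops get, cmd package resolve-activity, dumpsys device_policy) and keeps the parsing in pure functions so they can be checked against captured output. The sample outputs used in the usage notes are constructed. Dump formats drift slightly between Android releases, so confirm them on the target build.

```python
import subprocess
import sys


def adb_shell(*args):
    """Run `adb shell <args>` on the attached device and return its stdout."""
    proc = subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True)
    return proc.stdout


def components_of(setting_value, package):
    """Parse a `settings get secure enabled_accessibility_services` (or
    enabled_notification_listeners) value: ':'-separated ComponentNames such as
    com.pkg/com.pkg.Svc, or the literal string 'null' when nothing is enabled."""
    value = (setting_value or "").strip()
    if not value or value == "null":
        return []
    return [c for c in value.split(":") if c.split("/", 1)[0] == package]


def in_battery_whitelist(whitelist_output, package):
    """Parse `dumpsys deviceidle whitelist`, one entry per line as
    <type>,<package>,<uid> with type user, system or system-excidle.
    Returns the type for the package, or None if it is not whitelisted."""
    for line in whitelist_output.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and parts[1] == package:
            return parts[0]
    return None


def appops_mode(appops_output, op):
    """Parse `appops get <pkg>` lines such as 'WRITE_SETTINGS: allow; time=+3m2s ago'.
    An op that is not listed is at its default mode."""
    for line in appops_output.splitlines():
        line = line.strip()
        if line.startswith(op + ":"):
            return line.split(":", 1)[1].split(";", 1)[0].strip()
    return "default"


def has_launcher_activity(resolve_output):
    """`cmd package resolve-activity --brief -a android.intent.action.MAIN
    -c android.intent.category.LAUNCHER <pkg>` prints 'No activity found' when
    the package has no enabled launcher entry point (the icon-hiding behaviour)."""
    return "No activity found" not in resolve_output


def is_device_admin(device_policy_output, package):
    """Coarse check on `dumpsys device_policy`: an enabled admin appears as a
    ComponentName <pkg>/<receiver>, so look for the package followed by '/'."""
    return any(package + "/" in line for line in device_policy_output.splitlines())


def triage_device(package):
    """Collect all checks for one installed package (needs adb and a device)."""
    return {
        "accessibility_services": components_of(
            adb_shell("settings", "get", "secure", "enabled_accessibility_services"), package),
        "notification_listeners": components_of(
            adb_shell("settings", "get", "secure", "enabled_notification_listeners"), package),
        "battery_whitelist": in_battery_whitelist(
            adb_shell("dumpsys", "deviceidle", "whitelist"), package),
        "write_settings": appops_mode(adb_shell("appops", "get", package), "WRITE_SETTINGS"),
        "launcher_icon": has_launcher_activity(adb_shell(
            "cmd", "package", "resolve-activity", "--brief",
            "-a", "android.intent.action.MAIN", "-c", "android.intent.category.LAUNCHER", package)),
        "device_admin": is_device_admin(adb_shell("dumpsys", "device_policy"), package),
    }


if __name__ == "__main__":
    print(triage_device(sys.argv[1] if len(sys.argv) > 1 else "com.nameown12"))
```

A hit on accessibility_services together with launcher_icon False is the state this sample aims for after its first run; device_admin True additionally means plain uninstall will fail until the admin is deactivated in Settings. For a constructed whitelist dump "user,com.nameown12,10123" the function returns "user", and for a settings value "com.android.talkback/.TalkBackService:com.nameown12/com.nameown12.A11yService" it returns only the com.nameown12 component.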

Processes

com.nameown12

Network

Country | Destination | Domain (- = none recorded) | Proto
GB | 142.250.180.10:443 | - | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | jekirvorapumahaxe.top | udp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
US | 1.1.1.1:53 | tisavorakumahozexe.top | udp
US | 1.1.1.1:53 | nivsorupazuxehome.xyz | udp
US | 1.1.1.1:53 | zekurapoymivuheno.xyz | udp
US | 1.1.1.1:53 | lokusnivepazuxeko.xyz | udp
US | 1.1.1.1:53 | vtaokipujeramunexu.top | udp
US | 1.1.1.1:53 | tiviyakezopahaxo.xyz | udp
LT | 147.78.103.52:443 | vtaokipujeramunexu.top | tcp
LT | 147.78.103.52:443 | vtaokipujeramunexu.top | tcp
GB | 216.58.201.110:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
LT | 147.78.103.52:443 | vtaokipujeramunexu.top | tcp
LT | 147.78.103.52:443 | vtaokipujeramunexu.top | tcp
US | 1.1.1.1:53 | vtaokipujeramunexu.top | udp
LT | 147.78.103.52:443 | vtaokipujeramunexu.top | tcp
US | 1.1.1.1:53 | vtaokipujeramunexu.top | udp
LT | 147.78.103.52:443 | vtaokipujeramunexu.top | tcp

Files

/data/data/com.nameown12/kl.txt

MD5 c954bf12099e5b0fd5f1d73bdb9a2d68
SHA1 865448e69a8d2a883d8beee039c844e16bc9a634
SHA256 9b128a0ec427c34e7ed5026a4de8447396fd1c82a2f132b78424568bfa17b2ab
SHA512 b3fa6e9f1435bbfc3923dfeddfdc4cc83ff0eaa63b13668f66f29034ff0f16dd59ccce0ecaa52b2ab2ce8d2205a5ef03a935250dd60d931eb82fae8e2b7e800c

/data/data/com.nameown12/kl.txt

MD5 666aa4035bc69086e74fa24798f45e1f
SHA1 82f34f4ec6da3d245a024379665257d7317eb10c
SHA256 c0fc62a470666e0838f5b54e35343e65e2732ceaf4e482ee2f25cc68608d1b16
SHA512 10c2bf0e077e4ffd496532466bee8a054140cdfdbff00020a5feb2435fd25ab8199fbb75231be1b9a06da3e64106a4838dd39b026dc2a6e368212eb94681145b

/data/data/com.nameown12/kl.txt

MD5 fb515377ddddcbcdcc2aa4b9377df391
SHA1 9c5b5c43a344615a394e0262b8595610b40aaa1d
SHA256 10d40b799fc7d6ee13467e833e214b833bd8722640a1c911a15d16a8924caa3d
SHA512 87fbdbe64180b2278cde93098006298569330a473faa6cc1baf9b1c9235f645e11998a5e8f67374481a1f7ff8106c0c8cfea2283e773a235c4d05259a58ed870

/data/data/com.nameown12/kl.txt

MD5 64ab55a746506d17f8d345c3a069994f
SHA1 a068e2773e308331d343e53b37ed2877b2a081c7
SHA256 5702d6a14acf0a3f9f6dfe41c388cf887138942d49b31e75f46ad061e6c3f1a1
SHA512 7db1fb12af3a5f141537545660fd0c2c792ca8d4d3efe463009530e800b15af4b00febeecbcbc2b65bfd3255a1e89af36b4472bb7ab262ed67aab6ef42382fd8

/data/data/com.nameown12/.qcom.nameown12

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-23 22:02

Reported

2024-07-23 22:13

Platform

android-33-x64-arm64-20240624-en

Max time kernel

178s

Max time network

190s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A (6 occurrences) | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nameown12

Network

Country | Destination | Domain (- = none recorded) | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.187.228:443 | - | udp
GB | 142.250.187.228:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | lokusnivepazuxeko.xyz | udp
US | 1.1.1.1:53 | zekurapoymivuheno.xyz | udp
US | 1.1.1.1:53 | tiviyakezopahaxo.xyz | udp
US | 1.1.1.1:53 | jekirvorapumahaxe.top | udp
US | 1.1.1.1:53 | nivsorupazuxehome.xyz | udp
US | 1.1.1.1:53 | tisavorakumahozexe.top | udp
US | 1.1.1.1:53 | vtaokipujeramunexu.top | udp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
LT | 147.78.103.52:443 | vtaokipujeramunexu.top | tcp
LT | 147.78.103.52:443 | vtaokipujeramunexu.top | tcp
LT | 147.78.103.52:443 | vtaokipujeramunexu.top | tcp
LT | 147.78.103.52:443 | vtaokipujeramunexu.top | tcp
US | 1.1.1.1:53 | zivimakezopahaxo.xyz | udp
US | 76.223.67.189:443 | zivimakezopahaxo.xyz | tcp
LT | 147.78.103.52:443 | vtaokipujeramunexu.top | tcp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
GB | 172.217.16.234:443 | remoteprovisioning.googleapis.com | tcp
GB | 142.250.187.228:443 | - | udp
GB | 142.250.178.4:443 | - | udp
GB | 142.250.178.4:443 | - | tcp
US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp
US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp
US | 162.159.61.3:443 | - | tcp
US | 162.159.61.3:443 | - | tcp
GB | 172.217.16.227:443 | - | tcp
US | 162.159.61.3:443 | - | udp
GB | 172.217.16.227:443 | - | udp
LT | 147.78.103.52:443 | vtaokipujeramunexu.top | tcp
LT | 147.78.103.52:443 | vtaokipujeramunexu.top | tcp
GB | 216.58.204.67:443 | - | tcp
LT | 147.78.103.52:443 | vtaokipujeramunexu.top | tcp
LT | 147.78.103.52:443 | vtaokipujeramunexu.top | tcp
LT | 147.78.103.52:443 | vtaokipujeramunexu.top | tcp
LT | 147.78.103.52:443 | vtaokipujeramunexu.top | tcp
US | 1.1.1.1:53 | vtaokipujeramunexu.top | udp
LT | 147.78.103.52:443 | vtaokipujeramunexu.top | tcp
LT | 147.78.103.52:443 | vtaokipujeramunexu.top | tcp
US | 1.1.1.1:53 | vtaokipujeramunexu.top | udp
LT | 147.78.103.52:443 | vtaokipujeramunexu.top | tcp
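
Across both behavioral runs the sample resolved a set of random-looking .top/.xyz hostnames through 1.1.1.1, but only vtaokipujeramunexu.top (147.78.103.52:443, LT) received repeated TCP connections; zivimakezopahaxo.xyz (76.223.67.189:443) was contacted once in behavioral2, and the remaining names were resolved but never connected to, which is the shape of a fallback C2 list. www.ip-api.com is a public IP-geolocation service, a common pre-check before C2 contact. The Google destinations and the mDNS multicast (224.0.0.251:5353) are platform noise. The Python below is an added example, not part of this report: it parses rows transcribed from the two Network tables (in the "Country | Destination | Domain | Proto" layout, with "-" for no recorded domain), separates resolver queries from connections, and reports resolved-but-never-contacted domains separately from contacted ones. The platform-suffix list is my assumption about what to discount.

```python
import ipaddress
from collections import Counter

# Sandbox/platform traffic discounted as not attributable to the sample (assumption).
PLATFORM_SUFFIXES = (".googleapis.com", ".google.com")

# Rows transcribed from the behavioral1 and behavioral2 Network tables above.
SAMPLE_ROWS = """\
Country | Destination | Domain | Proto
GB | 142.250.180.10:443 | - | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | jekirvorapumahaxe.top | udp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
US | 1.1.1.1:53 | tisavorakumahozexe.top | udp
US | 1.1.1.1:53 | nivsorupazuxehome.xyz | udp
US | 1.1.1.1:53 | zekurapoymivuheno.xyz | udp
US | 1.1.1.1:53 | lokusnivepazuxeko.xyz | udp
US | 1.1.1.1:53 | vtaokipujeramunexu.top | udp
US | 1.1.1.1:53 | tiviyakezopahaxo.xyz | udp
LT | 147.78.103.52:443 | vtaokipujeramunexu.top | tcp
LT | 147.78.103.52:443 | vtaokipujeramunexu.top | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | zivimakezopahaxo.xyz | udp
US | 76.223.67.189:443 | zivimakezopahaxo.xyz | tcp
LT | 147.78.103.52:443 | vtaokipujeramunexu.top | tcp
"""


def parse_rows(table_text):
    """Parse 'Country | ip:port | domain-or-dash | proto' rows; skips the header."""
    rows = []
    for line in table_text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4 or parts[0] == "Country":
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": None if domain == "-" else domain, "proto": proto})
    return rows


def is_platform(domain):
    return domain.endswith(PLATFORM_SUFFIXES)


def extract_iocs(rows):
    """Split rows into DNS queries (port 53), resolved connections, and bare IPs.
    Domains that were queried but never connected to are candidate fallback C2s."""
    queried, contacted, bare, local = set(), Counter(), Counter(), Counter()
    for r in rows:
        if r["port"] == 53 and r["domain"]:
            queried.add(r["domain"])
        elif r["domain"] and not is_platform(r["domain"]):
            contacted[(r["ip"], r["port"], r["domain"])] += 1
        elif r["domain"] is None:
            # Multicast/private destinations (mDNS etc.) are local noise, not IOCs.
            addr = ipaddress.ip_address(r["ip"])
            bucket = local if addr.is_multicast or addr.is_private else bare
            bucket[(r["ip"], r["port"], r["proto"])] += 1
    contacted_domains = {d for (_, _, d) in contacted}
    resolved_only = sorted(d for d in queried
                           if not is_platform(d) and d not in contacted_domains)
    return {"contacted": dict(contacted), "resolved_only": resolved_only,
            "bare_public": dict(bare), "local_noise": dict(local)}


def blocklist(iocs):
    """Domains (contacted + resolved-only) and contacted IPs, sorted, for a blocklist."""
    domains = {d for (_, _, d) in iocs["contacted"]} | set(iocs["resolved_only"])
    ips = {ip for (ip, _, _) in iocs["contacted"]}
    return sorted(domains), sorted(ips)


if __name__ == "__main__":
    result = extract_iocs(parse_rows(SAMPLE_ROWS))
    for key, count in sorted(result["contacted"].items(), key=lambda kv: -kv[1]):
        print(f"contacted {key[2]} -> {key[0]}:{key[1]} ({count} connections)")
    print("resolved only:", ", ".join(result["resolved_only"]))
    print("blocklist:", blocklist(result))
```

Bare public IPs without a recorded domain (142.250.180.10:443 here) are kept in their own bucket rather than the blocklist: in these runs they belong to Google ranges reached without a preceding lookup, and blocking them on the strength of one sandbox run would cause collateral damage. Whether www.ip-api.com belongs on an enterprise blocklist is a policy call; the code reports it and leaves the decision to the analyst.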

Files

/data/data/com.nameown12/.qcom.nameown12

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c