Malware Analysis Report

2024-09-09 13:51

Sample ID: 240724-1w57yszbpn
Target: dbacc40b602f706c9a8b60eb335c82a3405a4d1addc676901363ecbfeabbf3da.bin
SHA256: dbacc40b602f706c9a8b60eb335c82a3405a4d1addc676901363ecbfeabbf3da
Tags: octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK Matrix
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: dbacc40b602f706c9a8b60eb335c82a3405a4d1addc676901363ecbfeabbf3da

Threat Level: Known bad

The file dbacc40b602f706c9a8b60eb335c82a3405a4d1addc676901363ecbfeabbf3da.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Queries the unique device ID (IMEI, MEID, IMSI)

Requests accessing notifications (often used to intercept notifications before users become aware).

Declares broadcast receivers with permission to handle system events

Requests disabling of battery optimizations (often used to enable hiding in the background).

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Reads information about phone network operator.

Acquires the wake lock

Requests dangerous framework permissions

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Requests modifying system settings.

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-07-24 22:00

Signatures

Declares broadcast receivers with permission to handle system events

  android.permission.BIND_DEVICE_ADMIN
    Required by device admin receivers to bind with the system. Allows the app to manage device administration features.

Declares services with permission to bind to the system

  android.permission.BIND_ACCESSIBILITY_SERVICE
    Required by accessibility services to bind with the system. Allows the app to access accessibility features.
  android.permission.BIND_NOTIFICATION_LISTENER_SERVICE
    Required by notification listener services to bind with the system. Allows the app to listen to and interact with notifications on the device.

Requests dangerous framework permissions

  android.permission.READ_EXTERNAL_STORAGE
    Allows an application to read from external storage.
  android.permission.WRITE_EXTERNAL_STORAGE
    Allows an application to write to external storage.
  android.permission.RECEIVE_SMS
    Allows an application to receive SMS messages.
  android.permission.READ_SMS
    Allows an application to read SMS messages.
  android.permission.READ_PHONE_STATE
    Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
  android.permission.SEND_SMS
    Allows an application to send SMS messages.
  android.permission.CALL_PHONE
    Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
  android.permission.WRITE_SETTINGS
    Allows an application to read or write the system settings.

These are manifest declarations only. The BIND_* permissions protect the declared components so that only the system can bind to them; the accessibility service, notification listener and device-admin receiver do nothing until the user enables each one in Settings (behavioral1 records the sample opening the notification-listener settings page to obtain exactly that).
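The static signatures above are facts about the manifest, so the same triage can be scripted over a decoded AndroidManifest.xml (apktool or aapt2 output). The Python below is an added example written for this page, not the sandbox's own tooling: the two manifests it parses are constructed, the first reproducing the declarations listed above with invented component class names and the second a plain screen reader as a control, and the banker_profile rule is the editor's heuristic rather than a sandbox rule.

```python
"""Static triage of a decoded AndroidManifest.xml for the pattern the static1
signatures describe: system-bind permissions on components plus the dangerous
runtime permissions. Added example; not the sandbox's code."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # prefix for android: attributes

# The eight permissions the static1 signatures list as dangerous.
DANGEROUS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.WRITE_SETTINGS",
}
SMS = {p for p in DANGEROUS if p.endswith("_SMS")}
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BIND_NL = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
BIND_ADMIN = "android.permission.BIND_DEVICE_ADMIN"


def triage_manifest(xml_text):
    """Return the manifest facts relevant to this pattern plus a verdict."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    app = root.find("application")
    service_perms = {e.get(A + "permission") for e in app.iter("service")} if app is not None else set()
    receiver_perms = {e.get(A + "permission") for e in app.iter("receiver")} if app is not None else set()
    facts = {
        "package": root.get("package"),
        "dangerous": sorted(requested & DANGEROUS),
        "accessibility_service": BIND_A11Y in service_perms,
        "notification_listener": BIND_NL in service_perms,
        "device_admin_receiver": BIND_ADMIN in receiver_perms,
    }
    # Editor's heuristic (assumption): an accessibility service combined with SMS
    # access and a second system-bound component is the shape of an Android banker,
    # not of a screen reader or an SMS app on its own.
    facts["banker_profile"] = (
        facts["accessibility_service"]
        and bool(requested & SMS)
        and (facts["notification_listener"] or facts["device_admin_receiver"])
    )
    return facts


# Constructed manifest reproducing the declarations listed for this sample
# (component class names are invented).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.nameown12">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application>
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed control: a screen reader that legitimately needs only an accessibility service.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.reader">
  <application>
    <service android:name=".ReaderService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The control manifest is the point of the heuristic: an accessibility service alone is normal for assistive apps, so the rule fires only when it is paired with SMS access and a second system-bound component.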

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-24 22:00
Reported: 2024-07-24 22:06
Platform: android-x86-arm-20240624-en
Max time kernel: 46s
Max time network: 142s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Removes its main activity from the application launcher

stealth trojan evasion
  (no indicator recorded)

Makes use of the framework's Accessibility service

collection evasion credential_access
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

  Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service

evasion persistence
  Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user

evasion
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (4 calls recorded)

Queries the mobile country code (MCC)

discovery
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
  Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
  Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Requests modifying system settings.

evasion
  Intent action: android.settings.action.MANAGE_WRITE_SETTINGS

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
  Framework service call: android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)

impact
  Framework API call: javax.crypto.Cipher.doFinal
  (Cipher.doFinal on its own does not distinguish encrypting user data from decrypting the sample's own configuration or C2 traffic; the "impact" tag is the sandbox's guess.)
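Several of these signatures describe intents that steer the user into Settings (notification-listener access, the battery-optimization exemption, write-settings) and an accessibility service that only works once the user has enabled it. On a device suspected of carrying this sample, the practical question is whether those grants are currently in place for the package. The Python below is an added example, not part of the report: it parses the values printed by `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure enabled_notification_listeners` (colon-separated component names, or "null" when unset) and by `adb shell dumpsys deviceidle whitelist` (assumed here to print one type,package,uid line per entry, as recent Android builds do). The sample values and the component class names in them are constructed.

```python
"""Live-response check for the runtime grants the behavioral signatures imply:
does a given package currently hold an enabled accessibility service, an enabled
notification listener, and a battery-optimisation (doze) exemption?
Added example; not the sandbox's code."""
import subprocess


def enabled_components(setting_value, package):
    """Parse a colon-separated list of ComponentName strings (the format of the
    enabled_accessibility_services / enabled_notification_listeners secure
    settings) and return the entries that belong to `package`."""
    value = setting_value.strip()
    if value in ("", "null"):  # `settings get` prints "null" for an unset key
        return []
    return [c for c in value.split(":") if c.split("/", 1)[0] == package]


def doze_exempt(whitelist_dump, package):
    """True if `package` appears in the deviceidle whitelist dump
    (assumed format: one 'type,package,uid' line per entry)."""
    for line in whitelist_dump.splitlines():
        parts = line.strip().split(",")
        if len(parts) >= 2 and parts[1] == package:
            return True
    return False


def assess(package, a11y_setting, listener_setting, whitelist_dump):
    """Combine the three checks; matches_report is True when the package holds
    every grant the behavioral1 run shows this sample asking for."""
    a11y = enabled_components(a11y_setting, package)
    listeners = enabled_components(listener_setting, package)
    exempt = doze_exempt(whitelist_dump, package)
    return {
        "package": package,
        "accessibility_services": a11y,
        "notification_listeners": listeners,
        "doze_exempt": exempt,
        "matches_report": bool(a11y) and bool(listeners) and exempt,
    }


def assess_live(package):
    """Collect the three values from an attached device over adb (not exercised offline)."""
    def adb(*args):
        return subprocess.run(["adb", "shell", *args], capture_output=True,
                              text=True, check=True).stdout
    return assess(package,
                  adb("settings", "get", "secure", "enabled_accessibility_services"),
                  adb("settings", "get", "secure", "enabled_notification_listeners"),
                  adb("dumpsys", "deviceidle", "whitelist"))


# Constructed device state: the report's package next to an unrelated screen reader.
# Component class names are invented.
SAMPLE_A11Y = "com.nameown12/com.nameown12.AccService:com.example.reader/.ReaderService\n"
SAMPLE_LISTENERS = "com.nameown12/com.nameown12.NotifService\n"
SAMPLE_WHITELIST = "system,com.android.vending,10105\nuser,com.nameown12,10234\n"

if __name__ == "__main__":
    print(assess("com.nameown12", SAMPLE_A11Y, SAMPLE_LISTENERS, SAMPLE_WHITELIST))
```

The screen reader in the constructed state holds an accessibility service but no notification listener or doze exemption, so it does not match; only the package that has collected all three grants does.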

Processes

com.nameown12

Network

Of the non-Google domains the sample resolved, only two received a connection: stiviyakezopahaxo.xyz (94.156.79.48, six connections on 443/tcp) and kelebekleroyunuq.top (76.223.67.189, one). The remaining .xyz names were queried over DNS but never connected to. www.ip-api.com is a public IP geolocation service; the googleapis.com/google.com hostnames and the mDNS traffic to 224.0.0.251 are Android platform background.

Country | Destination          | Domain                             | Proto
N/A     | 224.0.0.251:5353     |                                    | udp
GB      | 216.58.204.74:443    |                                    | tcp
US      | 1.1.1.1:53           | semanticlocation-pa.googleapis.com | udp
US      | 1.1.1.1:53           | lokusnivepasazsuxeko.xyz           | udp
US      | 1.1.1.1:53           | erdinclimarketxu.xyz               | udp
US      | 1.1.1.1:53           | www.ip-api.com                     | udp
US      | 208.95.112.1:80      | www.ip-api.com                     | tcp
US      | 1.1.1.1:53           | kelebekleroyunuq.top               | udp
US      | 1.1.1.1:53           | zekurapoymsivuheno.xyz             | udp
US      | 76.223.67.189:443    | kelebekleroyunuq.top               | tcp
US      | 1.1.1.1:53           | stiviyakezopahaxo.xyz              | udp
LT      | 94.156.79.48:443     | stiviyakezopahaxo.xyz              | tcp
US      | 1.1.1.1:53           | jekirvorsaapumahasxe.xyz           | udp
US      | 1.1.1.1:53           | nisvsorupazuxehome.xyz             | udp
US      | 1.1.1.1:53           | tisavorakumahozexe.xyz             | udp
LT      | 94.156.79.48:443     | stiviyakezopahaxo.xyz              | tcp
GB      | 142.250.187.206:443  |                                    | tcp
US      | 1.1.1.1:53           | android.apis.google.com            | udp
GB      | 142.250.178.14:443   | android.apis.google.com            | tcp
LT      | 94.156.79.48:443     | stiviyakezopahaxo.xyz              | tcp
LT      | 94.156.79.48:443     | stiviyakezopahaxo.xyz              | tcp
LT      | 94.156.79.48:443     | stiviyakezopahaxo.xyz              | tcp
LT      | 94.156.79.48:443     | stiviyakezopahaxo.xyz              | tcp

Files

/data/data/com.nameown12/kl.txt was captured five times with different hashes, i.e. its contents changed while the sample ran; each capture is listed below.

/data/data/com.nameown12/kl.txt

MD5 16c6714d7565090dea7e4c70eda6877b
SHA1 24d5f27b5440ba38f09a19ac987a75188fe02005
SHA256 31379bbc3b95f151c9a533191d26d23f1ce0b9efaff13a7e447b188024c736be
SHA512 c3e81c02643733622eececadcafe055a25fd8d3c2461cccdafde98a07dd9601c76fdc11c3147c734c308933cf5a71cec02ed3b48d5175a2347b1dbe3496a37a8

/data/data/com.nameown12/kl.txt

MD5 648b7ea2252966a313254221afb2daf2
SHA1 9d9a6692ee32a754e6e546e7d8f96cc467923ae0
SHA256 ea29b1a54a7c39413c503dd08540f9f1a7aa4dcd74131ff68229723b81802939
SHA512 279d70c0221f9ff95ba268b632baa9eb677bb84ed92fe2604a04ad491a0b4ecf6edd6fca575f538f6a7304040cc2ad2c3a5d37db62cb218b79d920c0b77059a1

/data/data/com.nameown12/kl.txt

MD5 2e734fa8f76109cc30811f70ef27ee87
SHA1 2e20bcc545b714dd1de79ebad692ac7acc70ce80
SHA256 4266320157090d3ef320860bf1c62336065601fa5a45e716beb16a6b9b9ef5fd
SHA512 7fe1888b62d808f7ffe6260c95c6eaec6c68b07f9879b365e2bc898fa45e5d6ea39c34682ad78e005597a04fea602ed71de56be1641667f9732b533411271f24

/data/data/com.nameown12/kl.txt

MD5 2176e0a0353fdc6d6acf6858082c763e
SHA1 8363ba57a192fdbe07d4827a50a992a72a597323
SHA256 92d775e623b3f74c5ff7c78eb2d88af89f4eacc9b674aa570a09a928c1a152f4
SHA512 7fde9802f480b2612e66f3f6d0880cbf24d80c9369790305550fd1c4e8132e49aa2b90332a4d579b4da708c89884d84be5790a9bcd27612d51215ed2ff691ee7

/data/data/com.nameown12/kl.txt

MD5 f6d4e0ac4cdc49483889a3b158a2433b
SHA1 fe23ed02e288ebab01b85b085589e1624c2c64e9
SHA256 0479679eca3a55c06a568d227d339e8accaaaaf3ba938206d3831d64e4de2564
SHA512 22a88442c81b25afc3833d5b99a782474957cbee0e20d6f54fec9623df5f5beec647b29edc6cd94d7f1fc7e25e0c9f62bde6ea1f28bd8de8b6a87cdfbbe71985

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-24 22:00
Reported: 2024-07-24 22:06
Platform: android-x64-20240624-en
Max time kernel: 179s
Max time network: 166s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

The launcher-icon removal and the notification-listener, battery-optimization and write-settings intents recorded in behavioral1 were not observed on this x64 platform.

Makes use of the framework's Accessibility service

collection evasion credential_access
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

  Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service

evasion persistence
  Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user

evasion
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (4 calls recorded)

Queries the mobile country code (MCC)

discovery
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
  Framework service call: android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)

impact
  Framework API call: javax.crypto.Cipher.doFinal

Processes

com.nameown12

Network

As in behavioral1, only stiviyakezopahaxo.xyz (94.156.79.48, seven connections on 443/tcp) and kelebekleroyunuq.top (76.223.67.189, one) received a connection; the other .xyz names were resolved but never contacted. www.ip-api.com is a public IP geolocation service, and the google-analytics.com/google.com hostnames and the mDNS traffic are platform background.

Country | Destination          | Domain                             | Proto
N/A     | 224.0.0.251:5353     |                                    | udp
US      | 1.1.1.1:53           | ssl.google-analytics.com           | udp
GB      | 142.250.178.8:443    | ssl.google-analytics.com           | tcp
US      | 1.1.1.1:53           | www.ip-api.com                     | udp
US      | 1.1.1.1:53           | tisavorakumahozexe.xyz             | udp
US      | 208.95.112.1:80      | www.ip-api.com                     | tcp
US      | 1.1.1.1:53           | kelebekleroyunuq.top               | udp
US      | 1.1.1.1:53           | stiviyakezopahaxo.xyz              | udp
LT      | 94.156.79.48:443     | stiviyakezopahaxo.xyz              | tcp
US      | 76.223.67.189:443    | kelebekleroyunuq.top               | tcp
US      | 1.1.1.1:53           | lokusnivepasazsuxeko.xyz           | udp
US      | 1.1.1.1:53           | erdinclimarketxu.xyz               | udp
US      | 1.1.1.1:53           | nisvsorupazuxehome.xyz             | udp
LT      | 94.156.79.48:443     | stiviyakezopahaxo.xyz              | tcp
GB      | 142.250.200.46:443   |                                    | tcp
US      | 1.1.1.1:53           | android.apis.google.com            | udp
GB      | 142.250.178.14:443   | android.apis.google.com            | tcp
LT      | 94.156.79.48:443     | stiviyakezopahaxo.xyz              | tcp
LT      | 94.156.79.48:443     | stiviyakezopahaxo.xyz              | tcp
GB      | 142.250.187.228:443  |                                    | tcp
GB      | 142.250.187.228:443  |                                    | tcp
LT      | 94.156.79.48:443     | stiviyakezopahaxo.xyz              | tcp
LT      | 94.156.79.48:443     | stiviyakezopahaxo.xyz              | tcp
GB      | 216.58.213.14:443    |                                    | tcp
GB      | 142.250.178.2:443    |                                    | tcp
LT      | 94.156.79.48:443     | stiviyakezopahaxo.xyz              | tcp
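To turn the two network tables (behavioral1 and this run) into indicators, the useful split is between names that were merely resolved and destinations that actually received a connection, with platform background removed. The Python below is an added example, not sandbox tooling: its rows are copied from the behavioral1 table, and the choice of which suffixes count as platform noise (googleapis.com, google.com, google-analytics.com, gstatic.com) and the treatment of www.ip-api.com as a geolocation service are the editor's assumptions. Destinations that the sandbox never paired with a hostname are reported separately rather than attributed.

```python
"""Triage of sandbox network rows: separate platform noise from candidate C2,
count connections per destination, and list domains that were looked up but
never contacted. Added example; not the sandbox's own tooling."""
from collections import Counter

# Rows copied from the behavioral1 network table: country, destination, domain, proto.
# "-" stands for a flow the sandbox recorded without a hostname.
ROWS = """\
N/A 224.0.0.251:5353 - udp
GB 216.58.204.74:443 - tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 lokusnivepasazsuxeko.xyz udp
US 1.1.1.1:53 erdinclimarketxu.xyz udp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 kelebekleroyunuq.top udp
US 1.1.1.1:53 zekurapoymsivuheno.xyz udp
US 76.223.67.189:443 kelebekleroyunuq.top tcp
US 1.1.1.1:53 stiviyakezopahaxo.xyz udp
LT 94.156.79.48:443 stiviyakezopahaxo.xyz tcp
US 1.1.1.1:53 jekirvorsaapumahasxe.xyz udp
US 1.1.1.1:53 nisvsorupazuxehome.xyz udp
US 1.1.1.1:53 tisavorakumahozexe.xyz udp
LT 94.156.79.48:443 stiviyakezopahaxo.xyz tcp
GB 142.250.187.206:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
LT 94.156.79.48:443 stiviyakezopahaxo.xyz tcp
LT 94.156.79.48:443 stiviyakezopahaxo.xyz tcp
LT 94.156.79.48:443 stiviyakezopahaxo.xyz tcp
LT 94.156.79.48:443 stiviyakezopahaxo.xyz tcp
"""

# Editor's assumptions: hostnames that are sandbox/platform background, and the
# public geolocation service the sample queries over plain HTTP.
PLATFORM_SUFFIXES = (".googleapis.com", ".google.com", ".google-analytics.com", ".gstatic.com")
GEOIP_HOSTS = {"www.ip-api.com"}


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": None if domain == "-" else domain, "proto": proto})
    return rows


def classify(rows):
    queried = set()        # names sent to the resolver
    contacted = Counter()  # (domain, ip, port) -> connection count
    noise = Counter()
    unattributed = Counter()  # (ip, port) with no hostname in the capture
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            queried.add(r["domain"])
            continue
        if r["ip"].startswith(("224.", "239.")):
            noise["multicast"] += 1  # mDNS to 224.0.0.251:5353
            continue
        d = r["domain"]
        if d is None:
            unattributed[(r["ip"], r["port"])] += 1
        elif d.endswith(PLATFORM_SUFFIXES) or d in GEOIP_HOSTS:
            noise[d] += 1
        else:
            contacted[(d, r["ip"], r["port"])] += 1
    contacted_names = {k[0] for k in contacted}
    dns_only = sorted(n for n in queried
                      if n not in contacted_names
                      and not n.endswith(PLATFORM_SUFFIXES) and n not in GEOIP_HOSTS)
    return {"c2_candidates": dict(contacted), "dns_only": dns_only,
            "noise": dict(noise), "unattributed": dict(unattributed)}


def ioc_lines(result):
    """Render the verdict as plain indicator lines, busiest destination first."""
    out = []
    for (domain, ip, port), n in sorted(result["c2_candidates"].items(), key=lambda kv: -kv[1]):
        out.append(f"{domain} {ip}:{port} connections={n}")
    for name in result["dns_only"]:
        out.append(f"{name} (queried, no connection observed)")
    return out


if __name__ == "__main__":
    print("\n".join(ioc_lines(classify(parse_rows(ROWS)))))
```

Keeping the resolved-but-never-contacted names in the output matters for blocking: the sample carried them, so they are plausible fallback infrastructure even though this run never reached them.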

Files

kl.txt was again captured five times with changing contents; the capture with MD5 648b7ea2252966a313254221afb2daf2 is byte-identical to one from behavioral1. This run also wrote a hidden file, .qcom.nameown12, in the app's data directory.

/data/data/com.nameown12/kl.txt

MD5 37f20c3c601f1c60d8d2ead755748369
SHA1 9acbac40586865b954b2ddaeb84716436ed64b58
SHA256 89d0dd322fe3ef4502d19213988bb19d8e256e2137771806b493f9adb5bbd43b
SHA512 fc7c243881c37fc0b6729418882e2759ba4c155d063d262c26bc9dd0eb25cdfadafba62423cba3f0a7888eb715f4775b842cc8a18e0672a62b02de02b3c4bd32

/data/data/com.nameown12/kl.txt

MD5 e3f01a00f80d99e4ca80193881e1b576
SHA1 4b9abf40fb31e45c49f526f3591c78dabddcf16c
SHA256 bb5fbfe7ca80ee72025a95b97f832be3544af1f9e3dfabcd74027b8e473380e7
SHA512 ca39cecb88e6b234f949f21c593eb17d80c49ba73681f05c23ab2fe8b593b4fb8de423caa74acb0dad82381a3370b29e1abbaa6f007ebaea41741a35e7eb3348

/data/data/com.nameown12/kl.txt

MD5 648b7ea2252966a313254221afb2daf2
SHA1 9d9a6692ee32a754e6e546e7d8f96cc467923ae0
SHA256 ea29b1a54a7c39413c503dd08540f9f1a7aa4dcd74131ff68229723b81802939
SHA512 279d70c0221f9ff95ba268b632baa9eb677bb84ed92fe2604a04ad491a0b4ecf6edd6fca575f538f6a7304040cc2ad2c3a5d37db62cb218b79d920c0b77059a1

/data/data/com.nameown12/kl.txt

MD5 922beab0588d99a19c4e76c5d5505a9f
SHA1 bcd7d52cb2a1dab27a6723187006e95e112be239
SHA256 b97eea1a92471f9b4dedc4f6a555fadd9ce521cf4747ecdc21ca9b2172202db2
SHA512 4984d7b66a8e6de8ae7e265cc0f34d78fc826325e6e4db520d3bdf0aab7f46186ca34522eb21df944d060076c20da25e9e793c4919e5c093a1e8fb152f655652

/data/data/com.nameown12/kl.txt

MD5 d57ef4dc3e9177fff3eddb84516290ab
SHA1 e5d289363148ce7bf6f453e6908dddf59c9b95d8
SHA256 9d90b7385ab6e18361e234c7500b4e4622d113babdcaa0e74846b919833c680f
SHA512 aa3eb55aec024306412d1b192c305970a673c725c451e8b0d25c826bdc6e2cd4598d9e32f7f39f0f9e1d9857ddd15887d3740bf930807aef057dc09f6036734b

/data/data/com.nameown12/.qcom.nameown12

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c