Malware Analysis Report

2024-09-09 13:49

Sample ID 240724-1w9kdazbqp
Target 80ac281799826357cc8e12b83c1720f29b7877224e6af24e61a106429907ad68.bin
SHA256 80ac281799826357cc8e12b83c1720f29b7877224e6af24e61a106429907ad68
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10


Analysis Overview

score
10/10

SHA256

80ac281799826357cc8e12b83c1720f29b7877224e6af24e61a106429907ad68

Threat Level: Known bad

The file 80ac281799826357cc8e12b83c1720f29b7877224e6af24e61a106429907ad68.bin was found to be: Known bad.

Malicious Activity Summary

Octo

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Makes use of the framework's foreground persistence service

Requests accessing notifications (often used to intercept notifications before users become aware).

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator.

Acquires the wake lock

Queries the unique device ID (IMEI, MEID, IMSI)

Requests modifying system settings.

Performs UI accessibility actions on behalf of the user

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-24 22:01

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-24 22:01

Reported

2024-07-24 22:07

Platform

android-x86-arm-20240624-en

Max time kernel

179s

Max time network

146s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.nameown12

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 tiviyakezopahaxo.xyz udp
US 1.1.1.1:53 www.ip-api.com udp
LT 94.156.79.74:443 tiviyakezopahaxo.xyz tcp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 tisavorakttumahozexe.xyz udp
US 1.1.1.1:53 tnisvsorupazuxehome.xyz udp
US 1.1.1.1:53 jtsekirvorsaapumahaxe.xyz udp
US 1.1.1.1:53 mubarekzamanala.xyz udp
LT 147.78.103.52:443 mubarekzamanala.xyz tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
LT 94.156.79.74:443 tiviyakezopahaxo.xyz tcp
LT 94.156.79.74:443 tiviyakezopahaxo.xyz tcp
LT 94.156.79.74:443 tiviyakezopahaxo.xyz tcp
LT 94.156.79.74:443 tiviyakezopahaxo.xyz tcp
US 1.1.1.1:53 loksusnivepasazuxeko.xyz udp
US 1.1.1.1:53 erdinclimarxketxu.xyz udp
LT 94.156.79.74:443 erdinclimarxketxu.xyz tcp
LT 94.156.79.74:443 erdinclimarxketxu.xyz tcp
US 1.1.1.1:53 erdinclimarxketxu.xyz udp
LT 94.156.79.74:443 erdinclimarxketxu.xyz tcp

Files

/data/data/com.nameown12/kl.txt

/data/data/com.nameown12/kl.txt

/data/data/com.nameown12/kl.txt

/data/data/com.nameown12/kl.txt

/data/data/com.nameown12/kl.txt

/data/data/com.nameown12/.qcom.nameown12

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-24 22:01

Reported

2024-07-24 22:07

Platform

android-x64-arm64-20240624-en

Max time kernel

179s

Max time network

145s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.nameown12

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.179.238:443 tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 tiviyakezopahaxo.xyz udp
LT 94.156.79.74:443 tiviyakezopahaxo.xyz tcp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 tisavorakttumahozexe.xyz udp
US 1.1.1.1:53 jtsekirvorsaapumahaxe.xyz udp
US 1.1.1.1:53 tnisvsorupazuxehome.xyz udp
US 1.1.1.1:53 erdinclimarxketxu.xyz udp
LT 94.156.79.74:443 erdinclimarxketxu.xyz tcp
LT 94.156.79.74:443 erdinclimarxketxu.xyz tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
LT 94.156.79.74:443 erdinclimarxketxu.xyz tcp
LT 94.156.79.74:443 erdinclimarxketxu.xyz tcp
US 1.1.1.1:53 erdinclimarxketxu.xyz udp
LT 94.156.79.74:443 erdinclimarxketxu.xyz tcp
US 1.1.1.1:53 erdinclimarxketxu.xyz udp
LT 94.156.79.74:443 erdinclimarxketxu.xyz tcp

Files

/data/data/com.nameown12/kl.txt

/data/data/com.nameown12/kl.txt

/data/data/com.nameown12/kl.txt

/data/data/com.nameown12/kl.txt

/data/data/com.nameown12/kl.txt

/data/data/com.nameown12/.qcom.nameown12