Malware Analysis Report

2024-10-19 12:59

Sample ID 240826-1yfp3sxfqd
Target 5edbec00871d7fcd81a1b918c4ad5e209f35a12b8940285138b3828a8b6fa5ab.bin
SHA256 5edbec00871d7fcd81a1b918c4ad5e209f35a12b8940285138b3828a8b6fa5ab
Tags: octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

5edbec00871d7fcd81a1b918c4ad5e209f35a12b8940285138b3828a8b6fa5ab

Threat Level: Known bad

The file 5edbec00871d7fcd81a1b918c4ad5e209f35a12b8940285138b3828a8b6fa5ab.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Declares broadcast receivers with permission to handle system events

Requests modifying system settings.

Requests accessing notifications (often used to intercept notifications before users become aware).

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Acquires the wake lock

Makes use of the framework's foreground persistence service

Reads information about phone network operator.

Performs UI accessibility actions on behalf of the user

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-26 22:03

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-26 22:03

Reported

2024-08-26 22:07

Platform

android-x86-arm-20240624-en

Max time kernel

171s

Max time network

139s

Command Line

com.nocomplete9

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.nocomplete9/cache/nnqqlurqai | N/A | N/A
N/A | /data/user/0/com.nocomplete9/cache/nnqqlurqai | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nocomplete9

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.180.10:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.169.68:443 | www.google.com | tcp
US | 1.1.1.1:53 | sicakdanbeynimyandii2.com | udp
US | 1.1.1.1:53 | cehennemdirloo34.com | udp
US | 1.1.1.1:53 | selamcanoonaber.site | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | otururkenterliyorum42.com | udp
US | 1.1.1.1:53 | havacerinlii34.com | udp
US | 1.1.1.1:53 | sicaklarbittikurtldk6215.com | udp
US | 1.1.1.1:53 | slmla6242nbr.com | udp
US | 74.119.239.234:443 | otururkenterliyorum42.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
US | 1.1.1.1:53 | robetcotraslros5234.com | udp
US | 1.1.1.1:53 | hava540derece.com | udp
US | 74.119.239.234:443 | hava540derece.com | tcp
US | 1.1.1.1:53 | pikniktupu2534.com | udp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp

Files

/data/data/com.nocomplete9/cache/nnqqlurqai

MD5 72b7960d9feae4cd2f8714657411dd44
SHA1 5ab3648733ad74eeabf4022cfaf8ad09d8ff33db
SHA256 e1f5268e8b932c829e9d39e5c4feb15de04a23e19a1f853e80f3f9b18df533dd
SHA512 339d3c2a6ae1d14b4127550db81330f0fa425699124580d9852e98b6c391ddba69e726899189bc089977814d4f17ca8ed00cce5ff6016311f3a3ae3182de1c9b

/data/data/com.nocomplete9/kl.txt

MD5 6062d4b7a1635f131535c80f9090f502
SHA1 6be6cfd82dad727ad067ab3cfa02b498236bda59
SHA256 f1bda9b0d679eff18e4a42e00d4c23224f914d2704feb1f1bdff4a1b42a783ce
SHA512 87d9923cf7dd21205cf56e8e13b0906705d7de494af391ab20e6f43fdfb30334a645e06cf612b74217323b89c143423c9b9cff18d5bb734829a8cc27634fd688

/data/data/com.nocomplete9/kl.txt

MD5 7f70a158bc0a6d97a61ba6d9f688d894
SHA1 0269fd4a33e2399ef8cb904c319d1c2e0105c784
SHA256 f91b7edaf5430cbf0fa2c43c08c38b108709d5382c9c7918b700e4c8208509ae
SHA512 f72e0c688b9edb29561d678f3374a9715ab93197b4be71bef66c9b146ac0ae57e0725aa95956e7b5fa75a070a4f81d266211ae267ec62e6ce1ae0a474b4a511e

/data/data/com.nocomplete9/kl.txt

MD5 fdcb2495a11c684a89e9e3fca410d170
SHA1 0c2d742db52885c0c1228599ceaaa76b2a3fc6d9
SHA256 a7b03642fb96d00b24b65cbb22e813406e8e4f9c48fa82c515f3510c34dbde09
SHA512 5cb3cdd8eb9a480f45e91d50012973a1ce3ba4dc5b66f6d601c9d0f6ef1b47c85d0e18a2ef09c60963cf627ac27ec1dff71d555e6dafd2e8272dea185e880239

/data/data/com.nocomplete9/kl.txt

MD5 f8aa7c5797b1f587515273c56ce9a252
SHA1 dc03ff4a8c49185e4997e2adad8efe26b1cfeb0f
SHA256 be2ebd8d6bc004e486f99eb33a7f8dbfaca133418c9842b5258dcc783df4465f
SHA512 92d8e1094d9a110228c57f112b42556dbc7ad133df9267a5cafb68386896fb0940274afd46d460da0bc2f2db838821ec208af746e05bd7ed14b62b4737a1563e

/data/data/com.nocomplete9/kl.txt

MD5 cadd4e9f73288f72ea1a5fb82e7e46a0
SHA1 b0f25c11b281d401f5274291c76f11c993408a7e
SHA256 c0052d73f718f7117d6b3b2d52804eacf7e207cefd90d15b61fdb4839cba386d
SHA512 408c0f4108b6bd52de5f06b3b3589e6e480dbb7b6be664d120b88b4361fb4a0ab96ec06acd8e88f2c8fffe35b9ab14b1832f3866156520d000378b98bb84c10e

/data/data/com.nocomplete9/cache/oat/nnqqlurqai.cur.prof

MD5 a8ae52a7909cc95b974ef2c27bd628f9
SHA1 6d8072fd69c7863e5615939bd4a4b4bdda713e5f
SHA256 f74bd1e137c8dca67593d2783fc7e877945c3e5136ce447c1837f524b59c8480
SHA512 8f1e49f8a60f5f0b0227a11bed66d854bf5869a2189af6b455fd50924fa3afd1777006692281313f608e7a91ada6c9b3e20e42f5a33fd045fca54cdffd5d7253

/data/data/com.nocomplete9/.qcom.nocomplete9

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-26 22:03

Reported

2024-08-26 22:07

Platform

android-x64-arm64-20240624-en

Max time kernel

179s

Max time network

185s

Command Line

com.nocomplete9

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.nocomplete9/cache/nnqqlurqai | N/A | N/A
N/A | /data/user/0/com.nocomplete9/cache/nnqqlurqai | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nocomplete9

Network

Country | Destination | Domain | Proto
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 1.1.1.1:53 | sicaktanbayilcam52.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | selamcanoonaber.site | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | sicakdanbeynimyandii2.com | udp
US | 1.1.1.1:53 | otururkenterliyorum42.com | udp
US | 1.1.1.1:53 | havasarinliyorla234.com | udp
US | 74.119.239.234:443 | otururkenterliyorum42.com | tcp
US | 74.119.239.234:443 | otururkenterliyorum42.com | tcp
US | 1.1.1.1:53 | havacerinlii34.com | udp
US | 1.1.1.1:53 | sicaklarbittikurtldk6215.com | udp
US | 1.1.1.1:53 | robetcotraslros5234.com | udp
US | 1.1.1.1:53 | hava540derece.com | udp
US | 74.119.239.234:443 | hava540derece.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
US | 1.1.1.1:53 | cehennemdirloo34.com | udp
US | 74.119.239.234:443 | hava540derece.com | tcp
US | 74.119.239.234:443 | hava540derece.com | tcp
US | 1.1.1.1:53 | slmla6242nbr.com | udp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
US | 74.119.239.234:443 | hava540derece.com | tcp
US | 74.119.239.234:443 | hava540derece.com | tcp
US | 74.119.239.234:443 | hava540derece.com | tcp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp
US | 1.1.1.1:53 | pikniktupu2534.com | udp
RU | 193.143.1.24:443 | slmla6242nbr.com | tcp

Files

/data/data/com.nocomplete9/cache/nnqqlurqai

MD5 72b7960d9feae4cd2f8714657411dd44
SHA1 5ab3648733ad74eeabf4022cfaf8ad09d8ff33db
SHA256 e1f5268e8b932c829e9d39e5c4feb15de04a23e19a1f853e80f3f9b18df533dd
SHA512 339d3c2a6ae1d14b4127550db81330f0fa425699124580d9852e98b6c391ddba69e726899189bc089977814d4f17ca8ed00cce5ff6016311f3a3ae3182de1c9b

/data/data/com.nocomplete9/cache/oat/nnqqlurqai.cur.prof

MD5 dff12a998901d18bc1effd644f5dafb0
SHA1 65515bc8249782fab19c004ffb7b7a4827286fbc
SHA256 a1de04cb4216a0a60794838db2220f8d86818465c8abed5f04016ca2e199f933
SHA512 cb1933b015ad3474e41947b84f7f22ca7b01d6f57449a49c7d297ad8d2847288d0129002d4340e6cc7a4785ca809413ed072eb79a1a4cf1a221a5bb5d644a969

/data/data/com.nocomplete9/.qcom.nocomplete9

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c