Malware Analysis Report

2025-08-05 11:53

Sample ID 241015-1xw1nszanf
Target af5936c0c9bfcfcfa74a37bf23ba9f1edb2ca8b335897e274ce5f3af54394458.bin
SHA256 af5936c0c9bfcfcfa74a37bf23ba9f1edb2ca8b335897e274ce5f3af54394458
Tags octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256 af5936c0c9bfcfcfa74a37bf23ba9f1edb2ca8b335897e274ce5f3af54394458

Threat Level: Known bad

The file af5936c0c9bfcfcfa74a37bf23ba9f1edb2ca8b335897e274ce5f3af54394458.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Octo family

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Requests accessing notifications (often used to intercept notifications before users become aware)

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Requests disabling of battery optimizations (often used to enable hiding in the background)

Reads information about the phone network operator

Performs UI accessibility actions on behalf of the user

Requests modifying system settings

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (might try to encrypt user data)

Analysis: static1

Detonation Overview

Reported

2024-10-15 22:02

Signatures

Octo family

octo

Octo payload


Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-15 22:02

Reported

2024-10-15 22:04

Platform

android-x86-arm-20240910-en

Max time kernel

148s

Max time network

152s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Removes its main activity from the application launcher

stealth trojan evasion

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests accessing notifications (often used to intercept notifications before users become aware)

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background)

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.nameown12

Network

Country  Destination          Domain                              Proto
N/A      224.0.0.251:5353     N/A                                 udp
BG       45.88.88.100:7117    45.88.88.100                        tcp
US       1.1.1.1:53           www.ip-api.com                      udp
BG       45.88.88.100:7117    45.88.88.100                        tcp
US       208.95.112.1:80      www.ip-api.com                      tcp
US       1.1.1.1:53           semanticlocation-pa.googleapis.com  udp
GB       142.250.200.46:443   N/A                                 tcp
BG       45.88.88.100:7117    45.88.88.100                        tcp
BG       45.88.88.100:7117    45.88.88.100                        tcp
GB       142.250.200.46:443   N/A                                 tcp
GB       142.250.200.46:443   N/A                                 tcp
GB       142.250.200.46:443   N/A                                 tcp
US       1.1.1.1:53           android.apis.google.com             udp
BG       45.88.88.100:7117    45.88.88.100                        tcp
GB       216.58.204.78:443    android.apis.google.com             tcp
BG       45.88.88.100:7117    45.88.88.100                        tcp
GB       142.250.187.227:80   N/A                                 tcp
GB       142.250.179.228:443  N/A                                 tcp

Files

/data/data/com.nameown12/kl.txt

/data/data/com.nameown12/.qcom.nameown12

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-15 22:02

Reported

2024-10-15 22:05

Platform

android-33-x64-arm64-20240910-en

Max time kernel

149s

Max time network

158s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about the phone network operator

discovery

Requests accessing notifications (often used to intercept notifications before users become aware)

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background)

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Uses Crypto APIs (might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.nameown12

Network

Country  Destination          Domain                              Proto
N/A      224.0.0.251:5353     N/A                                 udp
BG       45.88.88.100:7117    45.88.88.100                        tcp
US       1.1.1.1:53           www.ip-api.com                      udp
BG       45.88.88.100:7117    45.88.88.100                        tcp
US       208.95.112.1:80      www.ip-api.com                      tcp
BG       45.88.88.100:7117    45.88.88.100                        tcp
BG       45.88.88.100:7117    45.88.88.100                        tcp
US       1.1.1.1:53           android.apis.google.com             udp
GB       216.58.204.78:443    android.apis.google.com             tcp
BG       45.88.88.100:7117    45.88.88.100                        tcp
US       1.1.1.1:53           rcs-acs-tmo-us.jibe.google.com      udp
US       1.1.1.1:53           remoteprovisioning.googleapis.com   udp
US       216.239.36.155:443   rcs-acs-tmo-us.jibe.google.com      tcp
GB       216.58.204.78:443    android.apis.google.com             udp
BG       45.88.88.100:7117    45.88.88.100                        tcp
GB       142.250.187.228:443  N/A                                 tcp
US       1.1.1.1:53           www.google.com                      udp
GB       142.250.180.4:443    www.google.com                      tcp
GB       142.250.180.4:443    www.google.com                      tcp
US       1.1.1.1:53           www.google.com                      udp
GB       142.250.187.196:443  www.google.com                      udp
US       1.1.1.1:53           www.google.com                      udp
GB       142.250.187.228:443  www.google.com                      tcp
BG       45.88.88.100:7117    45.88.88.100                        tcp
GB       142.250.187.198:80   N/A                                 tcp
GB       216.58.204.66:443    N/A                                 tcp
GB       216.58.204.66:443    N/A                                 tcp
GB       142.250.187.198:443  N/A                                 tcp
GB       172.217.16.226:443   N/A                                 tcp
GB       216.58.204.66:443    N/A                                 tcp
GB       216.58.201.97:443    N/A                                 tcp
GB       142.250.179.225:443  N/A                                 tcp
GB       142.250.179.225:443  N/A                                 tcp
GB       142.250.179.225:443  N/A                                 tcp
GB       142.250.179.225:443  N/A                                 tcp
GB       142.250.179.225:443  N/A                                 tcp
GB       142.250.187.202:443  remoteprovisioning.googleapis.com   tcp

Files

/data/user/0/com.nameown12/kl.txt

/data/user/0/com.nameown12/.qcom.nameown12