Malware Analysis Report

2025-08-05 11:54

Sample ID 241015-1y1p9atemp
Target a316406c294ed2ebc989bf3f306a66cce0f7ff738bba6430966bc03d715d284e.bin
SHA256 a316406c294ed2ebc989bf3f306a66cce0f7ff738bba6430966bc03d715d284e
Tags octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 a316406c294ed2ebc989bf3f306a66cce0f7ff738bba6430966bc03d715d284e

Threat Level: Known bad

The file a316406c294ed2ebc989bf3f306a66cce0f7ff738bba6430966bc03d715d284e.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Octo family

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Requests modifying system settings.

Queries the unique device ID (IMEI, MEID, IMSI)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Reads information about the phone network operator.

Performs UI accessibility actions on behalf of the user

Declares broadcast receivers with permission to handle system events

Makes use of the framework's foreground persistence service

Requests accessing notifications (often used to intercept notifications before users become aware).

Queries the mobile country code (MCC)

Acquires the wake lock

Declares services with permission to bind to the system

Requests dangerous framework permissions

Uses Crypto APIs (might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-15 22:04

Signatures

Octo family

octo

Octo payload


Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-15 22:04

Reported

2024-10-15 22:07

Platform

android-x86-arm-20240910-en

Max time kernel

148s

Max time network

152s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Removes its main activity from the application launcher

stealth trojan evasion

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about the phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nameown12

Network

Country | Destination | Domain | Proto
GB | 216.58.201.110:443 | | tcp
GB | 216.58.201.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
N/A | 224.0.0.251:5353 | | udp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
GB | 216.58.204.68:80 | | tcp
GB | 216.58.204.68:443 | | tcp
GB | 142.250.200.35:80 | | tcp
GB | 142.250.180.10:443 | semanticlocation-pa.googleapis.com | tcp
GB | 216.58.201.98:443 | | tcp

Files

/data/data/com.nameown12/kl.txt
/data/data/com.nameown12/.qcom.nameown12

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-15 22:04

Reported

2024-10-15 22:06

Platform

android-33-x64-arm64-20240910-en

Max time kernel

148s

Max time network

150s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about the phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nameown12

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
US | 1.1.1.1:53 | www.ip-api.com | udp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
US | 208.95.112.1:80 | www.ip-api.com | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp
US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
GB | 142.250.187.234:443 | remoteprovisioning.googleapis.com | tcp
GB | 172.217.169.42:443 | remoteprovisioning.googleapis.com | tcp
GB | 142.250.187.206:443 | android.apis.google.com | udp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.187.196:443 | www.google.com | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.212.228:443 | www.google.com | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
GB | 142.250.200.38:80 | | tcp
GB | 142.250.179.226:443 | | tcp
GB | 142.250.200.38:443 | | tcp
GB | 142.250.200.34:443 | | tcp
GB | 142.250.179.226:443 | | tcp
GB | 142.250.179.226:443 | | tcp
GB | 142.250.187.193:443 | | tcp
GB | 216.58.201.97:443 | | tcp
GB | 142.250.187.193:443 | | tcp
GB | 142.250.187.193:443 | | tcp
GB | 142.250.187.193:443 | | tcp
GB | 142.250.187.193:443 | | tcp

Files

/data/user/0/com.nameown12/kl.txt
/data/user/0/com.nameown12/.qcom.nameown12