Malware Analysis Report

2024-12-01 03:00

Sample ID 241107-1xcxssylh1
Target c7366dd0111a5e946e3acf74a2a59479d8d8119eb6253a6b93fdd4dc1594fd11.bin
SHA256 c7366dd0111a5e946e3acf74a2a59479d8d8119eb6253a6b93fdd4dc1594fd11
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth
score
10/10

Analysis Overview

score
10/10

SHA256

c7366dd0111a5e946e3acf74a2a59479d8d8119eb6253a6b93fdd4dc1594fd11

Threat Level: Known bad

The file c7366dd0111a5e946e3acf74a2a59479d8d8119eb6253a6b93fdd4dc1594fd11.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth

Octo

Octo payload

Octo family

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Declares broadcast receivers with permission to handle system events

Requests modifying system settings.

Queries the unique device ID (IMEI, MEID, IMSI)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Requests accessing notifications (often used to intercept notifications before users become aware).

Declares services with permission to bind to the system

Requests dangerous framework permissions

Reads information about phone network operator.

Acquires the wake lock

Performs UI accessibility actions on behalf of the user

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 22:01

Signatures

Octo family

octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 22:01

Reported

2024-11-07 22:04

Platform

android-x64-arm64-20240624-en

Max time kernel

148s

Max time network

148s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.nameown12

Network

Country Destination Domain Proto
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
BG 45.88.88.100:7117 45.88.88.100 tcp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
BG 45.88.88.100:7117 45.88.88.100 tcp
BG 45.88.88.100:7117 45.88.88.100 tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
BG 45.88.88.100:7117 45.88.88.100 tcp
BG 45.88.88.100:7117 45.88.88.100 tcp
BG 45.88.88.100:7117 45.88.88.100 tcp
BG 45.88.88.100:7117 45.88.88.100 tcp

Files

/data/user/0/com.nameown12/kl.txt

/data/user/0/com.nameown12/.qcom.nameown12

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 22:01

Reported

2024-11-07 22:03

Platform

android-x86-arm-20240910-en

Max time kernel

148s

Max time network

151s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.nameown12

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.178.14:443 tcp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
BG 45.88.88.100:7117 45.88.88.100 tcp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
BG 45.88.88.100:7117 45.88.88.100 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
BG 45.88.88.100:7117 45.88.88.100 tcp
BG 45.88.88.100:7117 45.88.88.100 tcp
BG 45.88.88.100:7117 45.88.88.100 tcp
BG 45.88.88.100:7117 45.88.88.100 tcp
GB 142.250.187.202:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.200.2:443 tcp
GB 172.217.169.74:443 semanticlocation-pa.googleapis.com tcp

Files

/data/data/com.nameown12/kl.txt

/data/data/com.nameown12/.qcom.nameown12