Malware Analysis Report

2024-11-13 17:37

Sample ID 241109-2nq9hatfqf
Target ccc1186dcb7baf0bd0091b38b69c033cee59b10958722ecf0862a020102b83da.bin
SHA256 ccc1186dcb7baf0bd0091b38b69c033cee59b10958722ecf0862a020102b83da
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ccc1186dcb7baf0bd0091b38b69c033cee59b10958722ecf0862a020102b83da

Threat Level: Known bad

The file ccc1186dcb7baf0bd0091b38b69c033cee59b10958722ecf0862a020102b83da.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo family

Octo payload

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's foreground persistence service

Queries the unique device ID (IMEI, MEID, IMSI)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Acquires the wake lock

Queries the mobile country code (MCC)

Requests modifying system settings.

Performs UI accessibility actions on behalf of the user

Reads information about phone network operator.

Requests accessing notifications (often used to intercept notifications before users become aware).

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 22:43

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows applications to use exact alarm APIs. | android.permission.SCHEDULE_EXACT_ALARM | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
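Taken together, the static declarations above are the usual banker set: a service bound with BIND_ACCESSIBILITY_SERVICE (UI automation and overlay placement), a notification listener plus RECEIVE_SMS/READ_SMS (one-time codes), and a device admin receiver (harder to uninstall). The Python below is an added example, not code from this report or from the sandbox, that flags that combination in a decoded AndroidManifest.xml. The manifest it parses is constructed from the permissions listed above; the component class names in it are placeholders, since the report does not reproduce the sample's real manifest, and the capability buckets are the author's own heuristic.

```python
"""Flag the permission/bind-service combination typical of Android bankers.
Added example; SAMPLE_MANIFEST is constructed from the static1 section of
this report (component names are placeholders), not dumped from the APK."""
import xml.etree.ElementTree as ET

ANDROID = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID
A_PERMISSION = "{%s}permission" % ANDROID

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.nounsentence67">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.SCHEDULE_EXACT_ALARM"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# Capability buckets for the heuristic below (an assumption; tune them against
# your own baseline of benign apps).
CAPABILITIES = {
    "ui_control":   {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "notif_read":   {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "sms":          {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                     "android.permission.SEND_SMS"},
    "device_admin": {"android.permission.BIND_DEVICE_ADMIN"},
    "telephony":    {"android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE"},
    "settings":     {"android.permission.WRITE_SETTINGS"},
}

def collect(manifest_xml):
    """Return (requested permissions, {component name: bind permission})."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(A_NAME) for e in root.iter("uses-permission")}
    bound = {}
    for tag in ("service", "receiver"):
        for e in root.iter(tag):
            if e.get(A_PERMISSION):
                bound[e.get(A_NAME)] = e.get(A_PERMISSION)
    return requested, bound

def triage(manifest_xml):
    requested, bound = collect(manifest_xml)
    present = requested | set(bound.values())
    caps = {c for c, perms in CAPABILITIES.items() if perms & present}
    # Heuristic: an accessibility service together with a way to read OTPs
    # (notification listener or SMS) is the overlay + code-theft combination.
    otp_paths = {"notif_read", "sms"} & caps
    if "ui_control" in caps and otp_paths:
        verdict = "banker-like"
    elif "ui_control" in caps or otp_paths:
        verdict = "review"
    else:
        verdict = "ok"
    return {"capabilities": sorted(caps), "bound": bound, "verdict": verdict}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MANIFEST), indent=2))
```

The parser expects the manifest in text form; the binary AXML inside an APK has to be decoded first (apktool or androguard do this). Treat "banker-like" as a review flag rather than a verdict: password managers and screen readers legitimately bind an accessibility service, and the runtime behaviour in the sections below is what turns the flag into a conviction.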

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 22:43

Reported

2024-11-09 22:46

Platform

android-x86-arm-20240624-en

Max time kernel

145s

Max time network

138s

Command Line

com.nounsentence67

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.nounsentence67/cache/lznbxh | N/A | N/A
N/A | /data/user/0/com.nounsentence67/cache/lznbxh | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nounsentence67

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | malkafaniskm.com | udp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
US | 1.1.1.1:53 | fukiyibartiyom2.com | udp
US | 1.1.1.1:53 | mal1fukizmirli.com | udp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp

Files

/data/data/com.nounsentence67/cache/lznbxh

MD5 dee8b7e73f2bdff5df197e532640e06f
SHA1 a0f0b4478ba85069f0aa214f6af40811eee4e2fa
SHA256 6c70e3ee36f04c0e0620e598d86653a7504ca8df5428cad2ebbc9041c0a0d1f5
SHA512 471e78b00eb2ca934438cc428aa31f390cabc8b4289024dd8b74d4bc0bc19dfffb1d9c529c7a3fc9dc6544bc2538f76ad4df4bbd1dfedfeffee0b8454ba2a604

/data/data/com.nounsentence67/kl.txt

MD5 8d043de1cc0dd69a479e0239846f67d8
SHA1 56b6f2b21305e7a88182dfcc58af602ce429397a
SHA256 e31e0770e823504876d56e00ac6f4168b34885cba03fb84e2b0c0fb73e3d0e34
SHA512 3b6c2c5892e46e02d1f5df7584087f1f40e38f8892331d3df1f8827b61e52c29e4eb1745c5b6429ebb984411c88d4afe58ae6446d0fbc3bbf66d415f1fae99bf

/data/data/com.nounsentence67/kl.txt

MD5 e7bd983480cb578d97cfcb988f086ff1
SHA1 b8e6727e8461db4d6d0ca49061749119232f20c6
SHA256 6fc340f3ecd4da1e95ca705412dfeebe0a453d17657427ec38c11b4d2d04b5df
SHA512 bc023425a99d4f8fe60fa85ad917e98d9d7f37d9b9e5d70e7b78b2cd6bdf495b00913786c5ee8d3f132b318ac620d56a238df0d44896174b861af7f73fb84dff

/data/data/com.nounsentence67/kl.txt

MD5 96e38ac3f039ca0938ed4afca7fc8bea
SHA1 7a22d0ab5960f9e7615ff7c2b3a10c200421c95e
SHA256 908d3f8d0d1d1f11db56549bf8765c84cfc4bd613c4ad8ec2980979ba901b5e5
SHA512 dc69920f5d8bc72308112f456316adeeb8a4e85e9d302f3e3101400236f25982f29c6a3450e92ac376716a7e80479efa74752528de3071d18cc911c844d42140

/data/data/com.nounsentence67/kl.txt

MD5 53187bfddf224036efc3352342dcb7e9
SHA1 53b15e4b8bbce41c46dada4ae3c6f0ae026aecba
SHA256 5d31bda1d3120e2dd1a1d2bef2617a1d22bbac13b700ebf64652ac578277bc3e
SHA512 7d6673ef2058f786c0331c71b70d008bc2889998a63aa2f299082a5aa0416b8caba12465ac96a77dd43f43260983513de8d2f8813e47c324ce3a1659e7b77cb4

/data/data/com.nounsentence67/kl.txt

MD5 74be90bc63d7c503207dc9f5dfe2c32b
SHA1 a0324dfb1e34564f3c24c43202ced7b2da4f68bf
SHA256 273e854bc97afef580b07267051ca4b60d2185456c0530c82ac1cee964aa1a4c
SHA512 826bfffff5a781f8fb96e1586a8d4a3becab2c89280cf18ae8ee5704b6cda6f722a7717e3ebfdcbf3414e3a1376bf6509645927c36b31e914e4f236b6e18dede

/data/data/com.nounsentence67/cache/oat/lznbxh.cur.prof

MD5 d385c7eae9f1df2df8fc2c22252ee1be
SHA1 04ff7ceaa2be2fac690d922a236ac137beb9f07e
SHA256 40ac5fce1cbc0dc79b9e87f0e09bd9f74110ca371559785cd0dbf1d50dacf3e3
SHA512 32f421d03a9a94462527f0131ef16519d4b15d6e38ba9a3a02afca27b183206585c616de843e4c2d05026441cf512e3c2e556417dcb96e8d5e71b22bf03a1938

/data/data/com.nounsentence67/.qcom.nounsentence67

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 22:43

Reported

2024-11-09 22:46

Platform

android-x64-arm64-20240624-en

Max time kernel

140s

Max time network

148s

Command Line

com.nounsentence67

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.nounsentence67/cache/lznbxh | N/A | N/A
N/A | /data/user/0/com.nounsentence67/cache/lznbxh | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nounsentence67

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | fukiyibartiyom2.com | udp
US | 1.1.1.1:53 | oyunbaimlisi35.com | udp
US | 1.1.1.1:53 | malkafali222.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 1.1.1.1:53 | mal1fukizmirli.com | udp
GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | malkafaniskm.com | udp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
RU | 193.143.1.4:443 | malkafaniskm.com | tcp
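The Network tables of both behavioral runs mix three things a triage analyst wants kept apart: names the sample looked up and then opened a session to (malkafaniskm.com, reached at 193.143.1.4:443 in both runs), names it only queried (fukiyibartiyom2.com, mal1fukizmirli.com, and in this run also oyunbaimlisi35.com and malkafali222.com), and TCP connections the table does not attribute to any name. The Python below is an added example, not part of this report or of the sandbox that produced it; it splits the table that way. The embedded rows are copied from the behavioral2 table above (the behavioral1 table has the same shape and can be fed in unchanged), and the allowlist of Google suffixes is an assumption about emulator background traffic, not a finding of the report.

```python
"""Split a sandbox network table into contacted C2 candidates, names that were
only looked up, and TCP connections the table does not attribute to a name.
Added example; NETWORK_TABLE is copied from the behavioral2 Network section
of this report and the allowlist is an assumption about emulator noise."""
from collections import Counter, defaultdict

NETWORK_TABLE = """\
Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 fukiyibartiyom2.com udp
US 1.1.1.1:53 oyunbaimlisi35.com udp
US 1.1.1.1:53 malkafali222.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 mal1fukizmirli.com udp
GB 216.58.212.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 malkafaniskm.com udp
RU 193.143.1.4:443 malkafaniskm.com tcp
RU 193.143.1.4:443 malkafaniskm.com tcp
RU 193.143.1.4:443 malkafaniskm.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
RU 193.143.1.4:443 malkafaniskm.com tcp
RU 193.143.1.4:443 malkafaniskm.com tcp
RU 193.143.1.4:443 malkafaniskm.com tcp
RU 193.143.1.4:443 malkafaniskm.com tcp
"""

# Assumed emulator / Play Services background traffic; adjust for your lab image.
ALLOWLIST_SUFFIXES = ("google.com", "googleapis.com", "google-analytics.com")

def parse_rows(table):
    """Accept the raw space-separated rows (domain column optional) or a
    pipe-delimited rendering of the same table. Header lines are skipped."""
    rows = []
    for line in table.splitlines():
        if "|" in line:
            cells = [c.strip() for c in line.split("|")]
            if len(cells) != 4:
                continue
            country, dest, domain, proto = cells
        else:
            parts = line.split()
            if len(parts) == 4:
                country, dest, domain, proto = parts
            elif len(parts) == 3:
                (country, dest, proto), domain = parts, ""
            else:
                continue
        host, sep, port = dest.rpartition(":")
        if not sep or not port.isdigit():
            continue  # header row or malformed destination
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain or None, "proto": proto.lower()})
    return rows

def is_allowlisted(domain):
    return any(domain == s or domain.endswith("." + s) for s in ALLOWLIST_SUFFIXES)

def classify(table):
    queried, contacted, unnamed = set(), defaultdict(Counter), Counter()
    for r in parse_rows(table):
        d = r["domain"]
        endpoint = "%s:%d" % (r["ip"], r["port"])
        if d is None:
            if r["proto"] == "tcp":
                unnamed[endpoint] += 1   # no DNS name recorded; attribute offline
            continue
        if is_allowlisted(d):
            continue
        if r["port"] == 53:
            queried.add(d)               # a lookup, not proof of contact
        elif r["proto"] == "tcp":
            contacted[d][endpoint] += 1  # name resolved and a session followed
    return {
        "contacted": {d: dict(c) for d, c in contacted.items()},
        "queried_only": sorted(queried - set(contacted)),
        "unnamed_tcp": dict(unnamed),
    }

if __name__ == "__main__":
    import json
    print(json.dumps(classify(NETWORK_TABLE), indent=2))
```

Two caveats on reading the output. A name in "queried_only" may be a fallback the sample never needed, or one that did not resolve; the table alone does not say which, so block both sets but only treat "contacted" entries as confirmed C2. The unnamed 142.250.x connections are not attributed to a hostname by this table; a reverse lookup or the TLS SNI in the capture is what would tie them to Google, not the allowlist here.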

Files

/data/data/com.nounsentence67/cache/lznbxh

MD5 dee8b7e73f2bdff5df197e532640e06f
SHA1 a0f0b4478ba85069f0aa214f6af40811eee4e2fa
SHA256 6c70e3ee36f04c0e0620e598d86653a7504ca8df5428cad2ebbc9041c0a0d1f5
SHA512 471e78b00eb2ca934438cc428aa31f390cabc8b4289024dd8b74d4bc0bc19dfffb1d9c529c7a3fc9dc6544bc2538f76ad4df4bbd1dfedfeffee0b8454ba2a604

/data/data/com.nounsentence67/kl.txt

MD5 48cda99363d24ff2accbc22117f54e5f
SHA1 4bad51f11428d2bf52b4272a275f8879202d7eac
SHA256 9457da6d4cf67ddc643e5700ee14eccfa5932998ac42465bc6e913d0fad6b26e
SHA512 8fe845acb080040be9d8516859512032efd811201b4219c0a2759a367533c3a81f58f901a981b5b1d4e90cdf2045b04681976100dda71df1d401ed585fc39d71

/data/data/com.nounsentence67/kl.txt

MD5 cd281756cb642f3b08742964da94e122
SHA1 a1deb553c193aa026b310148b1d3b5f5bd3249ad
SHA256 7c5bb3e92bc01a500a2d7c709eef4bbc237fee9e9984c375055a61fb597f0080
SHA512 9af624d6f458abc1a54c38d7eca9161dc151bb84108291d07db0e9a4400ab5da4cb84a0351e52edab2d21156ffddfac3f3d0345533e2a3c07fd1eb9b883df65d

/data/data/com.nounsentence67/kl.txt

MD5 e326cb2772707f4750dbec59003608ec
SHA1 583c0d206b3f3dcc9c44fd54276c3bb721ebc45e
SHA256 03152e44b18fc90dba41c089c2877bc6b28595944e898357b10cb24a887ae0b0
SHA512 b6d5f522c3f08d3078e037cdca4f693015f05f4f951b0da98caf48583429c2caf81e41c081c2163fa262a7e1ad13718cfbba958b256930aa42716890deb64849

/data/data/com.nounsentence67/kl.txt

MD5 5dfbb930791049e7da2a672d64dd85f2
SHA1 1f504ead0a10f3c517736677c4e2f2186bb81f07
SHA256 feb7e8a914ef3e12c3add22ce1d82e7487e9cde4f8564ed21b44c67e17727353
SHA512 4d4075fa7ba74ce54be0cb70c47c8fd47ba2ef6e2b4ec540dd1f517c822fee76d8dcd1a45f708ab5c08c1bd946e24505bfa1739bb34836576e6eeedb48e8730a

/data/data/com.nounsentence67/kl.txt

MD5 f55abf187a49d2c56e35ba114975389e
SHA1 4f6a5c328900d6683f5ad5becbb5089d68864770
SHA256 701c9f20ce150143f8e735946226b51f00f0e386e160352f52591e9b00c8bda7
SHA512 60ed70b04d69a7fd5e3b2e3617e974443245248d0f5f198310e5642a6d755c33b1f85970cdf782fef9f26ea35102839010b53a4e4b073a37242808a971e291c6

/data/data/com.nounsentence67/cache/oat/lznbxh.cur.prof

MD5 8a21a4287b225b017f0a23fd4e0e02ae
SHA1 7371b1a3c8ba51d5379d8ecdcbcd396f6a622f51
SHA256 e74959b2494832f73a354cae616264e2a437e4e9e33163d5522932841935b391
SHA512 f12dc231b91af91cfceb7fd18543d196ade64bdd550b2196d511916397882d88fbb92fc200922601d5b72603cea3f7b3963103e0fed5041a964302506f2ab70c

/data/data/com.nounsentence67/.qcom.nounsentence67

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c
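The file listings in both runs tell the same story: an extensionless file lznbxh is written to the app's cache directory and loaded as code (the "Loads dropped Dex/Jar" signature names it under /data/user/0/, which is the same directory as /data/data/), the lznbxh.cur.prof entry under cache/oat/ is the runtime's profile for that file, consistent with it having been executed, and kl.txt appears five times with different hashes, so it was rewritten during the run. The dropped file's SHA-256 (6c70e3ee...d1f5) is identical across both runs. The Python below is an added example, not code from this report, for checking a pulled app-data tree for the same artefacts: it identifies Dalvik code by magic bytes rather than file name and compares hashes with the report. The directory it scans is constructed in a temporary folder with synthetic content (only the DEX header magic is real), so the hash deliberately does not match and the miss is reported as such.

```python
"""Find dropped DEX/JAR payloads under a pulled app-data directory and compare
their hashes with the ones in this report. Added example; the fixture
directory is constructed here with synthetic content (only the DEX magic is
real), so its hash will not match the report and the miss is reported."""
import hashlib
import os
import tempfile

DEX_MAGIC = b"dex\n"        # followed by a 3-digit version and NUL, e.g. dex\n035\0
ODEX_MAGIC = b"dey\n"
ZIP_MAGIC = b"PK\x03\x04"   # a JAR/APK wrapping classes.dex

# SHA-256 from the Files section (identical in behavioral1 and behavioral2).
KNOWN_SHA256 = {
    "6c70e3ee36f04c0e0620e598d86653a7504ca8df5428cad2ebbc9041c0a0d1f5":
        "cache/lznbxh, the DEX loaded at runtime",
}

def sniff(path):
    """Classify by magic bytes, not by name: the dropped payload here has no
    extension at all."""
    with open(path, "rb") as f:
        head = f.read(8)
    if head.startswith(DEX_MAGIC):
        return "dex"
    if head.startswith(ODEX_MAGIC):
        return "odex"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    return None

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def scan(root):
    """Walk an app-data tree; return every file that looks like Dalvik code
    with its hash and the report entry it matches, if any."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            kind = sniff(path)
            if kind is None:
                continue
            digest = sha256_of(path)
            findings.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "kind": kind,
                "sha256": digest,
                "known_as": KNOWN_SHA256.get(digest),
            })
    return sorted(findings, key=lambda f: f["path"])

def build_fixture():
    """Constructed stand-in for /data/data/com.nounsentence67 (not the real
    files): a DEX-magic blob in cache/, a text file, a profile placeholder
    and an empty marker file."""
    root = tempfile.mkdtemp(prefix="com.nounsentence67_")
    os.makedirs(os.path.join(root, "cache", "oat"))
    with open(os.path.join(root, "cache", "lznbxh"), "wb") as f:
        f.write(b"dex\n035\x00" + bytes(64))          # synthetic: header only
    with open(os.path.join(root, "kl.txt"), "wb") as f:
        f.write(b"synthetic placeholder\n")
    with open(os.path.join(root, "cache", "oat", "lznbxh.cur.prof"), "wb") as f:
        f.write(b"profile placeholder\n")
    with open(os.path.join(root, ".qcom.nounsentence67"), "wb") as f:
        f.write(b"")
    return root

if __name__ == "__main__":
    for finding in scan(build_fixture()):
        print(finding)
```

On a real device the tree comes from adb pull of the package's data directory, which needs root or a debuggable build. A hit on the known hash confirms the same payload; a DEX under cache/ or files/ whose hash is not in the list is still worth pulling apart, since the signature here fires on the load, not on a particular hash.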