Malware Analysis Report

2024-12-07 17:10

Sample ID 241112-13j83awjcn
Target bbee848756d73e100489fce4574b17304efc5f9985fcef3d3cac25ca8aae61e0.bin
SHA256 bbee848756d73e100489fce4574b17304efc5f9985fcef3d3cac25ca8aae61e0
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256

bbee848756d73e100489fce4574b17304efc5f9985fcef3d3cac25ca8aae61e0

Threat Level: Known bad

The file bbee848756d73e100489fce4574b17304efc5f9985fcef3d3cac25ca8aae61e0.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo family

Octo

Octo payload

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests accessing notifications (often used to intercept notifications before users become aware).

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Declares services with permission to bind to the system

Requests modifying system settings.

Acquires the wake lock

Performs UI accessibility actions on behalf of the user

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Analysis: static1

Detonation Overview

Reported

2024-11-12 22:10

Signatures

Octo family

octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 22:10

Reported

2024-11-12 22:13

Platform

android-x86-arm-20240910-en

Max time kernel

148s

Max time network

153s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.nameown12

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 80.76.51.220:7117 80.76.51.220 tcp
US 1.1.1.1:53 www.ip-api.com udp
NL 80.76.51.220:7117 80.76.51.220 tcp
US 208.95.112.1:80 www.ip-api.com tcp
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.14:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 80.76.51.220:7117 80.76.51.220 tcp
NL 80.76.51.220:7117 80.76.51.220 tcp
NL 80.76.51.220:7117 80.76.51.220 tcp
NL 80.76.51.220:7117 80.76.51.220 tcp
GB 142.250.178.3:80 tcp
GB 216.58.212.228:443 tcp
GB 172.217.16.226:443 tcp

Files

/data/data/com.nameown12/kl.txt

MD5 687e6d9deb935a35f31f5bcf3ef54615
SHA1 76f9a190f603e5367d71909988ea4384790d20fd
SHA256 2a4e1fcee871d2121a2765b1bb1216a12718894b43715d545f757b0f8ec10c89
SHA512 679e3ec822f7646bb19207c6a4020107da7297ca67696b0f49a9dfe05c71024c95fec2aa9d818e98e8222458190d961422e5003c6f2e37f2d5207802798c9782

/data/data/com.nameown12/kl.txt

MD5 f7b628eab2bbc57ef3d68eb983c5eb71
SHA1 2e9e1ddbec78f7955c501e0cf744f562cc76f754
SHA256 947fb746069af0897ae3ced413d56310d6859807f03fca7d5e1674506ede9c49
SHA512 d8581233c0337bd3dc336f6b70390dba9d7efbd30b9e01f84d86b96e1ec3a942e1f0e9bdb58684704b630f1a997228aae857c3de090cc7a92b9593323ab9c626

/data/data/com.nameown12/kl.txt

MD5 d9648542f7d7578e9996fd67ec09d4de
SHA1 e2947af753149d057b00dc6be68b16fe03eaa4c0
SHA256 924ca751661e210fd11fd55353158cedc07a8d72fbc7dffb8530e0de9c02fd79
SHA512 7e6d4c5decfb67cfbd682b8d9a47feb6704ff8c0c8717bd26ab54b02d07b333fd3d070aad3673b233f04290e1bdabf2f1f33ddadf9f4999746cd69ed9938df85

/data/data/com.nameown12/kl.txt

MD5 99cc5f98c69d2518725c41b66e6664c9
SHA1 6c39a0097781327e3488423781ce70e21b28158b
SHA256 a67123510f1d19725340a087cc8c08313f725172d5c5e9b739b736e9355395ec
SHA512 e25f355c6109e4ad9bfda8079e460f32160a8b6229cb7a14878ac430c41973116b94ddc78a134ed575134203db704447ef06f51502507b4543eb6a8b09459c11

/data/data/com.nameown12/kl.txt

MD5 966ec72fbbee08ec62120fc68af5d5e3
SHA1 78a8384660379e1d3427a01f00560dad0c166ea7
SHA256 4f0b7c27b29bd9dc6875f9e164f3fe5de7df5701b4a2b1d33d8474876b854e6b
SHA512 d61aebabdfe049569bee9a89fee98d84948e5f5fde0d720984e5d40f84729e8daf6ae7329e6116257c9604db8bc46ea34d188f79ef3faa8c3940d03815ce0c5d

/data/data/com.nameown12/.qcom.nameown12

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 22:10

Reported

2024-11-12 22:13

Platform

android-x64-20240910-en

Max time kernel

149s

Max time network

152s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.nameown12

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.14:443 tcp
GB 142.250.200.14:443 tcp
GB 142.250.200.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
GB 216.58.212.234:443 tcp
NL 80.76.51.220:7117 80.76.51.220 tcp
US 1.1.1.1:53 www.ip-api.com udp
NL 80.76.51.220:7117 80.76.51.220 tcp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
NL 80.76.51.220:7117 80.76.51.220 tcp
NL 80.76.51.220:7117 80.76.51.220 tcp
NL 80.76.51.220:7117 80.76.51.220 tcp
NL 80.76.51.220:7117 80.76.51.220 tcp

Files

/data/data/com.nameown12/kl.txt

MD5 56addb75d59fc954f3136c6e42980301
SHA1 1f9a9e26c779170d9684da4b2b99f4ba46727078
SHA256 ae3dbd74d811156afd016f924e9e67d98985315fdd1d0fb6dfe29a9fb91c4a69
SHA512 589c34ce3099f8bf476a72392e10222e325db1f6a1f5f49d7f7cf60abcee30eae9f90e84e7af27d16a87670bc1781c7c83e0bc0a85b45868563fb8bd7dc91d06

/data/data/com.nameown12/kl.txt

MD5 78762d97f58900f00efd72ebabd4a842
SHA1 6249533e7e9d338353cfd8e5981ff2e7af12b168
SHA256 260b5f02c550cf7b0a4d1092ead5eba1cd1363f8c2fbb44dcc56d6d2383a59b5
SHA512 51b5a66045b8f8b58716fd8bb01979ab73803a7f8e0b1c46680985da721c3f1181a7e5a6e14cca3e9e316b40bc0c380a994bed92458254decc0290beeb11eed9

/data/data/com.nameown12/kl.txt

MD5 fcc90dbb6350a6562a214c471343b72e
SHA1 40a62b57c5276f0e97a86cc179438fd5207f313c
SHA256 83a26f44145e343ff257c8aee7a3784b7ae0e24a11c85d20f378c4a754736c11
SHA512 41fd2ce2b69fada821459f0cfb2f595b0ef4224696b28967173cea0f115d15c8b5d45f7df39bed73bcabf9f3da40d2af487cca62fa7b6b5c2171f20367bdf92f

/data/data/com.nameown12/kl.txt

MD5 c645b7a62d42654406556f3afb18ce15
SHA1 e089fea3ea3caf17a0d423c6e6947353480345ca
SHA256 ca1fa6b996dc1fb4d69490f79b9686de887777a977ea1dc55c3466441d9d3912
SHA512 6c58253fd38810fb07c1dc6ba63497930f1b9e66b8934f8a6ce56c022984063e3af0f7138bf553bff272749e0cde62578128ff66fa0b7a501e4d8593e2678ced

/data/data/com.nameown12/kl.txt

MD5 eb9d1961481d9bc64cf00345f25031a0
SHA1 20554b0b9c063158ac733a3ca2c2db10a97ede0d
SHA256 ad5bb025abd045296329606c1692aa819fcf532a0211b30e2de851385681f40b
SHA512 f10d1e881139f655d75d2bbb3c4493e6781db85e625c119a49a9c293615ae5b6c910e8583b3158d97eca9ee35ea8faa9ddd7519b661b331faf410d47f7d14c3f

/data/data/com.nameown12/.qcom.nameown12

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c