Malware Analysis Report

2024-12-07 17:08

Sample ID 241112-14aq1ssekd
Target d347b3d8dab41c3e07e2efa70db0e25f4af92518558acdea24754dbbf935b0c5.bin
SHA256 d347b3d8dab41c3e07e2efa70db0e25f4af92518558acdea24754dbbf935b0c5
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d347b3d8dab41c3e07e2efa70db0e25f4af92518558acdea24754dbbf935b0c5

Threat Level: Known bad

The file d347b3d8dab41c3e07e2efa70db0e25f4af92518558acdea24754dbbf935b0c5.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo family

Octo payload

Octo

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Performs UI accessibility actions on behalf of the user

Queries the mobile country code (MCC)

Acquires the wake lock

Requests modifying system settings.

Queries the unique device ID (IMEI, MEID, IMSI)

Requests accessing notifications (often used to intercept notifications before users become aware).

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Requests disabling of battery optimizations (often used to enable hiding in the background).

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 22:11

Signatures

Octo family

octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 22:11

Reported

2024-11-12 22:14

Platform

android-x86-arm-20240624-en

Max time kernel

142s

Max time network

134s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nameown12

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
GB | 216.58.212.202:443 | semanticlocation-pa.googleapis.com | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
GB | 142.250.179.234:443 | semanticlocation-pa.googleapis.com | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp

Files

/data/data/com.nameown12/kl.txt

MD5 559f3ceeca557e8caa3279ee104e93ff
SHA1 9ebce300ddc3b21084464c47d94f974e2f416cf2
SHA256 19188d6f4f324fa6a720252bddda833056b26b87e3f64cab1c384a852aa2e409
SHA512 6a39bd875561dcd87235084197fbfde35b8bd103da76891514648490ab1784d4c0fd372e39436035965090f871f95fa81e3d535253b2fdfb065a4a49e14747d9

/data/data/com.nameown12/kl.txt

MD5 e0bacdbbd9f70e4ceb3d6313050ab8ae
SHA1 ecd7defdea6281d848252feb9ccf4eeb05086fe9
SHA256 f153f453bb96ac83a2232e4caceffc4f25fdb19cd4eaf888abc934f7a656a026
SHA512 84661910ea5566307d928fc1dcb2865467e23a85c614ddf63032c25a079c3d7d2eb300e6096efeb72e5f7bb6572290ede68506d25348c21159b5c9f671fcad1e

/data/data/com.nameown12/kl.txt

MD5 4c8b7dc5c9dc25a5d8b973e4358bdadf
SHA1 17a770c256550a8902d9568e98159e6616bdbe9c
SHA256 bb65ef03be9c82584c30e1a08b29f4eb7ce7e0a4e1993738d333820b77891709
SHA512 fcb3542f5db17b6aeb28f7224da9c8107aa7cfb5417776fb4b0a8048a42a1b1af200c43098c7e557f4964dcb931035e89f7b00b59390f6d48a56a48d8c1d90e1

/data/data/com.nameown12/kl.txt

MD5 e0ed42a5e3b6c25688a1ec99c5b27abe
SHA1 47c7f5565a5778b5c179f1f9c761fabef35789d2
SHA256 40a4408811ab995623fbfe20ff6b4704e7a070337750ac5a74335de561b1a0c7
SHA512 7fe3e7a63f5ed1a370c92b6980820a2b8285cbf96e23b38afa465bb4b9cfcd3d1286848dd1d741eac3766bd660ab7677e7f2efe09e312fa5d95aa7a7bfa646fd

/data/data/com.nameown12/kl.txt

MD5 279df8de9bafdc7c2266548c19b6c690
SHA1 d1ef1e9af5219d0140c19e67c8da43eb838ce9c2
SHA256 5192c0082f410819af225c633fd1150910de91d8d6bd61d43b8e923a79cd5ddf
SHA512 43eeeaef0dbb5bbd69eb5e86084ccb6ee52150fc5f006e85fe955585b0dfaa570b659bab325b5f99effb536ad8757c2d9e326055b54cb6df45f795cfe2bf2a72

/data/data/com.nameown12/.qcom.nameown12

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 22:11

Reported

2024-11-12 22:14

Platform

android-x64-20240624-en

Max time kernel

149s

Max time network

147s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nameown12

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.40:443 | ssl.google-analytics.com | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.14:443 | android.apis.google.com | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
GB | 172.217.16.238:443 | | tcp
GB | 216.58.204.66:443 | | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp

Files

/data/data/com.nameown12/kl.txt

MD5 19c65dfb2a6976b8cfa8dead712f136f
SHA1 9764273abd500875c5355f9c1eba0207c4fcbfc3
SHA256 756750b9d408c89c3318bba6c2498240b555dd90e3c68f52a376b4a3aef19e46
SHA512 7ba4f6955fe049bd7e28a339feb0aadd69e9165c968c4b55e8d85d2839f161b69db0b0730031dc5d8843241b1a2292145ea8e7d4f32047b56af6270972c65126

/data/data/com.nameown12/kl.txt

MD5 84ddb8bc3ab676cc9a11cb3c28e90a66
SHA1 dd3aa6597c1befe2748835b6a3616cd6e783e923
SHA256 cf827cbb2b652da3ea7144200ffea8ba357d0c603e8c82f8bea868e5d2c84734
SHA512 96099976dae8b010e8a6e2406e9d505ee8d56a56712ed4a0c1ac95d67a1cfbd97db935d18de53b84aae5b09bd3a521a14f05d9aa8571f63b3512ddc7177aa69f

/data/data/com.nameown12/kl.txt

MD5 4716d7cab24f68b6e73aa532c2caee88
SHA1 fea10e96cea40db6c0631ccfdcc8d3dabf7fc942
SHA256 022730f361b23b5367dfecf015a1f8dea5558e185eb361fe18684159af19ad2d
SHA512 d55acb0c25dcffc4108aa0317f743a46d85842fa75c0c347d68e0b2cbc2e491f1e61be2aa7cdff9246779f8c6093ba0c28453fe31c08f9ed8b35de654381711e

/data/data/com.nameown12/kl.txt

MD5 4b7c4279340b428ef17e3bfd95e51197
SHA1 4220b4f54bb480c3fa02693fb02203b085f89612
SHA256 eca02d0be5c5d3851abc6b0fadb9c7ff2f5d38353499e0dfa99138fc78ca3b66
SHA512 20ad86a365a2d1d7d08515687a605bb4e2f724d1eb1a394474d205f36fc2ae0ba7e681310c6a81f86d0f021640ee19080702c956fc804c5a75f0f0659a7a539b

/data/data/com.nameown12/kl.txt

MD5 fe7a32a765fd584fcff9e63e386b26d2
SHA1 c143e4a63d185052f736120bfe7426c257433b87
SHA256 1ea5e64346c8f8308f716b26787033a9e30634e3b0f425f0b54396f6f2cf4560
SHA512 4dfad1a777148b298d29c8becc76ac0293b6d609f7baa3e66c10dfe6b31ba9db9016722c475d9749fd52f3b0ce5f15e3f24c77351c787413937dc0b8f3397bc3

/data/data/com.nameown12/.qcom.nameown12

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c