Malware Analysis Report

2024-12-07 17:43

Sample ID 241112-1527nawjfl
Target 8b549cf317862537c4df13f28b6fd0354dad4f99a0e1b2586ba1b4e4ef5a2d1f.bin
SHA256 8b549cf317862537c4df13f28b6fd0354dad4f99a0e1b2586ba1b4e4ef5a2d1f
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8b549cf317862537c4df13f28b6fd0354dad4f99a0e1b2586ba1b4e4ef5a2d1f

Threat Level: Known bad

The file 8b549cf317862537c4df13f28b6fd0354dad4f99a0e1b2586ba1b4e4ef5a2d1f.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo family

Octo

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Performs UI accessibility actions on behalf of the user

Makes use of the framework's foreground persistence service

Requests modifying system settings.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Queries the mobile country code (MCC)

Acquires the wake lock

Declares services with permission to bind to the system

Reads information about phone network operator.

Queries the unique device ID (IMEI, MEID, IMSI)

Requests accessing notifications (often used to intercept notifications before users become aware).

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 22:14

Signatures

Octo family

octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
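The static1 signatures above are all manifest declarations, so the same triage can be run before detonation. The script below is an added example and is not part of the sandbox report or of the sample; it assumes the manifest has already been decoded to text (for instance with `apktool d sample.apk`), because the AndroidManifest.xml inside an APK is binary XML and will not parse as-is. The embedded manifest is constructed to mirror the permission set listed under static1, with hypothetical package and class names. Runtime behaviours reported later (hiding the launcher activity, the battery-optimisation and notification-listener settings intents) are not visible in a manifest and still need the behavioral runs.

```python
"""Manifest triage for the permission pattern listed under static1.

Added example, not part of the report. Assumes a text (decoded) manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERM = "{%s}permission" % ANDROID_NS

BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BIND_NOTIFICATION = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                   "android.permission.SEND_SMS"}
# The remaining dangerous permissions the static1 run lists.
OTHER_DANGEROUS = {"android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE",
                   "android.permission.WRITE_SETTINGS", "android.permission.READ_EXTERNAL_STORAGE",
                   "android.permission.WRITE_EXTERNAL_STORAGE"}


def triage_manifest(xml_text: str) -> dict:
    """Return declared permissions plus heuristic flags for the
    accessibility + notification-listener + SMS profile of Android bankers."""
    root = ET.fromstring(xml_text)
    uses = {e.get(A_NAME) for e in root.iter("uses-permission")} - {None}
    # A service or receiver guarded by one of the BIND_* signature permissions
    # can only be bound by the framework; declaring it is how an app registers
    # an accessibility service, notification listener or device-admin receiver.
    service_perms = {s.get(A_PERM) for s in root.iter("service")} - {None}
    receiver_perms = {r.get(A_PERM) for r in root.iter("receiver")} - {None}

    flags = []
    if BIND_ACCESSIBILITY in service_perms:
        flags.append("accessibility_service")   # read and drive other apps' UI
    if BIND_NOTIFICATION in service_perms:
        flags.append("notification_listener")   # see and dismiss 2FA/bank alerts
    if BIND_DEVICE_ADMIN in receiver_perms:
        flags.append("device_admin_receiver")   # resists uninstall, can lock/wipe
    if SMS_PERMISSIONS <= uses:
        flags.append("full_sms_control")        # receive + read + send
    flags += sorted(p.rsplit(".", 1)[1].lower() for p in OTHER_DANGEROUS & uses)

    # Any one of these has legitimate uses (SMS apps, accessibility tools);
    # all three together is the overlay-banker profile. Heuristic, not a verdict.
    banker_pattern = {"accessibility_service", "notification_listener",
                      "full_sms_control"} <= set(flags)
    return {"package": root.get("package"), "uses_permissions": sorted(uses),
            "flags": flags, "banker_pattern": banker_pattern}


# Constructed manifest mirroring the static1 permission set; hypothetical
# package and class names, not the sample's real manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.triage">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed control case: a plain networked app with no guarded components.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".SyncService"/></application>
</manifest>"""

if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

On the constructed manifest the result carries all four structural flags plus the five remaining dangerous permissions and `banker_pattern` true; the control manifest yields no flags. Treat the output as a prioritisation aid for which samples to detonate first, not as a classification.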

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 22:14

Reported

2024-11-12 22:17

Platform

android-x86-arm-20240624-en

Max time kernel

140s

Max time network

131s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nameown12

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.179.228:443 | www.google.com | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.78:443 | android.apis.google.com | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp

Files

/data/data/com.nameown12/kl.txt

MD5 ef30bddfc0fd51ea414abeda05430a02
SHA1 03a433b0921748261b41ff0811dda20430d55d44
SHA256 342a3719c87f65fa1c6445651bc4eab0a5a0312eabebf954776268a51b303606
SHA512 be8866de465fb99f5e887727840407b005db5d8d2411236074be2c9886d7c73a3fd95f7c7a56c0bb0e01d7ec6dd6d4fa31b8ea176dc7fed37e468630946c0170

/data/data/com.nameown12/kl.txt

MD5 676d4358aa364409e32d77065ef9e2f0
SHA1 f66654c312c884cebc2cab95f3a83718a575dc63
SHA256 8d94789cdd1bcfcd858d3f09d9d5c414409bedccf68ac10aaee29fb4ef458d27
SHA512 0e330482b6513ebb0c8be71b6ae868ab7702f54d635adf1bcba035068403d2c9fd46c5f175d1409ed27a0cd483b8ef7c0f9a08a945c7ec911d9c4919d94be389

/data/data/com.nameown12/kl.txt

MD5 ce7a44258ab81fb051e83a6e345778a6
SHA1 d5acc3d4e0c277f3349842b731148603e9fcfbc1
SHA256 340176ac45e93458c80abac3d1d49bc9e28d095786555bdf1fad17f778a62c82
SHA512 73bc21fc8c4019852d3fe4aae5283f831764e787cc7607854b05e78d3b8ce659b4222120221128507b108c316471adad45881ecda1fd61143c4fa15ba38d5736

/data/data/com.nameown12/kl.txt

MD5 af6f1807d995a41f8688947c286593ff
SHA1 3ad8882a022b92c73228495eb405c1171d4813ae
SHA256 bd5ba53d7112c84cc7c543291447b23cf8b3b9282db0fd718bb83d1f96c73869
SHA512 05e6c317b9f9a769add9d4d4e4e06105ce0182619be9795cd3c8d0f99e657f752ec5663be8aad7574ab27c432f8e748ac391539d1c957336beb85003ad26f743

/data/data/com.nameown12/kl.txt

MD5 e78b4b8821b9bd9616bba2ab87b3fc69
SHA1 9cda1ca629a05e728f8c14faea5e96025f472e45
SHA256 9393b580ce75dadddd89addd8920e41a14a2ef3b3319ddd957b09ccca450f262
SHA512 b49e063a0dadeb820c10994c72978df6d170eec6b8ec0734c39882d874a4dbce57403765eaae0615eaea27d14baf45388a0523d5bd795ff269085f6c4485ccad

/data/data/com.nameown12/.qcom.nameown12

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 22:14

Reported

2024-11-12 22:17

Platform

android-33-x64-arm64-20240624-en

Max time kernel

147s

Max time network

137s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nameown12

Network

Country | Destination | Domain | Proto
GB | 142.250.200.36:443 | N/A | udp
N/A | 224.0.0.251:5353 | N/A | udp
GB | 142.250.200.36:443 | N/A | udp
GB | 142.250.200.36:443 | N/A | udp
GB | 142.250.200.36:443 | N/A | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.14:443 | android.apis.google.com | tcp
GB | 172.217.169.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp
US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
GB | 216.58.212.234:443 | remoteprovisioning.googleapis.com | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
US | 172.64.41.3:443 | N/A | tcp
US | 172.64.41.3:443 | N/A | tcp
GB | 142.250.180.3:443 | N/A | tcp
US | 172.64.41.3:443 | N/A | udp
GB | 142.250.180.3:443 | N/A | udp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
GB | 142.250.200.36:443 | N/A | tcp
GB | 216.58.204.68:443 | N/A | tcp
GB | 216.58.204.68:443 | N/A | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp

Files

/data/user/0/com.nameown12/kl.txt

MD5 4eeec412f1939f07decdd86b54f3db6b
SHA1 b45db9e02f90cab7568ea9c0e68f1dcee0c23c70
SHA256 cc94148245931e1071344741876289cd487d35d3835b232339b43986eea5e052
SHA512 4a4b08f57adb85e1bbdfb85786d13eb60994cb1f0e75a93cc9b3050d2f033283520c6a92687e24d09b3af8b6f68434e2e6acfcbc43be6516064ff33085e6ef58

/data/user/0/com.nameown12/kl.txt

MD5 705ebc20775c491c61dc29f03fefb897
SHA1 a653cf368d8a56626c8efdec940cb91620ae3b77
SHA256 5c432c181611fd4cd4cb304006384afe378ed86561b402728d652e9accb61dcc
SHA512 bd37c049d7c8a4968a66ea45a55c8952fef2141b387bfdc13f285ef7821e6a84f9f35834d1271d733def5879af1343d9959557b4a0369d53c52283f8402acb61

/data/user/0/com.nameown12/kl.txt

MD5 deb79daa7b12f4786c54ad73146a04f1
SHA1 342139d6f79060265b3eec722415fcb57c971181
SHA256 6bd39f1d8172b7ce32d731d97416eea9df67552cc50a70d8a2d18a2f29a722ff
SHA512 9a328b551ac0de8ad56b11bcfdcd48bbafa03ccf33a1cffea80f12f4acead84b60a1e3ade966257e17b29c617b516fed2564e0665cb17a386af336db8b19f869

/data/user/0/com.nameown12/kl.txt

MD5 c7eb716bee63f0fdfe783753775f15d6
SHA1 1eefc4c45b280a618f7c2ea04079403c73289f92
SHA256 af6720d56393493d710e5e474774aecfcaa1d8b4c5506bb27fe5e834d6573898
SHA512 84095cda08607b288277a23c8b24e5f97041a620dcf41a7696a3a6b2e314d42aa42f8b3e973052addf3d28c5b1be9e3fd8db504d267218060e43bedca7d87440

/data/user/0/com.nameown12/kl.txt

MD5 2fcc70f011ad68d41d7ca7510593479d
SHA1 69d310a72129f00129b41e0e618b6995b5fc9425
SHA256 ca994bcbaafb15b8994ce6f823c9e1ded3254555d9531dd6c5c5854413f58eb0
SHA512 c7dd609b17cd88a92e637c6484eea72caa743ef3bc2a4c1aabd7519d5824645c46b90d78a71b49536ef0fa7c76152dfd7ab9cc4892be5b104dbfa47e4391a03d

/data/user/0/com.nameown12/kl.txt

MD5 074404103f489c65e268b884fe747564
SHA1 1a8320ea2e5cc39cb91bd39b70378a7ad967c87e
SHA256 1096a3c9b6273b6e2689f22a5739723e737e08575005c6e6da692a908a0b6c36
SHA512 4b8bf93b18e24e488a4f93db4d2ce2c41e1e2af6aa231e037cad0b248252b10c554b025eb4def37b74ceb4dc814dc488c62d36eaa0f537ff8af0b3693ca1feda

/data/user/0/com.nameown12/kl.txt

MD5 9fb996bca9a9fd6050785dbf7e8e09f8
SHA1 e8a5df4dbc05170eadc160425c5fd37f40bcb3a6
SHA256 8c808c760a74b9404a23342b3bf7da755dfad64363b8b8cb6a28342e1720620c
SHA512 a0629a34e09c03063d53b376691c0ee856281b4be9e8c92e6562a72baa7abfb51eab5319fc997aaaa23cd2492a6297622e69558f4e36ed48d6e52e5ac6e221c1

/data/user/0/com.nameown12/kl.txt

MD5 378c1024f36d567b2f2c1a10167ead52
SHA1 36447740decb37ad9916b188aa21b958b8af1886
SHA256 106403bcb62226917de99939cb7fe5852b24f759af6ba6cfd5cc84ad5df8559e
SHA512 f47315ff59e425c066a53724242ee64daf1927db67562f7e7684f99f07bd6448c64176da18b999befe616e5fab4ed8f055c473d47d31b265c6790a5cca5aa4c0

/data/user/0/com.nameown12/kl.txt

MD5 9488e09d6760e4f01fef6dc58e1a8632
SHA1 ff17446e6efe01b88149a39c99e40f1fda240db1
SHA256 b0191ad952c63014ce62bea627b17199a0f686d232b60d7e6a759760796280fc
SHA512 9d806a997c4aa18f78fd581f6082a43acff4fe8204d6148bff2c219e69e5803123b0697e8d73586b4af20f631f611e15cb181313bd4896b4e6ed731ee1009dcd

/data/user/0/com.nameown12/kl.txt

MD5 ba5713e74276b064d36ca66b98561c3a
SHA1 6e01d13b13fe4c495fd03ee0d11eca3a70db4d2b
SHA256 2934faa7c6600db8d161716a68ae318675bd2cf3607dc97d2eb8770954589c35
SHA512 e35c9e9edbe762b07d9603f2332764541216a5b0ac33917d0c25384f844dfdf3fea1c81ea387b84ca666f51688ac9ad97152256122e61b9c615da8f28c3420c1

/data/user/0/com.nameown12/kl.txt

MD5 2e87be1a1b7f57589b2290100b032ff5
SHA1 1f2c1c2a2ea65a86198f41ee1568da42c5131968
SHA256 8ed596377b5f6d3b29e038b0a76c5630ef6c9731aa644603566c8cf8c1e45de0
SHA512 56e22e2dad679cf3c810de62d0359e71c716193967075b8a9a87fed3c3180a687865281552b5f9d056fda8aa6d49afb53d92fc94f0ea5023f78b9c2e96e6eb84

/data/user/0/com.nameown12/kl.txt

MD5 da1c163b77029853c9ff48559c87533d
SHA1 de24b873be0443049f77ee09a4902b0fe90bac7f
SHA256 2f7b1abb01d9e0667ec7b953f9f3f1c1a960e17fdb64f44e286e44f33bc23182
SHA512 9fb9f8f59245c5e25d1d7643315726cb6c93708f327dbd577cb2568eeb454deedf70f2aee742ecb8d542d3e93fb4e93c8ac711c675dffa5b30b59bfe15454021

/data/user/0/com.nameown12/kl.txt

MD5 51c3dc2a298d0232ddc752d2fb224550
SHA1 568cb158a702e0539f8d95f8ff6ccbcfd9e6757d
SHA256 87e598b32d1c6c5df72388266fc047a9cb074f354a6ba9d3193a82d6e6f0c3ac
SHA512 4f93b888dfd131a89ae4941e35f84016736ad2bd9ec1701c4ed64d576c2de122f897024b1c8690e23c5cb94c1f3a75c7457851ac1766f1c45eb7d7bc95e5e48e

/data/user/0/com.nameown12/kl.txt

MD5 0887b6cbdff1045712716d670725c02d
SHA1 3e86c23d0c09fe6dc622e137d534e2ad8535c5b2
SHA256 6d2b94d8116a97d1b7cfd1f69e5a97b8488efab2dd545f13886d3b9211f02417
SHA512 b385b4ef118d1865a3e2a4abf7d6a086fe9eed9e19f914590ffeefb95d073b297825bde797147b21309a625c6ff989edb89d2a24264420f8c4d2c67891e8fd58

/data/user/0/com.nameown12/kl.txt

MD5 9ff7def8d278a226211a08f80e0a7f88
SHA1 071a82ed823337ad630079f69c6215b4060b7db4
SHA256 3fb9d6893e404c98090f8b05886965aa1cf5180bebb773bfe889586d7b316cec
SHA512 b11a50b719dfbd955f738bbf77da35bb9438c1eaa04fa6d802e782c987b0294636f0088f5e59106bb70e65b7e871af2d5fb34c32fc6523fc26b59424ee55e12a

/data/user/0/com.nameown12/kl.txt

MD5 7336abeaf2f8d9e35ce900e2d66d80b5
SHA1 c023883918e72358ca8efe89b7319f66661ec460
SHA256 5da99c0f12f57a0ee0699d4fb1ad5e59bb20319a635dbb72cdd77090e303c158
SHA512 dc17c6c51979fd174af4e0108fdae9c9222d432c9f75eaf48add27dfa91123fff1e396dfed4dd9a5e8093da752b623f64e51a5274f6da38f3ceb754f05b45cc6

/data/user/0/com.nameown12/.qcom.nameown12

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c
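Both behavioral runs show the same two things worth pulling out of the Network and Files sections: repeated TCP connections to a bare IP on a non-standard port (45.88.88.100:7117) that were never preceded by a DNS lookup, against a background of emulator noise (the 1.1.1.1 resolver, mDNS, Google services) and one cleartext HTTP request to the public IP-geolocation service www.ip-api.com; and a file set in which kl.txt gets a different hash on every write while .qcom.nameown12 has the identical SHA256 in both runs. The script below is an added example, not part of the sandbox report or of the sample. The table rows and hashes embedded in it are copied from the report (a subset for the Files sections; the behavioral1 Network table in full); the classification rules are this example's own heuristics. It treats /data/data/<pkg>/ and /data/user/0/<pkg>/ as the same directory, which they are on Android (the former is a symlink to the latter), so paths from the two runs can be compared.

```python
"""Triage of the behavioral1/behavioral2 Network and Files observations.

Added example, not part of the report. Rows and hashes copied from the report;
the heuristics are this script's own.
"""
from collections import Counter, defaultdict

RESOLVER = "1.1.1.1"                  # the sandbox's DNS resolver
MDNS = "224.0.0.251"                  # multicast DNS, emulator background noise
BENIGN_SUFFIXES = ("google.com", "googleapis.com")
GEO_SERVICES = ("ip-api.com",)        # public IP-geolocation API
STANDARD_PORTS = {53, 80, 443, 5353}
PKG_PREFIXES = ("/data/data/", "/data/user/0/")   # same directory on Android


def parse_network(table: str) -> list[dict]:
    """Parse 'Country Destination Domain Proto' rows, pipe- or space-separated.
    Domain is absent or N/A when the sample connected by IP without a lookup."""
    rows = []
    for line in table.strip().splitlines()[1:]:          # skip the header row
        parts = [p.strip() for p in line.split("|")] if "|" in line else line.split()
        if len(parts) == 3:
            parts.insert(2, None)                         # no Domain column
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": None if domain in (None, "N/A") else domain,
                     "proto": proto})
    return rows


def classify_network(rows: list[dict]) -> dict:
    hits, country, geo, plaintext = Counter(), {}, set(), set()
    for r in rows:
        key = f"{r['ip']}:{r['port']}"
        if r["ip"] in (RESOLVER, MDNS):
            continue                                      # DNS / mDNS noise
        if r["domain"] and r["domain"].endswith(BENIGN_SUFFIXES):
            continue                                      # Google services
        if r["domain"] and r["domain"].endswith(GEO_SERVICES):
            geo.add(r["domain"])                          # locale / geo check
            if r["proto"] == "tcp" and r["port"] == 80:
                plaintext.add(key)                        # cleartext HTTP
            continue
        # No hostname (or the Domain column merely repeats the IP), TCP, a
        # non-standard port, contacted repeatedly: profile of a hard-coded C2.
        bare_ip = r["domain"] in (None, r["ip"])
        if r["proto"] == "tcp" and bare_ip and r["port"] not in STANDARD_PORTS:
            hits[key] += 1
            country[key] = r["country"]
    c2 = [{"dest": k, "country": country[k], "hits": n}
          for k, n in hits.most_common() if n >= 2]
    return {"c2_candidates": c2, "geolocation_lookups": sorted(geo),
            "plaintext_http": sorted(plaintext)}


def file_iocs(*runs: list[tuple[str, str]]) -> dict:
    """Files with one hash in every run are usable hash IOCs; files whose
    content changes on every write (logs, staging files) are path IOCs only."""
    hashes, runs_seen = defaultdict(set), Counter()
    for run in runs:
        rels = set()
        for path, sha256 in run:
            rel = path
            for prefix in PKG_PREFIXES:
                if path.startswith(prefix):
                    rel = path[len(prefix):].split("/", 1)[1]   # drop package dir
            hashes[rel].add(sha256)
            rels.add(rel)
        runs_seen.update(rels)
    stable = {k: next(iter(v)) for k, v in hashes.items()
              if len(v) == 1 and runs_seen[k] == len(runs)}
    volatile = {k: len(v) for k, v in hashes.items() if len(v) > 1}
    return {"stable": stable, "volatile": volatile}


# behavioral1 Network table, copied from the report.
RUN1_NETWORK = """Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.179.228:443 | www.google.com | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.78:443 | android.apis.google.com | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
BG | 45.88.88.100:7117 | 45.88.88.100 | tcp
"""

# Subset of the Files sections (path, SHA256), copied from the report.
RUN1_FILES = [
    ("/data/data/com.nameown12/kl.txt", "342a3719c87f65fa1c6445651bc4eab0a5a0312eabebf954776268a51b303606"),
    ("/data/data/com.nameown12/kl.txt", "8d94789cdd1bcfcd858d3f09d9d5c414409bedccf68ac10aaee29fb4ef458d27"),
    ("/data/data/com.nameown12/kl.txt", "340176ac45e93458c80abac3d1d49bc9e28d095786555bdf1fad17f778a62c82"),
    ("/data/data/com.nameown12/.qcom.nameown12", "b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a"),
]
RUN2_FILES = [
    ("/data/user/0/com.nameown12/kl.txt", "cc94148245931e1071344741876289cd487d35d3835b232339b43986eea5e052"),
    ("/data/user/0/com.nameown12/kl.txt", "5c432c181611fd4cd4cb304006384afe378ed86561b402728d652e9accb61dcc"),
    ("/data/user/0/com.nameown12/.qcom.nameown12", "b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a"),
]

if __name__ == "__main__":
    print(classify_network(parse_network(RUN1_NETWORK)))
    print(file_iocs(RUN1_FILES, RUN2_FILES))
```

On the behavioral1 table the only C2 candidate is 45.88.88.100:7117 (BG, six connections), www.ip-api.com is the single geolocation lookup and 208.95.112.1:80 the single cleartext HTTP destination. Across the two runs .qcom.nameown12 is the one file with a stable hash, so it is the file indicator worth sharing; kl.txt should be matched on path, not hash. The bare-IP heuristic would miss a C2 fronted by a registered domain or listening on 443, so it narrows the list rather than closing it.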