Malware Analysis Report

2024-12-07 17:10

Sample ID 241112-15g7gsselg
Target ec689041f8c1612759add7f7736356dda9e414b54004ce3a85ee32c744f71e83.bin
SHA256 ec689041f8c1612759add7f7736356dda9e414b54004ce3a85ee32c744f71e83
Tags: octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: ec689041f8c1612759add7f7736356dda9e414b54004ce3a85ee32c744f71e83

Threat Level: Known bad

The file ec689041f8c1612759add7f7736356dda9e414b54004ce3a85ee32c744f71e83.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth

Octo family

Octo payload

Octo

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Queries the mobile country code (MCC)

Acquires the wake lock

Makes use of the framework's foreground persistence service

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests dangerous framework permissions

Performs UI accessibility actions on behalf of the user

Queries the unique device ID (IMEI, MEID, IMSI)

Requests accessing notifications (often used to intercept notifications before users become aware).

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests modifying system settings.

Reads information about phone network operator.

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-12 22:13

Signatures

Octo family

octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-12 22:13

Reported: 2024-11-12 22:16

Platform: android-x64-20240910-en

Max time kernel: 148s

Max time network: 152s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nameown12

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.10:443 | | tcp
GB | 216.58.212.206:443 | | tcp
GB | 216.58.212.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp
GB | 142.250.179.234:443 | | tcp
NL | 80.76.51.220:7117 | 80.76.51.220 | tcp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
NL | 80.76.51.220:7117 | 80.76.51.220 | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.40:443 | ssl.google-analytics.com | tcp
NL | 80.76.51.220:7117 | 80.76.51.220 | tcp
NL | 80.76.51.220:7117 | 80.76.51.220 | tcp
NL | 80.76.51.220:7117 | 80.76.51.220 | tcp
NL | 80.76.51.220:7117 | 80.76.51.220 | tcp
GB | 142.250.187.194:443 | | tcp

Files

/data/data/com.nameown12/kl.txt

MD5 700589012662f16962d64a9a32310c1f
SHA1 d92b2351e5b22eecbcb6587127646c14f3a38836
SHA256 22f868e9b8a55fc473a22342f8a48a0eed70c2a127cccff09ba5c929c9e7a570
SHA512 3f7e4628f945f058d40971e02fa639479b40554a4b0425575e2c8941a4e8cabb4dad5fef4766703ca0d2cb429942b4a2ccfdee201d02e75c466551fe235d7808

/data/data/com.nameown12/kl.txt

MD5 aae06ffa9caa2bd3dcb034936168b595
SHA1 66e9e4f088635f8fbb174afd68f8ea15e4f0fa57
SHA256 0a07e3da41cafc2121ac0f07bf2b4c7e1a233f9299f4a0ac18d4406fe102c0f0
SHA512 9931e808707fdc89f5d609ab81ec0ae97e2bccc30cd3bd05a12dbe3245db40270383d8ab3d5d7beb06a5d49cf5986dd36771d540fad10eb6b09a281b30f4740d

/data/data/com.nameown12/kl.txt

MD5 e313f224ddcf4e0094363aeb8dc1492d
SHA1 5eeeab08f7604de1d691ff5c2f82a2f1765d34c7
SHA256 7d2d06e7b856dd19bede1b1d60ab6e5441409115475ee19701013af6e4c92c49
SHA512 05f2f77e59484403d8f76ca1fc93d3afdd9973c41f17b3fd43f27d0acedc0461a03c6082731a36464609e2b1526964353ed7900bb86a9763762d3274021430cf

/data/data/com.nameown12/kl.txt

MD5 68b3e6c0b02d9e9fcd6ffcb0c40c5d98
SHA1 2d79eec72cb5652029e63bc982964458c397b287
SHA256 d5f5de3dd049c102143f8af586f2440493699ca1a8717d4667e17e5713af88f2
SHA512 ea63f18d66b447317a3487549116a42b650ea2a77d71313554736e9123c0c71766258709ff3b1f308d326c6865d60db1e86a81a9f2bfbecd6c9d55d6b5175cdd

/data/data/com.nameown12/kl.txt

MD5 4041d5ed88a20278b6fffb51f9f0118c
SHA1 43f9950d5b34ee98a21466594516af1023515ca8
SHA256 b2348cc95a9cd53e443bb2e58dfd0fe6ab754503c6ecde286c3a5a6691fb14d3
SHA512 9797b734867964ca9c08b4e2045048987f9d256bafde9d0e7f317ca5b27b0187357e396c3dce5d148ab3ccb9d5ddb68fe21a36e47a79e0677879644f18a329de

/data/data/com.nameown12/.qcom.nameown12

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-12 22:13

Reported: 2024-11-12 22:16

Platform: android-x86-arm-20240624-en

Max time kernel: 140s

Max time network: 133s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nameown12

Network

Country | Destination | Domain | Proto
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
NL | 80.76.51.220:7117 | 80.76.51.220 | tcp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
NL | 80.76.51.220:7117 | 80.76.51.220 | tcp
GB | 216.58.201.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
NL | 80.76.51.220:7117 | 80.76.51.220 | tcp
NL | 80.76.51.220:7117 | 80.76.51.220 | tcp
NL | 80.76.51.220:7117 | 80.76.51.220 | tcp
NL | 80.76.51.220:7117 | 80.76.51.220 | tcp
NL | 80.76.51.220:7117 | 80.76.51.220 | tcp

Files

/data/data/com.nameown12/kl.txt

MD5 10bbe0e8733bc081be703d35f3e034ae
SHA1 3ef078798258257a5a2ce3cd70e4dcfa9cd3d630
SHA256 6ccfc6d064e214a1cddf7bce14a7d5932e611bf2f0bf866775a58b3828f7c993
SHA512 cda94e4d2637ca4a2a347d3878ba1a277c7fcb4400106df9d1b6b76764d48920953ab8b5d2f2cb4f6d05d08c7ca403e34bd0538e76ff5a869e4ce9732e8b97d9

/data/data/com.nameown12/kl.txt

MD5 5520856f61e8108e8361612260c32129
SHA1 2da80cc6ef7d4995d3aada83379659c1a8586a45
SHA256 200f619784530a8b5781ff218257910b09cfb4caf0c3093fd125f1bd0a8f85d6
SHA512 6d49f66c590986119ecc44d839530028958a9be9256f1ae0378fe0da85d5c7a20b9bea2b180bb489a2ee8fb56a67bbb2d3ecf03ddf87b0bdfdc8daebff0f7b29

/data/data/com.nameown12/kl.txt

MD5 925272ae57e38eb6ed92eb40510038ba
SHA1 062111717fe2d80c337cfbd90362ffa155c6d02b
SHA256 30e91e5660ac8ee4280a10c3ff4798b91dde8be2dc80028655a7741558468752
SHA512 f0816ecb36bda6cb1c37740414dd689ec1ca70c3870ec1faecbbcbdf11120046b25757cf17d1b8ae68059cf706254e61a513c8f5d335bac42133f40c07b064ed

/data/data/com.nameown12/kl.txt

MD5 9f0f3b536df15929fc66ba4866a8cf34
SHA1 950f17be463dddac1befa1cdc5b25d00d1708def
SHA256 b1b7dc15af3d0228a30b5fbf65cf3e8c2c412bd8ff6fe2f83b3d9d8a40b1b7a1
SHA512 bf6d911d65ef2bee721ccd80c1cfa8f174ba2d447f49014bd394191cc22b915c870bb9144ad0229df619918969d104d4b9d9860faee45ce4c650bfcb4ae7e5e3

/data/data/com.nameown12/kl.txt

MD5 3da7fbb7578d4093cc0cc1fabd443c01
SHA1 92e77c2492816176acafb30375e8364f444abc89
SHA256 62194bf55dc3fe01381afcf0b943b6ee83015b6e8a12bc5766a28818b9965fac
SHA512 4813cae416f80c9c1bff2667411dea58d0747baa42ad6214af1f60061694d24384fed06ee039314d973c584e2f7069da646a1c0806da8126756fb0398aff8035

/data/data/com.nameown12/.qcom.nameown12

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c