Malware Analysis Report

2024-12-07 17:10

Sample ID 241112-16z4pa1pes
Target 49cdaf9f7a4fdacf425a04f6edef3358a13a8ead4e5f10d8bd9456e9b3e10ad9.bin
SHA256 49cdaf9f7a4fdacf425a04f6edef3358a13a8ead4e5f10d8bd9456e9b3e10ad9
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth
score
10/10

Analysis Overview

score
10/10

SHA256

49cdaf9f7a4fdacf425a04f6edef3358a13a8ead4e5f10d8bd9456e9b3e10ad9

Threat Level: Known bad

The file 49cdaf9f7a4fdacf425a04f6edef3358a13a8ead4e5f10d8bd9456e9b3e10ad9.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan stealth

Octo

Octo payload

Octo family

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Requests dangerous framework permissions

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Queries the unique device ID (IMEI, MEID, IMSI)

Acquires the wake lock

Queries the mobile country code (MCC)

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests accessing notifications (often used to intercept notifications before users become aware).

Requests modifying system settings.

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Analysis: static1

Detonation Overview

Reported

2024-11-12 22:16

Signatures

Octo family

octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 22:16

Reported

2024-11-12 22:19

Platform

android-x64-arm64-20240910-en

Max time kernel

148s

Max time network

150s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (5 identical entries) | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nameown12

Network

Files

/data/user/0/com.nameown12/kl.txt
/data/user/0/com.nameown12/.qcom.nameown12

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 22:16

Reported

2024-11-12 22:19

Platform

android-x86-arm-20240624-en

Max time kernel

146s

Max time network

134s

Command Line

com.nameown12

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (4 identical entries) | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.nameown12

Network

Files

/data/data/com.nameown12/kl.txt
/data/data/com.nameown12/.qcom.nameown12