Malware Analysis Report

2024-12-07 17:10

Sample ID 241112-18d91a1pfw
Target 76fcff5a8699f77290a0601f5cf653523d53803167d16c6c0d4c7137e006b36c.bin
SHA256 76fcff5a8699f77290a0601f5cf653523d53803167d16c6c0d4c7137e006b36c
Tags octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 76fcff5a8699f77290a0601f5cf653523d53803167d16c6c0d4c7137e006b36c

Threat Level: Known bad

The file 76fcff5a8699f77290a0601f5cf653523d53803167d16c6c0d4c7137e006b36c.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Octo family

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests accessing notifications (often used to intercept notifications before users become aware).

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Acquires the wake lock

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Queries the unique device ID (IMEI, MEID, IMSI)

Requests modifying system settings.

Declares services with permission to bind to the system

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 22:18

Signatures

Octo family

Tags: octo

Octo payload

Declares broadcast receivers with permission to handle system events

android.permission.BIND_DEVICE_ADMIN: Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

android.permission.BIND_ACCESSIBILITY_SERVICE: Required by accessibility services to bind with the system. Allows apps to access accessibility features.
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE: Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.

Requests dangerous framework permissions

android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 22:18

Reported

2024-11-12 22:21

Platform

android-x86-arm-20240910-en

Max time kernel

148s

Max time network

150s

Command Line

com.nameown12

Signatures

Octo

Tags: banker trojan infostealer rat octo

Octo family

Tags: octo

Removes its main activity from the application launcher

Tags: stealth trojan evasion

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Queries the phone number (MSISDN for GSM devices)

Tags: discovery

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service

Tags: evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user

Tags: evasion
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (4 occurrences)

Queries the mobile country code (MCC)

Tags: discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Queries the unique device ID (IMEI, MEID, IMSI)

Tags: discovery

Reads information about phone network operator.

Tags: discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

Tags: collection credential_access
Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS

Requests disabling of battery optimizations (often used to enable hiding in the background).

Tags: evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Requests modifying system settings.

Tags: evasion
Intent action: android.settings.action.MANAGE_WRITE_SETTINGS

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Framework service call: android.app.IActivityManager.registerReceiver

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Framework API call: javax.crypto.Cipher.doFinal

Processes

com.nameown12

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 80.76.51.220:7117 80.76.51.220 tcp
US 1.1.1.1:53 www.ip-api.com udp
NL 80.76.51.220:7117 80.76.51.220 tcp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.14:443 android.apis.google.com tcp
NL 80.76.51.220:7117 80.76.51.220 tcp
NL 80.76.51.220:7117 80.76.51.220 tcp
NL 80.76.51.220:7117 80.76.51.220 tcp
NL 80.76.51.220:7117 80.76.51.220 tcp
GB 172.217.169.10:443 tcp
GB 142.250.187.196:443 tcp

Files

/data/data/com.nameown12/kl.txt

/data/data/com.nameown12/kl.txt

/data/data/com.nameown12/kl.txt

/data/data/com.nameown12/kl.txt

/data/data/com.nameown12/kl.txt

/data/data/com.nameown12/.qcom.nameown12

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 22:18

Reported

2024-11-12 22:21

Platform

android-x64-arm64-20240910-en

Max time kernel

147s

Max time network

150s

Command Line

com.nameown12

Signatures

Octo

Tags: banker trojan infostealer rat octo

Octo family

Tags: octo

Makes use of the framework's Accessibility service

Tags: collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker discovery

Queries the phone number (MSISDN for GSM devices)

Tags: discovery

Acquires the wake lock

Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service

Tags: evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user

Tags: evasion
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (5 occurrences)

Queries the mobile country code (MCC)

Tags: discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Reads information about phone network operator.

Tags: discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

Tags: collection credential_access
Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS

Requests disabling of battery optimizations (often used to enable hiding in the background).

Tags: evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Requests modifying system settings.

Tags: evasion
Intent action: android.settings.action.MANAGE_WRITE_SETTINGS

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Framework API call: javax.crypto.Cipher.doFinal

Processes

com.nameown12

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 172.217.16.238:443 www.youtube.com udp
GB 172.217.16.238:443 www.youtube.com tcp
GB 216.58.201.110:443 www.youtube.com tcp
US 216.239.32.223:443 tcp
NL 80.76.51.220:7117 80.76.51.220 tcp
US 1.1.1.1:53 www.ip-api.com udp
NL 80.76.51.220:7117 80.76.51.220 tcp
US 208.95.112.1:80 www.ip-api.com tcp
NL 80.76.51.220:7117 80.76.51.220 tcp
NL 80.76.51.220:7117 80.76.51.220 tcp
NL 80.76.51.220:7117 80.76.51.220 tcp
NL 80.76.51.220:7117 80.76.51.220 tcp
GB 172.217.169.78:443 www.youtube.com tcp
GB 172.217.169.33:443 tcp
GB 142.250.200.1:443 tcp
US 216.239.32.223:443 tcp

Files

/data/user/0/com.nameown12/kl.txt

/data/user/0/com.nameown12/kl.txt

/data/user/0/com.nameown12/kl.txt

/data/user/0/com.nameown12/kl.txt

/data/user/0/com.nameown12/kl.txt

/data/user/0/com.nameown12/kl.txt

/data/user/0/com.nameown12/kl.txt

/data/user/0/com.nameown12/kl.txt

/data/user/0/com.nameown12/kl.txt

/data/user/0/com.nameown12/.qcom.nameown12
