Malware Analysis Report

2024-12-07 03:14

Sample ID 241113-1x1nvszfre
Target 8fc1974dc696cd7552ec989b26283cedff9d4637524d7b9e753f4919b29567aa.bin
SHA256 8fc1974dc696cd7552ec989b26283cedff9d4637524d7b9e753f4919b29567aa
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8fc1974dc696cd7552ec989b26283cedff9d4637524d7b9e753f4919b29567aa

Threat Level: Known bad

The file 8fc1974dc696cd7552ec989b26283cedff9d4637524d7b9e753f4919b29567aa.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo family

Octo

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Requests access to notifications (often used to intercept notifications before the user becomes aware of them).

Makes use of the framework's foreground persistence service

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Acquires the wake lock

Performs UI accessibility actions on behalf of the user

Requests modifying system settings.

Requests exemption from battery optimizations (often used to keep running unnoticed in the background).

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 22:02

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows applications to use exact alarm APIs. android.permission.SCHEDULE_EXACT_ALARM N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
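
The static1 findings above are all derived from the manifest: the three BIND_* permissions are signature-level permissions that an app cannot hold, but declaring a service or receiver guarded by one of them asks the system to bind to that component as an accessibility service, notification listener or device admin receiver. The following Python is an added example of reproducing that triage on a decoded manifest; it is not tooling from this report. The manifest string is constructed to mirror the declarations listed above (package name, the BIND_* component permissions and the runtime permissions), it is not the sample's real decoded manifest, and the banker heuristic in score() is an assumption of this example, not a rule the sandbox applies.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed minimal manifest mirroring what static1 reports; NOT the
# sample's real decoded AndroidManifest.xml.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.actpound4">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="app">
    <service android:name=".AccSvc"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifSvc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminRcv"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# Runtime ("dangerous") permissions flagged in this report.
DANGEROUS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE", "android.permission.WRITE_SETTINGS",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.POST_NOTIFICATIONS", "android.permission.SCHEDULE_EXACT_ALARM",
}

# Signature-level permissions: an app declaring a component guarded by one
# of these is asking the system to bind to it in the named role.
BIND_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
    "android.permission.BIND_DEVICE_ADMIN": "device admin receiver",
}


def triage_manifest(xml_text):
    """Return the dangerous permissions requested and the privileged
    components declared, as the static signatures on this page do."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    components = []
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(ANDROID_NS + "permission")
            if perm in BIND_PERMS:
                components.append((tag, comp.get(ANDROID_NS + "name"), BIND_PERMS[perm]))
    return {"dangerous": sorted(requested & DANGEROUS),
            "privileged_components": components}


def score(findings):
    """Example heuristic (an assumption of this example, not a sandbox rule):
    SMS read+send together with an accessibility service is banker-shaped."""
    d = set(findings["dangerous"])
    has_sms = {"android.permission.READ_SMS", "android.permission.SEND_SMS"} <= d
    has_a11y = any(kind == "accessibility service"
                   for _, _, kind in findings["privileged_components"])
    return has_sms and has_a11y


if __name__ == "__main__":
    f = triage_manifest(SAMPLE_MANIFEST)
    print(f, "banker-shaped:", score(f))
```

On a real APK, feed the output of an axml decoder (for example apktool's decoded AndroidManifest.xml) into triage_manifest instead of the constructed string.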

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 22:02

Reported

2024-11-13 22:05

Platform

android-x86-arm-20240910-en

Max time kernel

21s

Max time network

150s

Command Line

com.actpound4

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.actpound4/cache/vemzcbbh N/A N/A
N/A /data/user/0/com.actpound4/cache/vemzcbbh N/A N/A
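
The sandbox records only the path of the dropped file, and the cache/oat/vemzcbbh.cur.prof entry under behavioral2 Files is consistent with ART having profiled that file as loaded code. A practitioner who pulls /data/user/0/com.actpound4/cache/vemzcbbh from the device or the sandbox usually wants to confirm it is a DEX before handing it to a decompiler. The Python below is an added example, not tooling from this report: it identifies the blob by magic rather than extension, validates the DEX header's Adler-32 checksum and declared sizes, and compares the SHA256 against the dropped-file hash this page lists. build_fake_dex() produces a constructed header-only blob for offline testing; the real payload's contents are not on this page.

```python
import hashlib
import struct
import zlib

# SHA256 of the dropped cache/vemzcbbh file, as listed under Files on this page.
REPORTED_DROPPED_SHA256 = {
    "e065279612f7cefcfc46f7fd11f77ce5e26765ecd03feda9bac74639c4d7cb48",
}


def classify_payload(data):
    """Identify a dropped file by its magic bytes (it has no extension)."""
    if data[:4] == b"dex\n" and len(data) >= 8 and data[7:8] == b"\x00":
        return "dex"        # b"dex\n035\x00" etc.: loadable via DexClassLoader
    if data[:4] == b"PK\x03\x04":
        return "zip"        # .jar/.apk container, also accepted as a dex source
    if data[:4] == b"\x7fELF":
        return "elf"        # native library
    return "unknown"


def check_dex_header(data):
    """Parse the fixed 0x70-byte DEX header and verify its Adler-32 checksum,
    which covers every byte after the 12-byte magic+checksum prefix."""
    version = data[4:7].decode("ascii")
    (checksum,) = struct.unpack_from("<I", data, 8)
    file_size, header_size = struct.unpack_from("<II", data, 32)
    computed = zlib.adler32(data[12:]) & 0xFFFFFFFF
    return {
        "version": version,
        "file_size": file_size,
        "header_size": header_size,
        "checksum_ok": computed == checksum
                       and file_size == len(data)
                       and header_size == 0x70,
    }


def inspect_dropped_file(data):
    """Triage a blob pulled from an app cache dir: type, SHA256, DEX header
    sanity, and whether it matches the dropped-file IOC on this page."""
    sha256 = hashlib.sha256(data).hexdigest()
    result = {"kind": classify_payload(data), "sha256": sha256,
              "known_dropped": sha256 in REPORTED_DROPPED_SHA256}
    if result["kind"] == "dex" and len(data) >= 0x70:
        result.update(check_dex_header(data))
    return result


def build_fake_dex():
    """Constructed header-only DEX blob with a valid checksum, used as offline
    test input. It is NOT the sample's payload and contains no code."""
    body = bytearray(0x70)
    body[0:8] = b"dex\n035\x00"
    struct.pack_into("<I", body, 32, len(body))    # file_size
    struct.pack_into("<I", body, 36, 0x70)         # header_size
    struct.pack_into("<I", body, 40, 0x12345678)   # endian_tag (little-endian)
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)


if __name__ == "__main__":
    print(inspect_dropped_file(build_fake_dex()))
```

A "dex" result with checksum_ok false is worth a second look rather than a discard: a dropper that decrypts the payload in memory and only writes a partially patched copy to disk will fail this check while still being the loaded code.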

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests access to notifications (often used to intercept notifications before the user becomes aware of them).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests exemption from battery optimizations (often used to keep running unnoticed in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.actpound4

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
US 1.1.1.1:53 oyunbaimlisi35.com udp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 172.217.169.10:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.200.3:80 tcp
GB 142.250.187.196:443 tcp
GB 142.250.180.10:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.180.10:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.180.10:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.178.14:443 tcp
GB 142.250.200.2:443 tcp
GB 142.250.178.14:443 tcp
BE 142.251.168.188:5228 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.187.228:443 www.google.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.187.206:443 www.youtube.com udp
GB 142.250.187.206:443 www.youtube.com tcp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
GB 172.217.16.234:443 mdh-pa.googleapis.com tcp
US 1.1.1.1:53 oyunbaimlisi35.com udp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp

Files

/data/data/com.actpound4/cache/vemzcbbh

MD5 b89b67df14bd6c0d5d42b2045b46f20b
SHA1 4a6d8be000021f850a97de9209f237deee96df29
SHA256 e065279612f7cefcfc46f7fd11f77ce5e26765ecd03feda9bac74639c4d7cb48
SHA512 eac36b75797d41c8b6f8755d8954b75f76c36bdea6a07279978d4074a2c04a0f280bccd6597b90b1d23907d0ea662ab6443505e3d577aadee69049ff84627b4a

/data/data/com.actpound4/kl.txt

MD5 13ad49a1f8b280e9f37f54875b98f263
SHA1 629689c932c1fa99fb9d4759c4b52017386059f3
SHA256 ee4e36ae6da53ee54fa7f570ffbd9925b0514211cbc42fdcbd4f3e0522db78ce
SHA512 709326b1d43df9f25af0c198e170aad8555e1cb791bd8496e23807f0e93d19521a99655f45a6ea8ac11e6b69166e0a49e2d81111f1416caaf44efaf4f5861c7f

/data/data/com.actpound4/kl.txt

MD5 87c2a9cd7aa6a2ae2d09101350720efa
SHA1 42793bccf9c693a14685e90b5b069df395987625
SHA256 b7d894de3ecab920223d903f0afce6545193122046e7fef8e852035cfc747ead
SHA512 c534de4e5b9b1b9f8aa99db4f189b701647f5dab3a35a898c3c0bfd8dac3498eb206e87517d5c1854c09d5b9b206c94f1145a2b4d40183b1e08eec53c94c84cb

/data/data/com.actpound4/kl.txt

MD5 4a6132eb3b8e86bf647efe7e69e1c29a
SHA1 bad1685b0690b522285d6b7edd28f0d40b9efee2
SHA256 dd8a347508fd82651679c29beb909eedc82da22a95c3cc70f21a9770962247d5
SHA512 9da040ec5751cdb8a72bb8e2225ce342952a72fcab0e7a5d1a2f79bf9c08bb8f19141534e6c1d7149e492214cfb0237c53d398f0b5c6af83acad035dba68ef38

/data/data/com.actpound4/kl.txt

MD5 e7e32d1342821d0bba37a8a5bd6a0f42
SHA1 71c5e8a837a559abb1aadc14c1d09c6afab32674
SHA256 e8a8f3aaaefc85c581235b07337ed2c8fbec25a20fa46da300cfd05ac6a1ba2a
SHA512 e86a17b148666edc32206530d6146af91a3ff1331905d484969ffe1c722aedb4f743da8d28be0082395790843fd3ecda55c8c074e519ae736ea0c63786ea399f

/data/data/com.actpound4/kl.txt

MD5 5043e0dc73c5d8cbde22e2ef772034cf
SHA1 2c5ceadf1abc4d901940ec425501302fb4688ba1
SHA256 eb46e3295d0399b2b7e7d70e164f2fa19369995d0c340af09a853b886cceeed3
SHA512 fcb176305153f5a03f49c95ff3d3af984194e83adf0206c79d5baf845abba2fa249f90483a51ec3713d18e8be45f6b50c5cff6581d236d2ef59ec3bfe85af1b0

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 22:02

Reported

2024-11-13 22:05

Platform

android-x64-arm64-20240910-en

Max time kernel

149s

Max time network

152s

Command Line

com.actpound4

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.actpound4/cache/vemzcbbh N/A N/A
N/A /data/user/0/com.actpound4/cache/vemzcbbh N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Requests access to notifications (often used to intercept notifications before the user becomes aware of them).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests exemption from battery optimizations (often used to keep running unnoticed in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.actpound4

Network

Country Destination Domain Proto
US 216.239.38.223:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.46:443 android.apis.google.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.200.46:443 www.youtube.com udp
GB 142.250.200.46:443 www.youtube.com tcp
GB 172.217.169.46:443 www.youtube.com tcp
US 1.1.1.1:53 malkafaniskm.com udp
US 1.1.1.1:53 mal1fukizmirli.com udp
US 1.1.1.1:53 fukiyibartiyom2.com udp
US 1.1.1.1:53 oyunbaimlisi35.com udp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.213.8:443 ssl.google-analytics.com tcp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
GB 142.250.200.46:443 www.youtube.com tcp
GB 142.250.200.33:443 tcp
US 216.239.38.223:443 tcp
GB 216.58.204.65:443 tcp
US 216.239.38.223:443 tcp
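
Most rows in both Network tables (behavioral1 and behavioral2) are background traffic from the emulator image: Play services on port 5228, semanticlocation-pa and mdh-pa googleapis endpoints, youtube, google-analytics, DNS to 1.1.1.1 and mDNS to 224.0.0.251. What matters for IOC extraction is the one non-Google host that received connections, oyunbaimlisi35.com on 193.143.1.4:443, and the three domains in behavioral2 that were looked up but have no following connection in the table (malkafaniskm.com, mal1fukizmirli.com, fukiyibartiyom2.com). The Python below is an added triage example, not part of this report: it parses the report's own row layout, drops resolver and multicast rows, allowlists Google infrastructure by domain suffix (an assumption of this example; a production allowlist should be curated and checked against the resolved IP ranges, not just names), and separates contacted domains from lookup-only ones. NETWORK_LOG is a subset of rows copied from the two tables.

```python
import ipaddress
from collections import defaultdict

# Subset of rows copied from the two Network tables on this page, in the
# report's "Country Destination Domain Proto" layout (Domain is optional).
NETWORK_LOG = """\
N/A 224.0.0.251:5353 udp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
US 1.1.1.1:53 oyunbaimlisi35.com udp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
RU 193.143.1.4:443 oyunbaimlisi35.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 172.217.169.10:443 semanticlocation-pa.googleapis.com tcp
BE 142.251.168.188:5228 tcp
US 1.1.1.1:53 malkafaniskm.com udp
US 1.1.1.1:53 mal1fukizmirli.com udp
US 1.1.1.1:53 fukiyibartiyom2.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.213.8:443 ssl.google-analytics.com tcp
"""

# Allowlist by name suffix: an assumption of this example, not a vetted list.
BENIGN_SUFFIXES = (".google.com", ".googleapis.com", ".youtube.com",
                   ".google-analytics.com")
RESOLVERS = {"1.1.1.1"}
MULTICAST = ipaddress.ip_network("224.0.0.0/4")


def parse_line(line):
    """Parse one report row; the Domain column is absent for raw-IP flows."""
    parts = line.split()
    if len(parts) == 3:
        country, dest, proto = parts
        domain = None
    elif len(parts) == 4:
        country, dest, domain, proto = parts
    else:
        raise ValueError("unexpected row: %r" % line)
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto}


def is_benign(domain):
    return domain is not None and domain.endswith(BENIGN_SUFFIXES)


def triage_network(log_text):
    """Split the sandbox network log into contacted non-allowlisted hosts
    (candidate C2), lookup-only domains, and unattributed raw-IP flows."""
    looked_up = set()
    contacted = defaultdict(set)
    bare_ips = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["ip"] in RESOLVERS and rec["port"] == 53:
            looked_up.add(rec["domain"])          # DNS query, not a contact
            continue
        if ipaddress.ip_address(rec["ip"]) in MULTICAST:
            continue                              # mDNS noise
        if rec["domain"] is None:
            bare_ips.add((rec["ip"], rec["port"], rec["proto"], rec["country"]))
            continue
        contacted[rec["domain"]].add((rec["ip"], rec["port"], rec["proto"], rec["country"]))
    c2 = {d: sorted(v) for d, v in contacted.items() if not is_benign(d)}
    dns_only = sorted(d for d in looked_up if d not in contacted and not is_benign(d))
    return {"c2": c2, "dns_only": dns_only, "bare_ips": sorted(bare_ips)}


if __name__ == "__main__":
    for key, value in triage_network(NETWORK_LOG).items():
        print(key, value)
```

The lookup-only domains deserve their own IOC entry even though no connection followed: in the behavioral2 run they were queried immediately before oyunbaimlisi35.com, which is the pattern of a client walking a list of C2 candidates until one answers.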

Files

/data/data/com.actpound4/cache/vemzcbbh

MD5 b89b67df14bd6c0d5d42b2045b46f20b
SHA1 4a6d8be000021f850a97de9209f237deee96df29
SHA256 e065279612f7cefcfc46f7fd11f77ce5e26765ecd03feda9bac74639c4d7cb48
SHA512 eac36b75797d41c8b6f8755d8954b75f76c36bdea6a07279978d4074a2c04a0f280bccd6597b90b1d23907d0ea662ab6443505e3d577aadee69049ff84627b4a

/data/data/com.actpound4/kl.txt

MD5 d6fbe642cf374cf26b5e7dc915000cd5
SHA1 7504f8d6518e91308550ab7e6e67937e5f0d22f3
SHA256 26d4dd4ba5dd00526f0c9bad1b1ac0a6347be1aadad5946e4f0317fa022031a0
SHA512 6856716dfbe08766036c8ed79f304a39b735493cd98bad8d8634626072c6b7bc751082356506b1c8f71a8851fe62cc8bd04924897506800f6c416538cad91e87

/data/data/com.actpound4/kl.txt

MD5 81f1465876c1faa48638b075e2171c89
SHA1 5fa8116e38c958ada8e32f026ff408e64a955742
SHA256 49c4a5fdc8127549d963b756552214265c90c6501f5f528c5ba15d16d21122ef
SHA512 f14082d7cf639e253e42bc8f40d55f3e8737fda1c53611e0786c89eeda6f6c6dc2bd7534009f45c88a4cee7f93893fc3e7f9e77af75eddd0bcf9138e8c3449e1

/data/data/com.actpound4/kl.txt

MD5 c39a87236b9cecfc6c4c979877284bea
SHA1 8106df60b0796308cf17e1316d78c0f90f91f05c
SHA256 63e0bc24399f0773e002a80e1a8998812f8797e774e8d26702b3ff98a0b6a64e
SHA512 10b8c277e262800b914e8047e97193a9ad8d95d3fd45880d78d914f1be28b81e80272db2a7bf01001794b5b462acc083ed6ad8876b6e733e55388e44580b0809

/data/data/com.actpound4/kl.txt

MD5 de166e9b8238c2665de4a6a4bbfc23e9
SHA1 555d15809f5c61e2bc7aef7bc3039fa8f0b565e1
SHA256 fe5a7ea57c855a1066c9674e7288ade4d9553b4444a61328bfb6750dd6d3c714
SHA512 6a1e81c3d26eb749e33f919e7482e18a908dcca67119a2422f3459be47211ffc3bda3824c6f1431c26a0c6adde56f3f239ce52cd2f8d4fe533fbae738dbb699e

/data/data/com.actpound4/kl.txt

MD5 133598c86b255f6f9c0ae990f573137d
SHA1 515ddd2610f996c1c0705f0695adf5e2c8b6338f
SHA256 a4fc2705aa1ff76fe030728ca2bad1898c99b89974c270f67dc34022410c527c
SHA512 9aabb3b4dc6ec64a0d6f2667acfdd0671467487239ac70871f65588acb73dd33e1589d8de0bb3efac7480b294fa869e5876763f59ca1f63ea58761f7dfafe974

/data/data/com.actpound4/cache/oat/vemzcbbh.cur.prof

MD5 c286ab8b70aba1289d6a9112a2f28585
SHA1 92d40305755cd4eafc5755e2607eb11caca93caa
SHA256 30bdf3e3aeef847ff372b2fe0d281b427d60700b80187fe200afb57d0cc0076d
SHA512 96d58cfc3136a3b740f3c287aead10946a4d747fb0116f88331765de6c71c6ce7fa53f816e100bd2a1b30b860a531f92032e0a014872c558020a0e3f7f6283ac

/data/data/com.actpound4/.qcom.actpound4

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c