Malware Analysis Report

2024-09-09 13:41

Sample ID 240531-111s2aga39
Target ea553f8c4ef122360c7eee3b8bb7a7b5ec0313cbee4395e8a7236472b071d507.bin
SHA256 ea553f8c4ef122360c7eee3b8bb7a7b5ec0313cbee4395e8a7236472b071d507
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ea553f8c4ef122360c7eee3b8bb7a7b5ec0313cbee4395e8a7236472b071d507

Threat Level: Known bad

The file ea553f8c4ef122360c7eee3b8bb7a7b5ec0313cbee4395e8a7236472b071d507.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo payload

Octo

Prevents application removal

Makes use of the framework's Accessibility service

Requests accessing notifications (often used to intercept notifications before users become aware).

Removes its main activity from the application launcher

Requests modifying system settings.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Registers a broadcast receiver at runtime (usually for listening for system events)

Makes use of the framework's foreground persistence service

Checks CPU information

Checks memory information

Reads information about phone network operator.

Requests dangerous framework permissions

Acquires the wake lock

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Requests disabling of battery optimizations (often used to enable hiding in the background).

Queries the unique device ID (IMEI, MEID, IMSI)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-31 22:07

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-31 22:07

Reported: 2024-05-31 22:10

Platform: android-x86-arm-20240514-en

Max time kernel: 178s

Max time network: 182s

Command Line

com.forcegovern81

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests modifying system settings.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.forcegovern81/cache/xpwuidpzvn | N/A | N/A
N/A | /data/user/0/com.forcegovern81/cache/xpwuidpzvn | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.forcegovern81

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 1.1.1.1:53 | adile56tasarim.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
US | 1.1.1.1:53 | adbennaberortak.com | udp
US | 1.1.1.1:53 | 5adiletasarim.com | udp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
US | 1.1.1.1:53 | yavasyavaslo261.com | udp
GB | 142.250.200.3:443 | - | tcp
US | 1.1.1.1:53 | selammudur24.com | udp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
GB | 142.250.180.14:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
GB | 142.250.187.206:443 | - | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp

Files

/data/data/com.forcegovern81/cache/xpwuidpzvn

MD5 d223ce399299839edd0dc6b69bd21e7f
SHA1 657f18e08fd21935f05f38ffc071b5171050ec23
SHA256 a359c98fb211f7096ccaae82d8f1af522bd4706bc29e2583643deb2c979abb22
SHA512 f2d1f6598d7fdbdc9b763357750e73f0d3b22d2f222a78085a576e96b259e37df7bd2ea4577d4f78edc729a54ac48e951db895ac1478735d1c519cbd51f2c99c

/data/data/com.forcegovern81/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.forcegovern81/kl.txt

MD5 2e80150260bf9787881efd915fa37934
SHA1 d5f5f235a86f1126c31770ed9f1321ef56dd0aa6
SHA256 70e87f5682124cf0ee088420942d7517541895621effd3a8b073cc00d9aa3a03
SHA512 7b0fef482e8c6602055cf17ea12ace2587f8153cbaa848330b0a566ea81b0401220e116b33b933212ead25acc3b88ee9ca9aaf905611cfd7739c2fdb349df379

/data/data/com.forcegovern81/kl.txt

MD5 691370326534067d02d700cd7370a2a4
SHA1 332fb816af7e4421955d1cd0ca6edec417ae34f6
SHA256 4de800552aaca57f729cb80931b06feb3d443eb4f9fb204e981554615a7c18ab
SHA512 45a92a75a6f04d51ad520b87cae42a13def0c12cc4413485b2d6fe3a5a5c79039c39e4e974c13d7c80ed726eae40bf1f12e691c0c22fe96c16a7939fa9fbbfce

/data/data/com.forcegovern81/kl.txt

MD5 6b9dd4d43cbde51512e6fa2b75a5b02e
SHA1 f3279cc0f1b1e643b957244f67a0700677d8a51b
SHA256 e3bf6017c898c0728383276a8cf546e364915dc0421e01728f63d406eafe1e38
SHA512 7bd25f907276c85652db10015235af49ee87ae46af9c521e023c883d0e4773a0b8a9b4e4f1589cd7b91bb5993d74b6eded6915aa3f4cc1439c070fae0309fca2

/data/data/com.forcegovern81/kl.txt

MD5 60cf67e96cc07a31f9f772c5400012a4
SHA1 fa07653753fa381ed801c2c1c8ab0ef6114acd39
SHA256 2baaba159212de6688ab30b3be58b499185002d1ef68979499d6d11a700e985d
SHA512 1f439f65d689b9d51e49c8d51dd8e68f64e239ce1dc85c7710e37768c7d1936bcd6ace6bb9757df54e1d5c271043e3f2ee6f410c2d483eb8471cc42c96ba28b2

/data/data/com.forcegovern81/cache/oat/xpwuidpzvn.cur.prof

MD5 83812b6d9ded4a6eea4217589cb834c4
SHA1 f9502b470f2b38b55e9dc30b5f917cec791be7c9
SHA256 064a0ce3c18fd41c9293b60eb34e0da03daa7c6fab81bc5a1414ea479d2a987f
SHA512 0a98f93edbfe658e1ddce2959bd2b597f659ac8351f15e6984a44c5759f965aaa2cc359c513647d125f718937d44244fbe63ac8e254130adf5d2182d3213019f

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-31 22:07

Reported: 2024-05-31 22:10

Platform: android-x64-20240514-en

Max time kernel: 128s

Max time network: 186s

Command Line

com.forcegovern81

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Prevents application removal

evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.forcegovern81/cache/xpwuidpzvn | N/A | N/A
N/A | /data/user/0/com.forcegovern81/cache/xpwuidpzvn | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.forcegovern81

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | adile56tasarim.com | udp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
US | 1.1.1.1:53 | 5adiletasarim.com | udp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | selammudur24.com | udp
US | 1.1.1.1:53 | adbennaberortak.com | udp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
US | 1.1.1.1:53 | yavasyavaslo261.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | - | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
GB | 172.217.16.238:443 | - | tcp
GB | 142.250.179.226:443 | - | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
GB | 142.250.178.4:443 | - | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.201.100:443 | www.google.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
US | 1.1.1.1:53 | g.tenor.com | udp
GB | 216.58.201.106:443 | g.tenor.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp
DE | 138.201.79.103:443 | 5adiletasarim.com | tcp

Files

/data/data/com.forcegovern81/cache/xpwuidpzvn

MD5 d223ce399299839edd0dc6b69bd21e7f
SHA1 657f18e08fd21935f05f38ffc071b5171050ec23
SHA256 a359c98fb211f7096ccaae82d8f1af522bd4706bc29e2583643deb2c979abb22
SHA512 f2d1f6598d7fdbdc9b763357750e73f0d3b22d2f222a78085a576e96b259e37df7bd2ea4577d4f78edc729a54ac48e951db895ac1478735d1c519cbd51f2c99c

/data/data/com.forcegovern81/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.forcegovern81/kl.txt

MD5 f735638b2e23d8286ad884bd94df018f
SHA1 d8b460e768809be60c4f72d7613929bc6ce52cac
SHA256 77b8386d35aef7c3274bc11e18dd8bba9dd6c81aef0a17b453b4791bee5189e2
SHA512 0a09d76dd145c087ee82e99dea87a65f4310aad58deb5738d2e51652f2d1b0496a43741d88b64455a22a359ab9680d1cd6abce3a762a490dbe01be287ab5cb7f

/data/data/com.forcegovern81/kl.txt

MD5 b268e1beff298f9dd4124803dae016af
SHA1 9ec29fdbc3c4dde7bb25499e6df1607aaa2df0e1
SHA256 c0f3e6e604ed781cde817c664747928502da8d32ae2b032d747e9a0bd249686a
SHA512 c6198555de24ff959b09a7fe36d2c7577d13359f43e9abdc2da96013ed4788547dacfe378209d7a236a390bc5fb12ba1e883f90d6c85c7ce7ec831f390a4b86f

/data/data/com.forcegovern81/kl.txt

MD5 035cc81632f43f3095348af987d84f91
SHA1 b20583eeb868b8b147c09f4d951bf0c052c9e5a0
SHA256 57dda7ad5503a7ee44d716f5f58c29c48b51772c471d7de8dd0b25f424a41e89
SHA512 1d1257ca80c51eb0ee13c166ede4b13f52f3da10db094db39b32a246fb2e2c7b177fd442b19e49f4c6dd2a495f027878cc0fb2b0f73a8ada3b20ee0ebc1ff079

/data/data/com.forcegovern81/kl.txt

MD5 d7fb7f2d4d4229d8ebf645b252c23ca6
SHA1 a87363c419d4be17168446ae1f1a46fb626b661e
SHA256 8504de35bd3528c37eb59e89ff6b8dac32f0f24b3474a60126593df446ed6966
SHA512 ea411c6eb8f2bf5c86e1e57e77903dc8578041e51f178fa844826b326f919fa8fb3556700e0f63de46772bbff22547386a9c5065c2edc15fcf870e70fcbcc232

/data/data/com.forcegovern81/cache/oat/xpwuidpzvn.cur.prof

MD5 4af0ebbee021274593ce9e1377d5882a
SHA1 4866d644699efdd5901b7fc76805b1213f72123a
SHA256 1b6e436ebb8c5287eddc2f5ee23ae064b81d5c258d075a8a5f73f3a080d0ff37
SHA512 1f72c037f3cdb50cb8003b3119cbd67b798860bc760dc33a64a230065f7c590283e85a86c2a43952354821c9762355bd867009fffdab07ec1e4e8e3b0ef9bec5