Malware Analysis Report

2024-10-19 12:58

Sample ID 240825-1xc8kaxeke
Target 2d45a8aedf9b50ac6bae9dd1b6bd0f63f01b6a363e54e672e33a83311584c46b.bin
SHA256 2d45a8aedf9b50ac6bae9dd1b6bd0f63f01b6a363e54e672e33a83311584c46b
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Analysis Overview

score
10/10

SHA256

2d45a8aedf9b50ac6bae9dd1b6bd0f63f01b6a363e54e672e33a83311584c46b

Threat Level: Known bad

The file 2d45a8aedf9b50ac6bae9dd1b6bd0f63f01b6a363e54e672e33a83311584c46b.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests accessing notifications (often used to intercept notifications before users become aware).

Reads information about phone network operator.

Queries the unique device ID (IMEI, MEID, IMSI)

Requests modifying system settings.

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Performs UI accessibility actions on behalf of the user

Declares services with permission to bind to the system

Acquires the wake lock

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-25 22:01

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-25 22:01

Reported

2024-08-25 22:07

Platform

android-x86-arm-20240624-en

Max time kernel

179s

Max time network

179s

Command Line

com.directhorseqq

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.directhorseqq/cache/btzenoaruthqzic N/A N/A
N/A /data/user/0/com.directhorseqq/cache/btzenoaruthqzic N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.directhorseqq

Network


Files

/data/data/com.directhorseqq/cache/btzenoaruthqzic


/data/data/com.directhorseqq/kl.txt


/data/data/com.directhorseqq/kl.txt


/data/data/com.directhorseqq/kl.txt


/data/data/com.directhorseqq/kl.txt


/data/data/com.directhorseqq/kl.txt


/data/data/com.directhorseqq/cache/oat/btzenoaruthqzic.cur.prof


/data/data/com.directhorseqq/.qcom.directhorseqq


Analysis: behavioral2

Detonation Overview

Submitted

2024-08-25 22:01

Reported

2024-08-25 22:07

Platform

android-33-x64-arm64-20240624-en

Max time kernel

178s

Max time network

143s

Command Line

com.directhorseqq

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.directhorseqq/cache/btzenoaruthqzic N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.directhorseqq

Network


Files

/data/data/com.directhorseqq/cache/btzenoaruthqzic


/data/data/com.directhorseqq/kl.txt


/data/data/com.directhorseqq/kl.txt


/data/data/com.directhorseqq/kl.txt


/data/data/com.directhorseqq/kl.txt


/data/data/com.directhorseqq/kl.txt


/data/data/com.directhorseqq/cache/oat/btzenoaruthqzic.cur.prof


/data/data/com.directhorseqq/.qcom.directhorseqq
