Malware Analysis Report

2024-10-19 12:59

Sample ID 240826-1xpxcsyhqr
Target 6eb47249aeff32c31875be5b1bceea794e59ea65fd52ed9f4939e9514f9c6f22.bin
SHA256 6eb47249aeff32c31875be5b1bceea794e59ea65fd52ed9f4939e9514f9c6f22
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6eb47249aeff32c31875be5b1bceea794e59ea65fd52ed9f4939e9514f9c6f22

Threat Level: Known bad

The file 6eb47249aeff32c31875be5b1bceea794e59ea65fd52ed9f4939e9514f9c6f22.bin was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Acquires the wake lock

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Queries the unique device ID (IMEI, MEID, IMSI)

Performs UI accessibility actions on behalf of the user

Reads information about phone network operator.

Requests accessing notifications (often used to intercept notifications before users become aware).

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests modifying system settings.

Declares broadcast receivers with permission to handle system events

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-26 22:01

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-26 22:01

Reported

2024-08-26 22:06

Platform

android-x86-arm-20240624-en

Max time kernel

42s

Max time network

166s

Command Line

com.forcecoldxw

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.forcecoldxw/cache/lthggrm N/A N/A
N/A /data/user/0/com.forcecoldxw/cache/lthggrm N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.forcecoldxw

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 sicakdanbeynimyandii2.com udp
US 1.1.1.1:53 robetcotraslros5234.com udp
US 1.1.1.1:53 slmla6242nbr.com udp
US 1.1.1.1:53 hava540derece.com udp
RU 193.143.1.24:443 slmla6242nbr.com tcp
US 74.119.239.234:443 hava540derece.com tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp

Files

/data/data/com.forcecoldxw/cache/lthggrm

MD5 7dce693e7f5823ffb25e19f284c026a0
SHA1 4601126cf82f3db4bb92bb70125cdadb794701ef
SHA256 ee9c517b4628eaf6bd70fce394f807d5e2236a41a2753fc9e23afa0f6c5aa604
SHA512 9dd32bcd2665d8fa5a5145f22128f000001f9991ddc9b60d943c8e52a584523cc5f4e1ae7b824e51819a5d0191434398cf90d85353c250d4502efb1ce810d63f

/data/data/com.forcecoldxw/kl.txt

MD5 54296323321f9d67b2a6fd5f08c7ddb8
SHA1 3748843f1f887e697353587190c0d9f6696aa717
SHA256 80bf7b9f46bef79c2736c0ab4ef75ac91b12acf411c88100679b2e152b4445f9
SHA512 55fca75f14d57ea9f626f04c79c22affde9daced251427f3e76473e97157ef65932487b9a35229309e234d5e25a29be980a7a62aa3665d6c43ea2541843b8881

/data/data/com.forcecoldxw/kl.txt

MD5 c21972ca4d28824315ebc6745bdb5abf
SHA1 3555d0d6e7eff73369525ed1bfb1c5c68ddf2324
SHA256 c46bc32f337bb5ba3a9b470fb75493da4d0e8fe77d255ce4b81f7366f4ef6906
SHA512 814f5d71acbb256578107379e86bfe44bde71bf437a339cb5ea2921e3e3dcfb733f3315ecc686229b3d81bb458370ee474702b1e89e052900ab2dadf73452544

/data/data/com.forcecoldxw/kl.txt

MD5 3917a3d59cf874f283437fe38c922356
SHA1 a146f70d8c537f56832ba747fecef996ba86de2a
SHA256 f3a45f39a3df9ddd3422b9044a835bd5c019f1fc1d6a55ba81576f687a1762f2
SHA512 815beb7b80d734e16eef3790a250477564adcb5a20fbdf120b931e8a55aa0c1cec4fb4631efd84b646167263b0ae8dd928014dc5296c7a6302c0c1815cfe8e53

/data/data/com.forcecoldxw/kl.txt

MD5 074e8c750a14b5a9162f26718ebb408d
SHA1 df820b4c2e1750729320101387b6db4eab5c44ec
SHA256 feb7a734c6fb8cb7242321d927b32ee741d9ab5f7f074557ffdc3ca8ae167b40
SHA512 ce00c8a14ca797d49179be028fc20b5e7282ce2a2acf15b72dd0671ca90bb2715e11f5b67c06687bbda5f214fc92a2eda231c3c28a611db1deaaf13f159b2c65

/data/data/com.forcecoldxw/kl.txt

MD5 a57ce628cc0655caf08e4c35b072af9f
SHA1 986ddec110609c86e06ae9d848e29dee08605aa8
SHA256 7713db3a90c9f14b1db4a286d2e5dd49654b37826a55518c8ed78493b019fd3c
SHA512 02a7cd54c4862fb93587185d0b64403755854e572f6fb8af74f8a6341fc6edf6442a06437b00e1237d303cc98af88456aced099df3b3aa6117038ff329d95e15

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-26 22:01

Reported

2024-08-26 22:06

Platform

android-33-x64-arm64-20240624-en

Max time kernel

179s

Max time network

172s

Command Line

com.forcecoldxw

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.forcecoldxw/cache/lthggrm N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests modifying system settings.

evasion
Description Indicator Process Target
Intent action android.settings.action.MANAGE_WRITE_SETTINGS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.forcecoldxw

Network

Country Destination Domain Proto
GB 142.250.187.196:443 udp
GB 142.250.187.196:443 tcp
N/A 224.0.0.251:5353 udp
GB 216.58.212.238:443 tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 hava540derece.com udp
US 74.119.239.234:443 hava540derece.com tcp
US 1.1.1.1:53 havacerinlii34.com udp
US 1.1.1.1:53 selamcanoonaber.site udp
US 1.1.1.1:53 cehennemdirloo34.com udp
US 1.1.1.1:53 havasarinliyorla234.com udp
US 1.1.1.1:53 pikniktupu2534.com udp
US 74.119.239.234:443 hava540derece.com tcp
US 1.1.1.1:53 otururkenterliyorum42.com udp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
GB 142.250.187.196:443 tcp
GB 172.217.169.68:443 tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
GB 172.217.169.68:443 tcp
US 172.64.41.3:443 tcp
US 172.64.41.3:443 tcp
US 172.64.41.3:443 tcp
GB 216.58.201.99:443 tcp
GB 216.58.201.99:443 tcp
US 172.64.41.3:443 udp
GB 216.58.201.99:443 udp
US 1.1.1.1:53 sicaklarbittikurtldk6215.com udp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
GB 142.250.187.196:443 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com udp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
GB 172.217.169.74:443 remoteprovisioning.googleapis.com tcp
US 1.1.1.1:53 rcs-acs-tmo-us.jibe.google.com udp
US 216.239.36.155:443 rcs-acs-tmo-us.jibe.google.com tcp
GB 142.250.187.227:443 tcp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
US 1.1.1.1:53 robetcotraslros5234.com udp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
US 1.1.1.1:53 slmla6242nbr.com udp
RU 193.143.1.24:443 slmla6242nbr.com tcp
US 1.1.1.1:53 sicaktanbayilcam52.com udp
US 1.1.1.1:53 sicakdanbeynimyandii2.com udp
RU 193.143.1.24:443 slmla6242nbr.com tcp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
US 74.119.239.234:443 otururkenterliyorum42.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp
RU 193.143.1.24:443 slmla6242nbr.com tcp

Files

/data/data/com.forcecoldxw/cache/lthggrm

MD5 7dce693e7f5823ffb25e19f284c026a0
SHA1 4601126cf82f3db4bb92bb70125cdadb794701ef
SHA256 ee9c517b4628eaf6bd70fce394f807d5e2236a41a2753fc9e23afa0f6c5aa604
SHA512 9dd32bcd2665d8fa5a5145f22128f000001f9991ddc9b60d943c8e52a584523cc5f4e1ae7b824e51819a5d0191434398cf90d85353c250d4502efb1ce810d63f

/data/data/com.forcecoldxw/cache/oat/lthggrm.cur.prof

MD5 2110905756d4cff92203005e4377e93b
SHA1 564913571ecc2eeafeb1effd677515b62ea252a3
SHA256 76fe3143283eaa0b94af341fd88c5965aee0f398663d61ef7cbc78b029176f92
SHA512 3a2d301b05cb6782efc350198c2ad34ee76e78a387665e7338d74b0218742abd8e3f0ebdf1a9bee5bce8f84069e30425275d8b3d7d7a0393d3489b64a14be4d7

/data/data/com.forcecoldxw/.qcom.forcecoldxw

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c