octo | 2fba8d6b343d6426c6ac80f241d5f898b313aa068fa8a642d396a129d9bebb01

Analysis

max time kernel
150s
max time network
144s
platform
android_x86
resource
android-x86-arm-20240221-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
submitted
25-04-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fba8d6b343d6426c6ac80f241d5f898b313aa068fa8a642d396a129d9bebb01.apk
Size

541KB
MD5

2f7893eacc1aa8f50ca532f168f0f254
SHA1

322e15a5aff3ca6e4e01840234cbed647c5bef28
SHA256

2fba8d6b343d6426c6ac80f241d5f898b313aa068fa8a642d396a129d9bebb01
SHA512

66eeb64ed82603f3c6caa481f80ff6b1ce245b83125086ccd14851ec59df6aa2ebeb1a2f252995bb83497fcfd6dce6a87caee2c63245882de93f87b444ad3aa3
SSDEEP

12288:Khn0/HwJdHS1BUnAlZHI/9Wb4rlRHF13c7STNz7xLTEpGIiGeAXnz:Cn0/ydHSnzDHIV9LHP3ISd7xLTgF1eAj

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://33moneycshlazim33.shop/MmExODA3MDAzZjA5/

https://moneycsasfasfh.shop/MmExODA3MDAzZjA5/

https://moneymaskalandd.shop/MmExODA3MDAzZjA5/

https://moneycsffhgm7.shop/MmExODA3MDAzZjA5/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

Processes:

resource	yara_rule
/data/data/com.classatlwq/cache/jemyrkrdbtpepnj	family_octo

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.classatlwq

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.classatlwq
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.classatlwq

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

com.classatlwq

pid process

4175 com.classatlwq
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.classatlwq

description ioc process

File opened for read /proc/cpuinfo com.classatlwq
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.classatlwq

description ioc process

File opened for read /proc/meminfo com.classatlwq
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
evasion

Download New Code at Runtime
T1407

Processes:

com.classatlwq

ioc pid process

/data/user/0/com.classatlwq/cache/jemyrkrdbtpepnj 4175 com.classatlwq
/data/user/0/com.classatlwq/cache/jemyrkrdbtpepnj 4175 com.classatlwq
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.classatlwq

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.classatlwq
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.classatlwq

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.classatlwq
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.classatlwq

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.classatlwq
Acquires the wake lock 1 IoCs

Processes:

com.classatlwq

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.classatlwq
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.classatlwq

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.classatlwq
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.classatlwq

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.classatlwq

pid	process
4175	com.classatlwq

description	ioc	process
File opened for read	/proc/cpuinfo	com.classatlwq

description	ioc	process
File opened for read	/proc/meminfo	com.classatlwq

ioc	pid	process
/data/user/0/com.classatlwq/cache/jemyrkrdbtpepnj	4175	com.classatlwq
/data/user/0/com.classatlwq/cache/jemyrkrdbtpepnj	4175	com.classatlwq

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.classatlwq

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.classatlwq

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.classatlwq

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.classatlwq

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.classatlwq

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.classatlwq

com.classatlwq
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4175

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.classatlwq/cache/jemyrkrdbtpepnj

Filesize
449KB

MD5
24233108b647bb5955756d9e8f78d822

SHA1
f91c7768f355b20936949e628fb5ad03f4f9ab68

SHA256
f340715771794502f223a3fada82a41f125e764b833864f75eb149e6e34b415f

SHA512
8d30981a656b50634c41aa422f539cbc5f4a1fb9234307d6176543da25f5cb9c674b42072d57544f4f3dd14ef864764fd8c12009888e594ae98c9c459dc80d4e

Download Submit
/data/data/com.classatlwq/cache/oat/jemyrkrdbtpepnj.cur.prof

Filesize
525B

MD5
015abdd3a7d497ed4b75648ccadf9cea

SHA1
8c4ab4018b692037f6281de544171e2e08ebb9e3

SHA256
043231eef7a29a61ca05b10b0c0c1c12ca069193ab3831bca39747f59e990fef

SHA512
048aba74673e8cc8c8b2881886b3a85d1c77ab3b733a01866873384700db5d8256beab31d1f0e0210ee8aa60d5bd914312f080ec28cefa856d21159c8b5b9cd2

Download Submit
/data/data/com.classatlwq/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.classatlwq/kl.txt

Filesize
230B

MD5
e82fc4c0790db9ed37bf137bb0e9ffc0

SHA1
182b7e3605fded16adb0dd420270d394c0abb8af

SHA256
da6d80d71f36b2811f40f48dd91dafed9a3057dcfa77c36f507569e2be35c699

SHA512
9e1eb4489eccaccf69ec9952a36ec601d9eef2de9ded34c345917f768efd075cb94e7f12c1dbffc2888cff21a3e626e6b3505f211d9ba6e41f94c7fc33079e8e

Download Submit
/data/data/com.classatlwq/kl.txt

Filesize
54B

MD5
43732276523bc99d97c1e8dda266c518

SHA1
ae0e95dc8c57639b93a50b987af03e895d95749f

SHA256
33a2ada2455448cc2ee3bc23fbdf96bcb28d79747cc46c38031120bd6985695c

SHA512
96639688fc5a0fe0110dfde99ed15c590f2c711f6bb2c5aeb09d27c1f96a22c80546bab5698a65babf3eaeca7b951245c51667f7951f91818efecdb9c0f56fcd

Download Submit
/data/data/com.classatlwq/kl.txt

Filesize
63B

MD5
90af240dddc6c5b37916c881ffac8710

SHA1
464791a5b17ed26fbb9c0e2a44f59243506fec49

SHA256
aa49c04f75846975bf81cdff3253b0b5a9df6c60b35a1a1f0e1c79ef8f4ec077

SHA512
344f1d3409896910ac9c201496a13a64433866ef50dc1924c5206b860d854777cce94793341b941b912d523524381e8aa854e8b87bb7abec9396ce0f03038866

Download Submit
/data/data/com.classatlwq/kl.txt

Filesize
162B

MD5
049a7b9469af5067bbd015bb9b68ac08

SHA1
341481a7d35f8df88f15d4f1d93d843ccfd2654b

SHA256
9d99378aa47bcfbccfa6655906c56de5fe1082297693158668000d3be6432207

SHA512
76f86ac9a9a329ea9b5007d1a37921a943891f9f36d033b899768322465fb1a63981eae039447eb7e1ffc4fc2793ebd3eedb1adb71f8ba7ae9acd8f3a73e2789

Download Submit