octo | 2fba8d6b343d6426c6ac80f241d5f898b313aa068fa8a642d396a129d9bebb01

Analysis

max time kernel
152s
max time network
132s
platform
android_x64
resource
android-33-x64-arm64-20240229-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240229-enlocale:en-usos:android-13-x64system
submitted
25-04-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fba8d6b343d6426c6ac80f241d5f898b313aa068fa8a642d396a129d9bebb01.apk
Size

541KB
MD5

2f7893eacc1aa8f50ca532f168f0f254
SHA1

322e15a5aff3ca6e4e01840234cbed647c5bef28
SHA256

2fba8d6b343d6426c6ac80f241d5f898b313aa068fa8a642d396a129d9bebb01
SHA512

66eeb64ed82603f3c6caa481f80ff6b1ce245b83125086ccd14851ec59df6aa2ebeb1a2f252995bb83497fcfd6dce6a87caee2c63245882de93f87b444ad3aa3
SSDEEP

12288:Khn0/HwJdHS1BUnAlZHI/9Wb4rlRHF13c7STNz7xLTEpGIiGeAXnz:Cn0/ydHSnzDHIV9LHP3ISd7xLTgF1eAj

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://33moneycshlazim33.shop/MmExODA3MDAzZjA5/

https://moneycsasfasfh.shop/MmExODA3MDAzZjA5/

https://moneymaskalandd.shop/MmExODA3MDAzZjA5/

https://moneycsffhgm7.shop/MmExODA3MDAzZjA5/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.classatlwq/cache/jemyrkrdbtpepnj	family_octo

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.classatlwq

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.classatlwq
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.classatlwq

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.classatlwq

description ioc process

File opened for read /proc/cpuinfo com.classatlwq
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.classatlwq

description ioc process

File opened for read /proc/meminfo com.classatlwq
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
evasion

Download New Code at Runtime
T1407

Processes:

com.classatlwq

ioc pid process

/data/user/0/com.classatlwq/cache/jemyrkrdbtpepnj 4293 com.classatlwq
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.classatlwq

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.classatlwq
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
collection credential_access impact

Clipboard Data
T1414

Transmitted Data Manipulation
T1641.001

Processes:

com.classatlwq

description ioc process

Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.classatlwq
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.classatlwq

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.classatlwq
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Acquires the wake lock 1 IoCs

Processes:

com.classatlwq

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.classatlwq
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.classatlwq

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.classatlwq
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.classatlwq

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.classatlwq

description	ioc	process
File opened for read	/proc/cpuinfo	com.classatlwq

description	ioc	process
File opened for read	/proc/meminfo	com.classatlwq

ioc	pid	process
/data/user/0/com.classatlwq/cache/jemyrkrdbtpepnj	4293	com.classatlwq

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.classatlwq

description	ioc	process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.classatlwq

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.classatlwq

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.classatlwq

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.classatlwq

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.classatlwq

com.classatlwq
1⤵
- Makes use of the framework's Accessibility service
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4293

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.classatlwq/cache/jemyrkrdbtpepnj

Filesize
449KB

MD5
24233108b647bb5955756d9e8f78d822

SHA1
f91c7768f355b20936949e628fb5ad03f4f9ab68

SHA256
f340715771794502f223a3fada82a41f125e764b833864f75eb149e6e34b415f

SHA512
8d30981a656b50634c41aa422f539cbc5f4a1fb9234307d6176543da25f5cb9c674b42072d57544f4f3dd14ef864764fd8c12009888e594ae98c9c459dc80d4e

Download Submit
/data/user/0/com.classatlwq/cache/oat/jemyrkrdbtpepnj.cur.prof

Filesize
355B

MD5
38552563ee263c213c3035ac3b0f4a42

SHA1
033cab74e132bbb5faac085215f1e6b885263f6e

SHA256
48dea8454dd693ecc1ee5dfe7ebba9a65e8c727c77a931a5a0c04cf0e5edd181

SHA512
00e5e63a8db7f4ac2cb242ebe1b0cad92afc9d945eff2dbd2db2ece7effb3adf10b258c322f5f3fef0e07727e668c96af5506d7cf8b36336b567bc151e1840ea

Download Submit
/data/user/0/com.classatlwq/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/user/0/com.classatlwq/kl.txt

Filesize
64B

MD5
9f6d287dd9d310cbd338bcec1bb12e7a

SHA1
7195c97af827b74def5f356dca95aa867e97d2af

SHA256
5051ee062d799cb65947a0638d2e3933b3bb183b6d7ed3169ca34c79403067c6

SHA512
66c9ca826b1ce6cbfd917db5c3630332ceafd6ffaede85a6d3bb517919c8a6c564d1fc2c478682242e6a6221c6ac349fd3c92930ffe35f0f1c2f4b1a21602b85

Download Submit
/data/user/0/com.classatlwq/kl.txt

Filesize
214B

MD5
46c5f74542df9d30b5ad1998c6c2d209

SHA1
32c24a83f89407506dcd1ec7bf2488e3f1ea1e06

SHA256
b52dded55faa13b00e03ed4aeefc35ef7b7f787b5ab0eef33bd66aa8067acb99

SHA512
8250b9c8c99b4a9b0bf410f327fae3122bf28a1da905fa2f5577a1348d75492312c04cb93a6b5fa0f3d165a870a0fa289d3566b84d17e485249e10b59a93cdb9

Download Submit
/data/user/0/com.classatlwq/kl.txt

Filesize
52B

MD5
3ade2759b26547ab71ee9d13818f1453

SHA1
a5dfdc2474f3571dac16bb0196d1901f7b0b8441

SHA256
03aec4c2f4a78e28d7eb523624b25bb6952538ba52abb1afefb26bbdb4b627ae

SHA512
43f5c5ed02aa8da3633a17cb199f614a8dd7542f8a3fc4f443ebdc577f7b41e8fb6116b6824e33ff71e2fa07e37e2ca0f0c0b3e3b1fe3574bd8f641ac8c5c51f

Download Submit
/data/user/0/com.classatlwq/kl.txt

Filesize
79B

MD5
6b0665a6169fc01f83dabac1dfb697ff

SHA1
547d77c45534f230927baf18a45c0a54ee3d8f82

SHA256
218a51afa27913ba91c469519c93e9801437eeb3343c78d0281a3a494abf9f77

SHA512
34ffae80cacabd09c1ae54d0daa14ae88eac3a975d777bd8ae55d7378164f0b3c2106769cf1e3876b42e8cd72ea9ba5a2092d6dd7cf2a1af21f49a9a8563d977

Download Submit