octo | f698fbb2bd46a4b6a9c8da3d74658772b47b3e43dafc494d55b4f54916db2ba5

Analysis

max time kernel
179s
max time network
159s
platform
android_x64
resource
android-x64-20240514-en
resource tags

androidarch:x64arch:x86image:android-x64-20240514-enlocale:en-usos:android-10-x64system
submitted
29-05-2024 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f698fbb2bd46a4b6a9c8da3d74658772b47b3e43dafc494d55b4f54916db2ba5.apk
Size

509KB
MD5

95d94be9f18f9c1311f50810a495679a
SHA1

fa5752f396e19f085dd56c673073112d5d3aa135
SHA256

f698fbb2bd46a4b6a9c8da3d74658772b47b3e43dafc494d55b4f54916db2ba5
SHA512

c28ca69d77ba37cdfe84fbb787f6bd7ff3877af1218f528202a02e21aebc82e02255cf55731cfe15692524880065224c4a60e3fe95cbfc19d59a5ffc5adccbb3
SSDEEP

12288:aSBzSFlIIhwPpqgFKDS30JGyMXpeX2/7XoU:R0FGp3FKDA4MXgXSR

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://moneycsffhgm7.shop/MmExODA3MDAzZjA5/

https://moneycsasfasfh.com/MmExODA3MDAzZjA5/

https://moneycsasfasfh.net/MmExODA3MDAzZjA5/

https://2moneycsasfasfh.net/MmExODA3MDAzZjA5/

https://2moneycsasfasfh.com/MmExODA3MDAzZjA5/

https://3moneycsasfasfh.com/MmExODA3MDAzZjA5/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

Processes:

resource	yara_rule
/data/data/com.snowcompletefyq/cache/lletscw	family_octo

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.snowcompletefyq

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.snowcompletefyq
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.snowcompletefyq

Prevents application removal 1 TTPs 1 IoCs
Application may abuse the framework's APIs to prevent removal.
evasion

Prevent Application Removal
T1629.001

Processes:

com.snowcompletefyq

description ioc process

Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.snowcompletefyq
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.snowcompletefyq

description ioc process

File opened for read /proc/cpuinfo com.snowcompletefyq
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.snowcompletefyq

description ioc process

File opened for read /proc/meminfo com.snowcompletefyq

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.snowcompletefyq

description	ioc	process
File opened for read	/proc/cpuinfo	com.snowcompletefyq

description	ioc	process
File opened for read	/proc/meminfo	com.snowcompletefyq

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.snowcompletefyq

ioc	pid	process
/data/user/0/com.snowcompletefyq/cache/lletscw	5143	com.snowcompletefyq
/data/user/0/com.snowcompletefyq/cache/lletscw	5143	com.snowcompletefyq

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.snowcompletefyq

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.snowcompletefyq
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
collection credential_access impact

Clipboard Data
T1414

Transmitted Data Manipulation
T1641.001

Processes:

com.snowcompletefyq

description ioc process

Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.snowcompletefyq
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.snowcompletefyq

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.snowcompletefyq
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.snowcompletefyq

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.snowcompletefyq
Acquires the wake lock 1 IoCs

Processes:

com.snowcompletefyq

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.snowcompletefyq
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.snowcompletefyq

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.snowcompletefyq

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.snowcompletefyq

description	ioc	process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.snowcompletefyq

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.snowcompletefyq

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.snowcompletefyq

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.snowcompletefyq

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.snowcompletefyq

com.snowcompletefyq
1⤵
- Makes use of the framework's Accessibility service
- Prevents application removal
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
PID:5143

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.snowcompletefyq/cache/lletscw

Filesize
449KB

MD5
2eb5d79a2030280606286bfdcb0c6e8f

SHA1
43da73a57e47b70678bfb652602af4c2ec65cad8

SHA256
5d5a7dbe2e41740bf7397f905762d4f6f461f546c58f6877abf179d9eddcb7b9

SHA512
8bb734e791dacb406d8ce5cacd58f22aa695608691a590f14f060bdfe8d08c4e37d0cd4ad71a0b8b5edaa769c0b5cb9ce64e7f344e7a79eb03690dbf29d29529

Download Submit
/data/data/com.snowcompletefyq/cache/oat/lletscw.cur.prof

Filesize
497B

MD5
0a9a77bb2943a3f5fd16bdaaaae7654a

SHA1
3acdf57876e6f1b3ea47bcc35a40b479e42b2a04

SHA256
2b4d5f3964435a7f1d4620ae9abda77bb5b5813e8b115e7bc25ad1b30ba2643b

SHA512
9751931dfd80f45912b23f8a07e75e412cc24cdd249a2ce45ce2cb81da4f72f3ddef41f3765c1c366ba018a68750d1501c5d2cb4cbf1cfe2862e1838fb0110e1

Download Submit
/data/data/com.snowcompletefyq/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.snowcompletefyq/kl.txt

Filesize
235B

MD5
8d9c8327c3bcd0d22cc33d87d1dad0f4

SHA1
19e63ad542ae8d994fbf8eea3face3f10f817930

SHA256
843e0657f1476051dcfea550047dbb8a7096b95facccf678dadd0b062540ab33

SHA512
72eeee6b84b87636e984a6388ef797e7c3974e0fe9b893de7ce49b6ba83a9e1fafeb222abb9c1af3338b49bc90963e978bf03b36e3b17762a0d90b7c606a5fcc

Download Submit
/data/data/com.snowcompletefyq/kl.txt

Filesize
45B

MD5
689370c58f241df8e17c9a23ffbfc31f

SHA1
684f5f28c8e0088913f008c079fc0fc47027c05f

SHA256
87e4c29298048ef83e56d88bbdd38cae37e8f89dee008e8c740dc7acaacd1bbe

SHA512
931f4e323c4da8c757daf9120b32120ed086eae7b7f3d84008b2387af19d72db73df196bf223e054a752406eb0fb55918a9eb2bcf21804d0e5a397aae75ed1f7

Download Submit
/data/data/com.snowcompletefyq/kl.txt

Filesize
66B

MD5
d9b733f5404134750dd0286e4525246a

SHA1
44f157234e411c7583a02f0afc6c2ba42cb04d42

SHA256
7ddb3c470db17a839de51f17e821c596c0923371cb44f5d18482b565109e5d77

SHA512
643a08f32327265127a561b1e36098dd0035cefef7242714fcd9711d266144eac5fc2efe2d38fa727a2409a1952ed377b282d3d18571f6ab8bf9ce109a1f48f2

Download Submit
/data/data/com.snowcompletefyq/kl.txt

Filesize
84B

MD5
039240f7c89fc00206997cdac015c577

SHA1
8491c2244bdd01b8ff73f39f06cd6d1980a0ef69

SHA256
bed322fed7f284bf64ce51f3a45fba3438f5cb56fdc17ab1014b27a1147ba3b4

SHA512
699d1e9a8d41254cabf2a35b65b6d39cccc0ed60a6428471708aa4816ad1e75cb47d971255e85c050349b170ccc1b64cd53d605cb7db9a869565c0908b9a91c7

Download Submit