octo | 9209036c1ed5a6667160aff616060f2590a533bc723dc1834070d7337d37a529

Analysis

max time kernel
179s
max time network
145s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
29-05-2024 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9209036c1ed5a6667160aff616060f2590a533bc723dc1834070d7337d37a529.apk
Size

541KB
MD5

ac3ed42f2f086c8f2365dfd69e9d293f
SHA1

ad4de654ef5132a4d1376f029c6a9c6532e0ec85
SHA256

9209036c1ed5a6667160aff616060f2590a533bc723dc1834070d7337d37a529
SHA512

6fc7e2d4d7e0d416216d009a9cf992045857394a64720be1674290701143a51bc6ca5ac27df3bcdcd7dcc068822bcf1b5a14ad0eece6bc7252da0eb2a47fe384
SSDEEP

12288:Nts8AzI81cC/go8OaxwAcH6kTw4xq0P6CFwoy2I22KzwHdu18T3nZ:NN+I81cF7DRkS0Pi2AH9JT3nZ

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://moneycsffhgm7.shop/MmExODA3MDAzZjA5/

https://moneycsasfasfh.com/MmExODA3MDAzZjA5/

https://moneycsasfasfh.net/MmExODA3MDAzZjA5/

https://2moneycsasfasfh.net/MmExODA3MDAzZjA5/

https://2moneycsasfasfh.com/MmExODA3MDAzZjA5/

https://3moneycsasfasfh.com/MmExODA3MDAzZjA5/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

Processes:

resource	yara_rule
/data/data/com.objectuplz/cache/cappfw	family_octo

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.objectuplz

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.objectuplz
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.objectuplz

Prevents application removal 1 TTPs 1 IoCs
Application may abuse the framework's APIs to prevent removal.
evasion

Prevent Application Removal
T1629.001

Processes:

com.objectuplz

description ioc process

Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.objectuplz
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

com.objectuplz

pid process

4257 com.objectuplz
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
collection credential_access

Access Notifications
T1517

Processes:

com.objectuplz

description ioc process

Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.objectuplz
Requests modifying system settings. 1 IoCs
evasion

Processes:

com.objectuplz

description ioc process

Intent action android.settings.action.MANAGE_WRITE_SETTINGS com.objectuplz
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.objectuplz

description ioc process

File opened for read /proc/cpuinfo com.objectuplz
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.objectuplz

description ioc process

File opened for read /proc/meminfo com.objectuplz
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
evasion

Download New Code at Runtime
T1407

Processes:

com.objectuplz

ioc pid process

/data/user/0/com.objectuplz/cache/cappfw 4257 com.objectuplz
/data/user/0/com.objectuplz/cache/cappfw 4257 com.objectuplz
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.objectuplz

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.objectuplz
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.objectuplz

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.objectuplz
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.objectuplz

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.objectuplz
Acquires the wake lock 1 IoCs

Processes:

com.objectuplz

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.objectuplz
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.objectuplz

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.objectuplz
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.objectuplz

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.objectuplz

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.objectuplz

pid	process
4257	com.objectuplz

description	ioc	process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.objectuplz

description	ioc	process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.objectuplz

description	ioc	process
File opened for read	/proc/cpuinfo	com.objectuplz

description	ioc	process
File opened for read	/proc/meminfo	com.objectuplz

ioc	pid	process
/data/user/0/com.objectuplz/cache/cappfw	4257	com.objectuplz
/data/user/0/com.objectuplz/cache/cappfw	4257	com.objectuplz

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.objectuplz

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.objectuplz

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.objectuplz

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.objectuplz

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.objectuplz

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.objectuplz

com.objectuplz
1⤵
- Makes use of the framework's Accessibility service
- Prevents application removal
- Removes its main activity from the application launcher
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests modifying system settings.
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4257

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.objectuplz/cache/cappfw
Filesize
449KB

MD5
cc924dc334167c501498c4ef40d59921

SHA1
88a01dff8c8b935bf69a689327b92e2e80129398

SHA256
0f666170c574f1c32d3e0882f6f32706e9c231ec731dd4403806f801dfad7711

SHA512
897b11c0fb4e376d002d22fd85a9c3e81173f9910d3274354ea51ed2b49897c43b0bc3f374d86654337cf887190f3c87dc2249d8f4ead86ab3d90e40b00d1803

Download Submit
/data/data/com.objectuplz/cache/oat/cappfw.cur.prof
Filesize
553B

MD5
8eb104e0dbd44e0dafe36eccae2c37bd

SHA1
ae60625523d53ac4277cc6399af04517672d389c

SHA256
cb2ec7d5768af1ebbfbfe6873039d015c6d925be622d8fc3710fd215605a7473

SHA512
13a6011ff7a8302bee10b09b32fdd4c70928e35975699618eb5d61d5f5dbe587a962e19daf89572db4b8fd71e145c7001b03abf989dabffe013d295bb23f82bd

Download Submit
/data/data/com.objectuplz/kl.txt
Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.objectuplz/kl.txt
Filesize
237B

MD5
12ef99db92bdc3a68449d7d9fdb51bba

SHA1
bad0012807063e0e4ab5c17a67a20163aa24527e

SHA256
8ef4fdebc3ee14d21454a65ac4079416e0de87581aac97f5de78876c3446ecd8

SHA512
4a60c50f30a00f54e319b490be19adc85cd61cb05c20aed12617ba9f7405b2601ccfaf068f67d1fea17cf27c07af67cdcf1186b6830df228198d6d130763737c

Download Submit
/data/data/com.objectuplz/kl.txt
Filesize
63B

MD5
641094979f7a9fdcbd03f887fa640123

SHA1
1ef65f9e29143ee4824600031f705f1c589d1f27

SHA256
12354593e3f27088d3c563902ce8aecbc2ea00da0edde3248c879ecafc6bd9e9

SHA512
a188e3d79591ada732e65438b94cf8d7c3d9979abdb5480f7f71b7f1f854b0a2d60248dc3670cf830453564a89a61925c48c19ff8b77804b54811aedb6bee6bf

Download Submit
/data/data/com.objectuplz/kl.txt
Filesize
63B

MD5
f9fdb4e1ec070fcdd2c3151c14faf247

SHA1
34771dde42ee07aead76b0be70bfa27ee39e5591

SHA256
829917f638a15050b2972dff43a25004771272fc4fab5889627016623b9a3d36

SHA512
3b2851ac1ba40ad88c0ed9e0d199f3544b7b32097893103d98193e98c8e6de8a6e7a7fe9a8a791fcef05130a63f24c479e5015544515cc2af82bfad9527d88bc

Download Submit
/data/data/com.objectuplz/kl.txt
Filesize
437B

MD5
ee8f4f7fee56df5fe0e9f81540268924

SHA1
ed01ec6aa6b2c0f260bba7c4762bc17690585732

SHA256
710f97e43707cae92eddfc74ce0492badfa11cf0209d5f5d007128d1db761f14

SHA512
04bbb0e95135cda2f40b378c501d9b127405727956877d55c2e85849c173d0ea5856cc954a101e8e350f37f73112ce3a3068dd261509aa2702fa32bbc45c5f8c

Download Submit