octo | 9209036c1ed5a6667160aff616060f2590a533bc723dc1834070d7337d37a529

Analysis

max time kernel
179s
max time network
132s
platform
android_x64
resource
android-x64-arm64-20240514-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240514-enlocale:en-usos:android-11-x64system
submitted
29-05-2024 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9209036c1ed5a6667160aff616060f2590a533bc723dc1834070d7337d37a529.apk
Size

541KB
MD5

ac3ed42f2f086c8f2365dfd69e9d293f
SHA1

ad4de654ef5132a4d1376f029c6a9c6532e0ec85
SHA256

9209036c1ed5a6667160aff616060f2590a533bc723dc1834070d7337d37a529
SHA512

6fc7e2d4d7e0d416216d009a9cf992045857394a64720be1674290701143a51bc6ca5ac27df3bcdcd7dcc068822bcf1b5a14ad0eece6bc7252da0eb2a47fe384
SSDEEP

12288:Nts8AzI81cC/go8OaxwAcH6kTw4xq0P6CFwoy2I22KzwHdu18T3nZ:NN+I81cF7DRkS0Pi2AH9JT3nZ

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://moneycsffhgm7.shop/MmExODA3MDAzZjA5/

https://moneycsasfasfh.com/MmExODA3MDAzZjA5/

https://moneycsasfasfh.net/MmExODA3MDAzZjA5/

https://2moneycsasfasfh.net/MmExODA3MDAzZjA5/

https://2moneycsasfasfh.com/MmExODA3MDAzZjA5/

https://3moneycsasfasfh.com/MmExODA3MDAzZjA5/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.objectuplz/cache/cappfw	family_octo

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.objectuplz

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.objectuplz
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.objectuplz

Prevents application removal 1 TTPs 1 IoCs
Application may abuse the framework's APIs to prevent removal.
evasion

Prevent Application Removal
T1629.001

Processes:

com.objectuplz

description ioc process

Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.objectuplz
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
collection credential_access

Access Notifications
T1517

Processes:

com.objectuplz

description ioc process

Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.objectuplz
Requests modifying system settings. 1 IoCs
evasion

Processes:

com.objectuplz

description ioc process

Intent action android.settings.action.MANAGE_WRITE_SETTINGS com.objectuplz
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.objectuplz

description ioc process

File opened for read /proc/cpuinfo com.objectuplz
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.objectuplz

description ioc process

File opened for read /proc/meminfo com.objectuplz
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
evasion

Download New Code at Runtime
T1407

Processes:

com.objectuplz

ioc pid process

/data/user/0/com.objectuplz/cache/cappfw 4578 com.objectuplz
/data/user/0/com.objectuplz/cache/cappfw 4578 com.objectuplz
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.objectuplz

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.objectuplz
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
collection credential_access impact

Clipboard Data
T1414

Transmitted Data Manipulation
T1641.001

Processes:

com.objectuplz

description ioc process

Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.objectuplz
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.objectuplz

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.objectuplz
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Acquires the wake lock 1 IoCs

Processes:

com.objectuplz

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.objectuplz
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.objectuplz

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.objectuplz
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.objectuplz

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.objectuplz

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.objectuplz

description	ioc	process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.objectuplz

description	ioc	process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.objectuplz

description	ioc	process
File opened for read	/proc/cpuinfo	com.objectuplz

description	ioc	process
File opened for read	/proc/meminfo	com.objectuplz

ioc	pid	process
/data/user/0/com.objectuplz/cache/cappfw	4578	com.objectuplz
/data/user/0/com.objectuplz/cache/cappfw	4578	com.objectuplz

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.objectuplz

description	ioc	process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.objectuplz

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.objectuplz

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.objectuplz

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.objectuplz

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.objectuplz

com.objectuplz
1⤵
- Makes use of the framework's Accessibility service
- Prevents application removal
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests modifying system settings.
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4578

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.objectuplz/cache/cappfw

Filesize
449KB

MD5
cc924dc334167c501498c4ef40d59921

SHA1
88a01dff8c8b935bf69a689327b92e2e80129398

SHA256
0f666170c574f1c32d3e0882f6f32706e9c231ec731dd4403806f801dfad7711

SHA512
897b11c0fb4e376d002d22fd85a9c3e81173f9910d3274354ea51ed2b49897c43b0bc3f374d86654337cf887190f3c87dc2249d8f4ead86ab3d90e40b00d1803

Download Submit
/data/user/0/com.objectuplz/cache/oat/cappfw.cur.prof

Filesize
323B

MD5
f0c4015179869f2c089223f800cfba49

SHA1
00b01f52d5d695dced5a0ebb8738c7c347bbd866

SHA256
c13294542091c8e3cf22612e2cb4c1c9a3504050b2ddb9dc051485855d335a1f

SHA512
e1e88612cca4def1ed634cb2bf96ed459eece54b20fd243c195a15b5ac20cb23f6639d9eaeb063b524e29360cf7395c215474a9cb8574dcd95bb17d0c9e4076c

Download Submit
/data/user/0/com.objectuplz/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/user/0/com.objectuplz/kl.txt

Filesize
237B

MD5
fcdcc703df5b59e552dbc28d31338931

SHA1
ae834033b9fd8047a95585f0cf349f2587aea4ab

SHA256
0864e9e2d175a642307ef4550d6710115663cefc540c2ea06b43ded6d72171cf

SHA512
4aa5caa7e42e0f058621f6b88792f9bccd027c9debf9ff9246286d8569b09c967ae4d168dc90ec52a65462b516e9d92adbba37ed6ecfae7a0dd5567c8659619d

Download Submit
/data/user/0/com.objectuplz/kl.txt

Filesize
63B

MD5
52cf3525079e3012bba32815f4ef6895

SHA1
9a02fe5935bd2d4cc2b333c1b7939d4264de457c

SHA256
74349c5266bab8f15f8472c482bd1f9921af331f7121c9532b730688e6e99b2e

SHA512
64cf15861363a90e91c9f4376d6b285085cc214051c06f7383fea9eb6da8e8d5630d8d5c2aef639712e94c801eea090f10cff0b756cde76083636d0e931d29e5

Download Submit
/data/user/0/com.objectuplz/kl.txt

Filesize
75B

MD5
12a624f32df756e96632a223e9d0349f

SHA1
5b276e9934b26d5e932660638dfbaa0d68113e3c

SHA256
4bb6d565a24a52bc385598cc9e0f00af6f4fcb18901be88779a0fddcf74691f0

SHA512
9b6515515ea83276291806cad1f33a3313374a78a19e2d378270226d372f98162fd6ef7dad98fb0bf4ca1bfbd2e15eb2c401e15711e890363754650cf1646d28

Download Submit
/data/user/0/com.objectuplz/kl.txt

Filesize
63B

MD5
db276965d15c9233dc250e0e0f0a74e6

SHA1
7fe752fb22bbd26b97a61a9f4689caaec757b607

SHA256
b63f4c57a0e29fd3c7403c96d0db5bc45ef4bc9ddea9d78e2f1b80ae31283e8c

SHA512
1a2c0f89dd345612de27694b511585b23f544cc083a6b1c10e239f35f210c71e7d5b7b5062381ca97f25c9cf720f82e9151cf14368455f2dbcefd67f0dc2bf80

Download Submit