octo | 3bb977572649e33b2e76c19bd6cda558d48c68b6cf718219345e97bbbcf672be

Analysis

max time kernel
149s
max time network
153s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
14-11-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bb977572649e33b2e76c19bd6cda558d48c68b6cf718219345e97bbbcf672be.apk
Size

605KB
MD5

456336381fb676ab40cd61c825140195
SHA1

cd413d867c6f20b733fcb175ec8a17389b6a8a85
SHA256

3bb977572649e33b2e76c19bd6cda558d48c68b6cf718219345e97bbbcf672be
SHA512

311398b7f1900a9cc90c353ec3bb4b65aa4af6c031d58dad62ff5596a0589bb7a73e73e82e8746a4883bd4cdc81b1148bd719a740e2e490ee6a277846ed3500d
SSDEEP

12288:MTHDN+gS0QHiw4yiSnIF6BphqEINUvo+q3p+IphY//NscHzKys4hDLrMhdRTn:avSH34yirwBphMmvohwlRTKysIzgdRn

Score

10^/10

octo banker collection credential_access discovery evasion execution impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://7bb13903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://4b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://34b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://64b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://74b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://894b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139030754567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139033074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b641553903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

DES_key

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 2 IoCs

resource	yara_rule
behavioral1/files/fstream-3.dat	family_octo
behavioral1/memory/4256-1.dex	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4256	com.makethewf

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.makethewf/code_cache/secondary-dexes/1731621711695_classes.dex	4256	com.makethewf
/data/user/0/com.makethewf/code_cache/secondary-dexes/1731621711695_classes.dex	4281	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.makethewf/code_cache/secondary-dexes/1731621711695_classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.makethewf/code_cache/secondary-dexes/oat/x86/1731621711695_classes.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.makethewf/code_cache/secondary-dexes/1731621711695_classes.dex	4256	com.makethewf

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.makethewf
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.makethewf

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.makethewf

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.makethewf

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.makethewf
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.makethewf
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.makethewf
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.makethewf

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.makethewf

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.makethewf

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.makethewf

Requests modifying system settings. 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.makethewf

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.makethewf

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.makethewf

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.makethewf

com.makethewf
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4256
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.makethewf/code_cache/secondary-dexes/1731621711695_classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.makethewf/code_cache/secondary-dexes/oat/x86/1731621711695_classes.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4281

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.makethewf/cache/classes.dex

Filesize
446KB

MD5
01f6fed89a97a1e39432a603ffe63975

SHA1
604740d9a5a86c4bceb941235c3f85c6079913e4

SHA256
d5522c6b6b2f7ab7ab9e308cd1d3a840a76427c37247d440e7e7f81f50311c53

SHA512
e9b5b4b83c855756355424878e1424a2b5ca6102068da888f4ce0e221526520042af8cce7b23456fd82bef2cc3b0ce1f11b2fa2f881a73486f2656618058cc3e

Download Submit
/data/data/com.makethewf/code_cache/secondary-dexes/1731621711695_classes.dex

Filesize
1.1MB

MD5
6a360f83c4740ebe81669374cc3ea8dd

SHA1
fa6a35efd9e07d6219f4c2cb9fcbcaa35bddef73

SHA256
21908aa9f33ba304c396844ebfadb8509db79c95f6eb57925c16435756e96f67

SHA512
5d446977219560df2d12782708af96c7b9d90585a079622cead0bcb9255aa3d64d3240a7954f0080f5eaa406813e6e5bffa64d020daf099b1c85005c88664cea

Download Submit
/data/data/com.makethewf/files/profileInstalled

Filesize
24B

MD5
e97d2c5b2c856a1fbaf6059724f5d7d4

SHA1
7abc3094e5c163e65e142a03d2f08447cbd035f2

SHA256
61e7fca459612c5af4bac97f869024e1366404b509b649bed96831b60b3a1f76

SHA512
f9594ac41dbbf5bf6db71813562a4e2f5791439f0af96c01e69c18d11c4f28de287cc397d930698598dbd6c6aec311f7bc98d08b93cf2c8fac857bc3a8adf215

Download Submit
/data/data/com.makethewf/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

Filesize
8B

MD5
fbdc5ad1924816d1de93ee6a889855dd

SHA1
20aad59a981b0d3f9b5624474dbd7af834465274

SHA256
09241885ea5b49b0ee5f17df4e1bda80a50c0daef172d9f4091200a2ea55662d

SHA512
22e512989635d1bd7a025add95c3d99bfe849d8995d05bce663e95054d271e05f642649297e3d3566e7dd33fa0fb17320aa9729c8e31d373c78aa4c646ce93a5

Download Submit
/data/data/com.makethewf/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.makethewf/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
d228bcd51b5d2202cc0e3e878836c723

SHA1
04655b72872dca64e13b99dbe06d40f3cbe30605

SHA256
1834fd2875df22e67f8e1892e465f870660a890218f92f11514a2725c06c10b9

SHA512
dfa8a0afeb4e15a7e21e300d68b264ec4d600db5350446d77cf8caf81d018b0e19f1b277b6781ebfae982a7a837e60fd6e6ef891779c4aef9714798a4a79a05a

Download Submit
/data/data/com.makethewf/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.makethewf/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
4e047aa4c7cd39dfa66762e99b28c5be

SHA1
26746c931f4d8ea1575400c04731283aa42b5a4c

SHA256
1e97c2442ae7014d0e09fa070fb99455d206f1ec3ed09f8643a1ab308a8af4dc

SHA512
30a595eeb8953111faf82c784b1d75967221ea9d4d7a9846cca1d1bed28d4a2e6d1866d40da861afc1879bc23f2aac4d893a92b15f9fd4038f3f8728f204da9f

Download Submit
/data/data/com.makethewf/no_backup/androidx.work.workdb-wal

Filesize
116KB

MD5
32821356bb49c2af991240930c325727

SHA1
acec20a486c3bb54021c675beb5bf1ebaf23b5b1

SHA256
3157295e2b502cbfb064be525916a82096ab6b88a429a77a7fe1f2392bd18623

SHA512
5cd7db469998ef4aa671ab3050b9e4b2d23521c90b4fcf084d3d59ed53f310248b8acf87539a2f994bb4590e7af233c1132cfa723ba173acb6e74df9980a6731

Download Submit
/data/data/com.makethewf/no_backup/androidx.work.workdb-wal

Filesize
124KB

MD5
4d2ed09eaa6e6738c7dc9a5ab43fd48f

SHA1
378053da870a780bf2dc267660e030ff51ead1a2

SHA256
3cd0074e8a0941ef200ffa51bcc6c5371b517c746630abe60bc1ebeddd61eba3

SHA512
6411f8a68405a2ed3b41bef6a08cefbcbf073505f7fa492f3a804652cdf1afdb9a42a0fae5cb8192562e36f8275c09e709fe120125ca4135f10513d2d75d00a8

Download Submit
/data/data/com.makethewf/no_backup/androidx.work.workdb-wal

Filesize
177KB

MD5
3778b0a37d6383f8c8c3ebba9b385e3b

SHA1
5a36c7108720e645c7195ab31c358468c22d65e2

SHA256
d4fee320470775e614ed96ad66d0b4891a9560c278812f01ebb7e3d0e8a27ccd

SHA512
641bb604d190d9b0331322397f8054c3d7ab84c925198029ece5eddda0243813333ac67ccdeb2f8c67d1867ab7bbe0a086ffdb18c2844570d9d46137a98367b5

Download Submit
/data/misc/profiles/cur/0/com.makethewf/primary.prof

Filesize
110B

MD5
760dfd318260d54060596ce4f24e5043

SHA1
3909840c95862e9f510242aba7396edd345f7822

SHA256
90df3a485ab231ef5982a0241d73b0acd6ad5e5722463cba8fdd3ddbb5330e48

SHA512
41c9de713b7d97b46b0493787542f6a839e4aa807f9a036378e928794758771516fbfe1c5463b71cd5917fa20f638046483ee6515f608a9bcf8bcebfa319c7b7

Download Submit
/data/misc/profiles/cur/0/com.makethewf/primary.prof

Filesize
118B

MD5
859a50d2c905d0243a4e6508bcf357d5

SHA1
d31cbbb5018007473e9ce7db81b00dce928d524b

SHA256
447e2862885f558bb247ebbe0242b5aa3c3256985d5fbb1e3c9129534e8a4877

SHA512
ea7d55cbe80998c699180ecbb51ebcd71bee74a58df57d9231fb2bb0f8c8e888e6d9cd765b337e78d859ad459bd6fc36066b264925e858b2e1cf212af84234e8

Download Submit
/data/user/0/com.makethewf/code_cache/secondary-dexes/1731621711695_classes.dex

Filesize
1.1MB

MD5
ab701a986dc9402cc2ba8eea79877c76

SHA1
9b536c13f6441de1f5df7982e12d84b5cf76f01e

SHA256
09c38125a1bdd061a5fcea9150435f5e7af6fd12faad06131b37a97a00e5343d

SHA512
3e2999602a0be9cf8792c1a5280da29e40ceb191f5aa05f03e2a6ce6c1716ff5628af8c98019db2400d31833d0513987398cd1e8e6d3905869edd91d3df18c67

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads