octo | 3bb977572649e33b2e76c19bd6cda558d48c68b6cf718219345e97bbbcf672be

Analysis

max time kernel
142s
max time network
155s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
14-11-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bb977572649e33b2e76c19bd6cda558d48c68b6cf718219345e97bbbcf672be.apk
Size

605KB
MD5

456336381fb676ab40cd61c825140195
SHA1

cd413d867c6f20b733fcb175ec8a17389b6a8a85
SHA256

3bb977572649e33b2e76c19bd6cda558d48c68b6cf718219345e97bbbcf672be
SHA512

311398b7f1900a9cc90c353ec3bb4b65aa4af6c031d58dad62ff5596a0589bb7a73e73e82e8746a4883bd4cdc81b1148bd719a740e2e490ee6a277846ed3500d
SSDEEP

12288:MTHDN+gS0QHiw4yiSnIF6BphqEINUvo+q3p+IphY//NscHzKys4hDLrMhdRTn:avSH34yirwBphMmvohwlRTKysIzgdRn

Score

10^/10

octo banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://7bb13903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://4b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://34b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://64b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://74b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://894b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139030754567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139033074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b641553903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

DES_key

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral3/files/fstream-3.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.makethewf/code_cache/secondary-dexes/1731621713065_classes.dex	4440	com.makethewf
/data/user/0/com.makethewf/code_cache/secondary-dexes/1731621713065_classes.dex	4440	com.makethewf

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.makethewf
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.makethewf

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.makethewf

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.makethewf

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.makethewf
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.makethewf
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.makethewf
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.makethewf

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.makethewf

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.makethewf

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.makethewf

Requests modifying system settings. 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.makethewf

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.makethewf

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.makethewf

com.makethewf
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4440

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.makethewf/cache/classes.dex

Filesize
446KB

MD5
01f6fed89a97a1e39432a603ffe63975

SHA1
604740d9a5a86c4bceb941235c3f85c6079913e4

SHA256
d5522c6b6b2f7ab7ab9e308cd1d3a840a76427c37247d440e7e7f81f50311c53

SHA512
e9b5b4b83c855756355424878e1424a2b5ca6102068da888f4ce0e221526520042af8cce7b23456fd82bef2cc3b0ce1f11b2fa2f881a73486f2656618058cc3e

Download Submit
/data/data/com.makethewf/code_cache/secondary-dexes/1731621713065_classes.dex

Filesize
1.1MB

MD5
6a360f83c4740ebe81669374cc3ea8dd

SHA1
fa6a35efd9e07d6219f4c2cb9fcbcaa35bddef73

SHA256
21908aa9f33ba304c396844ebfadb8509db79c95f6eb57925c16435756e96f67

SHA512
5d446977219560df2d12782708af96c7b9d90585a079622cead0bcb9255aa3d64d3240a7954f0080f5eaa406813e6e5bffa64d020daf099b1c85005c88664cea

Download Submit
/data/data/com.makethewf/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

Filesize
8B

MD5
70ffb1689cf72d9e1c460b9f9236ecc3

SHA1
ab9bd15564e6af418f3fcba3928c040af8f50add

SHA256
67e003f3ee10033f216789b85e25d3a2827a92d4ca071d9f481896c5901e500d

SHA512
11dac31a0ac91d5b5ac9509f83df38a8ff91305358ea08242d91584ccf4fd34963d3fe3169618b7dd01dc3fce4f187119924374d58d6397300973087b540d244

Download Submit
/data/data/com.makethewf/no_backup/androidx.work.workdb

Filesize
4KB

MD5
7e858c4054eb00fcddc653a04e5cd1c6

SHA1
2e056bf31a8d78df136f02a62afeeca77f4faccf

SHA256
9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

SHA512
d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

Download Submit
/data/data/com.makethewf/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
0ab505464de75869c20ebfc99f194017

SHA1
32e7247d4c00dcf43d60f67b8372285da6e92a88

SHA256
5e660cb44ea89181db61c741387aee5b7f297baa2203f085d7f9275e541c5477

SHA512
705c51811616fcf48c30ee445f972f7187e8342457f79ac1bc6a9fcb1754c0e4924a146620e31271b0ee5931fa550926252f380f501cd5ba6902cace1a519741

Download Submit
/data/data/com.makethewf/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.makethewf/no_backup/androidx.work.workdb-wal

Filesize
169KB

MD5
c4ee858fc9877e54b16a1d2ca2d24515

SHA1
3b98f53c02f283f2abc527878c1f794680d52106

SHA256
75a34cc418354ee1919d07de3e0e5d4e6ebe3de85a285de5696bc04a266113af

SHA512
dced5c63999b5cdb95e65bb1963314790f8f9d4cbeb94466da7020f797020027239bae2ccb81373d784870f1ae3e5c5589c24d3f3d34cd6d4c42642ba61517c5

Download Submit
/data/data/com.makethewf/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
74c6ba631a4dae29d0113f3040021a51

SHA1
864b6f8b54b003046a573d3bdb959c46d68479a2

SHA256
5a1cd9ea13348c64f748089e4336c6da1aa5d80c36998d24787a231286cc9bc0

SHA512
b01883647589f1829f2675c7fa2f46bac0f2c79a00b35010fd405961065b72df9bb764aea8000eb2911300db1b0c58337bf5d6c6c519c64e55b8e21c640f8573

Download Submit
/data/data/com.makethewf/no_backup/androidx.work.workdb-wal

Filesize
116KB

MD5
c7f2d92c2dc56f41b65d0da9850270ba

SHA1
c3824416de64402f7f7092b8a418fe6cfb358ccd

SHA256
d3332c17495a9784a789f86dc49fea72016dd6d3678b32eb750a658f9923c624

SHA512
4d6395259b9a5def7c0e3ef809d8a1022f998852259642c038e6908e3fc9fde0e45f57468449bec8116459668c25c87729c065cecfa5f8aef2354669001c4d9e

Download Submit
/data/misc/profiles/cur/0/com.makethewf/primary.prof

Filesize
110B

MD5
760dfd318260d54060596ce4f24e5043

SHA1
3909840c95862e9f510242aba7396edd345f7822

SHA256
90df3a485ab231ef5982a0241d73b0acd6ad5e5722463cba8fdd3ddbb5330e48

SHA512
41c9de713b7d97b46b0493787542f6a839e4aa807f9a036378e928794758771516fbfe1c5463b71cd5917fa20f638046483ee6515f608a9bcf8bcebfa319c7b7

Download Submit
/data/misc/profiles/cur/0/com.makethewf/primary.prof

Filesize
25B

MD5
b9d9e0f8902d129e1aeebff0ae7b725b

SHA1
cb0d2b4c9dd60a5c1fc6261fb581bcd3416fe781

SHA256
25a822139d06016af8be1296c0242b60e35074f94c713e03323636be1162ce91

SHA512
f158a9dc753e0cb41f71a98714ff02198c576bacdd792a6153fdaf6f9a7b52d8cfb6d09099a269d0c1b0d31e2ea5a307ea1db85115bdc6797887a6de36d597f6

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads