octo | 2f0aa32c38e9f003006134daec95065e57051ccb0dd94cc9aa49d9f800a702b0

Analysis

max time kernel
149s
max time network
153s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
18-11-2024 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f0aa32c38e9f003006134daec95065e57051ccb0dd94cc9aa49d9f800a702b0.apk
Size

541KB
MD5

17ae964fc20b463648c46cc61570f60e
SHA1

d27fe181daa9683613fa89b973ac1a904b0efca5
SHA256

2f0aa32c38e9f003006134daec95065e57051ccb0dd94cc9aa49d9f800a702b0
SHA512

3bc57adbb0b444c59d67ee6649b139a06236114d648040696e8ed6934eefb6a81dc7cca070a060e2bcc152c069cefc00ecd526973d99dc97528d43467c4b3b30
SSDEEP

12288:MKDsIxOjGGix9nPk3GudqVTOIDwwBAAMOGchL+ImI:1nOBjdnIbBBFjJJ

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://176.111.174.92/ZTIyNTVmMmE1NzNl/

https://12logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://13logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://14logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://15logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://16logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://17logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://18logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://19logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://20logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://21logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://22logites432532s.xyz/ZTIyNTVmMmE1NzNl/

rc4.plain

Extracted

Family

octo

https://176.111.174.92/ZTIyNTVmMmE1NzNl/

https://12logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://13logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://14logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://15logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://16logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://17logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://18logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://19logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://20logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://21logites432532s.xyz/ZTIyNTVmMmE1NzNl/

https://22logites432532s.xyz/ZTIyNTVmMmE1NzNl/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

Processes:

resource	yara_rule
/data/data/com.facemore72/cache/hdqdrvwhvz	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

com.facemore72

pid process

4255 com.facemore72
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
evasion

Download New Code at Runtime
T1407

Processes:

com.facemore72

ioc pid process

/data/user/0/com.facemore72/cache/hdqdrvwhvz 4255 com.facemore72
/data/user/0/com.facemore72/cache/hdqdrvwhvz 4255 com.facemore72

pid	process
4255	com.facemore72

ioc	pid	process
/data/user/0/com.facemore72/cache/hdqdrvwhvz	4255	com.facemore72
/data/user/0/com.facemore72/cache/hdqdrvwhvz	4255	com.facemore72

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.facemore72

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.facemore72
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.facemore72

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Acquires the wake lock 1 IoCs

Processes:

com.facemore72

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.facemore72
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.facemore72

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.facemore72

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.facemore72

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.facemore72

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

Processes:

com.facemore72

ioc	process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.facemore72
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.facemore72
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.facemore72

Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.facemore72

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.facemore72
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
collection credential_access

Access Notifications
T1517

Processes:

com.facemore72

description ioc process

Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.facemore72
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.facemore72

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.facemore72
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.facemore72

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.facemore72
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.facemore72

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.facemore72
Checks CPU information 2 TTPs 1 IoCs

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.facemore72

description ioc process

File opened for read /proc/cpuinfo com.facemore72
Checks memory information 2 TTPs 1 IoCs

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.facemore72

description ioc process

File opened for read /proc/meminfo com.facemore72

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.facemore72

description	ioc	process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.facemore72

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.facemore72

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.facemore72

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.facemore72

description	ioc	process
File opened for read	/proc/cpuinfo	com.facemore72

description	ioc	process
File opened for read	/proc/meminfo	com.facemore72

com.facemore72
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4255

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.facemore72/cache/hdqdrvwhvz

Filesize
450KB

MD5
bd29a237b7c72b7b67623cfbf581a64a

SHA1
c202e95116e1f7a60a1552880a4f67b21249af33

SHA256
865a5e46602897d6988f2d08a8a3d5252120de44677695e3753a195bc37d43f7

SHA512
f608edce40ab4303059ed7b4a7b601df6c74e28ad6d368b240a9605daf6fc7d71f0daed3fe656ff264de293f3bbd7458b9a32b6b489a5d317f51e0326be9ac1a

Download Submit
/data/data/com.facemore72/cache/oat/hdqdrvwhvz.cur.prof

Filesize
488B

MD5
6beeb1af32cf2db7650036ef96571ced

SHA1
ee0cac847b932d2096db6e1652f5b511d0a2d2a1

SHA256
858f1b3300cb6e42a69a48bfd39b78b52c8cae7a368698d66ef2ba4250d84adf

SHA512
89ebe6c11efa692381dc84eb2951b0b2ca1a2ab2eff61143ac766863716dcb4d7cb56f2234b02afc94995d3f7de4c7576c85d47b81f9271a0e005c6cf5ff4505

Download Submit
/data/data/com.facemore72/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.facemore72/kl.txt

Filesize
235B

MD5
3fd7e82b83300e031d33de0e2027a6f0

SHA1
fedd27fddfddba0754c7392150a9ffe4fdf8df02

SHA256
5ac7389a539792278796f1acd89ce99b907848e03d1031b95f23504da054ea1f

SHA512
f239d16e0e7ca8dcf93c5f49521a09eeefb788db5238ed814675ffd7c7927ed4a8d0d1f442bd228a90d668f684d027cd889e0dfb1786a0204083c93992876f83

Download Submit
/data/data/com.facemore72/kl.txt

Filesize
63B

MD5
18937287b9dc4d9d1e8d0ef34665a762

SHA1
48b7dd0e7ff06244673c896a8bb1a9eaefa0761e

SHA256
4d1b50be29bd9beb1303a1015dfc7f4778f230d035289e67bd07d908ba2a0160

SHA512
eed475f09e049be6725fe9f65178566952ab4872d7104d8c40db6ea2da33f48f38c5b725d3c6a7a85afb1b4cc559a28868ea066ce7b47e6693a713ab10a92861

Download Submit
/data/data/com.facemore72/kl.txt

Filesize
54B

MD5
b9fba8e554c3f7c35b6401fa23527ef7

SHA1
4b7615503b4e10c68d329482d9c23d762a2d3b0f

SHA256
2d23cef958b92d318a7f59116eef052307920306522285bcc2bced36a21d4f3d

SHA512
bd0e4531882c148b686965c589649355da28d8be1685ead0555fe515498d7ce56f671449388568ec815f8329504d8af310ca2ed75535ceb365b4cdaf88fea5a6

Download Submit
/data/data/com.facemore72/kl.txt

Filesize
433B

MD5
f29f300c6b98a88ff12f72695e9ad41c

SHA1
b3edda43fcad67d2c9a7ad675d0737ec5c2918fa

SHA256
4b23373bde74025840e2df4bf685ee91ef333b8d6b7337619ba2fa0a2548b95e

SHA512
7479f9cff68a983e3d3535cab2d3f3d027fa54e7a1b7ee8e097f8935e4ff738109af68d13f656572087f0a2913a02872408d07639729e48a671c2e89dc949f99

Download Submit