octo | a082de209475ef2eaee9a5db5ec329dcc67880f1bf3a98a27f3fb18035855c59

Analysis

max time kernel
149s
max time network
130s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
01/12/2024, 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a082de209475ef2eaee9a5db5ec329dcc67880f1bf3a98a27f3fb18035855c59.apk
Size

2.2MB
MD5

fca8afc4fa61d0ab38e5545cad57f563
SHA1

f2e730b4bfb3a6bc0885898fa326f43750ca96f0
SHA256

a082de209475ef2eaee9a5db5ec329dcc67880f1bf3a98a27f3fb18035855c59
SHA512

5a6f38d3871288417691ca86b00ff794a2735d08fdaad2789a3a01e0fd2d75899e1306879d22f0bd8b360d8a2622713d8ee42ae122c568c8ce1194ccb5f59fda
SSDEEP

49152:QCLOayuJ7Uz0AT7z+p6axJY5RhSoIGPxTUFRlWRZFbUEOWsf0VNrnA:QYOadU3zn5RhSotPQ+MEOW+KrnA

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://20hffqm13hac.top/MTU2OWE0NzJjNGY5/

https://4lmmw85977x2.xyz/MTU2OWE0NzJjNGY5/

https://kirijdnka15ca.pro/MTU2OWE0NzJjNGY5/

rc4.plain

Extracted

Family

octo

https://20hffqm13hac.top/MTU2OWE0NzJjNGY5/

https://4lmmw85977x2.xyz/MTU2OWE0NzJjNGY5/

https://kirijdnka15ca.pro/MTU2OWE0NzJjNGY5/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4244	com.wasrule22

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.wasrule22/app_DynamicOptDex/qC.json	4271	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wasrule22/app_DynamicOptDex/qC.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.wasrule22/app_DynamicOptDex/oat/x86/qC.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.wasrule22/app_DynamicOptDex/qC.json	4244	com.wasrule22
/data/user/0/com.wasrule22/cache/zungpipkbm	4244	com.wasrule22
/data/user/0/com.wasrule22/cache/zungpipkbm	4244	com.wasrule22

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.wasrule22
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.wasrule22

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.wasrule22

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.wasrule22

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.wasrule22
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.wasrule22

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.wasrule22

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.wasrule22

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.wasrule22

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.wasrule22

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.wasrule22

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.wasrule22

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.wasrule22

com.wasrule22
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4244
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wasrule22/app_DynamicOptDex/qC.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.wasrule22/app_DynamicOptDex/oat/x86/qC.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4271

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.wasrule22/app_DynamicOptDex/qC.json

Filesize
2KB

MD5
71a4c70d07030b607bb957c9824828dc

SHA1
7d63ac1f9e1fdb19db5823f7baaca634b8ec35db

SHA256
4514bf15c6e733ea29fc773b2db13eb54f82338c1e121e10fac66c20a204c1bd

SHA512
5a55b5a550595ffc042a2478c898b5ce53c2d589a1ec9ecd3a03bcabf9dca05a84c6d3a80de62889289f88b6325d18041770e010f6e5816a4bfd7709f0d2eef7

Download Submit
/data/data/com.wasrule22/app_DynamicOptDex/qC.json

Filesize
2KB

MD5
0eb8a8208d3cdcdda133f9a7cc067c11

SHA1
83fa9eab04cb49cc097bff09ba835e826b62a993

SHA256
9f0a408ae23f4d289fee6d01769e0ad129a78ae4f37c22c5000ee0b05958326d

SHA512
e1e6f1dba046284a60eb35243292aeacc78c93e3176c1f34cfda4ac9b71025d54afbeef7cedfceb896910064d2a102ee944e517d114ae034fe7c93774b619632

Download Submit
/data/data/com.wasrule22/cache/oat/zungpipkbm.cur.prof

Filesize
490B

MD5
1cdccfc9bc20e2a7cb447b764b4145dd

SHA1
f4b0ad56c3f1351b69ffdb3142d7c145238b1c9a

SHA256
10355814ad16bfbe5c4a073e8da1a9993e98cbbc76f9b84ba1084ee0bbe3f4ef

SHA512
e4636c972e0f08b84c0b87dc64dca69e66d41269a99ccab0513b1289a14814b2d37eb2f38761a225d7b51046e641cffe52729722e45da29c49ccb26751d4e566

Download Submit
/data/data/com.wasrule22/cache/zungpipkbm

Filesize
457KB

MD5
b580a346c06ae2785f2a73dfdc5d6477

SHA1
6772605b46b9b123a423b1517ea729283744b107

SHA256
ba3b4ebb8588e957b28e98bc5051e4e0a167ab23545f91ae8a88af0176a4ecd4

SHA512
13d3f2290a1472d23805411da01080ff4af5dc5f94e4503efca3eb43934dbde286fcae34c3586beaaca443ceb75044fdd6bbabb0f5bbd18877d43e9b51216186

Download Submit
/data/data/com.wasrule22/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.wasrule22/kl.txt

Filesize
230B

MD5
d7e4a043d731f118c2dab88160ce1980

SHA1
e7533597ab773eafd7362b529de44dffb53f9f75

SHA256
4e3e6299e502a675939019517adc916b3e96aca469343b68c5b313977cbd60ee

SHA512
55f45bdaa4967976c85d2ace1aa7c9674ecd9760c7eebefbb0a279db0c3858676be50ae7b4753030804540fcb81a5c41882f7a67a158d84dec480e31b3127950

Download Submit
/data/data/com.wasrule22/kl.txt

Filesize
63B

MD5
394f9470f1cfe132a107f039fe299523

SHA1
7099df828711ec38ae41592c640d1f3bd266b822

SHA256
975cba082c3fd4cf4bfed9f5052b16fc19bffc3a7a96961fbeead9dc3b68dbc8

SHA512
be00a1922b177fb8da6e21ac08dedb9ce16bcb406dfb808a7d826e8a934427c1fbe6ae5a3d48b0d6eae8baf47b8c6f1f54033fa5039615f0aa41aabf60d41b1d

Download Submit
/data/data/com.wasrule22/kl.txt

Filesize
54B

MD5
6a16f2eae52ace92fadb693117ce917b

SHA1
20c17c664af95c4ecb93d466cb1e22febee78c3f

SHA256
4768cd9fc8b021a6edb4f8b3ef8fbc6e5ec46b46787575fd79aa972b18b55af4

SHA512
176a3e9a32ccbbce9de71f5f13421879831b9c1c9a35d7c6b1b3986167b490fbacd40e5583a3fc059d4ebfc2c513d7ded64de1081854dfd14fc4b9e5e067c772

Download Submit
/data/data/com.wasrule22/kl.txt

Filesize
423B

MD5
385be28f27b00234d261e70ba0c3c19a

SHA1
577a48bf78589ce8a78bc367ca976ae1bc42c6c3

SHA256
2a01807899e938e7b30040572d4b03f832fbcfb46bfe00f28663153fcff43a18

SHA512
c35c59cf8c14cfc081d753ce13544147021031a9ce0df512cf9dbf61112f133c43f269484bac342fb95635cbf83a18ec020680809fb0257f01ca4ad52b5f41af

Download Submit
/data/user/0/com.wasrule22/app_DynamicOptDex/qC.json

Filesize
6KB

MD5
0e1b47f31fa7d7b483b3207c1d9bb97d

SHA1
82e3579c492f3e264deb7a689ae3fecc468d33d9

SHA256
901aeb12f2df26fef27ae108e48797317c4619116ba8396aa2e60317cb5f9404

SHA512
76c3f103634b5ff31a7791def0e4522b3cbc2bd42cf9ac5d0b450e813296e32ae7fd5a53544911233b83d6ac8768c470c74a9100bc9f753b9523597b5823f8ab

Download Submit
/data/user/0/com.wasrule22/app_DynamicOptDex/qC.json

Filesize
6KB

MD5
8b51b47080844133ced1fe1f7ba3cccf

SHA1
45fb88b67edf515aa9c170a0741ca62a6e514b2e

SHA256
928ad0d4d81f5fcb707c0492a619062b5fc33038614b7fc23d6cfad8561685bc

SHA512
60400b390df687431831b2e128c3a24713e9b9de82cf4e46546d3d7ce4334dd45bd1744cea85c0c5a0297802f7e8e7aab92303b9abd599608c2f6851d55c6e7a

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads