octo | a082de209475ef2eaee9a5db5ec329dcc67880f1bf3a98a27f3fb18035855c59

Analysis

max time kernel
149s
max time network
132s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
submitted
01/12/2024, 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a082de209475ef2eaee9a5db5ec329dcc67880f1bf3a98a27f3fb18035855c59.apk
Size

2.2MB
MD5

fca8afc4fa61d0ab38e5545cad57f563
SHA1

f2e730b4bfb3a6bc0885898fa326f43750ca96f0
SHA256

a082de209475ef2eaee9a5db5ec329dcc67880f1bf3a98a27f3fb18035855c59
SHA512

5a6f38d3871288417691ca86b00ff794a2735d08fdaad2789a3a01e0fd2d75899e1306879d22f0bd8b360d8a2622713d8ee42ae122c568c8ce1194ccb5f59fda
SSDEEP

49152:QCLOayuJ7Uz0AT7z+p6axJY5RhSoIGPxTUFRlWRZFbUEOWsf0VNrnA:QYOadU3zn5RhSotPQ+MEOW+KrnA

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://20hffqm13hac.top/MTU2OWE0NzJjNGY5/

https://4lmmw85977x2.xyz/MTU2OWE0NzJjNGY5/

https://kirijdnka15ca.pro/MTU2OWE0NzJjNGY5/

rc4.plain

Extracted

Family

octo

https://20hffqm13hac.top/MTU2OWE0NzJjNGY5/

https://4lmmw85977x2.xyz/MTU2OWE0NzJjNGY5/

https://kirijdnka15ca.pro/MTU2OWE0NzJjNGY5/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-3.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.wasrule22/app_DynamicOptDex/qC.json	4339	com.wasrule22
/data/user/0/com.wasrule22/cache/zungpipkbm	4339	com.wasrule22

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.wasrule22
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.wasrule22

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.wasrule22

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.wasrule22

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.wasrule22

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.wasrule22

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.wasrule22

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.wasrule22

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.wasrule22

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.wasrule22

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.wasrule22

com.wasrule22
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4339

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.wasrule22/app_DynamicOptDex/qC.json

Filesize
2KB

MD5
71a4c70d07030b607bb957c9824828dc

SHA1
7d63ac1f9e1fdb19db5823f7baaca634b8ec35db

SHA256
4514bf15c6e733ea29fc773b2db13eb54f82338c1e121e10fac66c20a204c1bd

SHA512
5a55b5a550595ffc042a2478c898b5ce53c2d589a1ec9ecd3a03bcabf9dca05a84c6d3a80de62889289f88b6325d18041770e010f6e5816a4bfd7709f0d2eef7

Download Submit
/data/user/0/com.wasrule22/app_DynamicOptDex/qC.json

Filesize
2KB

MD5
0eb8a8208d3cdcdda133f9a7cc067c11

SHA1
83fa9eab04cb49cc097bff09ba835e826b62a993

SHA256
9f0a408ae23f4d289fee6d01769e0ad129a78ae4f37c22c5000ee0b05958326d

SHA512
e1e6f1dba046284a60eb35243292aeacc78c93e3176c1f34cfda4ac9b71025d54afbeef7cedfceb896910064d2a102ee944e517d114ae034fe7c93774b619632

Download Submit
/data/user/0/com.wasrule22/app_DynamicOptDex/qC.json

Filesize
6KB

MD5
8b51b47080844133ced1fe1f7ba3cccf

SHA1
45fb88b67edf515aa9c170a0741ca62a6e514b2e

SHA256
928ad0d4d81f5fcb707c0492a619062b5fc33038614b7fc23d6cfad8561685bc

SHA512
60400b390df687431831b2e128c3a24713e9b9de82cf4e46546d3d7ce4334dd45bd1744cea85c0c5a0297802f7e8e7aab92303b9abd599608c2f6851d55c6e7a

Download Submit
/data/user/0/com.wasrule22/cache/oat/zungpipkbm.cur.prof

Filesize
418B

MD5
5f58a1e6d628c1ef3aa41db52a337172

SHA1
1c50252c0e93230ff9adc24580804db0a19aca6e

SHA256
f4e3536c70798a89793e749e7000ca8bec453719073acf6ac284221c5e9099ac

SHA512
5a3a1db22a2a55fd713d07b6232f4a69ce7d5af8706c215e91b7727f928b1bc29b6f97fee1a551a4ff1b94e9d4bfaee8fc58a267782dbb20bf7e6906b4024898

Download Submit
/data/user/0/com.wasrule22/cache/zungpipkbm

Filesize
457KB

MD5
b580a346c06ae2785f2a73dfdc5d6477

SHA1
6772605b46b9b123a423b1517ea729283744b107

SHA256
ba3b4ebb8588e957b28e98bc5051e4e0a167ab23545f91ae8a88af0176a4ecd4

SHA512
13d3f2290a1472d23805411da01080ff4af5dc5f94e4503efca3eb43934dbde286fcae34c3586beaaca443ceb75044fdd6bbabb0f5bbd18877d43e9b51216186

Download Submit
/data/user/0/com.wasrule22/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/user/0/com.wasrule22/kl.txt

Filesize
214B

MD5
a36db14eabbb2c1d969b649ee14ea621

SHA1
5ea8e7f056f37b99f6ec04eabe15e90561993ac1

SHA256
b85f871b007d8116d4e577de34ac3868812dde6e6976f0c50d347dd3600d917e

SHA512
802741f895354884e9753dd05bd81a9ffa076bcef5d1cf3b2e85ecef253179e03770951d6e42b344774ba3f90a4fd68df316f5a4542d9125217022db4a13be73

Download Submit
/data/user/0/com.wasrule22/kl.txt

Filesize
61B

MD5
18c3bf70c2e712101bde050935076a6c

SHA1
fe116638619ecd8564f85352d9ccafb83a753ddf

SHA256
1bb5d852fe93e83c6d43c50869eafe32ed1c7aacdd8ce5ccd917581e7932f610

SHA512
167b76981626cd00a9fc78d6c197d272d4de499dea497911c5728297ce051262c91e64439582a8c8bd1e252b572b5a2b3f5149d34ebc04662a9930cc88882ff3

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads