octo | 2f3e9fb3af79aaa80ff46083751d64e7c218eef83047b1413417b3f4fb9f7ddc

Analysis

max time kernel
149s
max time network
151s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
06-12-2024 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f3e9fb3af79aaa80ff46083751d64e7c218eef83047b1413417b3f4fb9f7ddc.apk
Size

2.4MB
MD5

4cbb8e43888b0e5c61aef7406d312dee
SHA1

e2c52c05bc7d56186eb73ead324229ec9de39395
SHA256

2f3e9fb3af79aaa80ff46083751d64e7c218eef83047b1413417b3f4fb9f7ddc
SHA512

62e5e8a8945cf445e04a561dbbbdedf0da38b7619404cad62c50567f23ff13f81ac2ab737aad0ec5692d0ee9cb2cc5a013b717aca594e19b088d6da0c602e2e6
SSDEEP

49152:Xjk3HZVaelSm4KEkBNhrcrBYS0cOuTNYQ1TKHePdqIWoG93CQc:YJVaelBDBNhrmPKHudqSGlxc

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://332237453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://7237453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://62237453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://35237453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://332137453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://34437453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://3637453981d0595033c23.com/N2IzYzFlOTM3MWU3/

rc4.plain

Extracted

Family

octo

https://332237453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://7237453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://62237453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://35237453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://332137453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://34437453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://3637453981d0595033c23.com/N2IzYzFlOTM3MWU3/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.alldrive2/cache/wczxt	4263	com.alldrive2
/data/user/0/com.alldrive2/cache/wczxt	4263	com.alldrive2

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.alldrive2
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.alldrive2

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.alldrive2

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.alldrive2

Performs UI accessibility actions on behalf of the user 1 TTPs 7 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.alldrive2
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.alldrive2
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.alldrive2
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.alldrive2
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.alldrive2
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.alldrive2
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.alldrive2

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.alldrive2

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.alldrive2

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.alldrive2

Requests modifying system settings. 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.alldrive2

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.alldrive2

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.alldrive2

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.alldrive2

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.alldrive2

com.alldrive2
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4263

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.alldrive2/cache/oat/wczxt.cur.prof

Filesize
527B

MD5
eca717f03695ffbf1f7c02d063074a91

SHA1
a7314d1508cac8f012079524a8d0e6e08a314ea3

SHA256
0b67c85ffd6faf3238687bb7e64b6912d70f4b20871b071b68af42e9123fbc64

SHA512
5bb27d9a494ec22258e7d4861bfecd6beca757ffd695f3f89e178852f692f28dd7d77aede0181ec2f14d9c9b0d4e07fe315c0b5b4d02ee2107e904c784d17ce4

Download Submit
/data/data/com.alldrive2/cache/wczxt

Filesize
2.3MB

MD5
a32b913cbd78bf5ce0ad3d08bb1f6e7f

SHA1
8190627ea91e0b6786d5b749597e14e4b78346c0

SHA256
a7ce5edad5b7c1d3ae66cd08468ed3c63a6eddc3c8c4b394b180bee39d46e6c1

SHA512
3f17f83c1e1f9eb9ac8991ce6ddf57da462cfebf3f0868874f3a8cd7875aa900cd92193bdb235e9760e5f0ddfa30aef06fa89391603fce4b0707dd6462efb414

Download Submit
/data/data/com.alldrive2/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.alldrive2/kl.txt

Filesize
237B

MD5
6c165bb3b1b9d5894751a15da2315adc

SHA1
020d9afef4b60749fbb1021c0bb28834e9e9cebf

SHA256
50c64eccaa9351027fe10e34d9ded996ea7dd426ff9881064cc0499919a3243f

SHA512
a9969e49a47e12078040314e1b35052ba0667e1ceb4c23b73703e26a0f01b43d66055c9e586789fd6053441ab5340f9a7f104610c09b5e99906dbd8d821dfd20

Download Submit
/data/data/com.alldrive2/kl.txt

Filesize
63B

MD5
542acfd61a237b57b2223bf8709bf156

SHA1
0edb580f0df4ff6be3a9c57e4bec39b4e0d53335

SHA256
412aca913f9a694cbf4ac748051d2d6de7b5b1147f548b8f5eab0df64295e94a

SHA512
847b4c7636326c59adc5ff0108bc894edd3033cfb6f81db5d3282ab8ea0e29323c02a503e29d36d9f65db40757240f7c47e805a49c13bf85fc55566fcded063c

Download Submit
/data/data/com.alldrive2/kl.txt

Filesize
54B

MD5
2dee82d91326f4557de93b8e406aaed1

SHA1
ae8fd6ffefdf902175c6c224f6c7b7e5a1092d2f

SHA256
1b5944105bcb2e2ec24872c695b7d4d058ba41ff9b684c38e68fc85d1fc5ab37

SHA512
8731eef3c57e61bb0b1f17a65087ccccd3a046b2dab9e9587e7c4113917db24399e2047b1721287366938267401d7ab2addbb4d1f9811616a752580006ad9f84

Download Submit
/data/data/com.alldrive2/kl.txt

Filesize
437B

MD5
78cbe3b7d0ffc8d7a53f3ebc6811c92c

SHA1
7d0fa07cffcc4611d9bb5cd8ad5847cdf96b701e

SHA256
9b59efb6bf465c1d3ea94cb43ba34a97bc75218b9735cf6a0959f766e56cd496

SHA512
4a29f964507581681c443a5eecfc6078fa04643951444348ca04f993ea4185e7a99fda98d9aeb87319630634dd5e8a99578dd19fe4056048153f3b384443f265

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads