octo | 2f3e9fb3af79aaa80ff46083751d64e7c218eef83047b1413417b3f4fb9f7ddc

Analysis

max time kernel
149s
max time network
156s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
submitted
06-12-2024 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f3e9fb3af79aaa80ff46083751d64e7c218eef83047b1413417b3f4fb9f7ddc.apk
Size

2.4MB
MD5

4cbb8e43888b0e5c61aef7406d312dee
SHA1

e2c52c05bc7d56186eb73ead324229ec9de39395
SHA256

2f3e9fb3af79aaa80ff46083751d64e7c218eef83047b1413417b3f4fb9f7ddc
SHA512

62e5e8a8945cf445e04a561dbbbdedf0da38b7619404cad62c50567f23ff13f81ac2ab737aad0ec5692d0ee9cb2cc5a013b717aca594e19b088d6da0c602e2e6
SSDEEP

49152:Xjk3HZVaelSm4KEkBNhrcrBYS0cOuTNYQ1TKHePdqIWoG93CQc:YJVaelBDBNhrmPKHudqSGlxc

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://332237453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://7237453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://62237453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://35237453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://332137453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://34437453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://3637453981d0595033c23.com/N2IzYzFlOTM3MWU3/

rc4.plain

Extracted

Family

octo

https://332237453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://7237453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://62237453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://35237453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://332137453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://34437453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://3637453981d0595033c23.com/N2IzYzFlOTM3MWU3/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.alldrive2/cache/wczxt	4307	com.alldrive2

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.alldrive2
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.alldrive2

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.alldrive2

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.alldrive2

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.alldrive2

Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.alldrive2
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.alldrive2
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.alldrive2
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.alldrive2
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.alldrive2

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.alldrive2

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.alldrive2

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.alldrive2

Requests modifying system settings. 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.alldrive2

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.alldrive2

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.alldrive2

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.alldrive2

com.alldrive2
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4307

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.alldrive2/cache/oat/wczxt.cur.prof

Filesize
441B

MD5
7a679febca1447ee9eea9fb1ada1aa0f

SHA1
853ceb62065731bb5a061bb8cbbde16d9b026805

SHA256
ec0eac19e1844598f986c250a87f9639dd64b0416def1839ff64d4df022edcaa

SHA512
79aa5ad1eb0c28c8a3504cf761db553a58182554ab61d393ca6289d242f9b714a789efbe90fd61193427a548daa47e5ebe4ad730e48bfe83e77d8a6539914b52

Download Submit
/data/data/com.alldrive2/cache/wczxt

Filesize
2.3MB

MD5
a32b913cbd78bf5ce0ad3d08bb1f6e7f

SHA1
8190627ea91e0b6786d5b749597e14e4b78346c0

SHA256
a7ce5edad5b7c1d3ae66cd08468ed3c63a6eddc3c8c4b394b180bee39d46e6c1

SHA512
3f17f83c1e1f9eb9ac8991ce6ddf57da462cfebf3f0868874f3a8cd7875aa900cd92193bdb235e9760e5f0ddfa30aef06fa89391603fce4b0707dd6462efb414

Download Submit
/data/data/com.alldrive2/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.alldrive2/kl.txt

Filesize
221B

MD5
a12a42d9806b97c2f382cda32f49070e

SHA1
466879ff1715dc56388ca70265f3887a5f3a850a

SHA256
0780dcda0c56f6cb81e706aefd174a9754bd9829150290f1ca034d21d9932bb7

SHA512
26c9140c6daddf4425fb32e5d3dd33245d2748c71bdb91d754d8c2f66f5c2aff649484d1b1b08e89dd7c6f0f243cf0ea986c43f81f9e95b9dcd29af24d5b2c7d

Download Submit
/data/data/com.alldrive2/kl.txt

Filesize
52B

MD5
c34f4e5d637d441b90fe6eb81ed82336

SHA1
727c93bfac1adc81d6867960d1b8676115c0816c

SHA256
71dcd31cfdea49eeef01e5e125ca57957330c5ed2dc8eba3ca3c0b4d88a1eddd

SHA512
ee7b50c630472eb7d584fa9b8871e7e7d14a3dd134e50417d84c402c1596a981731b2c051a94a3b1b0cbb6b5d9f1d368accaebb0b69f37e4075b0f4853921830

Download Submit
/data/data/com.alldrive2/kl.txt

Filesize
70B

MD5
880dab14c2f8343bd96013db920e9d5b

SHA1
8371a6652bb0232d6aef07e61b7510897dcaf052

SHA256
37c368af7b5bc99a0d9095b720422d5c15384a52586dfe7dc2e5656126a29cc4

SHA512
525f67ff575277dab95b1a43635aa49a15dc74b6343842ff0c871c2bd9c2f3e62b9ca944198ccb5b53a74b2bba8bdf2ff2cb6d05630f7263af4c61e17150c149

Download Submit
/data/data/com.alldrive2/kl.txt

Filesize
504B

MD5
005a4029ead60206e9a7a1bbce66699a

SHA1
b8eda427e1dbb75ba44e8515d554f9b1e3dd21a2

SHA256
d12463e5149347a515ff03fde48aaa54350b3ae52f01b049d1746d6b8ae1e288

SHA512
845a0aa034880c7ee3935e6b67467d208038d8cea96486324051a19c46eeacfbf1b389ffd8827e13c2b59c6b66d96fd03f1be07343a046bd5c55500c7c6bc706

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads