octo | 1e679e0c82fab49ca5ea553d438a0ab64aa38d1459dbce9267dedc9f4aa97d76

Analysis

max time kernel
149s
max time network
152s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
09-12-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e679e0c82fab49ca5ea553d438a0ab64aa38d1459dbce9267dedc9f4aa97d76.apk
Size

2.4MB
MD5

9ea45f81ad333a3507c87e6670d6e96c
SHA1

36b7c2f50f371b3e4b1a6a55e91a7d414483e70b
SHA256

1e679e0c82fab49ca5ea553d438a0ab64aa38d1459dbce9267dedc9f4aa97d76
SHA512

c2403c3dd2c4b1af3d09ca837a02ab213f9c5e3f91fc318dd40bd6a79a0688aa5c14e9967a0d2a4ba54c5bf54153ff766aec692a77e132547c6d9856c197b11b
SSDEEP

49152:jO1UilpXgVrT7F8YNHxsL69IzyY7WbvLdac548vSPpRnYJh/Ob:eFglxxRiWLJac9vQ8Jh/Ob

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://934437453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://88237453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://662333981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://96255553981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://28237453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://162333981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://26255553981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

rc4.plain

Extracted

Family

octo

https://934437453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://88237453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://662333981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://96255553981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://28237453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://162333981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://26255553981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://934437453981d0595033c23.com/MzQ3NjU5NDBhMjNj/

https://7894437453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://8774437453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://5564237453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://661544537453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.muchplace47/cache/atllfz	4263	com.muchplace47
/data/user/0/com.muchplace47/cache/atllfz	4263	com.muchplace47

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.muchplace47
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.muchplace47

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.muchplace47

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.muchplace47

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.muchplace47
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.muchplace47
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.muchplace47
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.muchplace47

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.muchplace47

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.muchplace47

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.muchplace47

Requests modifying system settings. 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.muchplace47

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.muchplace47

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.muchplace47

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.muchplace47

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.muchplace47

com.muchplace47
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4263

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.muchplace47/cache/atllfz

Filesize
2.3MB

MD5
a04906b477f439d7ff65c23d5a7a92f1

SHA1
35291ce77785f708d11e390339d587083d1ae2ce

SHA256
88219b3c8bb7d06b9dcc84c2a5f7dbe412e4ccd6ce53ff7c8a66c7d085616315

SHA512
6348fa8b1d65b18351cf9ccd077b7d7d7f75030bc4d7ccf2b4261967ca21145456e37360e0729bcaf03155049c7bcc034d06f45cc7b19c4e03fa3d733d159761

Download Submit
/data/data/com.muchplace47/cache/oat/atllfz.cur.prof

Filesize
532B

MD5
9d747270e30509e2521296c8659e26c4

SHA1
8b8236c5e13749575393319c723b735a0a18fc47

SHA256
e29c1c8a03de3c608f5a45d0427ea936b6f3f8170cebab2d4583938ee96c0e5a

SHA512
b7af12fcdcb950358da1dad4412cf0c57b543647cd87f0b31fc21383ad80999a1b4d70bc98d172b231ce54221a968f1c476d6abb2c04cfe3db680ee7e0afd0ce

Download Submit
/data/data/com.muchplace47/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.muchplace47/kl.txt

Filesize
230B

MD5
5cf60b64f3124830d8ceb89276837e3e

SHA1
15b7cb43f0166b722855ae54444b3991e0ff8b1e

SHA256
58e86e2890ef76df1d5c9e0cca5a309ad8c3d8d06944484ca7896821be7b520c

SHA512
08a2552608845302d121e43d284e78474536395a04d327c6faf8fb203f68fff7d48e1058883c045c9e168d1fc49f08ab3a6c95d4b177de6fe86d558847d806a9

Download Submit
/data/data/com.muchplace47/kl.txt

Filesize
54B

MD5
1e5450cb208bc7662dd789cb9495ad4d

SHA1
d07a76470d68fc862c00f03d050b07a2356ba76e

SHA256
d1df3e2f407e7be85f0529cf82d08445c9491959616e8b705764e6c088cfd390

SHA512
5a4364c5c4f2c7ba682acc24933b90de13866fdecdda7df61dc2c02cd1cd146482c26eeed728f735bbf535c20a453a46e52c373eb97852989b78c22a2eb743fa

Download Submit
/data/data/com.muchplace47/kl.txt

Filesize
63B

MD5
f2b5d7989335dc6dc8e31e8f44701d4e

SHA1
632d76dc613837abacde9b37817eb532362c2980

SHA256
9bf7eb609126c1bca1bbf690da32b9c9745727b4edee6b8b92e8bf83a5816898

SHA512
71720bcebb73d40173a088fde877e8c90047d913905611e974c29166b230d805fe9b3d1b2e060b1f9199e70e2165c1ca38d4435cfd3b75655bc4c2482c96f693

Download Submit
/data/data/com.muchplace47/kl.txt

Filesize
423B

MD5
a348800dd58ff7d27eda3a97aaeb16d8

SHA1
e68c7e1418919e50447ce82f737bf8f3c5851679

SHA256
0656932fedd415965e58bfef0cc2b5febf8fdd606a1624efe01cfb4c38d72007

SHA512
42391d0a8cda0b5865bade8cd15373e74c3d65fbaf0cbc29d7cc937bf9a076341a4cc33c2b0f404de2f6ac125e54ed05fc73db204dbd22f579cafe3bc48bbec6

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads