octo | 1e679e0c82fab49ca5ea553d438a0ab64aa38d1459dbce9267dedc9f4aa97d76

Analysis

max time kernel
148s
max time network
152s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
09-12-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e679e0c82fab49ca5ea553d438a0ab64aa38d1459dbce9267dedc9f4aa97d76.apk
Size

2.4MB
MD5

9ea45f81ad333a3507c87e6670d6e96c
SHA1

36b7c2f50f371b3e4b1a6a55e91a7d414483e70b
SHA256

1e679e0c82fab49ca5ea553d438a0ab64aa38d1459dbce9267dedc9f4aa97d76
SHA512

c2403c3dd2c4b1af3d09ca837a02ab213f9c5e3f91fc318dd40bd6a79a0688aa5c14e9967a0d2a4ba54c5bf54153ff766aec692a77e132547c6d9856c197b11b
SSDEEP

49152:jO1UilpXgVrT7F8YNHxsL69IzyY7WbvLdac548vSPpRnYJh/Ob:eFglxxRiWLJac9vQ8Jh/Ob

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://934437453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://88237453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://662333981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://96255553981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://28237453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://162333981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://26255553981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

rc4.plain

Extracted

Family

octo

https://934437453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://88237453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://662333981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://96255553981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://28237453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://162333981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://26255553981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://934437453981d0595033c23.com/MzQ3NjU5NDBhMjNj/

https://7894437453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://8774437453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://5564237453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://661544537453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.muchplace47/cache/atllfz	4788	com.muchplace47
/data/user/0/com.muchplace47/cache/atllfz	4788	com.muchplace47

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.muchplace47
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.muchplace47

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.muchplace47

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.muchplace47

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.muchplace47

Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.muchplace47
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.muchplace47
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.muchplace47
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.muchplace47
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.muchplace47
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.muchplace47
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.muchplace47
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.muchplace47

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.muchplace47

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.muchplace47

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.muchplace47

Requests modifying system settings. 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.muchplace47

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.muchplace47

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.muchplace47

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.muchplace47

com.muchplace47
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4788

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.muchplace47/cache/atllfz

Filesize
2.3MB

MD5
a04906b477f439d7ff65c23d5a7a92f1

SHA1
35291ce77785f708d11e390339d587083d1ae2ce

SHA256
88219b3c8bb7d06b9dcc84c2a5f7dbe412e4ccd6ce53ff7c8a66c7d085616315

SHA512
6348fa8b1d65b18351cf9ccd077b7d7d7f75030bc4d7ccf2b4261967ca21145456e37360e0729bcaf03155049c7bcc034d06f45cc7b19c4e03fa3d733d159761

Download Submit
/data/data/com.muchplace47/cache/oat/atllfz.cur.prof

Filesize
388B

MD5
7b37aab04882f0db387ff5ada90ce45d

SHA1
a5375c816308284b12d96118e9b1552a864f7779

SHA256
6a8e150f3ed4dbb539d6c489ee3d602eeeffbedfcefe0897720ec65309725771

SHA512
f13685719b999ea5c3214e05b9e8470e325e57a93dee5d6892a404610983a746107af64482c7753e1d169ac43604cae372aca27f08383139d1ced10480f0daab

Download Submit
/data/data/com.muchplace47/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.muchplace47/kl.txt

Filesize
230B

MD5
dadd41b5b62367c1a7b031c5aa8667f4

SHA1
2f1fc7d040b563bd9096474072d0743d1ef92f56

SHA256
17a93297f38a2ba3dd070f606f28e85d68c7cbc86b85df1a1c5b07b1f394b05d

SHA512
6798177827b10f551cd7f0da77f8f9f732a2b7d330a7a7ce4687f88ddbf240ca9546a8e594d4a0136eba601b028847a8df54d88c3a0f50614671fcef0e85701d

Download Submit
/data/data/com.muchplace47/kl.txt

Filesize
63B

MD5
d71c6a5969ab9d30ef776919c2ff3c1d

SHA1
b712564c819064aff591d90b0d93e62913c34930

SHA256
6ab5f39e16ccfe65e74625c50b9a5e6759bd7899ad1a9843f3d5d7416bf81096

SHA512
8e3d595b87dd903d0de315ba0628aaa0779e2121037dd687b8f30a27e3b59eb71c050416c0f5e0b80b510c89543fdb3724c9e032d121e11213205064e4f9c681

Download Submit
/data/data/com.muchplace47/kl.txt

Filesize
45B

MD5
f0b15631c0a05874107077122c74fd08

SHA1
e991b89f30d67cfa9329e3d603d3b6f43b799273

SHA256
40aa03c5539c6ce53c479f969030680969f3ba8fdcf938591f6e9c0dd9ad1ba6

SHA512
5581efe18bba825fefe031fea3dd391662b88424671bc66dccf41647ed7389dc8147f4c31ee6f465e858af9b52d0da7360fa0c7e3d8516298d7160491c61141d

Download Submit
/data/data/com.muchplace47/kl.txt

Filesize
466B

MD5
b7bb098499df915296089c3f217b6251

SHA1
732ddb862edae18b75e0ef0a7d1dac9e20a9bb6e

SHA256
39510f33bc212b14a003e091847a51ac708470c5e93777cda902872e2ea827ee

SHA512
9cca3607231913a002c335ede9145d868eb36c320d8a41ad11342901dcc057e7bfb3b5d3fe7356d44211a1f886f345e9d2f708500437f13b9d412c99b342df67

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads