octo | 000e1154e43775f66d21293c18fefe158c9c65a775a5466d70cbb94a8c2a5b40

Analysis

max time kernel
149s
max time network
153s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
09-12-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

000e1154e43775f66d21293c18fefe158c9c65a775a5466d70cbb94a8c2a5b40.apk
Size

2.4MB
MD5

c8c9c3ca4b0ceb2ab394b3b2156bd4ba
SHA1

e057780fd8879d35b385769f34700d261e66860d
SHA256

000e1154e43775f66d21293c18fefe158c9c65a775a5466d70cbb94a8c2a5b40
SHA512

15088e9964ecf1cb813d5ed28f3e8e41dcdfd710302240dd40e64624c42a856aa118bd16cdc07aff109f6c77fe97dd8bcfe79e74b1f053bc8bec0d85df3f6863
SSDEEP

49152:fb7dO72zzmlgaV0lOvWyrLAnEb6GdYY/z2+ZwAVNMitvEIV8e:/Y2z6gaq0vFvl6GuYrP+Srj+e

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://934437453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://88237453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://662333981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://96255553981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://28237453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://162333981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://26255553981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

rc4.plain

Extracted

Family

octo

https://934437453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://88237453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://662333981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://96255553981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://28237453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://162333981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://26255553981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://934437453981d0595033c23.com/MzQ3NjU5NDBhMjNj/

https://7894437453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://8774437453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://5564237453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://661544537453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.twopaperjnqm/cache/olsllzmgwzobixs	4926	com.twopaperjnqm
/data/user/0/com.twopaperjnqm/cache/olsllzmgwzobixs	4926	com.twopaperjnqm

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.twopaperjnqm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.twopaperjnqm

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.twopaperjnqm

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.twopaperjnqm

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.twopaperjnqm

Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.twopaperjnqm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.twopaperjnqm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.twopaperjnqm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.twopaperjnqm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.twopaperjnqm

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.twopaperjnqm

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.twopaperjnqm

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.twopaperjnqm

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.twopaperjnqm

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.twopaperjnqm

com.twopaperjnqm
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4926

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.twopaperjnqm/cache/oat/olsllzmgwzobixs.cur.prof

Filesize
516B

MD5
814aac7cf801696790a1d11e23d41b16

SHA1
16c68e0dafda0b959a40e670ec726f4cb19fdd07

SHA256
480fb15e48dc40da91a86c1f66bb488a55bf28a00e1c0bdf3907e6c423b06cd3

SHA512
6b1ea05b78967577b96bbc553be7debe4c3eca6deac66eeed0f5df73a5a8d1eb31e5c258d0ec244a5c597f7492688d9b1cda5765bacdefef3c70bf6113e8ce11

Download Submit
/data/data/com.twopaperjnqm/cache/olsllzmgwzobixs

Filesize
2.3MB

MD5
080c1770c31c4de7ea7d39c72548a76d

SHA1
a66be31ee38bfe156543f87bb648f7b97857a525

SHA256
224e383e499ce025824c4f5eabf892fea7a2c4a2733493c64cbe1a92b4fe52ee

SHA512
b0ee4b5dc77be555a0b5809503fdf17c733ce48f6c9e75120e11e045985fae02d138a5a8b8d8008cd132b3f704daae94767e4cfa0336a10de13538cfcfb00c65

Download Submit
/data/data/com.twopaperjnqm/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.twopaperjnqm/kl.txt

Filesize
230B

MD5
fc380376c01fbcfe6f39d629e30e9fb4

SHA1
7b54028a88c2fb43b31c21a9dbc2313402daf8b3

SHA256
2a08f74e9232802c0ac8b970a47e542297d9310b7b62954fe5f7ff5b813dc75f

SHA512
abcb02f69bf555669656de42afa3c8300146e0c2b0a99a1f5dc2e3017f61792f524e02c57ecbfe95f0778c6c088ffc2018953e128d4b272d5ad52a0a61bafd24

Download Submit
/data/data/com.twopaperjnqm/kl.txt

Filesize
63B

MD5
15a976b9798a5bf7199eedd415d30740

SHA1
f8a2447550dbee0a5e562ccf91e4be979a58ce26

SHA256
419ca69b550a0a86c93f7b051cefbd389d266a65c049cb0ed86c3f944df6b8ba

SHA512
cd2b42ebc57b54dc1580ef1cd1b2d4604468e1b07e091ee95772580ef3ebaab61191258f0d5d9c290763ec14a37b4ca3f80f14eddbf5777f3446932c7dd6d279

Download Submit
/data/data/com.twopaperjnqm/kl.txt

Filesize
66B

MD5
bf6be3da0d0c8e73874f8593f0e5dcfe

SHA1
fa5f90ab22560c9f2c5198d5fca48b0a7035eb8f

SHA256
372c2c222324a0aae2acd96dd8e2a18c42a257048b498e90da064d28a3f5a43b

SHA512
49b1f6ddb9a1a02d17a503066c4955f93ff7da88d7234818b5e79af7a447c8d674f9d2b5f9b5cf386b5af5297d9dd36cf9543d90bf038fa60c7e8141fb7aecb6

Download Submit
/data/data/com.twopaperjnqm/kl.txt

Filesize
84B

MD5
d812d6007ab9ec0558a449fccc1841b3

SHA1
167d7410579cd4314d211e74e3e1a0448c29f995

SHA256
0db0e054dad742ac6799a5cf2d0797b1e6dda7ec7f0b763d2aa584453083cdf3

SHA512
7f1a74027a44a957a25ac2a89c08f7e16e2fab354fd5b686e435b2212fa09c97aa87e761302c6b608a843e938cd0f34a3c10995e8db67d21b6e97d7eb8946a1d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads