octo | 7b142300dfad84ccf3e6c615ca6c8857dd0e0cdf4bf042a88b6c16dbb6e92cfc

Analysis

max time kernel
153s
max time network
157s
platform
android_x64
resource
android-x64-20240221-en
resource tags

androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system
submitted
10-04-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b142300dfad84ccf3e6c615ca6c8857dd0e0cdf4bf042a88b6c16dbb6e92cfc.apk
Size

184KB
MD5

f82f541faf44125d7749caa6ce271470
SHA1

7c8ac231edfc1432b219cd7c94410908e66446f8
SHA256

7b142300dfad84ccf3e6c615ca6c8857dd0e0cdf4bf042a88b6c16dbb6e92cfc
SHA512

d49420e8b74c23dff40dad4506f88353e57b31af4509eb54766b62b5cc814b9ea7eade74fc9fa151430aa775f30cf39cf7d215703b884847c75adb18d95a4850
SSDEEP

3072:v5lhQefqu5dTkbdS65S/ecC2HQiINsYNr/FwLmbRULI6JzHBWq:v5l95tZWDIPIZBRch1

Score

10^/10

octo banker collection discovery evasion infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://shoprise57899321.shop/YmQ5ZDVkMzRkZjE5/

https://emporiumwave245768.shop/YmQ5ZDVkMzRkZjE5/

https://worldfusion891056.shop/YmQ5ZDVkMzRkZjE5/

https://universevibe123459.shop/YmQ5ZDVkMzRkZjE5/

https://emporiumdelight987656.shop/YmQ5ZDVkMzRkZjE5/

https://thopris578993215.shop/YmQ5ZDVkMzRkZjE5/

https://empoiumwave245768.shop/YmQ5ZDVkMzRkZjE5/

https://worfusion891056.shop/YmQ5ZDVkMzRkZjE5/

https://unirsevibe123459.shop/YmQ5ZDVkMzRkZjE5/

https://eoriumdelight987656.shop/YmQ5ZDVkMzRkZjE5/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

T1516

T1513

Processes:

com.beginhigh19

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.beginhigh19
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.beginhigh19

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs 1 IoCs
banker discovery

T1418.001

Processes:

com.beginhigh19

description ioc process

Framework service call android.content.pm.IPackageManager.getInstalledApplications com.beginhigh19
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

T1633.001

T1426

Processes:

com.beginhigh19

description ioc process

File opened for read /proc/cpuinfo com.beginhigh19
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

T1633.001

T1426

Processes:

com.beginhigh19

description ioc process

File opened for read /proc/meminfo com.beginhigh19
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

T1541

Processes:

com.beginhigh19

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.beginhigh19
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

T1422
Acquires the wake lock 1 IoCs

Processes:

com.beginhigh19

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.beginhigh19
Reads information about phone network operator. 1 TTPs
discovery

T1422
Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes:

com.beginhigh19

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.beginhigh19

description	ioc	process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.beginhigh19

description	ioc	process
File opened for read	/proc/cpuinfo	com.beginhigh19

description	ioc	process
File opened for read	/proc/meminfo	com.beginhigh19

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.beginhigh19

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.beginhigh19

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.beginhigh19

com.beginhigh19
1⤵
- Makes use of the framework's Accessibility service
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
- Checks CPU information
- Checks memory information
- Makes use of the framework's foreground persistence service
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
PID:5056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.beginhigh19/kl.txt
Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.beginhigh19/kl.txt
Filesize
230B

MD5
d38dd9b3b489828afc62d8e66cc0766e

SHA1
a2b2942a811233d4454c5c74b21fd732c86de51d

SHA256
8ac2d3853f8555ce83d85d257ee36e916cc8015b920093dddd4b3f68b3220bae

SHA512
f7f1095c46e4ba527d303f8c15efe850321b8f9ba5db6f40f9739db6bd6758facc38a951afe205491f8e2f44f6bd8144cf813f44fcd3e679c1beaaa3860aeeaf

Download Submit