octo | 47ae6f29e2a5dace840dfa18d91d556096c0e838f00619ac03a3c7c15e89d15c

General

Target

47ae6f29e2a5dace840dfa18d91d556096c0e838f00619ac03a3c7c15e89d15c.apk
Size

509KB
MD5

7998fe8c5f93185428c5bedec7249c03
SHA1

77196ff68ecc68091685db172d93c890807eb443
SHA256

47ae6f29e2a5dace840dfa18d91d556096c0e838f00619ac03a3c7c15e89d15c
SHA512

f24854e59ab09cc03389da7db49d35ff14c78a2f06a24f9bcad140eece9b2684c24cf25f9421892c536d64f9a70b864b35751db41c38032977197228b061be0f
SSDEEP

12288:gbVbVEkeOdq2+g5DMC4maUcXTVsoTB+B7u+njA:gZ9+g5DMCNNb77njA

Score

10^/10

octo banker collection discovery evasion infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

C2

https://kapandayarankal.shop/MjM2YTBkOGJlZjU1/

https://kanepedeyatan.shop/MjM2YTBkOGJlZjU1/

https://kapandayarkarnaval.shop/MjM2YTBkOGJlZjU1/

https://karakasabadakan.online/MjM2YTBkOGJlZjU1/

https://karakamazandar.com/MjM2YTBkOGJlZjU1/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

Processes:

resource	yara_rule
/data/data/com.recordtoward9/cache/nappjcxmsyow	family_octo

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

T1516

T1513

Processes:

com.recordtoward9

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.recordtoward9
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.recordtoward9

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

T1418.001
Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

T1628.001

Processes:

com.recordtoward9

pid process

4185 com.recordtoward9
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

T1633.001

T1426

Processes:

com.recordtoward9

description ioc process

File opened for read /proc/cpuinfo com.recordtoward9
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

T1633.001

T1426

Processes:

com.recordtoward9

description ioc process

File opened for read /proc/meminfo com.recordtoward9

pid	process
4185	com.recordtoward9

description	ioc	process
File opened for read	/proc/cpuinfo	com.recordtoward9

description	ioc	process
File opened for read	/proc/meminfo	com.recordtoward9

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

T1407

Processes:

com.recordtoward9

ioc	pid	process
/data/user/0/com.recordtoward9/cache/nappjcxmsyow	4185	com.recordtoward9
/data/user/0/com.recordtoward9/cache/nappjcxmsyow	4185	com.recordtoward9

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

T1541

Processes:

com.recordtoward9

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.recordtoward9
Acquires the wake lock 1 IoCs

Processes:

com.recordtoward9

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.recordtoward9
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

T1422
Reads information about phone network operator. 1 TTPs
discovery

T1422
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

T1628.002

Processes:

com.recordtoward9

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.recordtoward9
Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes:

com.recordtoward9

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.recordtoward9

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.recordtoward9

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.recordtoward9

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.recordtoward9

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.recordtoward9

com.recordtoward9
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4185

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.recordtoward9/cache/nappjcxmsyow
Filesize
449KB

MD5
ec4594f549df012d9373e524d46c33a7

SHA1
7a7f702f075ca1dc83093759de464d9255c2eb12

SHA256
fb5f0b78d2a04d7e9370c5a16a3130df3dbf6a4a625ee4a5fe5d331d77c5c40c

SHA512
3fc4213bf577074c207f49b8bf7a213b223fe25304fb3941ea454e88ff3d496fdbd0314262d3a782a4b7ba8a9916d5518c96f314e92f4c34c37408208431010b

Download Submit
/data/data/com.recordtoward9/cache/oat/nappjcxmsyow.cur.prof
Filesize
431B

MD5
1d6db553800f2ae7831d28140e2e723d

SHA1
94667a1f68307135905715ed18b64ea13f0cf808

SHA256
451e7b810f52eddc013b0c883fec3e1479f542156a9fef0a3fd976c0db30ac0e

SHA512
2271ca1618ab50f602b09b0bda863d976263d7ea5908b2481b58f33d4f594405be1dd174de218c82a9673f872bb9fd77e0537db45765fdec87d4b96e3ce8ae20

Download Submit
/data/data/com.recordtoward9/kl.txt
Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.recordtoward9/kl.txt
Filesize
237B

MD5
5831745fa97b80955cfa1dd3d832564b

SHA1
d534110b6242fa18682140fcddd5a707ce2526b6

SHA256
a8273a46e2b7aff9b73c24c520fef832e5f4976e53367d31081d5d65dd3fbad9

SHA512
b23bb9182b66f1a9f96a976ddb2bbd53b310c4a4c93e2961420e30b136c9585d642a4927264c4856912626f00c1538243ced8961c630686a9294c6d307a0c15d

Download Submit
/data/data/com.recordtoward9/kl.txt
Filesize
63B

MD5
3786cd9f6100ac40ad1365cb8294e319

SHA1
2ace8d92f123dcacb923a6ab980b6f4289de99a6

SHA256
b552e4e1701041615b53774edc99002ef5bbccb4c37903b728e1259bb3e3f355

SHA512
091788ffc0e3b97a861d90b5e07be29d36d99ae76ad7d3b7c4079873da12b480701a862d3bcc9d87e6730522d1719aefe172d8835b709f2fede326765b459231

Download Submit
/data/data/com.recordtoward9/kl.txt
Filesize
45B

MD5
b7b428c4164a70383109457578cf175a

SHA1
fc760f1251a454df1a5884d74fdcc070c2a7a6a9

SHA256
f0299c49ea80a836b2f85e25f44078a478c460a563b5b7e278bdbe5357936527

SHA512
235ee184196f8fea48c6c22c0b63567a80f65e9f399b0b1e49a4b605c14c3a43a5c3a85c31cfc40fa17c7f05a82a10e2b7d6be4cc8a73a5b0051277b7202aac1

Download Submit
/data/data/com.recordtoward9/kl.txt
Filesize
151B

MD5
e6416f0995558bb34e83b11cc7c047cb

SHA1
d60da4bb743a61c2e8c3d363871408ce83d40053

SHA256
a1999bebd831e54cc1fbeac2eda071c0c47fec8a62edd35f580105ba4219aef0

SHA512
e10bb9753f467168eb09bdd8c6216391a4759f1a2d88bd2c8b15082a2ee8e18705be566326b69ee0153327688f9f320dfbbcc2817ff36cefaa1269ade35b9c21

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads