octo | df096deb86121239ee8332be356cb47a3c47398cbf8bca775e009e2342cfae3a

Analysis

max time kernel
150s
max time network
150s
platform
android_x86
resource
android-x86-arm-20240221-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
submitted
23-04-2024 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df096deb86121239ee8332be356cb47a3c47398cbf8bca775e009e2342cfae3a.apk
Size

1.5MB
MD5

cc1274948304fda99d0e10a01e1fb671
SHA1

9b33a91f5c8b0ea17dde921bcefcbfc7d2481601
SHA256

df096deb86121239ee8332be356cb47a3c47398cbf8bca775e009e2342cfae3a
SHA512

d93375752ac21b4faaae5a34567fa0eefedec8239f08f449954dccafc5e5cea3628b271fb3918a4f1b999684df9c932e15889f8d04b46c7f43b92f25108510e2
SSDEEP

49152:KCki/x3DikWtF9Nav4cXkYUm2QAE4KoSTkX+ZGZbmq7:KCp12kW39NoCFz1X+ZQ/7

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://musherpicka.live/MTU2OWE0NzJjNGY5/

https://golevasi800.top/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw.site/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw1.site/MTU2OWE0NzJjNGY5/

https://arw2he7x57wp.pw/MTU2OWE0NzJjNGY5/

https://9r8i1u84t2gp.online/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw.biz/MTU2OWE0NzJjNGY5/

https://arw2he7x57wp1.pw/MTU2OWE0NzJjNGY5/

https://9r8i1u84t2gp1.online/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw.space/MTU2OWE0NzJjNGY5/

https://5a9udxg6l6gd.su/MTU2OWE0NzJjNGY5/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

Processes:

resource	yara_rule
/data/data/com.turnexample15/cache/lvseceqyhd	family_octo

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

T1516

T1513

T1417.001

T1417.002

Processes:

com.turnexample15

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.turnexample15
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.turnexample15

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

T1418.001
Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

T1628.001

Processes:

com.turnexample15

pid process

4228 com.turnexample15
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

T1633.001

T1426

Processes:

com.turnexample15

description ioc process

File opened for read /proc/cpuinfo com.turnexample15
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

T1633.001

T1426

Processes:

com.turnexample15

description ioc process

File opened for read /proc/meminfo com.turnexample15

pid	process
4228	com.turnexample15

description	ioc	process
File opened for read	/proc/cpuinfo	com.turnexample15

description	ioc	process
File opened for read	/proc/meminfo	com.turnexample15

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

T1407

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.turnexample15/app_DynamicOptDex/KdWGMKn.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.turnexample15/app_DynamicOptDex/oat/x86/KdWGMKn.odex --compiler-filter=quicken --class-loader-context=&com.turnexample15

ioc	pid	process
/data/user/0/com.turnexample15/app_DynamicOptDex/KdWGMKn.json	4256	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.turnexample15/app_DynamicOptDex/KdWGMKn.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.turnexample15/app_DynamicOptDex/oat/x86/KdWGMKn.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.turnexample15/app_DynamicOptDex/KdWGMKn.json	4228	com.turnexample15
/data/user/0/com.turnexample15/cache/lvseceqyhd	4228	com.turnexample15
/data/user/0/com.turnexample15/cache/lvseceqyhd	4228	com.turnexample15

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

T1541

Processes:

com.turnexample15

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.turnexample15
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

T1422

Processes:

com.turnexample15

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.turnexample15
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

T1624.001

Processes:

com.turnexample15

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.turnexample15
Acquires the wake lock 1 IoCs

Processes:

com.turnexample15

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.turnexample15
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

T1422
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

T1628.002

Processes:

com.turnexample15

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.turnexample15
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

T1471

Processes:

com.turnexample15

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.turnexample15

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.turnexample15

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.turnexample15

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.turnexample15

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.turnexample15

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.turnexample15

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.turnexample15

com.turnexample15
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4228

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.turnexample15/app_DynamicOptDex/KdWGMKn.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.turnexample15/app_DynamicOptDex/oat/x86/KdWGMKn.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:4256

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.turnexample15/app_DynamicOptDex/KdWGMKn.json
Filesize
2KB

MD5
0650bf185606e7cc01e7c4466f25e212

SHA1
89a8ddbfac4348a67a5af895ad33d56b4d58e090

SHA256
59c46e834a5b0f4d33e4a6c84fb01fdab554c212ca7ec0c7d3acb1cc951b01a4

SHA512
a3c1dd5cba20190589769e55124aef28ed124a048babf5252c008c3b85b7a2781d7e0276863a7346170929edcce9b336d988b2e2588ec70c68805529b890313d

Download Submit
/data/data/com.turnexample15/app_DynamicOptDex/KdWGMKn.json
Filesize
2KB

MD5
870bc7b6b33cc3383021cb941c9bdb0f

SHA1
8ef83733a941f70e30d3610153dee5b4e72a59b5

SHA256
ebce94a14cae9c422c4a07ddea1bcb83895d66913d05ab29957f1c42477129a0

SHA512
c00483728fb319ece3682a03d1086c09942454a91ecd09764a164a9e1647345ca163a2c3be320d8c51c66e6ffcba548398fa73dee3f1c859e9c679c1af7ab229

Download Submit
/data/data/com.turnexample15/cache/lvseceqyhd
Filesize
271KB

MD5
6f3cf16d8a64cda396cf0e14be0dee13

SHA1
b99ff2737cdd8244e3cd7b616279b3e6a138526a

SHA256
f85d16490d4a5725516476ff48bece912ae923f132f42cd88a22197929f2cfc6

SHA512
fffbe48dbb14fec6435ca28556a1ff2e01f4e9259194fe6c85e76329c23f94e8344e2a780aa44d931b6dbf04f9d210cfed0ce5e9b9746539fe04983142b9173a

Download Submit
/data/data/com.turnexample15/cache/oat/lvseceqyhd.cur.prof
Filesize
457B

MD5
15aac8b61f7d3e6221fc68446514acad

SHA1
bbd1ac06b8d45fcdebdfb206d0ead2c08ef8466d

SHA256
0bf4dd4701b9fd4cd3ddcf96632b265f55a66eb6bc2526112584afdc516463c3

SHA512
a8b9ba499cab56a5ae6cc154337817e1dc9e028e2342cf35351fd230a5ebbecc8b5ccf81275d95f16f8f30b9f6e79f115e346fa309679f19e27ee7ba4a3adf4f

Download Submit
/data/data/com.turnexample15/kl.txt
Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.turnexample15/kl.txt
Filesize
230B

MD5
8bf06b74168b3c589f9d39a4ea6fbfa5

SHA1
5651410734f4fee6fafbe9c33e2cf73ec18a9504

SHA256
57c06b823ca2e5a1afb9e249c428509990ca5a6c5f2fb9c3f7b99361fc3cf960

SHA512
ebc500e5c5b7f68aab5b3d43390fe1379d5a7263eb227219d64a714b853add3d38195787b4157e5b8305efc15cfa3aa6b2a2a40d5054f8066bbd7f307fe53cee

Download Submit
/data/data/com.turnexample15/kl.txt
Filesize
69B

MD5
dfbef8507863b7012fb246d21de9ffc5

SHA1
75bf9d1cdd30090143abb5c23da73d8490fc550f

SHA256
458319366181d83cd36f508dd619a4d955f30050fc18d8e6a46985f6d01af354

SHA512
b3c11ac818220595523b8567c6bceca5dc7e7e22ecdf9cb9ac07dac1666e0ec4da009716da52fe52d2d6eefff4dd2e1041bda135d1cf8394c9b5dd354995ae3e

Download Submit
/data/data/com.turnexample15/kl.txt
Filesize
63B

MD5
97c80ab67ecfccf4eaffb9830c81f10c

SHA1
df592610835acff7ed5a04ffb82d40d620e1d0d4

SHA256
69603fadbc667d3385d0272aa5ff999be70a9cd9d273df23265787377ea04972

SHA512
60a45ebb744025f4ea325e1ffff4ec50aece88047beecb21e851918add054d171ddbd9b5a790bfcef63c7c617595e3cfc959bd4f54e5091e1903162b0b18a173

Download Submit
/data/data/com.turnexample15/kl.txt
Filesize
423B

MD5
9124097651ebc9330a3e5535941c0a76

SHA1
6e8bf072a91a61c84193bb5e2e89276bbd7d7a81

SHA256
c56dc7e9cbf1ec9cc50ca9ed437b5dfea87ea397bc68a645810fb7f34db2e31f

SHA512
985d0372e3648e7918dc6fc15499584273353e8d9ef177bc783a125c6f1f5981efc13988de13aa9e3f2e166e20c7cb06bdc1f5e14e367cfc099606c7cbb62c24

Download Submit
/data/user/0/com.turnexample15/app_DynamicOptDex/KdWGMKn.json
Filesize
6KB

MD5
83fb60c128e122eae540598672627cc8

SHA1
ba16e1bddaa119dc48defb1d10117a72196edec6

SHA256
53f5c5e9a62ed3bc3080b13c2bf6ee80003ec0322a3a4655cf9ee90b9abe192e

SHA512
c4a30500fc1c528933e69aab4be93f3509e96d999865187dc339baa669f86e19f0c8092aa61a111382684a3dfa1d7ca7c8da73340bd252fe703523e1f97c25af

Download Submit
/data/user/0/com.turnexample15/app_DynamicOptDex/KdWGMKn.json
Filesize
6KB

MD5
5ae419f42981cff6894434c9f79467c3

SHA1
00c55eadd6fc960a89f6d6e27f6f8b02431e0f55

SHA256
eca7f673d1be3ef858c03ec4f79c07467fe4dd9f37e47c4a325ca433f09d594b

SHA512
314438b93ee9bb03cf49ef2a3339a5ece79dc6bbdb7f681770e418e5349a991e9b98c4e290814959deb1d4b3979dc51e0254adcb2da9727ea2b69e3929d6f762

Download Submit