octo | 9d1ce9b45a92e764359b87cfa6c882242ed6a0402a56f24832d60cbd88337459

Analysis

max time kernel
179s
max time network
187s
platform
android_x64
resource
android-x64-arm64-20240514-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240514-enlocale:en-usos:android-11-x64system
submitted
28-05-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d1ce9b45a92e764359b87cfa6c882242ed6a0402a56f24832d60cbd88337459.apk
Size

537KB
MD5

2649c55dd38707ed353261b54ca0630b
SHA1

0e7d650230e4e8cba2006f4cbcd106733d9e9804
SHA256

9d1ce9b45a92e764359b87cfa6c882242ed6a0402a56f24832d60cbd88337459
SHA512

3de4d7db22a4201923ddc4d7f0063c0d34beb2a9bbf7d49900f0694f9536642e77ff3bcb2a1a75a713e50ea3717aaadb6de7f012b4431592f8cd5206c3807256
SSDEEP

12288:ZhOTOE68iehj1VuNJbFMnF/ZaDLtt/qW5YZPn5R:ZCHfiEuTuBaDJpqFlnX

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://94.232.249.36/MmE0ODdiNjkyNzdi/

https://89divos.art/MmE0ODdiNjkyNzdi/

https://89divos.tech/MmE0ODdiNjkyNzdi/

https://89divos.shop/MmE0ODdiNjkyNzdi/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.whateverwhatever/cache/ntygrhadjbuptz	family_octo

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.whateverwhatever

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.whateverwhatever
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.whateverwhatever

Prevents application removal 1 TTPs 1 IoCs
Application may abuse the framework's APIs to prevent removal.
evasion

Prevent Application Removal
T1629.001

Processes:

com.whateverwhatever

description ioc process

Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.whateverwhatever
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
collection credential_access

Access Notifications
T1517

Processes:

com.whateverwhatever

description ioc process

Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.whateverwhatever
Requests modifying system settings. 1 IoCs
evasion

Processes:

com.whateverwhatever

description ioc process

Intent action android.settings.action.MANAGE_WRITE_SETTINGS com.whateverwhatever
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.whateverwhatever

description ioc process

File opened for read /proc/cpuinfo com.whateverwhatever
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.whateverwhatever

description ioc process

File opened for read /proc/meminfo com.whateverwhatever

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.whateverwhatever

description	ioc	process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.whateverwhatever

description	ioc	process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.whateverwhatever

description	ioc	process
File opened for read	/proc/cpuinfo	com.whateverwhatever

description	ioc	process
File opened for read	/proc/meminfo	com.whateverwhatever

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.whateverwhatever

ioc	pid	process
/data/user/0/com.whateverwhatever/cache/ntygrhadjbuptz	4652	com.whateverwhatever
/data/user/0/com.whateverwhatever/cache/ntygrhadjbuptz	4652	com.whateverwhatever

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.whateverwhatever

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.whateverwhatever
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
collection credential_access impact

Clipboard Data
T1414

Transmitted Data Manipulation
T1641.001

Processes:

com.whateverwhatever

description ioc process

Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.whateverwhatever
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.whateverwhatever

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.whateverwhatever
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Acquires the wake lock 1 IoCs

Processes:

com.whateverwhatever

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.whateverwhatever
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.whateverwhatever

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.whateverwhatever
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.whateverwhatever

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.whateverwhatever

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.whateverwhatever

description	ioc	process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.whateverwhatever

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.whateverwhatever

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.whateverwhatever

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.whateverwhatever

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.whateverwhatever

com.whateverwhatever
1⤵
- Makes use of the framework's Accessibility service
- Prevents application removal
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests modifying system settings.
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4652

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.whateverwhatever/cache/ntygrhadjbuptz

Filesize
477KB

MD5
65cb593886751d7394957a9da951aaf8

SHA1
64eedc22cbde9f912d227744f9ebe6b8e6f638f8

SHA256
8a6242f184ede2ac58585af93dc550c4b7a824570bc881222afa5071fb50d4bf

SHA512
13ab53b5c34be5e6a0aa93ee6d8761d8797d1626a9005c2ede2e23547daec56a58902e8e87e13ae7e4540618abbff5857233c7bfdc0601aeeabe263fc46e3766

Download Submit
/data/user/0/com.whateverwhatever/cache/oat/ntygrhadjbuptz.cur.prof

Filesize
340B

MD5
b4433dce4ad1ef58f622d67702448941

SHA1
f06abc8ed949e6732a7babd1990ed48156b6ac86

SHA256
6ecc81ecef1e1071978029d78235094c9b690c9a9bc47378ccbb8da3a5e6addf

SHA512
a696bed2c18b0ff36109b6b04f257b067e8407cffa0c87d8537253d42bb460907a9e0431412175014b6106d6211e85da52e3ffb9dc4197cc4e2dc4260d4e690e

Download Submit
/data/user/0/com.whateverwhatever/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/user/0/com.whateverwhatever/kl.txt

Filesize
237B

MD5
da88236c888f6e9b1424bfd7bd570ba8

SHA1
64329dce7024897193415517f9954ee40e09c16d

SHA256
d78029b486c91961b25143da2aa5fd464e8de1369727a9b521660db073a455f9

SHA512
22a0e4260d4badfa9765f0a5825bbc703037a5b58f43f60b57f9d71175c640d914e1e0465e1e09565b2791d9c9ef99913f4389a751461f6c65d08405eac3398f

Download Submit
/data/user/0/com.whateverwhatever/kl.txt

Filesize
63B

MD5
30203167a30b41318383750bf328e43d

SHA1
5cf9baa5c8aa75e41d5b93a6dbadbc652a185071

SHA256
7289a152185f214397299479c2625d6588d87aad597986ba34f6cebc22c1d816

SHA512
c3c526e9680053ff5f04108b52e021b4e0371d1d9c45e7cc5227564eb8672ece91a51103123cd87a6577ee0d947fb2c229d45fffabf035843df18c8693f66919

Download Submit
/data/user/0/com.whateverwhatever/kl.txt

Filesize
75B

MD5
d0ca935dbc3eb52b07a4a8a6724260aa

SHA1
c6a2d84187faf5eb400d3983adf4dbf9113aedde

SHA256
96ccc5127f78541862d18355b1c606c0b9ba36eba085a09eaea53efaf50269c2

SHA512
bc43dc134a09cd98582e34f3c35b406828cdc02982038db5d9bb54d782db405983d54291138a04beb1fbcc5432dbf55302097d875c35dc526797425cfd91f981

Download Submit
/data/user/0/com.whateverwhatever/kl.txt

Filesize
79B

MD5
bfe22531527ac7e3caf76d67136933d8

SHA1
75ae6b8248dff764829d1d148d0ad39dfae164eb

SHA256
d937892a87c7532934477931f63a3ea459946ba0205d3aeb270319d935e5f75e

SHA512
2c5d54be5d8d7e099610e51fbb509d784a7cd21309e9f673f6d8bbd2f232e34aa387f67fba0387380c665c82cafdf148b57ac7a4087b5f7f49527b65bae60620

Download Submit