octo | bb98625a15353ef102d20ec83b4549a067fd58b6b301e4031354661094558be5

Analysis

max time kernel
179s
max time network
185s
platform
android_x64
resource
android-x64-arm64-20240514-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240514-enlocale:en-usos:android-11-x64system
submitted
28-05-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb98625a15353ef102d20ec83b4549a067fd58b6b301e4031354661094558be5.apk
Size

537KB
MD5

0e22ede9e904c6e28cda207001b993af
SHA1

a9edadc76597182d7bdbfc1225f569b7c98bdfe3
SHA256

bb98625a15353ef102d20ec83b4549a067fd58b6b301e4031354661094558be5
SHA512

738cf0bba0c78099ec60fb79b3d4221ca8fdf31551fddacf4c2c14c1d3ad1f4ea6a8279fda2cdecd3e68d5d9d762cf076ce95bc43a7651672ec61ea8f345a7fc
SSDEEP

12288:shOTOE68iehj1VuNJbFMnF/ZaDLtthoW5Y9Tnv2:sCHfiEuTuBaDJjoFNnu

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://94.232.249.36/MmE0ODdiNjkyNzdi/

https://89divos.art/MmE0ODdiNjkyNzdi/

https://89divos.tech/MmE0ODdiNjkyNzdi/

https://89divos.shop/MmE0ODdiNjkyNzdi/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.whatev2erwh2atever/cache/ntygrhadjbuptz	family_octo

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.whatev2erwh2atever

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.whatev2erwh2atever
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.whatev2erwh2atever

Prevents application removal 1 TTPs 1 IoCs
Application may abuse the framework's APIs to prevent removal.
evasion

Prevent Application Removal
T1629.001

Processes:

com.whatev2erwh2atever

description ioc process

Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.whatev2erwh2atever
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
collection credential_access

Access Notifications
T1517

Processes:

com.whatev2erwh2atever

description ioc process

Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.whatev2erwh2atever
Requests modifying system settings. 1 IoCs
evasion

Processes:

com.whatev2erwh2atever

description ioc process

Intent action android.settings.action.MANAGE_WRITE_SETTINGS com.whatev2erwh2atever
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.whatev2erwh2atever

description ioc process

File opened for read /proc/cpuinfo com.whatev2erwh2atever
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.whatev2erwh2atever

description ioc process

File opened for read /proc/meminfo com.whatev2erwh2atever

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.whatev2erwh2atever

description	ioc	process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.whatev2erwh2atever

description	ioc	process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.whatev2erwh2atever

description	ioc	process
File opened for read	/proc/cpuinfo	com.whatev2erwh2atever

description	ioc	process
File opened for read	/proc/meminfo	com.whatev2erwh2atever

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.whatev2erwh2atever

ioc	pid	process
/data/user/0/com.whatev2erwh2atever/cache/ntygrhadjbuptz	4488	com.whatev2erwh2atever
/data/user/0/com.whatev2erwh2atever/cache/ntygrhadjbuptz	4488	com.whatev2erwh2atever

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.whatev2erwh2atever

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.whatev2erwh2atever
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
collection credential_access impact

Clipboard Data
T1414

Transmitted Data Manipulation
T1641.001

Processes:

com.whatev2erwh2atever

description ioc process

Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.whatev2erwh2atever
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.whatev2erwh2atever

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.whatev2erwh2atever
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Acquires the wake lock 1 IoCs

Processes:

com.whatev2erwh2atever

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.whatev2erwh2atever
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.whatev2erwh2atever

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.whatev2erwh2atever
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.whatev2erwh2atever

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.whatev2erwh2atever

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.whatev2erwh2atever

description	ioc	process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.whatev2erwh2atever

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.whatev2erwh2atever

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.whatev2erwh2atever

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.whatev2erwh2atever

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.whatev2erwh2atever

com.whatev2erwh2atever
1⤵
- Makes use of the framework's Accessibility service
- Prevents application removal
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests modifying system settings.
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4488

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.whatev2erwh2atever/cache/ntygrhadjbuptz
Filesize
477KB

MD5
65cb593886751d7394957a9da951aaf8

SHA1
64eedc22cbde9f912d227744f9ebe6b8e6f638f8

SHA256
8a6242f184ede2ac58585af93dc550c4b7a824570bc881222afa5071fb50d4bf

SHA512
13ab53b5c34be5e6a0aa93ee6d8761d8797d1626a9005c2ede2e23547daec56a58902e8e87e13ae7e4540618abbff5857233c7bfdc0601aeeabe263fc46e3766

Download Submit
/data/user/0/com.whatev2erwh2atever/cache/oat/ntygrhadjbuptz.cur.prof
Filesize
349B

MD5
eb08918bcef2afa8962b5a56c602d2d7

SHA1
f36cbb96055cec54b0f8586b712c41e55fd4d9fc

SHA256
dfba4c970473672166bdfb2ea78ceab25b15589bbc51153af6e4952872769409

SHA512
4f16d0c358e5754c89d9485362d0e3a8311763698dad1f0c2221bf62aef22459c9cff039ab6e0e5b2e0ab2cf201fc55faf8e150cdc8562350a1d28e5ff0c128c

Download Submit
/data/user/0/com.whatev2erwh2atever/kl.txt
Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/user/0/com.whatev2erwh2atever/kl.txt
Filesize
237B

MD5
336eff83a1359b833ef07c9297c6d3aa

SHA1
a980b66f3f0818d8badf6ec3923d2cf2ae6ea3d7

SHA256
dc94785197863fe5c93dab04aff78ea62db482a2725621d99b5745bc8a369bc4

SHA512
155507664b3bc655c49259604465e5f2201bcd8365b58eac0988d57b947ac2f541b697dcc5badd00f13d33c0e242c546f40587c7a58129a45d76b55277abd172

Download Submit
/data/user/0/com.whatev2erwh2atever/kl.txt
Filesize
45B

MD5
83e4c95693c4e373f180ddd71ef1e8d8

SHA1
d983e53517f0288ccc339088f2c368561534e2bb

SHA256
fc973707e5e620784cbaf6d44019b965a76bd9041ac636d8d7f36d5763a890df

SHA512
c1d415043ee0609aa1e97a670d4a177705db0e90105870ba42c8d3aab728b5411e89e82df9cf1d314f2e9b3546caf60fc439834adbb414ce8191d0fd13c36a20

Download Submit
/data/user/0/com.whatev2erwh2atever/kl.txt
Filesize
63B

MD5
b3506b6d4fa1c395fc64af865ff306dd

SHA1
6bc4023a93a757c7e3bab0d78b3c9ca00ff7e8cd

SHA256
3b6297c2f612abaa95868f75597f73dff22c36919ea7f9097ac0d4e530fd7a3e

SHA512
dc4662d7393e2c42d3b7bfc113b964027c8ea11e2390f46d3099463f783473b576b3e51b8cd36c52568bc3116e4d2fc130765fa122a54b005a63d50f19023932

Download Submit
/data/user/0/com.whatev2erwh2atever/kl.txt
Filesize
75B

MD5
0aa0e50682cfc55d25977718b1928cae

SHA1
a1677f1ad0528d4d187939413c1ce257f77b41bd

SHA256
dedcdf28c9e6cfe204f28947ff70da4899fe7394620b9f24fbf98691bc42f57d

SHA512
61ec7e4ad585f09aa06bb7a92925d1e93d7e9aed8cc78161549c4a7b09b5b16cf5ce3e4d23fbaa5499926e23e455f0af960ee2d2e527039295926d7a754ec63f

Download Submit