octo | 9b9c00b599a5bc9b4017b091f249c2806d892ad31d552bd3df460d7cb863cf14

Analysis

max time kernel
179s
max time network
145s
platform
android_x86
resource
android-x86-arm-20240611.1-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240611.1-enlocale:en-usos:android-9-x86system
submitted
18-06-2024 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b9c00b599a5bc9b4017b091f249c2806d892ad31d552bd3df460d7cb863cf14.apk
Size

517KB
MD5

b2fb1ba8c5a154f110250ee96a0a368a
SHA1

16fcf9b02008c8e9e9ba7e96f39d3c95beacc079
SHA256

9b9c00b599a5bc9b4017b091f249c2806d892ad31d552bd3df460d7cb863cf14
SHA512

64746d95e02817e6beb69df6f6e6c16ca79e604da099f97f427010cc7ce5089af2a8224a86f9c0a964a736c2bb402b1f13ef1acdb9069142e66972ea610cfa56
SSDEEP

12288:UjznDXnDOpsVKQmnZr1JCWlRpuHWZi+2L8slyNP+s:CznDzOiVKQIbRMWZlslSP+s

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://juxleq.top/MjE2YTczY2MxNjA0/

https://fozkiv.xyz/MjE2YTczY2MxNjA0/

https://wemdap.top/MjE2YTczY2MxNjA0/

https://zupqel.xyz/MjE2YTczY2MxNjA0/

https://rizyat.top/MjE2YTczY2MxNjA0/

https://gikmuv.xyz/MjE2YTczY2MxNjA0/

https://xotpin.top/MjE2YTczY2MxNjA0/

https://werboq.xyz/MjE2YTczY2MxNjA0/

https://hudxap.top/MjE2YTczY2MxNjA0/

https://nevdiz.xyz/MjE2YTczY2MxNjA0/

https://kovjep.top/MjE2YTczY2MxNjA0/

https://yiqvux.xyz/MjE2YTczY2MxNjA0/

https://qowzef.top/MjE2YTczY2MxNjA0/

https://tupfij.xyz/MjE2YTczY2MxNjA0/

https://leoyuz.top/MjE2YTczY2MxNjA0/

https://xepmeq.xyz/MjE2YTczY2MxNjA0/

https://qidvob.top/MjE2YTczY2MxNjA0/

https://gufwap.xyz/MjE2YTczY2MxNjA0/

https://xulqir.top/MjE2YTczY2MxNjA0/

https://lupzod.xyz/MjE2YTczY2MxNjA0/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

Processes:

resource	yara_rule
/data/data/com.airtellql/cache/dmbgcypmavpl	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

T1628.001

Processes:

com.airtellql

pid process

4264 com.airtellql
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
evasion

T1407

Processes:

com.airtellql

ioc pid process

/data/user/0/com.airtellql/cache/dmbgcypmavpl 4264 com.airtellql
/data/user/0/com.airtellql/cache/dmbgcypmavpl 4264 com.airtellql

pid	process
4264	com.airtellql

ioc	pid	process
/data/user/0/com.airtellql/cache/dmbgcypmavpl	4264	com.airtellql
/data/user/0/com.airtellql/cache/dmbgcypmavpl	4264	com.airtellql

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

T1516

T1513

T1417.001

T1417.002

Processes:

com.airtellql

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.airtellql
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.airtellql

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

T1422
Acquires the wake lock 1 IoCs

Processes:

com.airtellql

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.airtellql
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

T1541

Processes:

com.airtellql

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.airtellql

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.airtellql

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.airtellql

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

T1629.001

Processes:

com.airtellql

ioc	process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.airtellql
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.airtellql

Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

T1422

Processes:

com.airtellql

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.airtellql
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

T1422
Reads information about phone network operator. 1 TTPs
discovery

T1422
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
collection credential_access

T1517

Processes:

com.airtellql

description ioc process

Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.airtellql
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

T1628.002

Processes:

com.airtellql

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.airtellql
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

T1624.001

Processes:

com.airtellql

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.airtellql
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

T1471

Processes:

com.airtellql

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.airtellql

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.airtellql

description	ioc	process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.airtellql

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.airtellql

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.airtellql

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.airtellql

com.airtellql
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4264

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.airtellql/cache/dmbgcypmavpl
Filesize
450KB

MD5
555d7d83ed1e7fd974b12869150211a6

SHA1
dd238b54cf6d8d1bd76903e06a46f21d3f5d2620

SHA256
505d2049a856697ce0d0ffcb24e92c33fce95b55bb195f902f3afecea417d869

SHA512
76cd63f13fddb0185aea7699c9dbf16aaf93693c68070e733f6a404d43c424c1673aa1bef92aaafbabf88e3fbf6eff35485ba0c94227a30f10fa682ebb05fbb1

Download Submit
/data/data/com.airtellql/cache/oat/dmbgcypmavpl.cur.prof
Filesize
531B

MD5
7d1d11314f720c9b978abb5c337c3dfd

SHA1
d2726bb329adbe1bd98cc772bf1ced4e74c65606

SHA256
d7d006dc755e501d27034da34c69fea60f4c0ce9f572d0afc12dc70026b6bccc

SHA512
b4673ca63a74ca567d58b54dd3bea2566406ff07e7280947deb99628cb41bfc6643748cfb9fa5b597398efeb16414763b26a11baadc48cea36b8725d5905aceb

Download Submit