octo | b38019f9e80c2166a4e09eed0cd15bad651263f0ff3ea26199a08896ffd8e1fc

Resubmissions

05-08-2024 12:08

240805-pa55aavhjp 10

02-08-2024 15:48

03-01-2024 17:25

24-12-2023 19:17

14-12-2023 08:27

03-11-2023 03:07

01-11-2023 22:00

Analysis

max time kernel
329s
max time network
336s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
02-08-2024 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b38019f9e80c2166a4e09eed0cd15bad651263f0ff3ea26199a08896ffd8e1fc.apk
Size

509KB
MD5

60609814e43a1c814b30435f15d361ed
SHA1

61431ed485c98b8a291e289a7e17e8d3e6db3660
SHA256

b38019f9e80c2166a4e09eed0cd15bad651263f0ff3ea26199a08896ffd8e1fc
SHA512

8efba5603fd4217b9c9c96e28a69f9f262568f76d43fd959d6914694808488f089f01fa92e2d04f44d5aa0859efcfb34fb080dc7b3a49502469598ab90a662fe
SSDEEP

12288:KwGWfjEhy4pNodk6TZFo9nheT5BQ4YvnAu:KnWf0y4GNIsmRvnAu

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://84.54.50.100/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass2.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass3.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass4.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass5.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass6.net/Njk4Zjk4YjdjODY3/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

Processes:

resource	yara_rule
/data/data/com.broughtbluea/cache/pxcpq	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
evasion

Download New Code at Runtime
T1407

Processes:

com.broughtbluea

ioc pid process

/data/user/0/com.broughtbluea/cache/pxcpq 4999 com.broughtbluea
/data/user/0/com.broughtbluea/cache/pxcpq 4999 com.broughtbluea

ioc	pid	process
/data/user/0/com.broughtbluea/cache/pxcpq	4999	com.broughtbluea
/data/user/0/com.broughtbluea/cache/pxcpq	4999	com.broughtbluea

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.broughtbluea

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.broughtbluea
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.broughtbluea
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.broughtbluea

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
collection credential_access impact

Clipboard Data
T1414

Transmitted Data Manipulation
T1641.001

Processes:

com.broughtbluea

description ioc process

Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.broughtbluea
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Acquires the wake lock 1 IoCs

Processes:

com.broughtbluea

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.broughtbluea
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.broughtbluea

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.broughtbluea

description	ioc	process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.broughtbluea

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.broughtbluea

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.broughtbluea

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

Processes:

com.broughtbluea

ioc	process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.broughtbluea
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.broughtbluea
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.broughtbluea
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.broughtbluea

Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.broughtbluea

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.broughtbluea
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.broughtbluea

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.broughtbluea
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.broughtbluea

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.broughtbluea
Checks CPU information 2 TTPs 1 IoCs

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.broughtbluea

description ioc process

File opened for read /proc/cpuinfo com.broughtbluea
Checks memory information 2 TTPs 1 IoCs

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.broughtbluea

description ioc process

File opened for read /proc/meminfo com.broughtbluea

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.broughtbluea

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.broughtbluea

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.broughtbluea

description	ioc	process
File opened for read	/proc/cpuinfo	com.broughtbluea

description	ioc	process
File opened for read	/proc/meminfo	com.broughtbluea

com.broughtbluea
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4999

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.broughtbluea/cache/oat/pxcpq.cur.prof

Filesize
478B

MD5
ec238f6d4931ae1ca43febdfebc40624

SHA1
ae7e82a8c7dc9a4b4c338905fe9c92311d72d0c8

SHA256
3f5b893407dcb88eda71cf406b2f3a916a6760e0b7ba0010d19d63b03a9a7e6b

SHA512
276a8251f6c497bd6c457ffdb3fddbdeaa0869c8b092fbe3ea839415840165a423a1e9206a3bcf35e736373455b258d2480fc65022f09d28d07e059e1cedcbe6

Download Submit
/data/data/com.broughtbluea/cache/oat/pxcpq.cur.prof

Filesize
449B

MD5
4032a55d1629494ce4a776841cc6d1b7

SHA1
aa5423fc9de09207ea730b832e46799948a16587

SHA256
97e4d927d4e6b9fc28d8cc7bd706e87b1d4188d684969eedb9956a4c2d29caac

SHA512
0460d464c9f0271264f32be678a83f4930df5c9cc6a1269dc3821d380e13d814e94fb10383df4ab7c4148eeb258138a3efa89ce4f0d50484d0bdf27f7b1fed2a

Download Submit
/data/data/com.broughtbluea/cache/pxcpq

Filesize
449KB

MD5
fb15ea8794c6547c5ca8f58577e433a6

SHA1
47c530ac1858cbc7584429190a07c3c4313857ac

SHA256
908588c8de2b52b69f30917583d91ac67f96c7682c017df3943d3979c9fc6095

SHA512
9cb724a385917e949052b84be546cd61a952474ee8671743034463b356de4c5bc60732b07287c326da65c4cced7f8c8247b348bbb5abb436c86fedbcb4da90c9

Download Submit
/data/data/com.broughtbluea/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.broughtbluea/kl.txt

Filesize
230B

MD5
adea358ea55b63c1ac518f4c333dfc5b

SHA1
1d4c76cc6bdcd616fd433c12aaebfe27b574b68c

SHA256
682638e0c026a21b569a9c7e4ef18978bce0d1fa4842cc4033cb1b0fc537aa29

SHA512
1b7729b35129bbb594cf5d3e7b4fe19fa41f3886d1fdf12b36c6bda6bc9326b06c913712b79bf2cde4535ce05b19b7913d25b70471e732eb2422d33ddac4578e

Download Submit
/data/data/com.broughtbluea/kl.txt

Filesize
68B

MD5
e85a1ee5cf3815492a637c93c09b7c8c

SHA1
66659d8718ef790062702c599699ebe554cf8415

SHA256
c1c1e9c262a79cb49e2aa08764e67bfb8cce954618f5505c111bfa4ea3dcd44b

SHA512
76ef2871716162d834eb4a7b3bed4593321ccfc1efc13cf54f253e58790e13a730ca1a2ab048d18b62dcc953f82e33a51d2361090cf1ff625770c91c374fa695

Download Submit
/data/data/com.broughtbluea/kl.txt

Filesize
68B

MD5
4542d13c07eda4e67f28f9a94b24657e

SHA1
b26c0b2bc7a5f578a0481e067597c821e5cef9c1

SHA256
330a468ac2eb3aedeac3cb4abcb7fe923eee5f622ebe969ee3ac9a7878a580cc

SHA512
201fbdaaba0856e87305c75a7004fdc0f5f42b976da369ff2866737be24be60a30a778e60e38078d19c1248cedf43671c88b969eeb49248c82e1a034c873b368

Download Submit
/data/data/com.broughtbluea/kl.txt

Filesize
76B

MD5
b2c13580b1d24511c1494c5131b4fa52

SHA1
c0a3dd53ee5b3db3e6f7b68bb09be7e450673be1

SHA256
fd58b4fcf7538462c549d344344700323d338067f432914321334eb5b9ae6758

SHA512
be29146935c322f35ab776e7e98748474b8891abb9cd2d03ec7dcd4d8edcdf69c0b68d69f99339ed0c598b4bca0905d0ea2e5e94ff0c00f6c9ffafd5f83dd904

Download Submit