octo | b38019f9e80c2166a4e09eed0cd15bad651263f0ff3ea26199a08896ffd8e1fc

Resubmissions

05-08-2024 12:08

240805-pa55aavhjp 10

02-08-2024 15:48

03-01-2024 17:25

24-12-2023 19:17

14-12-2023 08:27

03-11-2023 03:07

01-11-2023 22:00

Analysis

max time kernel
329s
max time network
337s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
02-08-2024 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b38019f9e80c2166a4e09eed0cd15bad651263f0ff3ea26199a08896ffd8e1fc.apk
Size

509KB
MD5

60609814e43a1c814b30435f15d361ed
SHA1

61431ed485c98b8a291e289a7e17e8d3e6db3660
SHA256

b38019f9e80c2166a4e09eed0cd15bad651263f0ff3ea26199a08896ffd8e1fc
SHA512

8efba5603fd4217b9c9c96e28a69f9f262568f76d43fd959d6914694808488f089f01fa92e2d04f44d5aa0859efcfb34fb080dc7b3a49502469598ab90a662fe
SSDEEP

12288:KwGWfjEhy4pNodk6TZFo9nheT5BQ4YvnAu:KnWf0y4GNIsmRvnAu

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://84.54.50.100/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass2.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass3.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass4.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass5.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass6.net/Njk4Zjk4YjdjODY3/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.broughtbluea/cache/pxcpq	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
evasion

Download New Code at Runtime
T1407

Processes:

com.broughtbluea

ioc pid process

/data/user/0/com.broughtbluea/cache/pxcpq 4477 com.broughtbluea
/data/user/0/com.broughtbluea/cache/pxcpq 4477 com.broughtbluea

ioc	pid	process
/data/user/0/com.broughtbluea/cache/pxcpq	4477	com.broughtbluea
/data/user/0/com.broughtbluea/cache/pxcpq	4477	com.broughtbluea

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.broughtbluea

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.broughtbluea
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.broughtbluea

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
collection credential_access impact

Clipboard Data
T1414

Transmitted Data Manipulation
T1641.001

Processes:

com.broughtbluea

description ioc process

Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.broughtbluea
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Acquires the wake lock 1 IoCs

Processes:

com.broughtbluea

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.broughtbluea
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.broughtbluea

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.broughtbluea

description	ioc	process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.broughtbluea

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.broughtbluea

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.broughtbluea

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

Processes:

com.broughtbluea

ioc	process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.broughtbluea
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.broughtbluea
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.broughtbluea
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.broughtbluea

Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.broughtbluea

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.broughtbluea
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
collection credential_access

Access Notifications
T1517

Processes:

com.broughtbluea

description ioc process

Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.broughtbluea
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.broughtbluea

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.broughtbluea
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.broughtbluea

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.broughtbluea
Checks CPU information 2 TTPs 1 IoCs

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.broughtbluea

description ioc process

File opened for read /proc/cpuinfo com.broughtbluea
Checks memory information 2 TTPs 1 IoCs

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.broughtbluea

description ioc process

File opened for read /proc/meminfo com.broughtbluea

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.broughtbluea

description	ioc	process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.broughtbluea

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.broughtbluea

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.broughtbluea

description	ioc	process
File opened for read	/proc/cpuinfo	com.broughtbluea

description	ioc	process
File opened for read	/proc/meminfo	com.broughtbluea

com.broughtbluea
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4477

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.broughtbluea/cache/oat/pxcpq.cur.prof

Filesize
322B

MD5
5b1e686b3e663973a58834a808ad10ee

SHA1
dd54220caa4d250fbe6e43f437275a2fb3805cfd

SHA256
3deb2d8a2b3073ccbda163f7e14196021d7b059d3b37383fab8a6006c5e276e5

SHA512
6951b597dfd62efacd0bcf6dcd62b1e2b1c47de60e31e964493c9b808a020cb021570c70d8892fa09f8cc010ee44c33446e9a3f67f1a4476f8a713510699cb63

Download Submit
/data/user/0/com.broughtbluea/cache/pxcpq

Filesize
449KB

MD5
fb15ea8794c6547c5ca8f58577e433a6

SHA1
47c530ac1858cbc7584429190a07c3c4313857ac

SHA256
908588c8de2b52b69f30917583d91ac67f96c7682c017df3943d3979c9fc6095

SHA512
9cb724a385917e949052b84be546cd61a952474ee8671743034463b356de4c5bc60732b07287c326da65c4cced7f8c8247b348bbb5abb436c86fedbcb4da90c9

Download Submit
/data/user/0/com.broughtbluea/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/user/0/com.broughtbluea/kl.txt

Filesize
230B

MD5
fdbbc007d4ac33ecc6fa1cce9dfd6786

SHA1
3a783ed8ac1f1034007dc3ff9102478e5316fd18

SHA256
c4be245c232355ab85257916172aac27c2044ed063b24e901c8832a7fea56daf

SHA512
bcd68c532b4e5fc3e35c7b040e2a61f115b262c4ca1090edc6108b2e0940824ac70e2eba992412fc8fc3216916dace60e92f5c35aa1d923eab84811955d1b54a

Download Submit
/data/user/0/com.broughtbluea/kl.txt

Filesize
45B

MD5
d802324e86143bf58854b7918bf200fa

SHA1
f9b62c18347018d29db2851b2cea8126c87bf5bb

SHA256
d587cb4977659b791fcce4efc8546892cdac5d204cf474eb68b9de7b56507fac

SHA512
f5d71c4298feffff7ac4070ec5f3cdc882919b0f37454d3d3bced96b1554cfb813b5da160cd6778bb930ddb877575df4b775d92e1f9de86c7c36346b756c91af

Download Submit
/data/user/0/com.broughtbluea/kl.txt

Filesize
63B

MD5
82a63e2a3a7c2328d62eb9d39c54dd59

SHA1
19d7ea83fb89a06e7f23d4f5f919b22cb023a8bd

SHA256
a1229b2d0022e4e1314061b4fb2833faafa18502688a1b5822c23605f29f9b7f

SHA512
8dab3f8e5f84c123265bc1b7679b5259210bcec388ad2df474e1f40ce54c9620e4c5aafd78f6c9278f8f104b939403a15fb6d76314193e951df2e07f760a4007

Download Submit
/data/user/0/com.broughtbluea/kl.txt

Filesize
466B

MD5
5a21f58fab7131af5567c6ff8700fb9f

SHA1
a94260c1107979fd762c776939c666e36b646bb8

SHA256
0616284feeb23bb39e087e23ef28346c6d4e9154df701d1037cf4726f33cfcde

SHA512
f733b7655306582629e4f760c40dc770cfbbd1f65b54406b5755b1443922e258d1cbba87910869d9a05a5aadd9d15deeaf7a4223e2ce4e50add0b73573509bca

Download Submit