octo | b38019f9e80c2166a4e09eed0cd15bad651263f0ff3ea26199a08896ffd8e1fc

Resubmissions

05-08-2024 12:08

240805-pa55aavhjp 10

02-08-2024 15:48

03-01-2024 17:25

24-12-2023 19:17

14-12-2023 08:27

03-11-2023 03:07

01-11-2023 22:00

Analysis

max time kernel
329s
max time network
334s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
02-08-2024 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b38019f9e80c2166a4e09eed0cd15bad651263f0ff3ea26199a08896ffd8e1fc.apk
Size

509KB
MD5

60609814e43a1c814b30435f15d361ed
SHA1

61431ed485c98b8a291e289a7e17e8d3e6db3660
SHA256

b38019f9e80c2166a4e09eed0cd15bad651263f0ff3ea26199a08896ffd8e1fc
SHA512

8efba5603fd4217b9c9c96e28a69f9f262568f76d43fd959d6914694808488f089f01fa92e2d04f44d5aa0859efcfb34fb080dc7b3a49502469598ab90a662fe
SSDEEP

12288:KwGWfjEhy4pNodk6TZFo9nheT5BQ4YvnAu:KnWf0y4GNIsmRvnAu

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://84.54.50.100/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass2.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass3.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass4.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass5.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass6.net/Njk4Zjk4YjdjODY3/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

Processes:

resource	yara_rule
/data/data/com.broughtbluea/cache/pxcpq	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

com.broughtbluea

pid process

4317 com.broughtbluea
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
evasion

Download New Code at Runtime
T1407

Processes:

com.broughtbluea

ioc pid process

/data/user/0/com.broughtbluea/cache/pxcpq 4317 com.broughtbluea
/data/user/0/com.broughtbluea/cache/pxcpq 4317 com.broughtbluea

pid	process
4317	com.broughtbluea

ioc	pid	process
/data/user/0/com.broughtbluea/cache/pxcpq	4317	com.broughtbluea
/data/user/0/com.broughtbluea/cache/pxcpq	4317	com.broughtbluea

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.broughtbluea

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.broughtbluea
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.broughtbluea

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Acquires the wake lock 1 IoCs

Processes:

com.broughtbluea

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.broughtbluea
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.broughtbluea

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.broughtbluea

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.broughtbluea

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.broughtbluea

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

Processes:

com.broughtbluea

ioc	process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.broughtbluea
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.broughtbluea
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.broughtbluea

Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.broughtbluea

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.broughtbluea
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
collection credential_access

Access Notifications
T1517

Processes:

com.broughtbluea

description ioc process

Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.broughtbluea
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.broughtbluea

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.broughtbluea
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.broughtbluea

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.broughtbluea
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.broughtbluea

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.broughtbluea
Checks CPU information 2 TTPs 1 IoCs

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.broughtbluea

description ioc process

File opened for read /proc/cpuinfo com.broughtbluea
Checks memory information 2 TTPs 1 IoCs

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.broughtbluea

description ioc process

File opened for read /proc/meminfo com.broughtbluea

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.broughtbluea

description	ioc	process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.broughtbluea

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.broughtbluea

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.broughtbluea

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.broughtbluea

description	ioc	process
File opened for read	/proc/cpuinfo	com.broughtbluea

description	ioc	process
File opened for read	/proc/meminfo	com.broughtbluea

com.broughtbluea
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4317

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.broughtbluea/cache/oat/pxcpq.cur.prof

Filesize
463B

MD5
fc86d0221570cb0157f92c4727902b23

SHA1
1d46b2700a14d2700f018c2d3f9eee2c7fc0152f

SHA256
a6b39a5f8b140a252d1dae9cd658efb56ea663049df5a685e5aa5db21d5a35dc

SHA512
4b3a6bd2fb56839c9c782f269e385a3f02445dd1cc3eaa5ad70140274e2299b746c757d381ac0efdbaf4c2d996618dc98059f6b0cbf85c2011119cdbab2ce6bd

Download Submit
/data/data/com.broughtbluea/cache/oat/pxcpq.cur.prof

Filesize
491B

MD5
d036ff031b71a936c11d0416ab65566b

SHA1
babf08b7ec0f31776b0fd3a9f5ff0b5778802ae7

SHA256
512df5ea038216c33499ffca8dd12b2e09e3a3158467a2541798588e4424fcad

SHA512
b655fbc2004c352a3d5140cf3a0bda446f572b1ffced3eff09487c5b75dde3ff4c4f090a4b678e7998e2c685df1bd9965c30330aaa8f73c8b1525be0debe4961

Download Submit
/data/data/com.broughtbluea/cache/pxcpq

Filesize
449KB

MD5
fb15ea8794c6547c5ca8f58577e433a6

SHA1
47c530ac1858cbc7584429190a07c3c4313857ac

SHA256
908588c8de2b52b69f30917583d91ac67f96c7682c017df3943d3979c9fc6095

SHA512
9cb724a385917e949052b84be546cd61a952474ee8671743034463b356de4c5bc60732b07287c326da65c4cced7f8c8247b348bbb5abb436c86fedbcb4da90c9

Download Submit
/data/data/com.broughtbluea/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.broughtbluea/kl.txt

Filesize
230B

MD5
a83ecdb86deadd47e92368814b07c944

SHA1
8e327b10a097a9a26bb6c892a73ca55e34fa3838

SHA256
6984bb6286a63a5c0385c5ddda1a3e59058374c25676abf7a77ed71f69b121a1

SHA512
3238fd9878c4fac61bfbe17a4650a5fa7270e7b2ffb850b5c2102335671459a0837903d89673d382dce715ea07e8524c4de00a664612fad973839d26f8fbbf84

Download Submit
/data/data/com.broughtbluea/kl.txt

Filesize
63B

MD5
13940fdda24b04dcaffe3563ba37ca8a

SHA1
6d93252a2c49a2a60915004d64fac944aa470cdd

SHA256
64581b00e369d22d1cb1a1738d77a84bd4584128a20d2a2357d991f37ad15abc

SHA512
5449467d2ad040fdef46d74e65f0fc0551435f9d29ba7677054af576c64c298616d04ed2d7b1922d1aeabd6019df89ca45022151e98f3c56afc266b98ec2fc90

Download Submit
/data/data/com.broughtbluea/kl.txt

Filesize
54B

MD5
e392c24da3880b1b871597ca46bec577

SHA1
c38e7a6725df93dbd44093c092b77633601d4bbe

SHA256
3ac76dfeb9f648a56309b0aba02f79e148f1ca7a98aabbbbc0e1b5e20b3e0946

SHA512
f194ecda02d4bf17e25284980cfa6a8306d9ff020c145de8a12d83598a7123c219a6c8c372408a24de44b57bf35632f65cc946eb22d09dc0c6616f0827e0ce4b

Download Submit
/data/data/com.broughtbluea/kl.txt

Filesize
423B

MD5
34c2e15578f43af04fd1d037d8f00a54

SHA1
6c854ac92bd6e80101f8fdba7f1302cb022040e0

SHA256
ab41a82cb9fdf404bbb9773382e5e8fed639d26ac25079001ac17985c4705d7d

SHA512
02547d164549ad0d8e45c636a5c61400341fa9515967f9371ba9a22ac7e1cd67563a7185e848b83af89c89820bbbf8bd1c1fbd841a6e62d82b0e39b8ca8ca3eb

Download Submit