Resubmissions
05-08-2024 12:08
240805-pa55aavhjp 1002-08-2024 15:48
240802-s893nszfkj 1003-01-2024 17:25
240103-vzshdabae6 1024-12-2023 19:17
231224-xznwasbhh7 614-12-2023 08:27
231214-kclffacdhn 1003-11-2023 03:07
231103-dmbwesbb4s 1001-11-2023 22:00
231101-1wx7cadf5y 10Analysis
-
max time kernel
329s -
max time network
337s -
platform
android_x64 -
resource
android-33-x64-arm64-20240624-en -
resource tags
androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system -
submitted
05-08-2024 12:08
Static task
static1
Behavioral task
behavioral1
Sample
b38019f9e80c2166a4e09eed0cd15bad651263f0ff3ea26199a08896ffd8e1fc.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral2
Sample
b38019f9e80c2166a4e09eed0cd15bad651263f0ff3ea26199a08896ffd8e1fc.apk
Resource
android-x64-arm64-20240624-en
Behavioral task
behavioral3
Sample
b38019f9e80c2166a4e09eed0cd15bad651263f0ff3ea26199a08896ffd8e1fc.apk
Resource
android-33-x64-arm64-20240624-en
Behavioral task
behavioral4
Sample
b38019f9e80c2166a4e09eed0cd15bad651263f0ff3ea26199a08896ffd8e1fc.apk
Resource
android-x86-arm-20240624-en
General
-
Target
b38019f9e80c2166a4e09eed0cd15bad651263f0ff3ea26199a08896ffd8e1fc.apk
-
Size
509KB
-
MD5
60609814e43a1c814b30435f15d361ed
-
SHA1
61431ed485c98b8a291e289a7e17e8d3e6db3660
-
SHA256
b38019f9e80c2166a4e09eed0cd15bad651263f0ff3ea26199a08896ffd8e1fc
-
SHA512
8efba5603fd4217b9c9c96e28a69f9f262568f76d43fd959d6914694808488f089f01fa92e2d04f44d5aa0859efcfb34fb080dc7b3a49502469598ab90a662fe
-
SSDEEP
12288:KwGWfjEhy4pNodk6TZFo9nheT5BQ4YvnAu:KnWf0y4GNIsmRvnAu
Malware Config
Extracted
octo
https://84.54.50.100/Njk4Zjk4YjdjODY3/
https://pakuxxxnatationclass.net/Njk4Zjk4YjdjODY3/
https://pakuxxxnatationclass2.net/Njk4Zjk4YjdjODY3/
https://pakuxxxnatationclass3.net/Njk4Zjk4YjdjODY3/
https://pakuxxxnatationclass4.net/Njk4Zjk4YjdjODY3/
https://pakuxxxnatationclass5.net/Njk4Zjk4YjdjODY3/
https://pakuxxxnatationclass6.net/Njk4Zjk4YjdjODY3/
Extracted
octo
https://84.54.50.100/Njk4Zjk4YjdjODY3/
https://pakuxxxnatationclass.net/Njk4Zjk4YjdjODY3/
https://pakuxxxnatationclass2.net/Njk4Zjk4YjdjODY3/
https://pakuxxxnatationclass3.net/Njk4Zjk4YjdjODY3/
https://pakuxxxnatationclass4.net/Njk4Zjk4YjdjODY3/
https://pakuxxxnatationclass5.net/Njk4Zjk4YjdjODY3/
https://pakuxxxnatationclass6.net/Njk4Zjk4YjdjODY3/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
resource yara_rule behavioral3/files/fstream-1.dat family_octo -
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.broughtbluea/cache/pxcpq 4317 com.broughtbluea -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.broughtbluea Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.broughtbluea Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.broughtbluea -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description ioc Process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.broughtbluea -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.broughtbluea -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.broughtbluea -
Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.broughtbluea android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.broughtbluea android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.broughtbluea -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.broughtbluea -
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.broughtbluea -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.broughtbluea -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.broughtbluea -
Checks CPU information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/cpuinfo com.broughtbluea -
Checks memory information 2 TTPs 1 IoCs
description ioc Process File opened for read /proc/meminfo com.broughtbluea
Processes
-
com.broughtbluea1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4317
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Access Notifications
1Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
390B
MD54d4dd6b66f26c687a4742214238dbf99
SHA1a5ea5e3dd8f4c7f862cf3cc355a5dc1c72204d50
SHA256d8f915450229bbe7a978d6eb68b2a84dbe2d93333e287e3f7f773e48f7781253
SHA512f36330c0c465d703c4cd2e6c56258643f8afd3cdf96517ed760b86eddf15817cbb66649ba48d4bc2249030542fffb3294fb121deb8e3995d7a7c7c8681c70271
-
Filesize
403B
MD5d219a7de9b85244b092aa365d26e9098
SHA1d9cba6e50d02825e5d36caa51160d79d0ff7d3f6
SHA25676fa358159a6c590146b7fcbf5407af778e5ed8585be294daac8844680e1f0f5
SHA5120cc272030f972f410fd47debc14debd5d5e040d7a545722429c67937025a48fb84b3886f4361221d49d1a3140eb31f77e34248bed1b6d4976f90bcb2127b30c3
-
Filesize
449KB
MD5fb15ea8794c6547c5ca8f58577e433a6
SHA147c530ac1858cbc7584429190a07c3c4313857ac
SHA256908588c8de2b52b69f30917583d91ac67f96c7682c017df3943d3979c9fc6095
SHA5129cb724a385917e949052b84be546cd61a952474ee8671743034463b356de4c5bc60732b07287c326da65c4cced7f8c8247b348bbb5abb436c86fedbcb4da90c9
-
Filesize
28B
MD56311c3fd15588bb5c126e6c28ff5fffe
SHA1ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA2568b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA5122975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6
-
Filesize
214B
MD5575b0a98386b8a166118c76f0c49f395
SHA1fd379f72012526c72185208773bcc23674b0b8ab
SHA256315c73098468ecf7c312a7f415be8a8101f826d51c0306ebb435bda979b680f8
SHA512eefaa3eb3779db5ff701a92ec842367ec56ab1e2aee3dd4f8e44b3e903ebe50c521cfdc93aec6c2e943a92a74c48fb9e3ff8baa7138f136aae28ff15855e6ca9
-
Filesize
60B
MD5a550bd6272382b9cd12c85fafbf648fc
SHA11df135f3d55a122c3e5197c9edab1920d3f36dbe
SHA256932ff842792eeded31314d6f78bbc5dc4ba66b7ee75d4409865d001004885f10
SHA512af2e0754f7cd982b43ef4542e5174ff5dfdeed76462fa47f7981b202b67b64a575cff4b8ec73c87fdef7fd9fbd34aa0d8f900798329276f8aa67794928f4ac93
-
Filesize
68B
MD5ba093bb1a5bd70927facc649e7d5349a
SHA1ea2f6c5aa58d4492b996fe1fba16f5d88ea6d788
SHA256bbba3389e2259092073032d77d2de4280fb79abe04a472da39ea7103bc5bed91
SHA51259b702fc26549ce0a907f0a282aa56ccc764ce65b04681e08ab358d9138c5c8108441b0a504f2bb0f89f1214a2090fce45c6839a4281916efbf5246a3fd7fab0
-
Filesize
76B
MD5fa72d1d6fa25d234b0a56654c60874e0
SHA1f89983c0d96113ca7a97579deca2c684d5b56b6d
SHA2562a3d830fa9d9d733fc338dcd10f94ee783f3fd7cbd0c2a889afbe599db35353b
SHA51245dc73762b447c7068de95eb07572771bdced85b12da6696f8747e26cba41195865e55147259eba15f339e5626c6d6a3091d7f29182471b690f39f9f55d57ac6