octo | b38019f9e80c2166a4e09eed0cd15bad651263f0ff3ea26199a08896ffd8e1fc

Resubmissions

05-08-2024 12:08

240805-pa55aavhjp 10

02-08-2024 15:48

03-01-2024 17:25

24-12-2023 19:17

14-12-2023 08:27

03-11-2023 03:07

01-11-2023 22:00

Analysis

max time kernel
329s
max time network
337s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
submitted
05-08-2024 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b38019f9e80c2166a4e09eed0cd15bad651263f0ff3ea26199a08896ffd8e1fc.apk
Size

509KB
MD5

60609814e43a1c814b30435f15d361ed
SHA1

61431ed485c98b8a291e289a7e17e8d3e6db3660
SHA256

b38019f9e80c2166a4e09eed0cd15bad651263f0ff3ea26199a08896ffd8e1fc
SHA512

8efba5603fd4217b9c9c96e28a69f9f262568f76d43fd959d6914694808488f089f01fa92e2d04f44d5aa0859efcfb34fb080dc7b3a49502469598ab90a662fe
SSDEEP

12288:KwGWfjEhy4pNodk6TZFo9nheT5BQ4YvnAu:KnWf0y4GNIsmRvnAu

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://84.54.50.100/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass2.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass3.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass4.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass5.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass6.net/Njk4Zjk4YjdjODY3/

rc4.plain

Extracted

Family

octo

https://84.54.50.100/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass2.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass3.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass4.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass5.net/Njk4Zjk4YjdjODY3/

https://pakuxxxnatationclass6.net/Njk4Zjk4YjdjODY3/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

resource	yara_rule
behavioral3/files/fstream-1.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.broughtbluea/cache/pxcpq	4317	com.broughtbluea

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.broughtbluea
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.broughtbluea
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.broughtbluea

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.broughtbluea

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.broughtbluea

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.broughtbluea

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.broughtbluea
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.broughtbluea
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.broughtbluea

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.broughtbluea

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.broughtbluea

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.broughtbluea

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.broughtbluea

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.broughtbluea

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.broughtbluea

com.broughtbluea
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4317

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.broughtbluea/cache/oat/pxcpq.cur.prof

Filesize
390B

MD5
4d4dd6b66f26c687a4742214238dbf99

SHA1
a5ea5e3dd8f4c7f862cf3cc355a5dc1c72204d50

SHA256
d8f915450229bbe7a978d6eb68b2a84dbe2d93333e287e3f7f773e48f7781253

SHA512
f36330c0c465d703c4cd2e6c56258643f8afd3cdf96517ed760b86eddf15817cbb66649ba48d4bc2249030542fffb3294fb121deb8e3995d7a7c7c8681c70271

Download Submit
/data/user/0/com.broughtbluea/cache/oat/pxcpq.cur.prof

Filesize
403B

MD5
d219a7de9b85244b092aa365d26e9098

SHA1
d9cba6e50d02825e5d36caa51160d79d0ff7d3f6

SHA256
76fa358159a6c590146b7fcbf5407af778e5ed8585be294daac8844680e1f0f5

SHA512
0cc272030f972f410fd47debc14debd5d5e040d7a545722429c67937025a48fb84b3886f4361221d49d1a3140eb31f77e34248bed1b6d4976f90bcb2127b30c3

Download Submit
/data/user/0/com.broughtbluea/cache/pxcpq

Filesize
449KB

MD5
fb15ea8794c6547c5ca8f58577e433a6

SHA1
47c530ac1858cbc7584429190a07c3c4313857ac

SHA256
908588c8de2b52b69f30917583d91ac67f96c7682c017df3943d3979c9fc6095

SHA512
9cb724a385917e949052b84be546cd61a952474ee8671743034463b356de4c5bc60732b07287c326da65c4cced7f8c8247b348bbb5abb436c86fedbcb4da90c9

Download Submit
/data/user/0/com.broughtbluea/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/user/0/com.broughtbluea/kl.txt

Filesize
214B

MD5
575b0a98386b8a166118c76f0c49f395

SHA1
fd379f72012526c72185208773bcc23674b0b8ab

SHA256
315c73098468ecf7c312a7f415be8a8101f826d51c0306ebb435bda979b680f8

SHA512
eefaa3eb3779db5ff701a92ec842367ec56ab1e2aee3dd4f8e44b3e903ebe50c521cfdc93aec6c2e943a92a74c48fb9e3ff8baa7138f136aae28ff15855e6ca9

Download Submit
/data/user/0/com.broughtbluea/kl.txt

Filesize
60B

MD5
a550bd6272382b9cd12c85fafbf648fc

SHA1
1df135f3d55a122c3e5197c9edab1920d3f36dbe

SHA256
932ff842792eeded31314d6f78bbc5dc4ba66b7ee75d4409865d001004885f10

SHA512
af2e0754f7cd982b43ef4542e5174ff5dfdeed76462fa47f7981b202b67b64a575cff4b8ec73c87fdef7fd9fbd34aa0d8f900798329276f8aa67794928f4ac93

Download Submit
/data/user/0/com.broughtbluea/kl.txt

Filesize
68B

MD5
ba093bb1a5bd70927facc649e7d5349a

SHA1
ea2f6c5aa58d4492b996fe1fba16f5d88ea6d788

SHA256
bbba3389e2259092073032d77d2de4280fb79abe04a472da39ea7103bc5bed91

SHA512
59b702fc26549ce0a907f0a282aa56ccc764ce65b04681e08ab358d9138c5c8108441b0a504f2bb0f89f1214a2090fce45c6839a4281916efbf5246a3fd7fab0

Download Submit
/data/user/0/com.broughtbluea/kl.txt

Filesize
76B

MD5
fa72d1d6fa25d234b0a56654c60874e0

SHA1
f89983c0d96113ca7a97579deca2c684d5b56b6d

SHA256
2a3d830fa9d9d733fc338dcd10f94ee783f3fd7cbd0c2a889afbe599db35353b

SHA512
45dc73762b447c7068de95eb07572771bdced85b12da6696f8747e26cba41195865e55147259eba15f339e5626c6d6a3091d7f29182471b690f39f9f55d57ac6

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads