octo | 9bf9b54ff34459ea77c1d3c849de9bc557b40c9a13ac9e20254eaf1569ceb05e

Resubmissions

06-08-2024 07:44

240806-jkt7watclj 10

05-08-2024 06:12

240805-gx86fssfmf 6

05-08-2024 05:57

240805-gnvlpsycrj 6

01-08-2024 10:08

240801-l571ksvfrr 6

Analysis

max time kernel
329s
max time network
332s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
06-08-2024 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

E-IFADE-VATANDAS.apk
Size

1.1MB
MD5

bc5dc768e5d005ff2b8e0ecdb84fe048
SHA1

cf87b335e4b086f03dfa9e5d8e129844584b7601
SHA256

9bf9b54ff34459ea77c1d3c849de9bc557b40c9a13ac9e20254eaf1569ceb05e
SHA512

5e23581beb23eafb9690ca58045271dddc68fab72af4b34ec6c41bdfbcab15b04fc0abd9977f93bd7cdcffe5ac606cd9bc9d82b3dcd47d210c7615619746efa9
SSDEEP

24576:l6m2oE2rOjocdTq1P5KnU2UdHD9aIWzeNZHhO6G24+fZfjHo2qnO:dE2r9cdTq1PiU5D9aIW6lO6G24+fZLIU

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://104.248.139.201/MDAyNTg1MTVhMTA3/

rc4.plain

Extracted

Family

octo

https://104.248.139.201/MDAyNTg1MTVhMTA3/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

resource	yara_rule
behavioral4/files/fstream-1.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4314	com.beginhigh19

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.beginhigh19/cache/nhsqwzy	4314	com.beginhigh19
/data/user/0/com.beginhigh19/cache/nhsqwzy	4314	com.beginhigh19

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.beginhigh19
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.beginhigh19

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.beginhigh19

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.beginhigh19

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.beginhigh19
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.beginhigh19
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.beginhigh19

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.beginhigh19

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.beginhigh19

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.beginhigh19

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.beginhigh19

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.beginhigh19

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.beginhigh19

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.beginhigh19

com.beginhigh19
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4314

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.beginhigh19/cache/nhsqwzy

Filesize
448KB

MD5
0e61a147862f80d05f98cca723e6121a

SHA1
bd2e9c5ad3fb953e2ff2935df27128d9b39b7214

SHA256
5fec3818bed5c62b8b417893eef7cf47254e4ec81193e670bb9a601df2850213

SHA512
782bd75b66bd229e89e07b939c38ff7e96a423cc957703643a3b761e81f9dd26f52038ed3bb7475663fd77b838a5d53588fc62937111aba4aaaad94800edce20

Download Submit
/data/data/com.beginhigh19/cache/oat/nhsqwzy.cur.prof

Filesize
460B

MD5
3f17e680c59033d3a0c4d6c34f4ffc84

SHA1
71938569b6e0861323bca6f9bd82473b60ae1a37

SHA256
f2c54eb2a8636a1d125c7ebe9971175e567b4bbdb60e44c3864f60f3cce42b4a

SHA512
1409be4a0978adc9449bdcf52baaacd94bd3c665c1e9791832cca0ab734c27ff5af3df75e7a03ca090d0c3571881c8ce1f7968dc17451c8e90e7f4673f4ea2ff

Download Submit
/data/data/com.beginhigh19/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.beginhigh19/kl.txt

Filesize
230B

MD5
b246002e07a2b49b7b87868cd1168492

SHA1
4e4b1c9cde03f420d9a263c309aa5b85b5bfe2fd

SHA256
5e7b02b64b80209e592057baa23195dc9ab5cf47eb4f6c6527e8f6c8413f4114

SHA512
f6eca643a48c24a612741315cc7363f8741b3de0f012f9e5031afc0f0f80345626e05b6c5b587a7c2a58e5ab6c66d683deec5e9d22267636537d3cf7f6951f04

Download Submit
/data/data/com.beginhigh19/kl.txt

Filesize
63B

MD5
bc9778a18b1bf532149956d6d98a69f5

SHA1
51b71d96cca9cf6f8eb26798ad354875e121d6d0

SHA256
63ac5006acbdd7025554b34efd105cd5ac5784ad96bc2a6d6f7409be82c9e8c1

SHA512
e3e105b8aa93e6016e39dd32392965901eeb70e3752825fbaf108dad5b481aa9b3b400df492bddcdd65bd6a75efaeab3906e27abafe49206e25d8477511ab169

Download Submit
/data/data/com.beginhigh19/kl.txt

Filesize
54B

MD5
7002711da3616a8cf909bbda8f000bda

SHA1
c636c1abf0a3439009327a10ef5a94af25a795b9

SHA256
86fa850086470462f20b50980ea81a86192bd84efc9da62aadd813818b9a0058

SHA512
86fffb8a5fe8de58fd3457a79f1238276a46a7badbd49a9e019eb96966046f3857cddc9da31b31592961185668e2ef248c4c4633a314abe8be15c9dc9774a01f

Download Submit
/data/data/com.beginhigh19/kl.txt

Filesize
423B

MD5
ffec97051bef959036626242d00e2fbb

SHA1
69b3124a812b24b528b4642e6132d6070ce50bc4

SHA256
20aa1275f4b6093c7a984c5d4beda37375d08439adab5ae5b5aa577b9d641e84

SHA512
63717eeb88926a69ee51a7670a6782707414db6c22c25d5138bca4534ae3d5bb2d70defc75bdf1da7037e3a12d348ff652de842612eae58fcfabc1e7c47c565d

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads