octo | 751e36d86f2f903206e38392a760387e091265118d39a256428cae4b312fb0cf

Resubmissions

30/09/2024, 09:53

240930-lwmy2stbje 10

23/09/2024, 16:05

240923-tjz2vasalk 10

Analysis

max time kernel
299s
max time network
307s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
30/09/2024, 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

751E36D86F2F903206E38392A760387E091265118D39A256428CAE4B312FB0CF.apk
Size

8.3MB
MD5

32c0bf4fcff08cc439754ed4e79d54f7
SHA1

77556c54dcca1995747d1ca58d4edaf5ea5aefb6
SHA256

751e36d86f2f903206e38392a760387e091265118d39a256428cae4b312fb0cf
SHA512

bd50ef51d75fe6d6f8f35e961668a9f2adb1ba1fc798cc4023a878d66cff3a97c843346928e31bacbc91e26aa00043d19c7064c1f5a226b7c6634bbd0400c93e
SSDEEP

98304:FhBlNYEzf6wj7KRspPDnQmkJZDb5iSRGZ2VK/G4JKJCkC:zBomfdj7KR0DQmkJJbr9UOqmpC

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://520865f8baa00f539e6958472424bae2.com

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/memory/4450-1.dex	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.dcell_volume42/app_that/ljuwim.json	4450	com.dcell_volume42
/data/user/0/com.dcell_volume42/[email protected]	4450	com.dcell_volume42

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.dcell_volume42
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.dcell_volume42

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.dcell_volume42

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.dcell_volume42

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.dcell_volume42

Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.dcell_volume42

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.dcell_volume42

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.dcell_volume42

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.dcell_volume42

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.dcell_volume42

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.dcell_volume42

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.dcell_volume42

com.dcell_volume42
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests enabling of the accessibility settings.
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4450

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.dcell_volume42/.global.com.dcell_volume42

Filesize
48B

MD5
046a414913add6f5bb60072c7db819b6

SHA1
451ee4f6809260aec622d772fd329c7d0297a842

SHA256
b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

SHA512
4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Download Submit
/data/data/com.dcell_volume42/app_that/ljuwim.json

Filesize
1012B

MD5
32095d309c495c91e88e334739ed2ce4

SHA1
f50a573cd48612fe56fd03dc84c8473ba56ee3ca

SHA256
fb09025c513eeb9dc57e51e9b068d5ad83c9ea6963fa24bacfd3b5b263a679fc

SHA512
a4c2e21d0dda6bd058a1eba38fa3ab6ac13a65498250ba8f8408a3f398963bd92739076be1a42ba956481b63f93d73d62271bb03b70e6edb4903a2f42b9fe54c

Download Submit
/data/data/com.dcell_volume42/app_that/ljuwim.json

Filesize
1012B

MD5
f468a01c5add684e9b7780a2f11c569a

SHA1
d4172c518cc9883ae92fd5bcc3999f72f31eef7a

SHA256
6859893e71ab36c05e5709e0d5134e224055b818d88fa4257c521bf3e4d8ff2f

SHA512
6c11f27852de2ddec3df66709ff50f637da7f8e2b0817f31caede3d32cbd3709525d5490febbc3f207589bb93f8074bab6f76b09fcfb40b4e3bf1891f759fef0

Download Submit
/data/data/com.dcell_volume42/files/.p

Filesize
322KB

MD5
77dc50489b9323274732d27dc8a4e803

SHA1
0e02a3595b62489d0739d771881da8604d117c65

SHA256
c5684e792d1ebefea6aac09fed45911703fd58c899f8a08133d49dd91429a820

SHA512
0684a92f3e9c525384cfa53f531afba61e5930e1c27032a7e27e3315f72761b62e122dc34768d8162ba08f9bed53d148aa8dc034b46456bdd211f230637eba58

Download Submit
/data/data/com.dcell_volume42/oat/x86_64/[email protected]

Filesize
473B

MD5
6c2b2b76ae78be1b8b4dc42e850373df

SHA1
4002119c04f6a816aa3797c7fbc588f4ca4dcd2b

SHA256
8f58599340968a14690e3494afae447d6ef9cfe70ef79c901e780427cc4cf05d

SHA512
61e1a1baaed151b6afc47a1647641e6adf9e6949ed61ffb8909d034dce6df1203db9792e8da21498b082c7d7fb2176bf1e0be42db3ad47640f361930cb4155b8

Download Submit
/data/user/0/com.dcell_volume42/[email protected]

Filesize
525KB

MD5
87579306477288e8bdfda7c30138ace0

SHA1
f1d51485f9f95c57ff362ef7d2afcb333cbd1b31

SHA256
fb1be6ea55e2744d049b7c5bde71314b51e0926e859b64ad0dd4d2990e4bc7c7

SHA512
27347feb6274d1707d925599d72106a9e5ac1e62725b97df8f692b9d4aada2cdc0577136fab07d5607ad4f972dbbca3a3f4d748eeed39c97a2cfafefce6f9bdb

Download Submit
/data/user/0/com.dcell_volume42/app_that/ljuwim.json

Filesize
1KB

MD5
009e24530882f2f739ff7d772d1cb240

SHA1
cb2cb8a5a92b7d63306eb2d00bc01bef68fd9da6

SHA256
62b6d21b8c914a006ff007aeb817304693488549bf74cb90a57e930b09f45917

SHA512
7c06e2f65122c3f453d7a3d68345d28b7c1c6c3e0ab102f3fa05d7f9a52c9a7f08b4710ff65e5f13fe98fc37a3aa988d6edddaadb78feea4ac056d90a3e838fe

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads