octo | 7ecdb7004bd1d790bb2d5ed69bcf8182c1960e9d3734fbfb1e49b92bc378b64c

Analysis

max time kernel
149s
max time network
153s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
02-10-2024 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ecdb7004bd1d790bb2d5ed69bcf8182c1960e9d3734fbfb1e49b92bc378b64c.apk
Size

527KB
MD5

ab881e9d2a42c64a8cbbe8c35d48d9d5
SHA1

02b0d0a0ce16aee06234ebeae9cc03b48f963510
SHA256

7ecdb7004bd1d790bb2d5ed69bcf8182c1960e9d3734fbfb1e49b92bc378b64c
SHA512

288dd27f92f7f4ab1e1aaf8bb64f2ccb0611a260e9a50a6d3a10c78992e808b58f56db54b17f3c4a96ac92785243f6b0101194b867ba98f7e2dfa2f890248a72
SSDEEP

12288:25vbveLiLsE8FDSUzpTXL9B7GwD4668QeFwcMP20J32AK:EbveLiOFmCpTpB79DR6B6MrK

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://2fdghhoo11.top/doc/

https://3fdghhoo11.top/doc/

https://4fdghhoo11.top/doc/

https://5fdghhoo11.top/doc/

https://6fdghhoo11.top/doc/

https://7fdghhoo11.top/doc/

https://8fdghhoo11.top/doc/

https://9fdghhoo11.top/doc/

https://10fdghhoo11.top/doc/

https://11fdghhoo11.top/doc/

https://12fdghhoo11.top/doc/

https://13fdghhoo11.top/doc/

https://14fdghhoo11.top/doc/

https://15fdghhoo11.top/doc/

https://16fdghhoo11.top/doc/

https://17fdghhoo11.top/doc/

https://18fdghhoo11.top/doc/

https://19fdghhoo11.top/doc/

https://20fdghhoo11.top/doc/

https://21fdghhoo11.top/doc/

rc4.plain

Extracted

Family

octo

https://2fdghhoo11.top/doc/

https://3fdghhoo11.top/doc/

https://4fdghhoo11.top/doc/

https://5fdghhoo11.top/doc/

https://6fdghhoo11.top/doc/

https://7fdghhoo11.top/doc/

https://8fdghhoo11.top/doc/

https://9fdghhoo11.top/doc/

https://10fdghhoo11.top/doc/

https://11fdghhoo11.top/doc/

https://12fdghhoo11.top/doc/

https://13fdghhoo11.top/doc/

https://14fdghhoo11.top/doc/

https://15fdghhoo11.top/doc/

https://16fdghhoo11.top/doc/

https://17fdghhoo11.top/doc/

https://18fdghhoo11.top/doc/

https://19fdghhoo11.top/doc/

https://20fdghhoo11.top/doc/

https://21fdghhoo11.top/doc/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4348	com.sizehim0

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.sizehim0/cache/kdaifgdlrqcp	4348	com.sizehim0
/data/user/0/com.sizehim0/cache/kdaifgdlrqcp	4348	com.sizehim0

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.sizehim0

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.sizehim0

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.sizehim0

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.sizehim0
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.sizehim0

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.sizehim0

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.sizehim0

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.sizehim0

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.sizehim0

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.sizehim0

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.sizehim0

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.sizehim0

com.sizehim0
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4348

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.sizehim0/cache/kdaifgdlrqcp

Filesize
448KB

MD5
21500139719df86474d609909e6ff961

SHA1
bb9fcafae51873d46743a00f40a6b36468fca33e

SHA256
eb79f712951ab351c690c4340d6f88363a8be80a3ee4cc8d12f9bba271f9b448

SHA512
54c626bb0713b0052f8d2a0eda9b5a184a292f1d20ccf6e938895b72f2b9af2f467b13fef0235a34225f59d3b886a1ad845ec744863ecf14e332522c432acfa2

Download Submit
/data/data/com.sizehim0/cache/oat/kdaifgdlrqcp.cur.prof

Filesize
487B

MD5
5a25d02bf61d4deb1237ae30ca76d788

SHA1
9a96a231e4592fef42b6f553739f13497980a93f

SHA256
c47baa99cb65dcb03ea562a9c8b8ffabf6c7fdbd89112dc3c357f12f7b7644d3

SHA512
a72f56ce1253c917b460e2e71db180730051de90fd54fd5719958e90571811740b9dd3869b6c160d0e2ae9963938df1b4d0c3b8dc8f4c17c7efbfdd5e71f8e5a

Download Submit
/data/data/com.sizehim0/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.sizehim0/kl.txt

Filesize
63B

MD5
401c71b39918a379161b165e1bbbcdb1

SHA1
3f3f05d2ca2b7478e4baa9db6e8466b733963b31

SHA256
4c3807d1b50ea78d1d0e4e890272180111d5528a9b6fe6f15164a62d8ff655ba

SHA512
8c2462a9efa0c9667876d2ae50bf496eba87706c740a2ad31a7b7db7380cf2559a23a276108422e00f6bf4c6ac4c2469172b1b2d36658469dd5d429e87f7719a

Download Submit
/data/data/com.sizehim0/kl.txt

Filesize
54B

MD5
f4c652199bcfe12b0c7a95e58b74075b

SHA1
71cf1ee9720c0f286d435578bb3b997e72f94164

SHA256
ef50ce64eb11b0d7b80f6a18c3f5521a1549d3699debf58bb4f25fcb1b919c86

SHA512
23f7543fcfeddd106ce07056bb53503a4b947eb50dd1075aa5bb7009859aee5c86a284df920ba20cd78ba917bae3be5a4988f99149c93d2f24833b7e33a70c78

Download Submit
/data/data/com.sizehim0/kl.txt

Filesize
63B

MD5
774b3d5be6e4565ad547e2c2b2504244

SHA1
7d9911511f30d7f1ff039ec6187359c49c7cf4f2

SHA256
2c4885f7e10bcffe73a25c461ee01ee8663dcf552d508c16cfc9e1391d7ea69c

SHA512
5810bc5b3ebfefd1fee4758b0826738011b589e251c933297345c33a7c584525e3b3e560aba62a231e322b9f1789d724328e0240afd2836c3a98a4983f3bbdde

Download Submit
/data/data/com.sizehim0/kl.txt

Filesize
433B

MD5
f5e08bca8474ab769adca2c495333a26

SHA1
e2266ab6d7c00c00b261ba822ab02558ec2e117f

SHA256
b83761c920d849b50a3d5fd3d317cfdb6b4bb033db339ead8f86b56fb4e7b503

SHA512
1b2e32c4185c91603a75b14b3a4fae1def719caa303fc45bb9f627b7cc4781240499017ceb9411157ad526b741aed82157b6fffe1394ae5b64c17b7544d4bd87

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads