octo | a18968ad0a59325f5dfe4e12fb964fc19bd823a4d32ff653e1f8cdb9fb500f05

Analysis

max time kernel
149s
max time network
152s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
09-10-2024 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a18968ad0a59325f5dfe4e12fb964fc19bd823a4d32ff653e1f8cdb9fb500f05.apk
Size

509KB
MD5

536df62c65fc30707b94d6c640426a32
SHA1

87b456dc71f89542ff7b785283e2a37ad2288095
SHA256

a18968ad0a59325f5dfe4e12fb964fc19bd823a4d32ff653e1f8cdb9fb500f05
SHA512

39774903d7bfe921ae900f189a837dedf4a36e9a2066c481f45e9b126a79e31fd874d1bef787b6115deb8d05d83279917b93d65a7ebaf5b04f4feb8de9bb5cae
SSDEEP

12288:Qgdj16q0TGnpkrEQKgB/aLKtCWO/L7vmWoBnD:B1wGp2EqB/aLKId/LSnD

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://guvenilirislemler.com.tr/NGNkNTc3MjllZTM1/

https://guvenilirshopislemler.com.tr/NGNkNTc3MjllZTM1/

https://guvenilirislemlershop.com.tr/NGNkNTc3MjllZTM1/

https://guvenilirmarketingislemler.com.tr/NGNkNTc3MjllZTM1/

https://guvenilirislemlermarketing.com.tr/NGNkNTc3MjllZTM1/

https://shopguvenilirislemler.com.tr/NGNkNTc3MjllZTM1/

rc4.plain

Extracted

Family

octo

https://guvenilirislemler.com.tr/NGNkNTc3MjllZTM1/

https://guvenilirshopislemler.com.tr/NGNkNTc3MjllZTM1/

https://guvenilirislemlershop.com.tr/NGNkNTc3MjllZTM1/

https://guvenilirmarketingislemler.com.tr/NGNkNTc3MjllZTM1/

https://guvenilirislemlermarketing.com.tr/NGNkNTc3MjllZTM1/

https://shopguvenilirislemler.com.tr/NGNkNTc3MjllZTM1/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4220	com.roomknow21

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.roomknow21/cache/jncpiyajr	4220	com.roomknow21
/data/user/0/com.roomknow21/cache/jncpiyajr	4220	com.roomknow21

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.roomknow21
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.roomknow21

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.roomknow21

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.roomknow21

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.roomknow21
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.roomknow21
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.roomknow21
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.roomknow21

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.roomknow21

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.roomknow21

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.roomknow21

Requests modifying system settings. 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.roomknow21

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.roomknow21

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.roomknow21

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.roomknow21

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.roomknow21

com.roomknow21
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4220

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.roomknow21/cache/jncpiyajr

Filesize
448KB

MD5
24994cdedbeb09fc37a87e8b3247c48e

SHA1
71ff0a502d21604cba131aaeb896c84167523b99

SHA256
efa5ad51d536659036876d1b5e35a48cacdb21e3903ff92e3783bee84600706f

SHA512
a812dfcc4ab1befc22f1b0ab62c55ca6e341d4e9b72dd55e6fe3f25765c2390b9974eaa81b8195ef421514ba3a140e701af83e03766f924fa4361cba3d34077b

Download Submit
/data/data/com.roomknow21/cache/oat/jncpiyajr.cur.prof

Filesize
443B

MD5
b9c846dc21aef5d28551d0ba56c017c9

SHA1
04817f90ec05ac018b0b951ba4e9c9ea927c0bf5

SHA256
c5dd84ee48ce5c529c1a08ed5a8d297a2bc3af783148caf67d05eaa0ad3525bd

SHA512
34edf787a8beeabba184a728adaef78bc30cef1e71f735055869df455d00223b25bfb270abeee6b2e0a89db021a72b2d6cf1e8027aa104ec4ba1d46779ea8670

Download Submit
/data/data/com.roomknow21/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.roomknow21/kl.txt

Filesize
230B

MD5
d436b8af0e0417d98c57d048945ec265

SHA1
8fc396a644e59027a7ab9ec49949f27954fdee8e

SHA256
c7edb49ee8f1e605e7483de790b0ab65fb893269bbcf37d8f91e89ce99d51cd8

SHA512
974c038b35a83bbaa4b5f8a639daf537b164bfd898a568272f420610791cba052ba1f5485b3821f144a705fed5243efa277c4618c396f35fd12d0ed39dc7d430

Download Submit
/data/data/com.roomknow21/kl.txt

Filesize
63B

MD5
b066e6f4e1909bb1a04d2f0f74a91529

SHA1
93a0b2098449e87cb8c3839f56fbb9c221c0abb2

SHA256
60983f930be06d5548ba54159b76deb889e6cc39b0bbd3296443693539ef5a0d

SHA512
a7daeafc7bff365d90bda0dacb2cbd716c7fcea8ceb623b1fb3efed1fdea4be6b7f5606430c296a2209a23d10a9f3a307d06b8bbde3366ce5dceeae4b2982346

Download Submit
/data/data/com.roomknow21/kl.txt

Filesize
54B

MD5
2d61519ff9c6c4f122f08c991c8db859

SHA1
a14a47eb8ebef39b838e275356c87703ec15aae4

SHA256
b5c80ef39b39527456d14a358fca1ee59d7a66d4aec9e7f682779cb3eab9703c

SHA512
646f244bab7965b11d83ad0b94b114369f85060bd62ea761e08a420599b1ae3cab450039d888a3315e0f48a5bc747bf1c10364aa0c72536923208ae3b7a811e4

Download Submit
/data/data/com.roomknow21/kl.txt

Filesize
423B

MD5
a0c931019379cf358198189ab3190e41

SHA1
e95bfc4e854de81cb4944b5076e489c9507a1c91

SHA256
1176b53747e2d037643319389665f16ea990a9bb9a7cf90090d2847bc8c6f81c

SHA512
f921af494a31967d69dedc963cf089f8d8cf018db9c64ca3d62a52f23ad27cff142bad31d983fd6ec635d77a2e2ade3ee279a3149369a293e4ee3159a75d8e3c

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads