octo | a18968ad0a59325f5dfe4e12fb964fc19bd823a4d32ff653e1f8cdb9fb500f05

Analysis

max time kernel
148s
max time network
150s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
09-10-2024 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a18968ad0a59325f5dfe4e12fb964fc19bd823a4d32ff653e1f8cdb9fb500f05.apk
Size

509KB
MD5

536df62c65fc30707b94d6c640426a32
SHA1

87b456dc71f89542ff7b785283e2a37ad2288095
SHA256

a18968ad0a59325f5dfe4e12fb964fc19bd823a4d32ff653e1f8cdb9fb500f05
SHA512

39774903d7bfe921ae900f189a837dedf4a36e9a2066c481f45e9b126a79e31fd874d1bef787b6115deb8d05d83279917b93d65a7ebaf5b04f4feb8de9bb5cae
SSDEEP

12288:Qgdj16q0TGnpkrEQKgB/aLKtCWO/L7vmWoBnD:B1wGp2EqB/aLKId/LSnD

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://guvenilirislemler.com.tr/NGNkNTc3MjllZTM1/

https://guvenilirshopislemler.com.tr/NGNkNTc3MjllZTM1/

https://guvenilirislemlershop.com.tr/NGNkNTc3MjllZTM1/

https://guvenilirmarketingislemler.com.tr/NGNkNTc3MjllZTM1/

https://guvenilirislemlermarketing.com.tr/NGNkNTc3MjllZTM1/

https://shopguvenilirislemler.com.tr/NGNkNTc3MjllZTM1/

rc4.plain

Extracted

Family

octo

https://guvenilirislemler.com.tr/NGNkNTc3MjllZTM1/

https://guvenilirshopislemler.com.tr/NGNkNTc3MjllZTM1/

https://guvenilirislemlershop.com.tr/NGNkNTc3MjllZTM1/

https://guvenilirmarketingislemler.com.tr/NGNkNTc3MjllZTM1/

https://guvenilirislemlermarketing.com.tr/NGNkNTc3MjllZTM1/

https://shopguvenilirislemler.com.tr/NGNkNTc3MjllZTM1/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.roomknow21/cache/jncpiyajr	5065	com.roomknow21
/data/user/0/com.roomknow21/cache/jncpiyajr	5065	com.roomknow21

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.roomknow21
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.roomknow21

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.roomknow21

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.roomknow21

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.roomknow21

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.roomknow21
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.roomknow21
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.roomknow21
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.roomknow21

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.roomknow21

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.roomknow21

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.roomknow21

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.roomknow21

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.roomknow21

com.roomknow21
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5065

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.roomknow21/cache/jncpiyajr

Filesize
448KB

MD5
24994cdedbeb09fc37a87e8b3247c48e

SHA1
71ff0a502d21604cba131aaeb896c84167523b99

SHA256
efa5ad51d536659036876d1b5e35a48cacdb21e3903ff92e3783bee84600706f

SHA512
a812dfcc4ab1befc22f1b0ab62c55ca6e341d4e9b72dd55e6fe3f25765c2390b9974eaa81b8195ef421514ba3a140e701af83e03766f924fa4361cba3d34077b

Download Submit
/data/data/com.roomknow21/cache/oat/jncpiyajr.cur.prof

Filesize
466B

MD5
1ae154629ac5be03b6bcc79495e14f28

SHA1
cdc6a0c3888d0462140c69274f541411c29ccd1f

SHA256
085d13e3d5a00780298efe42f94af29b42edf47c1826a61e42d2d22e64cf4455

SHA512
4a75f5659804621cdd6d2dc12c0a0a934147be91f11eba580556208485c14497cc75293f677a8f30f130a447857ffcc4901281fcaa8b08ba587a581761086ee7

Download Submit
/data/data/com.roomknow21/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.roomknow21/kl.txt

Filesize
230B

MD5
d23231db58a96ff94f26e69c6fabfce8

SHA1
3e98b641a49df82e9d7756bb62a0dfe8daefa9f5

SHA256
b80f21e33a0695b5a4dcfef5994fe279e451f1827db71f0add52cc9b4c60879a

SHA512
0b12d79dac629472aa7f3ae4204e286456d85f80febeb28208db3746a6f0e6d8f9ff531e4cfb7af21988a4377c8a59d8c4749fd75f2b4733bc658970fe2a2175

Download Submit
/data/data/com.roomknow21/kl.txt

Filesize
63B

MD5
2e0b790aab1da6faa1d0bbebb07be9b8

SHA1
42fba28d365586aa24fcf5572cf684298aa5f7ce

SHA256
ecb22cee338ee03a66ff6776fb7b42a13bf7fc618024ec63370e8c6d987827a0

SHA512
72a47164dd0fcd6d8d223db633a1aa7f7db76ccbc1e10384c664ee3d50fc5473aad0e20098d2eaa71ca987519d2603684a6ec0df5044f409cc942e41834546a6

Download Submit
/data/data/com.roomknow21/kl.txt

Filesize
45B

MD5
395c3a8b6c31bc7e6ad7f0f98c6c3a28

SHA1
e305442de53237662f0a75e286403a691bba5ee7

SHA256
167dd1ee767ba5b344a2c6db2d7b9b6e5c654037971c455fbf34c4f5cafc925d

SHA512
f9db635d6438fd8e2475fbf44472b868ec694b42f5212b4b864b1c6cec5cd127051078eb078e4d15637ee08e5387adbc129d9323dae2b5e719492053ea036f36

Download Submit
/data/data/com.roomknow21/kl.txt

Filesize
423B

MD5
da55ae60cabf1ec060b66eba28a44e4e

SHA1
90db2de5eacddf1b2d4f7d5fc52b5f0812ffac35

SHA256
0ed1286345eb283c49c09471354e8fa665306d838095e2006cc5fbb5aff0639c

SHA512
caa2d76fcbe6cc4cdc37dcd7ab732bcbca20a6b8eb42926c006962e9e6175c405402ad183e43cf465fad35b979ce915d7b333a538876f6015b6c3496e7707a4d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads