octo | 705df33b395876e2a595e2417b0bf5b422b65e3d5f0276e736a33bfe37753ef2

Analysis

max time kernel
148s
max time network
151s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
19-10-2024 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

705df33b395876e2a595e2417b0bf5b422b65e3d5f0276e736a33bfe37753ef2.apk
Size

561KB
MD5

9b5d29e2c4f3295c4738a9047fc13a07
SHA1

46cecd4c1db7cf3016afd15fda41c29bd116914b
SHA256

705df33b395876e2a595e2417b0bf5b422b65e3d5f0276e736a33bfe37753ef2
SHA512

46e611ce2085d18d0f844be6d03490c5c93827c2f9f472b289c5f4541562ed2713fb83cb73227d8a0e1f3aac8566c6452d9060171884803932bb0ac8a00e2d0c
SSDEEP

12288:oh0p6oBz+RWEkZZK/7FwdJXxQKp2JAhKYAGGKcydjxA+nZ:oh0p6oBzAiZyBwdTQBVYZGHyttnZ

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://pethsop332.com/MzQ1Yzk1ZGQ4ODY3/

https://2pethsop332.com/MzQ1Yzk1ZGQ4ODY3/

https://3pethsop332.com/MzQ1Yzk1ZGQ4ODY3/

https://4pethsop332.com/MzQ1Yzk1ZGQ4ODY3/

https://5pethsop332.com/MzQ1Yzk1ZGQ4ODY3/

https://6pethsop332.com/MzQ1Yzk1ZGQ4ODY3/

rc4.plain

Extracted

Family

octo

https://pethsop332.com/MzQ1Yzk1ZGQ4ODY3/

https://2pethsop332.com/MzQ1Yzk1ZGQ4ODY3/

https://3pethsop332.com/MzQ1Yzk1ZGQ4ODY3/

https://4pethsop332.com/MzQ1Yzk1ZGQ4ODY3/

https://5pethsop332.com/MzQ1Yzk1ZGQ4ODY3/

https://6pethsop332.com/MzQ1Yzk1ZGQ4ODY3/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.letsound8/cache/sphxqdxgenrwb	4637	com.letsound8
/data/user/0/com.letsound8/cache/sphxqdxgenrwb	4637	com.letsound8

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.letsound8
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.letsound8

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.letsound8

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.letsound8

Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.letsound8
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.letsound8
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.letsound8
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.letsound8
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.letsound8

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.letsound8

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.letsound8

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.letsound8

Requests modifying system settings. 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.letsound8

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.letsound8

com.letsound8
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
PID:4637

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.letsound8/cache/oat/sphxqdxgenrwb.cur.prof

Filesize
294B

MD5
6b679eb4edee01a1a533320b544edc85

SHA1
0ebf73ca3919107c027a5efec978859e2325d3d0

SHA256
1237bc8b09f256749b3aee32bd2a2eed88b5588177764ff6826b058cc1ddb8cd

SHA512
983e8719bdc34c2497dba3be8f2ee73c97ab398875a52ecd6a35cc575fabe63a07e31de52e215ed921999f1ebef2c1e7794f1fff8c354787f072df5fe4ac4fca

Download Submit
/data/data/com.letsound8/cache/sphxqdxgenrwb

Filesize
448KB

MD5
ed8bf619765f68ba6993d253ac3e4e0d

SHA1
5ef85a6aab09ab7d3da59d5fa00d63c00fc020d8

SHA256
cb4256226b0e2443ee6ac120487854fb99971462568a0627ddda11b6a0a6810d

SHA512
33014f8a7f92ea315534a0bbcb023edcded04107a719292458b6c9a08595045118f9762cba7d2aef7ebe8819092587d8d7e234b766b3884cef0dfb84c625cc0b

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads