octo | 0b91df5b8b86b91f84407af496df310820f04322bff3c17fd33eb78565fdc972

Analysis

max time kernel
150s
max time network
153s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
29-10-2024 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b91df5b8b86b91f84407af496df310820f04322bff3c17fd33eb78565fdc972.apk
Size

576KB
MD5

49953fbd7d6a3ef9f5070f6e40c3f8dd
SHA1

8c6a413e2cbfb8410d9393757e0465cc6e5effa2
SHA256

0b91df5b8b86b91f84407af496df310820f04322bff3c17fd33eb78565fdc972
SHA512

b1b636a743b8e04e95dedf7b0bad8b453a1f011c0d491cc125d258d9fee1b069ffdbb946295e7eaa96a5e71a0fe620b3887baa2cd3bd1e8e719659f8de4057e0
SSDEEP

12288:fqzHJaTXcCRdUl1e/iQlordVb/b43n21rSl2fhh5WiN1fyMmQt2qnYQNjP:fKARdts5VbTq219wW1tF2qnbNjP

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://maradakalman.shop/ZDUzODlhNjExYmFl/

https://marabalardanken.shop/ZDUzODlhNjExYmFl/

https://karamakasa.shop/ZDUzODlhNjExYmFl/

https://karamarabad.shop/ZDUzODlhNjExYmFl/

rc4.plain

Extracted

Family

octo

https://maradakalman.shop/ZDUzODlhNjExYmFl/

https://marabalardanken.shop/ZDUzODlhNjExYmFl/

https://karamakasa.shop/ZDUzODlhNjExYmFl/

https://karamarabad.shop/ZDUzODlhNjExYmFl/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-4.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.beginhigh19/code_cache/secondary-dexes/base.apk.classes1.zip	4485	com.beginhigh19
/data/user/0/com.beginhigh19/cache/nhsqwzy	4485	com.beginhigh19

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.beginhigh19
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.beginhigh19

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.beginhigh19

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.beginhigh19

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.beginhigh19

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.beginhigh19
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.beginhigh19
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.beginhigh19
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.beginhigh19

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.beginhigh19

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.beginhigh19

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.beginhigh19

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.beginhigh19

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.beginhigh19

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.beginhigh19

com.beginhigh19
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4485

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.beginhigh19/cache/nhsqwzy

Filesize
449KB

MD5
18b183a4e344ed38af065d54b82fb34b

SHA1
29ff8dd18ce901e8d3ed82a2baae1ab49dee806e

SHA256
83b205d23f00e2b88a712ac3148b5c81069762d2aa09a25df4adc37a2665cbc3

SHA512
51b0167f85b1bcd9c522640f0e6131a13db400174b58376ad9fe90b0fdacccd9eb9ac3bf8d761c136b85c5b943f3005932d97d46ab3f5cc65532db6aea6d1484

Download Submit
/data/user/0/com.beginhigh19/cache/oat/nhsqwzy.cur.prof

Filesize
398B

MD5
4b76512a019e4f3ea9c2b902aa9328a5

SHA1
1005cd2e1bae083e39cb10c774a155e2eb0e2648

SHA256
f6b5b5ef2b29b38673b6cdfb575aebd70082819ee5c83f4b70be3a84d1c74998

SHA512
40c6a47a93d223a690eb8c7544d68a8d34d64fa5f0ae75c9c3b675dc727ce8166bfd3b3b82f7c3e4c475d918e43e4f113ad82da353a4093b42c0918bab35a8db

Download Submit
/data/user/0/com.beginhigh19/code_cache/secondary-dexes/base.apk.classes1.zip

Filesize
2KB

MD5
8d07b626eb8d8d13bbd92a8475bd6685

SHA1
9bdb6ad46d075da0877f4f359b238ee57a8a40e1

SHA256
a38858cdae7ce92a43bb126e034ce4a19e649acf02159a1b2fa2e6dfd6272dd7

SHA512
e642dcef8eaac5dca708d170e6715f8e9ebc8546fbdcc5cf64bf830ff1a62ab7f9db878fe7d2fa9858e81e7fda5099a3e87072c544330893c3e4e96f949c1c64

Download Submit
/data/user/0/com.beginhigh19/code_cache/secondary-dexes/tmp-base.apk.classes2283869537823057538.zip

Filesize
1KB

MD5
82ffaa7ffd4e8a05e7ebf81cd83084f6

SHA1
3bb941e5f8440125209cdb670c2ba94e7697d267

SHA256
274b4645bcd3c19ea8a73834cc82450b3365f7c9e5714df96894df1774293b49

SHA512
5799c55e8e0f019db1320d19023a405436700a6f723058367d1ef4826d390f27aaea807d33aa559839625186ac4e33fa3c690f9744264b457ecad51278cd5af9

Download Submit
/data/user/0/com.beginhigh19/kl.txt

Filesize
64B

MD5
bb3c31cb66e04ede485360b04e82fbcb

SHA1
bc97af72c0ed2cff16720d85a11bb1363a71dc18

SHA256
7e9afc50374226ecb1b08c8fe9e85b9e2ef1c9b490a09ead7d2c276f325958e1

SHA512
9d2807d7acc1545c83d1bef09e3b4b83b214eeb242fec16f63bacf055c0e9ac8109a64f8b93c55e69c5671931a0a40d7906cb780366fc8f4d51e8cc8817d2d7c

Download Submit
/data/user/0/com.beginhigh19/kl.txt

Filesize
68B

MD5
f704fb8a20b5ce8590bb63d0ccf9ce6e

SHA1
40cbc4202f3cf4e161019dd7c320a788d2bfead0

SHA256
dff08dff5a95797fbb1137fa6ce9d1319588badc07891c7cb8d161e72c43016f

SHA512
bef9b7b19832ff2536c4a3e9339ce67bea8ffb8bd43759c7aeb19a2100f80d2664798e21e2b090f6b0d05ff514f5323b6cba437414519ec1ddbe87fe91bbd78e

Download Submit
/data/user/0/com.beginhigh19/kl.txt

Filesize
76B

MD5
a144b588ccaa19dc19c111545a8bafc7

SHA1
4b7eb207687e7d77502ca315fad5809837096ad4

SHA256
ee14ab88692f5f85e55697e1bc944b4f4e676e8276b22552dfc4e03d80eee0a0

SHA512
738803554edc3448d10a480eaa419ac2751d97f666db9c49c82e13d61bc5334a39af5865694f2f32a378af8939c6fd54b83cd97bc1c18dcfba68248813ecf4b6

Download Submit
/data/user/0/com.beginhigh19/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/user/0/com.beginhigh19/kl.txt

Filesize
214B

MD5
2f18290bca8648deeb89480a2d55bb3d

SHA1
9027eed175b9ce7c09a380b95e3b0a8c6945f5dd

SHA256
70b4d0abb5556a1d4f397fa58d6891f0d1ab487081c796a2ab62d3bbf7a22a90

SHA512
2399ac47f714dba1d7df123aa3b618275e1fc9f99ad42b587bbf53ca30f345b48214842aea20db3c4cb23db8e01c5950a5348d873bd5d149a67df6fadd447f40

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads