octo | 96b62ea7bdbca4b3871843c1336b9f6b76a1d9d158fc95e92a911ae8c7a3514c

Analysis

max time kernel
149s
max time network
156s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
04-11-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96b62ea7bdbca4b3871843c1336b9f6b76a1d9d158fc95e92a911ae8c7a3514c.apk
Size

561KB
MD5

d10b890071e44c3d11c79883ea8e3479
SHA1

9aebd943ec499841c207f3a4b35e44f0b360d496
SHA256

96b62ea7bdbca4b3871843c1336b9f6b76a1d9d158fc95e92a911ae8c7a3514c
SHA512

406123358c8c3817e1ae399363bf421aadb1444883155aa445337c523a023751b05bec765b747a62dc9d3d58b7f6685bf29ca9a0da1e5a9e0b56ebae7e79d9fd
SSDEEP

12288:uIrisIw/Mb9steXdSS4dItZgRFFoEAy0u/4gAvDI4KKwnl:uIrisd/xt6STGeFiEhP/w0Kwnl

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://yeyrekhospital.com/ZjUwYTMzYjliZDZk/

https://hamsiyunus342.com/ZjUwYTMzYjliZDZk/

https://mlbumlml2342r.com/ZjUwYTMzYjliZDZk/

https://cilginrtelfoncu3351.com/ZjUwYTMzYjliZDZk/

https://mlfkumal333.com/ZjUwYTMzYjliZDZk/

rc4.plain

Extracted

Family

octo

https://yeyrekhospital.com/ZjUwYTMzYjliZDZk/

https://hamsiyunus342.com/ZjUwYTMzYjliZDZk/

https://mlbumlml2342r.com/ZjUwYTMzYjliZDZk/

https://cilginrtelfoncu3351.com/ZjUwYTMzYjliZDZk/

https://mlfkumal333.com/ZjUwYTMzYjliZDZk/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.lateeye9/cache/vfrnrl	4480	com.lateeye9
/data/user/0/com.lateeye9/cache/vfrnrl	4480	com.lateeye9

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.lateeye9
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.lateeye9

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.lateeye9

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.lateeye9

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.lateeye9
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.lateeye9
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.lateeye9
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.lateeye9

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.lateeye9

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.lateeye9

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.lateeye9

Requests modifying system settings. 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.lateeye9

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.lateeye9

com.lateeye9
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
PID:4480

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.lateeye9/cache/oat/vfrnrl.cur.prof

Filesize
301B

MD5
a452184ed3c611efebf6f1b16d5b068e

SHA1
d210096b5a000f56797644225057546808caae63

SHA256
aa30af8f601c95d46041882572901d80b7e9fbcac37de4506cf75e10ff96659f

SHA512
7b762888e0370fe9f004444b675f3d3dfbed97aae009d2b1215950f19c475514c5e2c0e838e89359e787fb0e7ddc505394f8aa0652d334df659fa46e55562de5

Download Submit
/data/data/com.lateeye9/cache/vfrnrl

Filesize
448KB

MD5
7f604a50e6671975c69bf587436ce196

SHA1
1db2b6ca1e6e6307ee1c7424e75e25de84f5cdd7

SHA256
0f2bc839f7d9c5a99727d52d9f5b1d1bf523a5784e4db747f2bca05a944075ad

SHA512
61aba0e9c614ec00ce798f48197d9d7bbbdf748083edddecb887098ab7771d315510645086604e377eb841e27858e5e0ff40760325f2fffd5ca13d3cd9933534

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads