octo | 525b4f9bbb5f275e4d15ccc7be8720b60e0170822ee0777b8e47971cb6dfdec9

General

Target

525b4f9bbb5f275e4d15ccc7be8720b60e0170822ee0777b8e47971cb6dfdec9.apk
Size

2.4MB
MD5

8b2f0576d9c5646478cb3789894906cd
SHA1

f742f6d543343993ae95d9b5fc278c352339250b
SHA256

525b4f9bbb5f275e4d15ccc7be8720b60e0170822ee0777b8e47971cb6dfdec9
SHA512

6873e18f99eb41f7f3535969babc98d07f4a836f52f372f78ccd6824a60e57a81814fb9efba4274246c59d6303c0666d4a059a43b28706c08e176b79c29803b8
SSDEEP

49152:ZqHDnWoUzYveF7I8EpAyGCX0THCYKdFcU69l+ZvQuhqjsrwd0N4O304Qc3+TM4RN:W3Uzn7TEmyGCYZcO3uhqwUd0SQGc3+w0

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

C2

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/

rc4.plain

Extracted

Family

octo

C2

https://malkafaniskm.com/NzY2NDZkZmViYjZj/

https://fukiyibartiyom2.com/NzY2NDZkZmViYjZj/

https://malkafali222.com/NzY2NDZkZmViYjZj/

https://oyunbaimlisi35.com/NzY2NDZkZmViYjZj/

https://mal1fukizmirli.com/NzY2NDZkZmViYjZj/

Attributes

target_apps
at.spardat.bcrmobile

at.spardat.netbanking

com.bankaustria.android.olb

com.bmo.mobile

com.cibc.android.mobi

com.rbc.mobile.android

com.scotiabank.mobile

com.td

cz.airbank.android

eu.inmite.prj.kb.mobilbank

com.bankinter.launcher

com.kutxabank.android

com.rsi

com.tecnocom.cajalaboral

es.bancopopular.nbmpopular

es.evobanco.bancamovil

es.lacaixa.mobile.android.newwapicon

com.dbs.hk.dbsmbanking

com.FubonMobileClient

com.hangseng.rbmobile

com.MobileTreeApp

com.mtel.androidbea

com.scb.breezebanking.hk

hk.com.hsbc.hsbchkmobilebanking

com.aff.otpdirekt

com.ideomobile.hapoalim

com.infrasofttech.indianBank

com.mobikwik_new

com.oxigen.oxigenwallet

jp.co.aeonbank.android.passbook

jp.co.netbk

jp.co.rakuten_bank.rakutenbank

jp.co.sevenbank.AppPassbook

jp.co.smbc.direct

jp.mufg.bk.applisp.app

com.barclays.ke.mobile.android.ui

nz.co.anz.android.mobilebanking

nz.co.asb.asbmobile

nz.co.bnz.droidbanking

nz.co.kiwibank.mobile

com.getingroup.mobilebanking

eu.eleader.mobilebanking.pekao.firm

eu.eleader.mobilebanking.pekao

eu.eleader.mobilebanking.raiffeisen

pl.bzwbk.bzwbk24

pl.ipko.mobile

pl.mbank

alior.bankingapp.android

com.comarch.mobile.banking.bgzbnpparibas.biznes

com.comarch.security.mobilebanking

com.empik.empikapp

com.empik.empikfoto

com.finanteq.finance.ca

com.orangefinansek

eu.eleader.mobilebanking.invest

pl.aliorbank.aib

pl.allegro

pl.bosbank.mobile

pl.bph

pl.bps.bankowoscmobilna

pl.bzwbk.ibiznes24

pl.bzwbk.mobile.tab.bzwbk24

pl.ceneo

pl.com.rossmann.centauros

pl.fmbank.smart

pl.ideabank.mobilebanking

pl.ing.mojeing

pl.millennium.corpApp

pl.orange.mojeorange

pl.pkobp.iko

pl.pkobp.ipkobiznes

com.kuveytturk.mobil

com.magiclick.odeabank

com.mobillium.papara

com.pozitron.albarakaturk

com.teb

com.tmob.tabletdeniz

com.vakifbank.mobilel

tr.com.sekerbilisim.mbank

wit.android.bcpBankingApp.millenniumPL

com.idamobile.android.hcb

logo.com.mbanking

com.openbank

com.google.android.apps.walletnfcrel

com.samsung.android.spay

com.cardsapp.android

cz.bsc.rc

cb.ibank

com.bifit.mobile.ubrr

com.bssys.mbcphone.ubrir

net.bl

com.bifit.mobile.bin

com.webmoney.my

com.polehin.android

com.bitcoin.mwallet

io.totalcoin.wallet

com.quppy

com.sharpdev.fxcoin

com.advantage.RaiffeisenBank

hr.asseco.android.jimba.mUCI.ro

may.maybank.android

ro.btrl.mobile

com.amazon.mShop.android.shopping

com.amazon.windowshop

com.ebay.mobile

com.idamob.tinkoff.android

com.akbank.android.apps.akbank_direkt_tablet

com.akbank.softotp

com.akbank.android.apps.akbank_direkt_tablet_20

com.fragment.akbank

com.ykb.android

com.ykb.android.mobilonay

com.ykb.avm

com.ykb.androidtablet

com.veripark.ykbaz

com.softtech.iscek

com.yurtdisi.iscep

com.softtech.isbankasi

com.monitise.isbankmoscow

com.finansbank.mobile.cepsube

com.magiclick.FinansPOS

com.matriksdata.finansyatirim

com.vipera.ts.starter.QNB

com.redrockdigimark

com.garanti.cepbank

com.garantibank.cepsubesiro

biz.mobinex.android.apps.cep_sifrematik

com.garantiyatirim.fx

com.tmobtech.halkbank

com.SifrebazCep

eu.newfrontier.iBanking.mobile.Halk.Retail

tr.com.tradesoft.tradingsystem.gtpmobile.halk

com.DijitalSahne.EnYakinHalkbank

com.ziraat.ziraattablet

com.matriksmobile.android.ziraatTrader

com.matriksdata.ziraatyatirim.pad

de.ingdiba.bankingapp

de.comdirect.android

de.commerzbanking.mobil

de.consorsbank

com.db.mm.deutschebank

de.dkb.portalapp

com.de.dkb.portalapp

com.ing.diba.mbbr2

de.postbank.finanzassistent

mobile.santander.de

de.fiducia.smartphone.android.banking.vr

fr.creditagricole.androidapp

fr.axa.monaxa

fr.banquepopulaire.cyberplus

net.bnpparibas.mescomptes

com.boursorama.android.clients

com.caisseepargne.android.mobilebanking

fr.lcl.android.customerarea

com.paypal.android.p2pmobile

com.wf.wellsfargomobile

com.wf.wellsfargomobile.tablet

com.wellsFargo.ceomobile

com.usbank.mobilebanking

com.usaa.mobile.android.usaa

com.suntrust.mobilebanking

com.moneybookers.skrillpayments.neteller

com.moneybookers.skrillpayments

com.clairmail.fth

com.konylabs.capitalone

com.yinzcam.facilities.verizon

com.chase.sig.android

com.infonow.bofa

com.bankofamerica.cashpromobile

uk.co.bankofscotland.businessbank

com.grppl.android.shell.BOS

com.rbs.mobile.android.natwestoffshore

com.rbs.mobile.android.natwest

com.rbs.mobile.android.natwestbandc

com.rbs.mobile.investisir

com.phyder.engage

com.rbs.mobile.android.rbs

com.rbs.mobile.android.rbsbandc

uk.co.santander.santanderUK

uk.co.santander.businessUK.bb

com.sovereign.santander

com.ifs.banking.fiid4202

com.fi6122.godough

com.rbs.mobile.android.ubr

com.htsu.hsbcpersonalbanking

com.grppl.android.shell.halifax

com.grppl.android.shell.CMBlloydsTSB73

com.barclays.android.barclaysmobilebanking

com.unionbank.ecommerce.mobile.android

com.unionbank.ecommerce.mobile.commercial.legacy

com.snapwork.IDBI

com.idbibank.abhay_card

src.com.idbi

com.idbi.mpassbook

com.ing.mobile

com.snapwork.hdfc

com.sbi.SBIFreedomPlus

hdfcbank.hdfcquickbank

com.csam.icici.bank.imobile

in.co.bankofbaroda.mpassbook

com.axis.mobile

cz.csob.smartbanking

sk.sporoapps.accounts

sk.sporoapps.skener

com.cleverlance.csas.servis24

org.westpac.bank

nz.co.westpac

au.com.suncorp.SuncorpBank

org.stgeorge.bank

org.banksa.bank

au.com.newcastlepermanent

au.com.nab.mobile

au.com.mebank.banking

au.com.ingdirect.android

MyING.be

com.imb.banking2

com.fusion.ATMLocator

au.com.cua.mb

com.commbank.netbank

com.citibank.mobile.au

com.citibank.mobile.uk

com.citi.citimobile

org.bom.bank

com.bendigobank.mobile

me.doubledutch.hvdnz.cbnationalconference2016

au.com.bankwest.mobile

com.bankofqueensland.boq

com.anz.android.gomoney

com.anz.android

com.anz.SingaporeDigitalBanking

com.anzspot.mobile

com.crowdcompass.appSQ0QACAcYJ

com.arubanetworks.atmanz

com.quickmobile.anzirevents15

at.volksbank.volksbankmobile

it.volksbank.android

it.secservizi.mobile.atime.bpaa

de.fiducia.smartphone.android.securego.vr

com.isis_papyrus.raiffeisen_pay_eyewdg

at.easybank.mbanking

at.easybank.tablet

at.easybank.securityapp

at.bawag.mbanking

com.bawagpsk.securityapp

at.psa.app.bawag

com.pozitron.iscep

com.vakifbank.mobile

com.pozitron.vakifbank

com.starfinanz.smob.android.sfinanzstatus

com.starfinanz.mobile.android.pushtan

com.entersekt.authapp.sparkasse

com.starfinanz.smob.android.sfinanzstatus.tablet

com.starfinanz.smob.android.sbanking

com.palatine.android.mobilebanking.prod

fr.laposte.lapostemobile

com.cm_prod.bad

com.cm_prod.epasal

com.cm_prod_tablet.bad

com.cm_prod.nosactus

mobi.societegenerale.mobile.lappli

com.bbva.netcash

com.bbva.bbvacontigo

com.bbva.bbvawallet

es.bancosantander.apps

com.santander.app

es.cm.android

es.cm.android.tablet

com.bankia.wallet

com.bestbuy.android

com.jiffyondemand.user

com.latuabancaperandroid

com.latuabanca_tabperandroid

com.lynxspa.bancopopolare

com.unicredit

it.bnl.apps.banking

it.bnl.apps.enterprise.bnlpay

it.bpc.proconl.mbplus

it.copergmps.rt.pf.android.sp.bmps

it.gruppocariparma.nowbanking

it.ingdirect.app

it.nogood.container

it.popso.SCRIGNOapp

posteitaliane.posteapp.apppostepay

com.abnamro.nl.mobile.payments

com.triodos.bankingnl

nl.asnbank.asnbankieren

nl.snsbank.mobielbetalen

com.btcturk

com.ingbanktr.ingmobil

tr.com.hsbc.hsbcturkey

com.att.myWireless

com.vzw.hss.myverizon

aib.ibank.android

com.bbnt

com.csg.cs.dnmbs

com.discoverfinancial.mobile

com.eastwest.mobile

com.fi6256.godough

com.fi6543.godough

com.fi6665.godough

com.fi9228.godough

com.fi9908.godough

com.ifs.banking.fiid1369

com.ifs.mobilebanking.fiid3919

com.jackhenry.rockvillebankct

com.jackhenry.washingtontrustbankwa

com.jpm.sig.android

com.sterling.onepay

com.svb.mobilebanking

org.usemployees.mobile

pinacleMobileiPhoneApp.android

com.fuib.android.spot.online

com.ukrsibbank.client.android

com.Plus500

eu.unicreditgroup.hvbapptan

com.targo_prod.bad

com.db.pwcc.dbmobile

com.db.mm.norisbank

com.bitmarket.trader

com.plunien.poloniex

com.mycelium.wallet

com.bitfinex.bfxapp

com.binance.dev

com.binance.odapplications

com.blockfolio.blockfolio

com.crypter.cryptocyrrency

io.getdelta.android

com.edsoftapps.mycoinsvalue

com.coin.profit

com.mal.saul.coinmarketcap

com.tnx.apps.coinportfolio

com.coinbase.android

com.portfolio.coinbase_tracker

com.bitpay.wallet

com.bitcoin.wallet.btc

com.blocktrail.mywallet

org.electrum.electrum

com.paxful.wallet

com.bitcoin.pocketbook.btc

net.bitstamp.app

de.schildbach.wallet

piuk.blockchain.android

info.blockchain.merchant

com.jackpf.blockchainsearch

com.unocoin.unocoinwallet

com.unocoin.unocoinmerchantPoS

com.thunkable.android.santoshmehta364.UNOCOIN_LIVE

wos.com.zebpay

com.localbitcoinsmbapp

com.thunkable.android.manirana54.LocalBitCoins

com.thunkable.android.manirana54.LocalBitCoins_unblock

com.localbitcoins.exchange

com.coins.bit.local

com.coins.ful.bit

com.jamalabbasii1998.localbitcoin

zebpay.Application

xmr.org.freewallet.app

com.bitcoin.ss.zebpayindia

com.kryptokit.jaxx

com.cajasur.android

app.wizink.es

com.grupocajamar.wefferent

caixagalicia.activamovil

com.abanca.bancaempresas

net.inverline.bancosabadell.officelocator.android

es.caixageral.caixageralapp

com.bankinter.bkwallet

com.db.pbc.mibanco

com.indra.itecban.mobile.novobanco

es.openbank.mobile

es.pibank.customers

es.bancosantander.empresas

com.indra.itecban.triodosbank.mobile.banking

es.univia.unicajamovil

com.westernunion.moneytransferr3app.es

www.ingdirect.nativeframe

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.familyweightaju/cache/qutamuqlaz	5115	com.familyweightaju
/data/user/0/com.familyweightaju/cache/qutamuqlaz	5115	com.familyweightaju

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.familyweightaju
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.familyweightaju

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.familyweightaju

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.familyweightaju
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.familyweightaju
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.familyweightaju
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.familyweightaju

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.familyweightaju

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.familyweightaju

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.familyweightaju

com.familyweightaju
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:5115

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1

T1407

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Credential Access

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

Software Discovery

1

T1418

Security Software Discovery

1

T1418.001

System Network Configuration Discovery

3

T1422

Lateral Movement

Collection

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.familyweightaju/.qcom.familyweightaju

Filesize
48B

MD5
046a414913add6f5bb60072c7db819b6

SHA1
451ee4f6809260aec622d772fd329c7d0297a842

SHA256
b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

SHA512
4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Download Submit
/data/data/com.familyweightaju/cache/oat/qutamuqlaz.cur.prof

Filesize
402B

MD5
e54a9adb86d5eb90b3f376898ed9092d

SHA1
c450a881da71fef7f31d0d03045c44a07f5575fe

SHA256
f0e70fe4709b4096d701c3029b5c0ed92eed0f087663b46b9a71b08a62bd293c

SHA512
4cf74e836c03d1ccd37a5be907788e12650fc7e9aa335e8f6e2495a297537488503b332409be323e21cfc1fd6cff1166d75375280cce34db4afff867a6db6a83

Download Submit
/data/data/com.familyweightaju/cache/qutamuqlaz

Filesize
2.3MB

MD5
6f571ab8956fd3a758b5669960af024a

SHA1
a905494b0e74008616a9671d1e1105796f5bed80

SHA256
a4f3f77220eeda4c3d48b4b40c2a8392f81ca3ca42c9740ae4e4a24ab0af3ec5

SHA512
ad3ac015ee22b8ec53cf182ac5fff0a08bad761d87b40b48513af3289a0aa6b5c3df07da7c85b7c05f7814f5615114910c3c3831f2255f27ec06774b4330a100

Download Submit
/data/data/com.familyweightaju/kl.txt

Filesize
63B

MD5
1a23b479201145597332fd443fa226cb

SHA1
0526a66d27cca553320393d25fd4914f97c01b1d

SHA256
4dd40971053abea697c9ddbcaac6d69a905a21b70ebb14e87a0a63210cf74641

SHA512
315a4217e4cdb206c21f8535c18067eb7218e29efe6ef9449520a1b31607f8571726e7b33a9387b3c2d9e01810ad9b48ba878e42364d6f5055be4504fbcb6485

Download Submit
/data/data/com.familyweightaju/kl.txt

Filesize
45B

MD5
b7592a2d11172e631d393fc7058bb068

SHA1
99a3a47e195414cc9337e1f5798da9936effa557

SHA256
2e2b4c23356be5c77bb40e2f2b15be97aa69e62ac759b38fcc6556bd8ec9df85

SHA512
9b88539c4d53429cc624316439c8fca6595cd83ff34f4e7a95144f58ffa4389aaf63844106cc669234975e8699791cf4211b0aef044fbea493655bb30fb2c12c

Download Submit
/data/data/com.familyweightaju/kl.txt

Filesize
67B

MD5
3b8722c7e1246f2a711d37c6c91f8533

SHA1
998dd16ce23c2dc759feccd4e8eaa5a8174d8023

SHA256
34291295d6641f97f6f796c37ada1668a40efc396d7418a3379354bde40359be

SHA512
3c7b11a7454e5b370c995773eb8322c25dceff42b691c61aa7ab57ea9441ded07b902e4025414f2038f20de3dafebd87b9ad42384f28b28f6c65fda2b58913b0

Download Submit
/data/data/com.familyweightaju/kl.txt

Filesize
437B

MD5
3ab0fc90e7dc1f16920073e3befb0f94

SHA1
3020aa17ec85557fab8de3c9f8abcfad2f05462e

SHA256
143b864ee0f50d1f6565e68f158635403d29a183b5668345a29c9790670f6771

SHA512
71be5eb9cfa86ef442d83a14db31e70ef2d9419a096c665a6118d566212cfbe9eed947e06e136525cea9b1f3ce2513502b8933a6736ceb5aeeea5c98ce00be66

Download Submit
/data/data/com.familyweightaju/kl.txt

Filesize
84B

MD5
505b4085e5bf740d463659cee91f8dc3

SHA1
3d4f53177aba73b02d79e062c7f7d1c9b4a7673a

SHA256
9f41ca5e77d5815ba95997b4c44195793426de843f9c21ab3bbe1d62a95ff804

SHA512
98d8173d739adc182cce99216d4c039a319e9391d498f6a2001668024861b0008aee2cd9d11f01983d01b72904311501afc44bb192d2e8d2664325cde3f1747f

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads