octo | f1db585bf49c0702877fc062aa8f469755d9049a3e98bd11d037d5c9c6ce5e96

Analysis

max time kernel
94s
max time network
93s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
05/11/2024, 17:47 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1db585bf49c0702877fc062aa8f469755d9049a3e98bd11d037d5c9c6ce5e96.apk
Size

2.4MB
MD5

8efe9d3dc12b9698f8a9391bfab18753
SHA1

5fed224ccd3ca48b7332724ed8e2e9d331abb339
SHA256

f1db585bf49c0702877fc062aa8f469755d9049a3e98bd11d037d5c9c6ce5e96
SHA512

587eb0ada7e87bc9b52cf01e17d096a703a91a7532f32e8acfb5d0d9c54d01df0efd1521bd22f675e2924a5cff06947eca1cd15cac29b152cab10bde7015f5f4
SSDEEP

49152:x39Oyd8gLECiBStCbyQx1PBuH2sc7HIWlGYZiw2fSMUNGdScOy8q96eK:32gY4UbzucNdZiw2f1Uwd/8m6b

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://4bb139030b74564533981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://4bb1332453233981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://9bb1332453233981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://5bb1332453233981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://7bb13903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://4bb13903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://4b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

rc4.plain

1
7YfgS40rIKh8OVzUddb

Extracted

Family

octo

https://4bb139030b74564533981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://4bb1332453233981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://9bb1332453233981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://5bb1332453233981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://7bb13903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://4bb13903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://4b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

AES_key

1
3534353639643261616165373137363333356136376266373265383637333666

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4338	com.amongwarmlkza

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.amongwarmlkza/cache/ntjdpoat	4338	com.amongwarmlkza
/data/user/0/com.amongwarmlkza/cache/ntjdpoat	4338	com.amongwarmlkza

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.amongwarmlkza
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.amongwarmlkza

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.amongwarmlkza

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.amongwarmlkza

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.amongwarmlkza
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.amongwarmlkza
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.amongwarmlkza
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.amongwarmlkza

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.amongwarmlkza

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.amongwarmlkza

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.amongwarmlkza

Requests modifying system settings. 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.amongwarmlkza

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.amongwarmlkza

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.amongwarmlkza

com.amongwarmlkza
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4338

Network

DNS

android.apis.google.com

Remote address:

1.1.1.1:53

Request

android.apis.google.com

IN A

Response

android.apis.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

172.217.16.238
DNS

5bb1332453233981d0595033c23.com

Remote address:

1.1.1.1:53

Request

5bb1332453233981d0595033c23.com

IN A

Response

5bb1332453233981d0595033c23.com

IN A

213.159.75.106
POST

https://5bb1332453233981d0595033c23.com/YmZiMzU0OTU5NGIz/

Remote address:

213.159.75.106:443

Request

POST /YmZiMzU0OTU5NGIz/ HTTP/1.1
Packets-sent: 60170
Content-Encoding: gzip
Content-Length: 3506
Host: 5bb1332453233981d0595033c23.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.22.1
Date: Tue, 05 Nov 2024 17:48:14 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 24
Connection: keep-alive
DNS

4bb139030b74564533981d0595033c23.com

Remote address:

1.1.1.1:53

Request

4bb139030b74564533981d0595033c23.com

IN A

Response

4bb139030b74564533981d0595033c23.com

IN A

213.159.75.106
POST

https://4bb139030b74564533981d0595033c23.com/YmZiMzU0OTU5NGIz/

Remote address:

213.159.75.106:443

Request

POST /YmZiMzU0OTU5NGIz/ HTTP/1.1
Packets-sent: 60170
Content-Encoding: gzip
Content-Length: 293
Host: 4bb139030b74564533981d0595033c23.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.22.1
Date: Tue, 05 Nov 2024 17:48:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
DNS

semanticlocation-pa.googleapis.com

Remote address:

1.1.1.1:53

Request

semanticlocation-pa.googleapis.com

IN A

Response

semanticlocation-pa.googleapis.com

IN A

142.250.187.234

semanticlocation-pa.googleapis.com

IN A

172.217.169.74

semanticlocation-pa.googleapis.com

IN A

142.250.200.42

semanticlocation-pa.googleapis.com

IN A

216.58.212.234

semanticlocation-pa.googleapis.com

IN A

142.250.178.10

semanticlocation-pa.googleapis.com

IN A

216.58.204.74

semanticlocation-pa.googleapis.com

IN A

172.217.169.10

semanticlocation-pa.googleapis.com

IN A

142.250.187.202

semanticlocation-pa.googleapis.com

IN A

216.58.213.10

semanticlocation-pa.googleapis.com

IN A

216.58.201.106

semanticlocation-pa.googleapis.com

IN A

172.217.16.234

semanticlocation-pa.googleapis.com

IN A

142.250.200.10

semanticlocation-pa.googleapis.com

IN A

142.250.180.10

semanticlocation-pa.googleapis.com

IN A

142.250.179.234
POST

https://4bb139030b74564533981d0595033c23.com/YmZiMzU0OTU5NGIz/

Remote address:

213.159.75.106:443

Request

POST /YmZiMzU0OTU5NGIz/ HTTP/1.1
Packets-sent: 60170
Content-Encoding: gzip
Content-Length: 3506
Host: 4bb139030b74564533981d0595033c23.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.22.1
Date: Tue, 05 Nov 2024 17:49:16 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 24
Connection: keep-alive

142.250.200.46:443

tls, https

915 B
40 B
1
1
142.250.200.46:443

tls, https

915 B
40 B
1
1
142.250.200.46:443

tls, https

915 B
40 B
1
1
172.217.16.238:443

android.apis.google.com

tls

2.9kB
6.7kB
12
15
213.159.75.106:443

https://5bb1332453233981d0595033c23.com/YmZiMzU0OTU5NGIz/

tls, http

4.6kB
1.9kB
11
7

HTTP Request

POST https://5bb1332453233981d0595033c23.com/YmZiMzU0OTU5NGIz/

HTTP Response

200
213.159.75.106:443

https://4bb139030b74564533981d0595033c23.com/YmZiMzU0OTU5NGIz/

tls, http

3.1kB
98.0kB
44
72

HTTP Request

POST https://4bb139030b74564533981d0595033c23.com/YmZiMzU0OTU5NGIz/

HTTP Response

200
213.159.75.106:443

https://4bb139030b74564533981d0595033c23.com/YmZiMzU0OTU5NGIz/

tls, http

4.6kB
1.9kB
11
7

HTTP Request

POST https://4bb139030b74564533981d0595033c23.com/YmZiMzU0OTU5NGIz/

HTTP Response

200

224.0.0.251:5353

3.3kB
10
1.1.1.1:53

android.apis.google.com

dns

69 B
109 B
1
1

DNS Request

android.apis.google.com

DNS Response

172.217.16.238
1.1.1.1:53

5bb1332453233981d0595033c23.com

dns

77 B
93 B
1
1

DNS Request

5bb1332453233981d0595033c23.com

DNS Response

213.159.75.106
1.1.1.1:53

4bb139030b74564533981d0595033c23.com

dns

82 B
98 B
1
1

DNS Request

4bb139030b74564533981d0595033c23.com

DNS Response

213.159.75.106
1.1.1.1:53

semanticlocation-pa.googleapis.com

dns

80 B
304 B
1
1

DNS Request

semanticlocation-pa.googleapis.com

DNS Response

142.250.187.234

172.217.169.74

142.250.200.42

216.58.212.234

142.250.178.10

216.58.204.74

172.217.169.10

142.250.187.202

216.58.213.10

216.58.201.106

172.217.16.234

142.250.200.10

142.250.180.10

142.250.179.234

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.amongwarmlkza/cache/ntjdpoat

Filesize
2.3MB

MD5
b8fd9b839e47295a71bf5a0d6fbfffa7

SHA1
bef35e27e6593ef93768fef3766ac2980c1a5e24

SHA256
4ab6d2f489522f5f2794b55132f8e7c86cbb3346e32dcb56b4d9aa5f257ffc41

SHA512
d760637074459893fe3100c0cb3cfb3c469c0d13b69f2b7924671505b5e64f09ea8bf0984d587b4a7f62bf4bdacdc2fd209f070ef316bacfebad8c71251e421c

Download Submit
/data/data/com.amongwarmlkza/cache/oat/ntjdpoat.cur.prof

Filesize
418B

MD5
6ea286f2f5a9e6e1e49b522239b4ce69

SHA1
92e2c81fd190187e228b5bff5710e6a92f043a77

SHA256
136f5dad16802597fbd3fce31987e74bbdd7173afe7b9580203dec314167bd54

SHA512
9360db809d7baada18993b3ed6bc1fd7e351281079ca955094b800398b1ebaf47235fcea06dec980ea25d4d1e333d4943be2f5f908d4b8617ea1a413e0f14eaa

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.