octo | 6e60cb4b65f565e16c8ad10ca1cbb2b7315d9724348488948c6709f865b3566c

Analysis

max time kernel
149s
max time network
151s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
06-11-2024 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e60cb4b65f565e16c8ad10ca1cbb2b7315d9724348488948c6709f865b3566c.apk
Size

1.4MB
MD5

60bde64195a30beaf3f561eff11c98a3
SHA1

87067806e7326aa887f44fd86d80faa2ed9d2435
SHA256

6e60cb4b65f565e16c8ad10ca1cbb2b7315d9724348488948c6709f865b3566c
SHA512

62f59186c488b24a78e1d50818271e4dcbcd35c4f12a884e27068f18eea9bf8f2519bccc9d1f9b4112f145209364857b948e1ba0a97b22d1f84c6ca320478721
SSDEEP

24576:pDRRRRPpGSIZfJ4jfVttqtlOtb4N60auptTtve+071XDaZODZH7mq9qnYYnAE4Kc:pDRRRRPFIVJ4Ztg4tb4NDau/tv271Xmm

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://cm603lzeyxdw.site/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw1.site/MTU2OWE0NzJjNGY5/

https://arw2he7x57wp.pw/MTU2OWE0NzJjNGY5/

https://9r8i1u84t2gp.online/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw.biz/MTU2OWE0NzJjNGY5/

https://arw2he7x57wp1.pw/MTU2OWE0NzJjNGY5/

https://9r8i1u84t2gp1.online/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw.space/MTU2OWE0NzJjNGY5/

https://yjf241z0uu75.info/MTU2OWE0NzJjNGY5/

https://5a9udxg6l6gd.su/MTU2OWE0NzJjNGY5/

rc4.plain

Extracted

Family

octo

https://cm603lzeyxdw.site/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw1.site/MTU2OWE0NzJjNGY5/

https://arw2he7x57wp.pw/MTU2OWE0NzJjNGY5/

https://9r8i1u84t2gp.online/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw.biz/MTU2OWE0NzJjNGY5/

https://arw2he7x57wp1.pw/MTU2OWE0NzJjNGY5/

https://9r8i1u84t2gp1.online/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw.space/MTU2OWE0NzJjNGY5/

https://yjf241z0uu75.info/MTU2OWE0NzJjNGY5/

https://5a9udxg6l6gd.su/MTU2OWE0NzJjNGY5/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4221	com.bodyfooda

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.bodyfooda/app_DynamicOptDex/KJYnHO.json	4221	com.bodyfooda
/data/user/0/com.bodyfooda/cache/iynbzbtcayiol	4221	com.bodyfooda
/data/user/0/com.bodyfooda/cache/iynbzbtcayiol	4221	com.bodyfooda

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.bodyfooda
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.bodyfooda

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.bodyfooda

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.bodyfooda

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.bodyfooda
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.bodyfooda

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.bodyfooda

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.bodyfooda

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.bodyfooda

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.bodyfooda

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.bodyfooda

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.bodyfooda

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.bodyfooda

com.bodyfooda
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4221

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.bodyfooda/app_DynamicOptDex/KJYnHO.json

Filesize
2KB

MD5
40db7864da0f75d65e5622a8dd30f7be

SHA1
593b0f03c00b8c2f7b7c17ac6963369d45bd485c

SHA256
1e5456d529b344622188c060230f641e6f8920a430f3c0bd1721b9b06d5da0ba

SHA512
bf843f6a50385de2ad04e0bf49d8d968d48df878e22245b101032e56356940d5c3ff53370e64de47ddf9458c6de6dab7f2570de5a5b4edc6d45d8f897d164525

Download Submit
/data/data/com.bodyfooda/app_DynamicOptDex/KJYnHO.json

Filesize
2KB

MD5
7236ad0d1f1a2676f9b5f0344fe3539c

SHA1
2ffe3d4168bad22eaf263d878de2251d49764374

SHA256
e8f1fabcf5baa912f0292df48f99a1f56459f0c9d824c764f5ec148993e048ba

SHA512
e243dd6784f85a0bc0857d57dafca8ca81dd1a188c185ac34f3b879fb16012cf34cc9f859b60ceb2fd1c58ad3bf413b800b3ce90ead62f7dcd44e4c1955f812e

Download Submit
/data/data/com.bodyfooda/cache/iynbzbtcayiol

Filesize
271KB

MD5
895760778e8d8fabe596da433d4f9450

SHA1
ef150ebc5a56b8eccb9a3eae18825946be104183

SHA256
403d18b7d329f454f1bf96fd9462b252d4c8b81c954134fa9725eab5a4e75968

SHA512
6c41f8f0b73d7b32a4661070d4599fb8054578c130f5a587dc620b9308c9b76e729e99b03ee934166ce639fc9b0dbfa07b9291c51916aa1695fcdfd510254daa

Download Submit
/data/data/com.bodyfooda/cache/oat/iynbzbtcayiol.cur.prof

Filesize
472B

MD5
8533e2541fdf24fa70c4e1ce5bb17d85

SHA1
0dce991b7c3d39132e2742f3d9d9dccb5ece5fcb

SHA256
7d56c38214626beeb7667397be10a2cab1deff4d2b26fb1aa7559e40ce305fea

SHA512
55706f60a5985b97792ae4ad961f0b1f02913b97fc501e17159becba196c8179bb93d6531787a0464e92e0fb5645a890a4b08ad2aa73169ed1d5cc002a4b654c

Download Submit
/data/data/com.bodyfooda/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.bodyfooda/kl.txt

Filesize
230B

MD5
acf13dcc3b18d9f02f1c4df58b7c581f

SHA1
6d028a7b105776a6df4ad14bb42211591e33eaa2

SHA256
fb5bc6c5d87ceb0eeed37d42a0d6429147b8a3a8ba90274af0349dcc56ec430e

SHA512
8f5f82c1335ec1632e2c36a1e668a636d6ebee35348115ab6f6ceb75614c291a6cb11ddd6ffc9ce00fbb899f3d8ee56e168682a1dd02da1f5f8a19babd1b4803

Download Submit
/data/data/com.bodyfooda/kl.txt

Filesize
63B

MD5
c9566517b461f60d8058b4c4c495b6bb

SHA1
3ed7147063e6a3d008fc80e14fddb821472cc9ba

SHA256
c91b3220a7bd7acfdb144cf65a30dcff47aaa7d6c1ec4513bf2e923d5e604a91

SHA512
e63d791dd5148e721f7570495d98de5dfdb7cf5943dc2b4ac590460d753947b0db96d03e9102fe3f023f7b41b9183f542f1a1712ea4e08e41c9408669cf3101b

Download Submit
/data/data/com.bodyfooda/kl.txt

Filesize
54B

MD5
32884769f665867069e7d668f92143b6

SHA1
64ebba4e154f242f24b675b27e2c7d0ad50f951c

SHA256
b73fb3abb4dc488a1b8dd13aef1234aba56cbade16c84951e0ae4ac161beaa00

SHA512
73f89391cacd2c4de2add4be2d0932bf71b9411f894060f8ff2a17836dc2eece07082d3da4ef03c0438684f7b78e16736af00dc7fc16a95acd40e42bb4f4dfb7

Download Submit
/data/data/com.bodyfooda/kl.txt

Filesize
423B

MD5
8cbb1cd152a84f326c8c10a1e8749389

SHA1
6b9b324f10222ba4dff99ac422dd7b2887d44de7

SHA256
8df6a7e18926a74d7cab95be0e65783a8b5c67d9c7cf44f1b7c134ada7b9e167

SHA512
f88dc9de97cc49f1eb9ca8bbb2c794a7ebf3fd0492ead324ed33696437cd67a4ea5295617d7d96cfa5eeff1805bb45fe705efdb64191d8589f78e9f182042bda

Download Submit
/data/user/0/com.bodyfooda/app_DynamicOptDex/KJYnHO.json

Filesize
6KB

MD5
f2f1f56e3d747544a43a971227efdac7

SHA1
dfdfd674e76eb9e80315ad583985e80e0e8362e9

SHA256
939281d1a894721d07cdbabcf6a1eca6e8c269fce08b57a93e6568f478128f41

SHA512
65501370554fc7c40eb13b896115537b9eb6aad8488055611ebc79dcaf728e50043fe22200137f2b20184cb0a2b732fed5f60ffc68325f9ffd37a23e27da2708

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads