octo | 6e60cb4b65f565e16c8ad10ca1cbb2b7315d9724348488948c6709f865b3566c

Analysis

max time kernel
149s
max time network
150s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
06-11-2024 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e60cb4b65f565e16c8ad10ca1cbb2b7315d9724348488948c6709f865b3566c.apk
Size

1.4MB
MD5

60bde64195a30beaf3f561eff11c98a3
SHA1

87067806e7326aa887f44fd86d80faa2ed9d2435
SHA256

6e60cb4b65f565e16c8ad10ca1cbb2b7315d9724348488948c6709f865b3566c
SHA512

62f59186c488b24a78e1d50818271e4dcbcd35c4f12a884e27068f18eea9bf8f2519bccc9d1f9b4112f145209364857b948e1ba0a97b22d1f84c6ca320478721
SSDEEP

24576:pDRRRRPpGSIZfJ4jfVttqtlOtb4N60auptTtve+071XDaZODZH7mq9qnYYnAE4Kc:pDRRRRPFIVJ4Ztg4tb4NDau/tv271Xmm

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://cm603lzeyxdw.site/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw1.site/MTU2OWE0NzJjNGY5/

https://arw2he7x57wp.pw/MTU2OWE0NzJjNGY5/

https://9r8i1u84t2gp.online/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw.biz/MTU2OWE0NzJjNGY5/

https://arw2he7x57wp1.pw/MTU2OWE0NzJjNGY5/

https://9r8i1u84t2gp1.online/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw.space/MTU2OWE0NzJjNGY5/

https://yjf241z0uu75.info/MTU2OWE0NzJjNGY5/

https://5a9udxg6l6gd.su/MTU2OWE0NzJjNGY5/

rc4.plain

Extracted

Family

octo

https://cm603lzeyxdw.site/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw1.site/MTU2OWE0NzJjNGY5/

https://arw2he7x57wp.pw/MTU2OWE0NzJjNGY5/

https://9r8i1u84t2gp.online/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw.biz/MTU2OWE0NzJjNGY5/

https://arw2he7x57wp1.pw/MTU2OWE0NzJjNGY5/

https://9r8i1u84t2gp1.online/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw.space/MTU2OWE0NzJjNGY5/

https://yjf241z0uu75.info/MTU2OWE0NzJjNGY5/

https://5a9udxg6l6gd.su/MTU2OWE0NzJjNGY5/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-3.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.bodyfooda/app_DynamicOptDex/KJYnHO.json	4947	com.bodyfooda
/data/user/0/com.bodyfooda/cache/iynbzbtcayiol	4947	com.bodyfooda
/data/user/0/com.bodyfooda/cache/iynbzbtcayiol	4947	com.bodyfooda

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.bodyfooda
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.bodyfooda

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.bodyfooda

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.bodyfooda

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.bodyfooda

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.bodyfooda
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.bodyfooda
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.bodyfooda

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.bodyfooda

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.bodyfooda

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.bodyfooda

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.bodyfooda

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.bodyfooda

com.bodyfooda
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4947

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.bodyfooda/app_DynamicOptDex/KJYnHO.json

Filesize
2KB

MD5
40db7864da0f75d65e5622a8dd30f7be

SHA1
593b0f03c00b8c2f7b7c17ac6963369d45bd485c

SHA256
1e5456d529b344622188c060230f641e6f8920a430f3c0bd1721b9b06d5da0ba

SHA512
bf843f6a50385de2ad04e0bf49d8d968d48df878e22245b101032e56356940d5c3ff53370e64de47ddf9458c6de6dab7f2570de5a5b4edc6d45d8f897d164525

Download Submit
/data/data/com.bodyfooda/app_DynamicOptDex/KJYnHO.json

Filesize
2KB

MD5
7236ad0d1f1a2676f9b5f0344fe3539c

SHA1
2ffe3d4168bad22eaf263d878de2251d49764374

SHA256
e8f1fabcf5baa912f0292df48f99a1f56459f0c9d824c764f5ec148993e048ba

SHA512
e243dd6784f85a0bc0857d57dafca8ca81dd1a188c185ac34f3b879fb16012cf34cc9f859b60ceb2fd1c58ad3bf413b800b3ce90ead62f7dcd44e4c1955f812e

Download Submit
/data/data/com.bodyfooda/cache/iynbzbtcayiol

Filesize
271KB

MD5
895760778e8d8fabe596da433d4f9450

SHA1
ef150ebc5a56b8eccb9a3eae18825946be104183

SHA256
403d18b7d329f454f1bf96fd9462b252d4c8b81c954134fa9725eab5a4e75968

SHA512
6c41f8f0b73d7b32a4661070d4599fb8054578c130f5a587dc620b9308c9b76e729e99b03ee934166ce639fc9b0dbfa07b9291c51916aa1695fcdfd510254daa

Download Submit
/data/data/com.bodyfooda/cache/oat/iynbzbtcayiol.cur.prof

Filesize
470B

MD5
20d1833dea35c4c16c9cede596ccbb38

SHA1
5a726a3da23862a674d5018f4d65c98d1cafa581

SHA256
e56d344e600f69caf618467f70027be8dc209ea7ee8a918e823e21c293b464fe

SHA512
d86a93bc3509faf89eb8b802f9e06dc0a87e890f83dfd89b45cfeb7762a8410d00252aa13004d658e2b9610e4de0c673a825ad86d9219e9e6fc81fc00a63de7f

Download Submit
/data/data/com.bodyfooda/kl.txt

Filesize
76B

MD5
8fa83e27bee754a6274dca8514370806

SHA1
814b61ac75908e22511df4da8191f8c53ef5759a

SHA256
54ac583e999d81b1a42d0376a591e42d8c079833957fac08d254dc87c2e23e0c

SHA512
6a1eeaf87aefbc739e7defe44e003251add3925235de1b915c845a4b1ab9ae7e70b173bb6b967f9139d00ffb11c318fe222a8fd80bb5e7852677992fce111a4a

Download Submit
/data/data/com.bodyfooda/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.bodyfooda/kl.txt

Filesize
230B

MD5
64477aa2dd6422e4725c400d86998d65

SHA1
fac71984abe1ef9fd66e588c8c678f48134d5108

SHA256
2e015d22af571686ec9c4f9528dbef2f547a6be336db8089ac97dffb04ea5392

SHA512
ac2ab3d1e75e6ea5a7c10b2514c19166d3bf2a17d2c3c4f4563595dcf6b35541a01f120a697506523d9a6a56f4a5082eaa1c22560fd2c656ed9ccdbff9d57932

Download Submit
/data/data/com.bodyfooda/kl.txt

Filesize
68B

MD5
5d832ba6eaf8e7ac412a18f136e0f500

SHA1
a9fcbe72b5a71de5a51689ddec253e247211853f

SHA256
05e38c184ddb9d1bc75933ada15d61e9e9404736745fa7855414d65ac8a27205

SHA512
69849b2946bd0d3f7c85e7d7018a322d0716b4d42e0f80c6bae115d2ba7ff90ab031e51cbd61e506bea081ed6e5aaf6b47e079062e97e4e67a4ee898c5e5da3e

Download Submit
/data/data/com.bodyfooda/kl.txt

Filesize
68B

MD5
0fa4f7bc2a4c0dab7f81cef3fef09c87

SHA1
8e9ba7ec5a7e1a34d9acda0eae0bd56d34bbf364

SHA256
27e32501b30053f68475723db597558b542d6f91deb59176f85db758d57d867b

SHA512
8898501d896c37410ffcc1e8cddb470a436b2e1b82b3c91f7ba97febe185f7aab619d31c4759cf9401f274a8c7c37c231a5b336e2b6bb16a65e29ed4dbf5bb30

Download Submit
/data/user/0/com.bodyfooda/app_DynamicOptDex/KJYnHO.json

Filesize
6KB

MD5
f2f1f56e3d747544a43a971227efdac7

SHA1
dfdfd674e76eb9e80315ad583985e80e0e8362e9

SHA256
939281d1a894721d07cdbabcf6a1eca6e8c269fce08b57a93e6568f478128f41

SHA512
65501370554fc7c40eb13b896115537b9eb6aad8488055611ebc79dcaf728e50043fe22200137f2b20184cb0a2b732fed5f60ffc68325f9ffd37a23e27da2708

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads