octo | dd5999d30913072a1dc303331b177b18beb12a6d9676e99becf9c9daab377092

Analysis

max time kernel
149s
max time network
150s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
08/11/2024, 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd5999d30913072a1dc303331b177b18beb12a6d9676e99becf9c9daab377092.apk
Size

541KB
MD5

84eafc918e0cbaf206bbfddb904c8f84
SHA1

ecd3e61f46a5bebfaa12cb15c78c2eb258fc849c
SHA256

dd5999d30913072a1dc303331b177b18beb12a6d9676e99becf9c9daab377092
SHA512

1754cc195eef134beb91fdfbe7dbbdb7b3adad7bc58e8d7e43509aab13f47f436e4b87193d8a8732d9dda0f18aaa67b85ec03d90f01dd6dca3c0804d52e9e4f9
SSDEEP

6144:ziBF6XMfn4ADKYuuRABr03dgmsC3aR6CM1yEcFF/yTy6yXbSNEayJ3BrpeuvnOgX:zGitADtuu/f6PXF/2vENLrpCi52qynF6

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://79.110.62.121/YTFlMzViNjNiNWM3/

https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam7acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://6ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://7ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://8ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://9ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

rc4.plain

Extracted

Family

octo

https://79.110.62.121/YTFlMzViNjNiNWM3/

https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam7acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://6ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://7ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://8ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://9ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4364	com.growfamilyu

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.growfamilyu/cache/azlisdjdilhs	4364	com.growfamilyu
/data/user/0/com.growfamilyu/cache/azlisdjdilhs	4364	com.growfamilyu

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.growfamilyu
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.growfamilyu

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.growfamilyu

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.growfamilyu

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.growfamilyu
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.growfamilyu

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.growfamilyu

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.growfamilyu

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.growfamilyu

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.growfamilyu

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.growfamilyu

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.growfamilyu

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.growfamilyu

com.growfamilyu
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4364

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.growfamilyu/cache/azlisdjdilhs

Filesize
450KB

MD5
5f0cd5e0042fc32bb33ae4719437c898

SHA1
b51cfff35bb31556861bc36bda7e11f691521376

SHA256
395c70aa7f61367f97801e68921b4269786246ee619519648a83e4e7837a8e8b

SHA512
69ce016478933e3076be9c87be5ae416e44d3e92f78e8cb14f16f3951bafd4656588fa408ed9e564481bf5958afd0175286060270b7440006cda014f76c6d349

Download Submit
/data/data/com.growfamilyu/cache/oat/azlisdjdilhs.cur.prof

Filesize
483B

MD5
f1f2580521b7aeed6ed0fdbcd3e49814

SHA1
94f53e06c37b4e3d5111ff6a02e0555d02d0450a

SHA256
8f05977eb38acf08af74eb4c0bcc2540bda92156cdf63a0889707e8bd543a9a4

SHA512
f3aad888b61c70d66dfc7fefb7289372c61cf0522c9e00a54246192f1fdfb59b65335979cd392dbb75b3b7a78756136b9e5d225a9cfc1810858efe66f5443157

Download Submit
/data/data/com.growfamilyu/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.growfamilyu/kl.txt

Filesize
234B

MD5
f3fe27c9cba6cf9db35bd7b9f80afc13

SHA1
4cabbc996ebb8c2d5a76b1cdb59575ff8247183a

SHA256
ea7bc5e793f899a45b4a0b625e6f12ea127dd3cf1e9fdcbe8eebc1af779645ef

SHA512
73a5f9b50e9d6e5a5679b091bd4d92f9932996540aab817545e299f33ecad937a2372a3be5119bc6900c08415d8aa2250fa44f20948d372af0b6800b436ee423

Download Submit
/data/data/com.growfamilyu/kl.txt

Filesize
54B

MD5
e97a21bcfd343428e7441afe2672994b

SHA1
235a282cb534e7216f8d38d45050c9f5b333f886

SHA256
f121031b347ee777620bd4a848c34d9bc55b30bc50bc9474040966109325c0e5

SHA512
3bdd0f6d31e16b802e8b280e38d0b40aa1d061a34d80bbd1fadd18863a5dfc8890137b0e749f250a7edd0c9571e3830731381c90d7945ce38ed158d4b7caacfd

Download Submit
/data/data/com.growfamilyu/kl.txt

Filesize
63B

MD5
c01f0878ad39eca26dc84104b213a6b3

SHA1
947b1f205a98f86bfec3556441f5421599ef1c00

SHA256
f9cb2f712aedbe47d35237174afde10a130d56c7a5b6f6d8e4ba070438c9f477

SHA512
f003540856965086cabad26d34e811aac178cbb8eee8b447ad816427d4de5be74be3f1fe3a773632621e032079bf9407e5918c5e01e69d703d05c09673e3bd4e

Download Submit
/data/data/com.growfamilyu/kl.txt

Filesize
431B

MD5
02cd8ced5770d5fabdd391174521df9f

SHA1
27e87a6090eea03b7f871947f7bca951801b51a0

SHA256
ca446f19db06c9fb9daf5b53a5e931638389c0f4e4dc9f508f246bdc59e32687

SHA512
8a72290dd47297e9b30d39b1202739e150128831eeaec5ecbabd348916c1c0fb2314d1923faa206f5f5d3d1242f5d1dc0c74125b10e2376ad48500ba7c215d94

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads