octo | f9e9fac41647f9548ad98d5cb2c307fce6e95979e4c230f4c55a77858f4f791d

Analysis

max time kernel
149s
max time network
145s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
14-11-2024 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9e9fac41647f9548ad98d5cb2c307fce6e95979e4c230f4c55a77858f4f791d.apk
Size

1.4MB
MD5

b0d33a4db6bba9bb1533b74bf6c0e946
SHA1

8cfee67dd0151554043a5b3245e921431baeb2d6
SHA256

f9e9fac41647f9548ad98d5cb2c307fce6e95979e4c230f4c55a77858f4f791d
SHA512

0dc1e071754a94afa3c2b8b186d768dad9dfe1a68af22ee37bc3e456dcf890942c0afd6794c72e438ca93ee575277efc7f237b4ac3ad71a406479e66383e57a3
SSDEEP

24576:EEEnWITfOn2OO7NY0r3eRpicV9kTNaZu+bmknSjv0fXNkZODZH7mqDOqdqMAE4Kf:kTfu226OnV9ggI2moXmZGZbmq6SqMAEV

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://cm603lzeyxdw.site/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw1.site/MTU2OWE0NzJjNGY5/

https://arw2he7x57wp.pw/MTU2OWE0NzJjNGY5/

https://9r8i1u84t2gp.online/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw.biz/MTU2OWE0NzJjNGY5/

https://arw2he7x57wp1.pw/MTU2OWE0NzJjNGY5/

https://9r8i1u84t2gp1.online/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw.space/MTU2OWE0NzJjNGY5/

https://yjf241z0uu75.info/MTU2OWE0NzJjNGY5/

https://5a9udxg6l6gd.su/MTU2OWE0NzJjNGY5/

rc4.plain

Extracted

Family

octo

https://cm603lzeyxdw.site/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw1.site/MTU2OWE0NzJjNGY5/

https://arw2he7x57wp.pw/MTU2OWE0NzJjNGY5/

https://9r8i1u84t2gp.online/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw.biz/MTU2OWE0NzJjNGY5/

https://arw2he7x57wp1.pw/MTU2OWE0NzJjNGY5/

https://9r8i1u84t2gp1.online/MTU2OWE0NzJjNGY5/

https://cm603lzeyxdw.space/MTU2OWE0NzJjNGY5/

https://yjf241z0uu75.info/MTU2OWE0NzJjNGY5/

https://5a9udxg6l6gd.su/MTU2OWE0NzJjNGY5/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-3.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.poseyourllm/app_DynamicOptDex/EEZl.json	5240	com.poseyourllm
/data/user/0/com.poseyourllm/cache/gjultpyfqb	5240	com.poseyourllm
/data/user/0/com.poseyourllm/cache/gjultpyfqb	5240	com.poseyourllm

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.poseyourllm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.poseyourllm

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.poseyourllm

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.poseyourllm

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.poseyourllm

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.poseyourllm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.poseyourllm

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.poseyourllm

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.poseyourllm

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.poseyourllm

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.poseyourllm

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.poseyourllm

com.poseyourllm
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5240

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.poseyourllm/app_DynamicOptDex/EEZl.json

Filesize
2KB

MD5
0583567d476ae0995893b9564382e516

SHA1
ccc949d98e5e7c52dae53a9b0eb41ce9c3836691

SHA256
c84a3bb7a973bd20fb01df349cbfa6493b6dcab1be1f89af4a374a9762e07098

SHA512
207a401dd4351bb3f612e865764db5fe88aaebea5a8a1796e112ac7879b070493d2c45a9f776dd3ac455ab93ddf4f6239e67627a763c63b251580a87d397c046

Download Submit
/data/data/com.poseyourllm/app_DynamicOptDex/EEZl.json

Filesize
2KB

MD5
1892be461d640bc8e1271d52fec93a11

SHA1
e2ead3cb7e48c06f7851daa32aded4ce76888964

SHA256
5cc5e0b330c3ba8e09b90ee18a488296e701cf545c831442e35082bb069cb7c9

SHA512
2fce532735ad806445875dbae74477859e42fe246d422ac90aad1624d5a9daeebb496c82f1efbb452db3e4c38c20559072083beb014e315f7223507292bcb795

Download Submit
/data/data/com.poseyourllm/cache/gjultpyfqb

Filesize
271KB

MD5
6ca857db384682689c7ef39c809de76e

SHA1
09fc0267ef163a2a19fb27e83f0030e9d77c2998

SHA256
860a4e46bacb1eb77acb9d35f889c8b8168189f88131e8c8296191a52921c7ad

SHA512
4735f2f26f470d689f161e7163485a34ffcf719e0b4213edeee0afe4ea581a0e6e1d34fc1d554e07925d5b27c6e3803fdd8c9771f7f36bebfda60f5c9e123d3f

Download Submit
/data/data/com.poseyourllm/cache/oat/gjultpyfqb.cur.prof

Filesize
483B

MD5
a006617bfb0e14e6256ccd4e97b6e7a2

SHA1
233a3d79903321e38b56c7d870acf3ca0bedaccf

SHA256
5153d296f7789fb29d21348a110607c850ee190f7dde32005bee5cb0f7995d77

SHA512
cffcb8ef963dcce6ff53cd79e2cf9c2957eea37b5285fcd9f12278b9f7d37d88b0429cdc46eea36a9c21f10a12b85f2b3433d0d7e2602502639538d06046f2d5

Download Submit
/data/data/com.poseyourllm/kl.txt

Filesize
423B

MD5
9201a6bee9edb482583e81affbb81545

SHA1
2b886b647ef3e7ce5c4ea136c69c9c8fa186db03

SHA256
ce540184efaee79db0792e27e684fa94a0d9cb640c105b9cda859f09ab5e33a7

SHA512
13eb3687ef8c461309e5d32b0423db3d4caecf459646b67c43350a8ca78e640ca3c8ef3e8fdf934dc53120c3a2b9e2c7151466e12762f3e0839ab6500e2606d5

Download Submit
/data/data/com.poseyourllm/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.poseyourllm/kl.txt

Filesize
230B

MD5
0c3946360cd0922dd72a560a62d983f8

SHA1
e39d087ce7c09829215aa899246bef0db070967e

SHA256
97db086178ca5aed6a3b2ba56671c724bc160c5dcc390546fd65cd37eea8d9e1

SHA512
c1c6d47d8ef96b1be40d411448b26f8808e2d8b63074eebbb62f96bdf5a164e7b426312472669d38971ffbb6364df6567276f812be4e518f12e9e7d9be86447b

Download Submit
/data/data/com.poseyourllm/kl.txt

Filesize
63B

MD5
591da25f68079be731881e935c39d705

SHA1
b1134199a50523a21feeebf057e7a87eba7b637a

SHA256
a527ff4ad1f21afb05a065276c2cadbf61f39909e050418b0e5370f5e79c2c03

SHA512
3bf5103bf4be475943d3694ab724b5061b567368e661108d8bf472a805c49eb37b0ad698939fcfe18d67530a67093463b998efd677aa87720f6124362ab4976d

Download Submit
/data/data/com.poseyourllm/kl.txt

Filesize
45B

MD5
6f64f075806bd0c7754e730abbbaedb0

SHA1
deed6b080a8f29227a1e7937d9740205aa52a521

SHA256
7cba91c9700f28262cab131b0807e4172b3f3616e78e24ef2df44faf15a90467

SHA512
f479a1611c56ad9588c0746f3b14ad45fc679b4e2cf622fd0aef8937ecb9f00419a19b431a58561a65f7263bc2a4f637cb559b88c2e99b75f2c7dd18161db2bc

Download Submit
/data/user/0/com.poseyourllm/app_DynamicOptDex/EEZl.json

Filesize
7KB

MD5
0c3bf19df117ce0a62f470aff08504fe

SHA1
450af8d3ded7b54575b22c811754b08018d37f26

SHA256
320487b60b919d4efc70486f3abcd172b78255d8ebb6649f7a144570c1705cb5

SHA512
78abd1516537e81e6006b6863af84bf7e256e560b7c63af6858a65369670b886891b7c088b2453c0e7416fe5771fb6f79492edc3d62b34fcb4da3c604d1491fc

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads