octo | 20e462fbbec9b42950198abc250ea15d15f6385b650bb5d0dfe49deed9453247

Analysis

max time kernel
149s
max time network
132s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
14-11-2024 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20e462fbbec9b42950198abc250ea15d15f6385b650bb5d0dfe49deed9453247.apk
Size

1.8MB
MD5

c136d8597dcfbdd92f381aca4c9ccbad
SHA1

d2263c1b0d2845b3367f82be87256630272e420a
SHA256

20e462fbbec9b42950198abc250ea15d15f6385b650bb5d0dfe49deed9453247
SHA512

e1ae8c62a130d0cfeb9ccdc397c0869b34219b01b70c6fa9f92756a61fbfba08ea1d9d3d6e1db901ec272e34489908ee40a7821ab0aa2f4dbaeac459874e8852
SSDEEP

49152:gh9WeqkDlLT22bFDCDROdPYfF8YWWXuZGZbmqfaQTAE4KoSA:g+uDlLT2KFDK4dPYfFJXuZQ/fyj

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://akshdkjashdkjhas.online/MTBiYTAyMTk0NzJj/

https://huhiuhihuiuhiu.site/MTBiYTAyMTk0NzJj/

https://poipoupiupoupou.fun/MTBiYTAyMTk0NzJj/

https://tfutfutfuutfuf.pics/MTBiYTAyMTk0NzJj/

https://ryertyetretretre.shop/MTBiYTAyMTk0NzJj/

https://trststerstrstrsrtsrs.store/MTBiYTAyMTk0NzJj/

rc4.plain

Extracted

Family

octo

https://akshdkjashdkjhas.online/MTBiYTAyMTk0NzJj/

https://huhiuhihuiuhiu.site/MTBiYTAyMTk0NzJj/

https://poipoupiupoupou.fun/MTBiYTAyMTk0NzJj/

https://tfutfutfuutfuf.pics/MTBiYTAyMTk0NzJj/

https://ryertyetretretre.shop/MTBiYTAyMTk0NzJj/

https://trststerstrstrsrtsrs.store/MTBiYTAyMTk0NzJj/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4317	com.happenbothmadq

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.happenbothmadq/app_DynamicOptDex/MA.json	4345	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.happenbothmadq/app_DynamicOptDex/MA.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.happenbothmadq/app_DynamicOptDex/oat/x86/MA.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.happenbothmadq/app_DynamicOptDex/MA.json	4317	com.happenbothmadq
/data/user/0/com.happenbothmadq/cache/vxhcyrj	4317	com.happenbothmadq
/data/user/0/com.happenbothmadq/cache/vxhcyrj	4317	com.happenbothmadq

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.happenbothmadq
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.happenbothmadq

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.happenbothmadq

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.happenbothmadq

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.happenbothmadq
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.happenbothmadq
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.happenbothmadq

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.happenbothmadq

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.happenbothmadq

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.happenbothmadq

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.happenbothmadq

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.happenbothmadq

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.happenbothmadq

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.happenbothmadq

com.happenbothmadq
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4317
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.happenbothmadq/app_DynamicOptDex/MA.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.happenbothmadq/app_DynamicOptDex/oat/x86/MA.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4345

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.happenbothmadq/app_DynamicOptDex/MA.json

Filesize
2KB

MD5
0ad4cc0b6c3fd1cefa2ee741c05aff58

SHA1
6e022b4475193fb05e944e57664088364dcdc87f

SHA256
bf4c74b76f72b3fc1fe135acaa760c2f9c778954c17e3ed58950d07f713a4def

SHA512
9a2d152fd0d4c5c60eb931432b4ff354f5d73a83896fff273cc30512264a1da6e49b6d20404c502dfd2c813782851c5844d7f041da50605726d84cff485e067d

Download Submit
/data/data/com.happenbothmadq/app_DynamicOptDex/MA.json

Filesize
2KB

MD5
bb8dc7088fc883be7100818af398011d

SHA1
7d4318fdc49a92bbe2c684322fa454925a921a92

SHA256
ce2cadeffa7b6d1498127b588d4d85567a63adbaff33d4f4dd69c9cdfdfb878c

SHA512
0303023c331150730e87398e6fcc15b78874e2522636c5238085a7675f5dda3c6f4987d135cf90b6bd00d8615afb3055c75f1d4fff5f759d435a272e5bf8ca7d

Download Submit
/data/data/com.happenbothmadq/cache/oat/vxhcyrj.cur.prof

Filesize
471B

MD5
6eee586c5b83f797e185b7425d0ebb74

SHA1
463ff475fec3cf6c1a1072f3c662551435dce0dc

SHA256
becc79511e19071d966bd16c9166d10c40015e88cfa226e964aa9b0931d44cbd

SHA512
f36b2190863334af8c555d976fdd57f992152ae913b302b9ad0be3b20c0a083c5f75a6a2266fda6ea9949c64300de0cf62ec0e6c6e5bef0a35247fd3fbbd9539

Download Submit
/data/data/com.happenbothmadq/cache/vxhcyrj

Filesize
450KB

MD5
17b3b699cbb4ef6b4dbdb10d64b5a9b2

SHA1
da4d0611d12029ac6c116b81662792827d02dfb8

SHA256
109429a1bf890d277ad125e94b36558c5e2b33b65c065dcb43aad989b1e3c208

SHA512
d2096d0d8ceef6626833a1afab4445637fac5cacabce70ff37908bc3334a9e664bdc2e81b045d8ecc377e73c0632d63fe991976c40e8265f90504c1730434329

Download Submit
/data/data/com.happenbothmadq/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.happenbothmadq/kl.txt

Filesize
237B

MD5
abb6ac359079d51b822ff6471cd85248

SHA1
7c8ca8f43b79b12c3ca767f40cc7de669a512214

SHA256
89f1aa214232156162cf7babac68fde9a717287cce2d29d41c378ffae66a5d5a

SHA512
709712608ec6ab3e9c5bbd6daeb7364a5ebeea3f6f5251d1cfefe78d5e2a211fd32018f4ab6dc1b0d47ec2a63aaa02fc0f5fe18933d956fccb2e534c9369e224

Download Submit
/data/data/com.happenbothmadq/kl.txt

Filesize
63B

MD5
8f9ead1df0c06cd0a8c6c405abc0ccf0

SHA1
dcc9f01029db3094debfad3ea6df76832ec75bba

SHA256
91975a4af862f02f2847c589ef1c783bee2d366dc49b7d6082004f4f12974076

SHA512
e49481e4b92e504d5afc691293cce8ccf8b7af932df7d8b5e508ffada53e1fc9f10362eaf8e238f01b179fbba4ec8db43015501410813867f5556cc57f5b4b82

Download Submit
/data/data/com.happenbothmadq/kl.txt

Filesize
54B

MD5
65028538d23e73042a3afbb030c1721a

SHA1
5762fe16b1f088f0fcb0d749d7d02248d3697576

SHA256
e8025285ce74c46a3f6ce31daf2aa0dc8d7f1ab2fb575d70c2d6a6883bb0ad60

SHA512
f3a2e57b1f04e900a4b2117d621c75b0f4af3c2103b416469066a092761d195bcf8fb44989b687fd7c2a76cdf7400358a047be88d47269c8dfdd57c78a8b3a6a

Download Submit
/data/data/com.happenbothmadq/kl.txt

Filesize
437B

MD5
c862b619357d07711f909d51aa5735f9

SHA1
2b903ed037d3bd9e51f747569e540d156ba08419

SHA256
3de363ade15cfa07751e460cbc73a5509f8458b5c13065c4194070e3e3bcc6f0

SHA512
891c95d36725948b18600a84c87cbafed00ce511410048283bc33af803d70d62f2d63b940cbcd14f6939d13534ba94e8cde00078116498326d52e51cdef3c600

Download Submit
/data/user/0/com.happenbothmadq/app_DynamicOptDex/MA.json

Filesize
7KB

MD5
95a2c29c997504b999b03f0983733ffb

SHA1
3868a882f36c28dc1d2889be1aa2301497aa10b9

SHA256
c5c6aa8c8b1bf0867518440e3b7d970ffa9c59106076ff422a64adf479c38259

SHA512
66d805d1cf17e9c8b6eb1ef2edd0b1e8e313c279019def680d7061db9753dd697b0e3f71ed57bce9d85d4be9a0a4f17b596e09072e889e5d55728f1d69b3ed4c

Download Submit
/data/user/0/com.happenbothmadq/app_DynamicOptDex/MA.json

Filesize
7KB

MD5
d6e6c519edfd581fbe391d102fe8d69a

SHA1
8a2f66cc6321985b355e07fc256ac921fe1a2229

SHA256
b6a0a003a3b0c6cf7390215379085f8fb58e8e05acdee551560a51c1057ff087

SHA512
e4345929506926bc442bb5c73b27352cbbdb5adbdddba7a49927b827dd6ad1d376d3ba8a930d38cf6802ac0a97b0079cbde110d02d93a48e2192b18eba5aed37

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads