octo | 90d134fe452c1fa52076c9d9e23d115f08c279bc8c8ec32a192117578e71f79e

Analysis

max time kernel
148s
max time network
158s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
15-11-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90d134fe452c1fa52076c9d9e23d115f08c279bc8c8ec32a192117578e71f79e.apk
Size

605KB
MD5

98d0d38d446ae7f4dfe59917d04b65f6
SHA1

ec1d8eeb42f26ab03216334c615de74447b8ea45
SHA256

90d134fe452c1fa52076c9d9e23d115f08c279bc8c8ec32a192117578e71f79e
SHA512

6e987bfdc119c5bd43b85d656918798a9dc61bd960f0641cdc6568b5eeb6165359a9b7fe5a343c7802fbd428ca7b84e9089e0dbc7a0c49caf1a26475a3b53c0b
SSDEEP

12288:OP0xl6DH6gM8semYIWU2pLjr2IBDfTgSSxf+QXeLmts4hDLrMhdIm3VKZ:OaoeB2IWxLjHBDTgS4+CAmtsIzgdIm3I

Score

10^/10

octo banker collection credential_access discovery evasion execution impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://7bb13903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://4b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://34b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://64b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://74b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://894b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139030754567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139033074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b641553903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

DES_key

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 2 IoCs

resource	yara_rule
behavioral1/files/fstream-3.dat	family_octo
behavioral1/memory/4255-1.dex	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4255	com.completeremember8

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.completeremember8/code_cache/secondary-dexes/1731708027065_classes.dex	4255	com.completeremember8
/data/user/0/com.completeremember8/code_cache/secondary-dexes/1731708027065_classes.dex	4281	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.completeremember8/code_cache/secondary-dexes/1731708027065_classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.completeremember8/code_cache/secondary-dexes/oat/x86/1731708027065_classes.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.completeremember8/code_cache/secondary-dexes/1731708027065_classes.dex	4255	com.completeremember8

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.completeremember8
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.completeremember8

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.completeremember8

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.completeremember8

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.completeremember8
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.completeremember8
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.completeremember8
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.completeremember8

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.completeremember8

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.completeremember8

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.completeremember8

Requests modifying system settings. 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.completeremember8

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.completeremember8

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.completeremember8

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.completeremember8

com.completeremember8
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4255
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.completeremember8/code_cache/secondary-dexes/1731708027065_classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.completeremember8/code_cache/secondary-dexes/oat/x86/1731708027065_classes.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4281

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.completeremember8/cache/classes.dex

Filesize
447KB

MD5
55a9581a83232f85c541fef828d52e31

SHA1
1d330262fe57e17c36ee15b5ef163db8a49a99e2

SHA256
837428bf0546218256a320d7f751e9ac5695e3b3fc4c8d99d51a863ea28651df

SHA512
d0131daf6c68b3be38b7aacd8401864584d546b72e7bd0bf327ed8984abaaa531cc0c78e4c1c6996d8a64943ef93a0ab5929a0b421939835af6d3fd38c7b7488

Download Submit
/data/data/com.completeremember8/code_cache/secondary-dexes/1731708027065_classes.dex

Filesize
1.1MB

MD5
ffa252f7a4b4c98e5bc5e7e3575bfe64

SHA1
b37a7297d75b296af758756f2afbc6bc15c96b39

SHA256
c6152ff2121c749c50885129137c922470094c42d9d353eadf5ab8d1df574574

SHA512
de50eaafb76e1900f2a31178037174f804113f80cf3dc01960b072d8543caa806d3d8786eb41ebf1812ee363a748eece03759539cbf6454b78f803c34f8e638f

Download Submit
/data/data/com.completeremember8/files/profileInstalled

Filesize
24B

MD5
708d48673256a2ccab3bb18b9c4ec805

SHA1
06f2c75c15318aa54d6a1024a3124aa5e66fd1e8

SHA256
1937d372e6e4a449175dd0490829c7b117e8879fbc5de21baf7dab4138e2d91d

SHA512
47fab6eeba3d4917ee9f258b8bf043b29eb1e29e5f51b83d6ae714f2ef2054bc76697c289702b88f3ff9bba4a6a3f7c913021b1c443987e178cab64cada18fc6

Download Submit
/data/data/com.completeremember8/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

Filesize
8B

MD5
c8eefa62e35776ea24065586153f005c

SHA1
2f6fe609211ccf29c214425fe3bd4fa194a2ccdc

SHA256
9c3d404cd1d4b9fbb0e19f17ed08b7509d12c2ccfd03d5600868e2d8e8567aab

SHA512
a9cfca356a8b9704e5a060a97df923c0c68e488c45c5e522c46b9d22c2bc1df0254a4da386e752e0b862152d384a6dc948cddf0c74bae0f0146982cfb98bbc3c

Download Submit
/data/data/com.completeremember8/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.completeremember8/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
6b23d45a8e497a90f23f475bd63b2b79

SHA1
7bf89554ff2dc9603c13e2f02fe3744641d73a0a

SHA256
4a01ec2c18035c030baf2f76762cb4a6c972b2bb35843a2413d949693669d864

SHA512
9117a5f28a5090a0aaffa1e6f2b32a97ed2eaecc74f74822a1e9bd140c5fe6c1135a108710d7845e948c1906fd010b380bbd84d9a5e03e31e476bef9917f47c9

Download Submit
/data/data/com.completeremember8/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.completeremember8/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
0bd073283d6084ba6011d6bfad4cfed2

SHA1
0b2c56f1653685fb5ba1471dd8a739064e17c3e7

SHA256
b8868d492fe35f572a1d3e12fe6afd938f6ab83398ac482d712433f74fa547ed

SHA512
bd4917b42ff6b497e4bf0b9d8da233c35dd3853621ac7b5081736bf9a9588983f7e50c0b6a26711cf2ee6ee847d12192ba1b34c5ad5ec08a59dc2bd48cc54df1

Download Submit
/data/data/com.completeremember8/no_backup/androidx.work.workdb-wal

Filesize
116KB

MD5
11ad7ccf8a69f6797923be4d5f417402

SHA1
ed8e6f867bb23c4cce1049403d26f7cfb32000a7

SHA256
e24a1e23a0066cbbc31e24c496a2cd8e3f384e0ab8d7f3d15b11496fc7b0482e

SHA512
2387664c823078037be7ead8e237770e7c35fdf8a9f4d8a0061b23acb90be3f696bbebbc11604c3a3f4698a7de9e373af08018ce80f95fa5680e659f7618ea2b

Download Submit
/data/data/com.completeremember8/no_backup/androidx.work.workdb-wal

Filesize
124KB

MD5
e2b4db817940321b2b8dbe1fe479813a

SHA1
20c50de0cb2f3cc6f7b6247a1366f240f5f25c76

SHA256
43b7c33345de70bcbd0aa23120276be3a9e8304a9463d3209b05bd0b5718c20a

SHA512
9bfebefe2254b71fd4e756969358e5f723c90db76b554b54dbd7d47bf6f5c6a5a3e49e4816b6461912145010cc1737842a44df77558a0691def7359eb63caea6

Download Submit
/data/data/com.completeremember8/no_backup/androidx.work.workdb-wal

Filesize
177KB

MD5
c27b75ddbb731ddf3aa5b47fe163d20c

SHA1
224a7f460ac942dd0f0f8d4c462c1330d3145336

SHA256
fc5f3538f31014ae1cf3c6ff8dfc84b7dc2bb8c20fdea9da35c8926227458874

SHA512
6916f8eb63dd68d2de0e472df7f72618c54ae531df017c0bc204beff20749ae9c18fdc2679ccf7eaebed29d6046190b7815584efe1a9c9d3828d49c16a66162e

Download Submit
/data/misc/profiles/cur/0/com.completeremember8/primary.prof

Filesize
112B

MD5
15af1cdcfaedb837b19131fdd2a1d2cf

SHA1
cff26d94e13e265c921c6fd53a0453b4a1b6fa33

SHA256
78588d2f38d110e0ded2a212ce0694301965b7b9c4981e9e373e2415c69a777b

SHA512
462f65a932e0052f369311c997a9957d3350bf8784486cd4365381e15fa9550b7af5ee12ec5e5ad6dca27abe621d01c4ed4beaba62dabc16ebf332dfb990cbcf

Download Submit
/data/misc/profiles/cur/0/com.completeremember8/primary.prof

Filesize
121B

MD5
06d13ff996f99c8a6397799fd85e521b

SHA1
1c79a80959c5a461d4e1b07fd9d894d27965b938

SHA256
f1bb03f5c90f21f1a2b0a2f9f1fa0b6995d521d6f4963516d3088a37eb379396

SHA512
19be2aa985113032d84c1d0d66e094bb7a42a48a9ff5ffbd817b22f093bd8127c4860798116c68524cae4d477942d6f11d1747b7b9284efeb948a07184ba0166

Download Submit
/data/user/0/com.completeremember8/code_cache/secondary-dexes/1731708027065_classes.dex

Filesize
1.1MB

MD5
cc3a7298a9f72932d806c5e5259913af

SHA1
2b387f4899d80e4fcb80b777815e23032d2bb6ea

SHA256
795683174ce0c047c3b11d95f5046dbf34613e5347f3ebf17d7d40f9eaf9c70d

SHA512
2bb2a0a8e50a778eccf1c51df809414cdf4194975a8b5871cb0a96ab5baf6037d04640315acc99c1d3e143eba2c9f8a858e6d68dc431d2b3dce8f66d9c985fbf

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads