octo | e603c5cc6349913bc866f9fdef16fe0144b2daf81505a1ef9efa23c4bd44085c

Analysis

max time kernel
149s
max time network
153s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
16/11/2024, 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e603c5cc6349913bc866f9fdef16fe0144b2daf81505a1ef9efa23c4bd44085c.apk
Size

2.0MB
MD5

e1869f35d0d95cb1ec9236b32be35da5
SHA1

c165cec4a14f8e310c9827a792301dbcce96e746
SHA256

e603c5cc6349913bc866f9fdef16fe0144b2daf81505a1ef9efa23c4bd44085c
SHA512

8ed2b9d6a8e6c8b47f543ef3e6f7163d920669949c9ff12a9c8fbd30cd0813149de26082bd6e809e12e4467bcdc91b39df73543a683917628843404800df356a
SSDEEP

49152:XqX15ZKEo3Hh88waxJyKXNI17q3VlJaXBpKQigAAg:XqXZ1o3Hh81axJyhq3V+X79igg

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://85.209.11.84/YjcyMWYzZjc5OTUy/

https://32fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://33fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://34fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://35fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://36fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://37fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://38fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://39fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://41fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://42fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://43fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://44fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://45fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://46fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://47fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://48fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://49fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://50fdghhoo11.com/YjcyMWYzZjc5OTUy/

rc4.plain

Extracted

Family

octo

https://85.209.11.84/YjcyMWYzZjc5OTUy/

https://32fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://33fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://34fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://35fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://36fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://37fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://38fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://39fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://41fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://42fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://43fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://44fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://45fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://46fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://47fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://48fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://49fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://50fdghhoo11.com/YjcyMWYzZjc5OTUy/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-3.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.findsoon0/app_DynamicOptDex/sEAu.json	4777	com.findsoon0
/data/user/0/com.findsoon0/cache/mjkmfsjufedbme	4777	com.findsoon0
/data/user/0/com.findsoon0/cache/mjkmfsjufedbme	4777	com.findsoon0

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.findsoon0
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.findsoon0

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.findsoon0

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.findsoon0

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.findsoon0

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.findsoon0
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.findsoon0
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.findsoon0

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.findsoon0

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.findsoon0

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.findsoon0

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.findsoon0

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.findsoon0

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.findsoon0

com.findsoon0
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4777

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.findsoon0/app_DynamicOptDex/sEAu.json

Filesize
2KB

MD5
787e5d6042741cbc1e038ebd72fdc962

SHA1
e49d24dd0925f88fd06842d738cc9ebcf9df4220

SHA256
782ad05078b6a8985666cd99589d136288627d5c1b519a23aa78a874d81c17d7

SHA512
e33e1d9db6c7786049c244e0038df4293a80a89dbc7584841e49bb588133c70d69d03988c42ed04fba300b7991d061984e12389d72d60bd7420c6f184a1a2a9c

Download Submit
/data/user/0/com.findsoon0/app_DynamicOptDex/sEAu.json

Filesize
2KB

MD5
b9d18d15cd4d6ea499f01abb931e17f0

SHA1
199292ece639194fbac670f4bcc156d6e001db2f

SHA256
f55cdcf9600c7feb41d90aeac607466e73de776fa855dc1db30f4165100a586c

SHA512
da17da2c31b562e705dbf78ac66372b2aae5ac1f14e758a78cc2f97dee558b66687271d517fa5925afc99dfdb2cde592c12f41cb1b419aa80765aff8cc1d3f45

Download Submit
/data/user/0/com.findsoon0/app_DynamicOptDex/sEAu.json

Filesize
6KB

MD5
971f7dc04310049f3b571bc5fb540834

SHA1
af8df12c444656cddddffe6eae3acd560ff174bb

SHA256
fc9be0d765d2f491ce6a3f73f1baa123e4ddb25eb32af8e9b3c53ef5103aba16

SHA512
8bfb71576308d9bb7c33b010bdac84b1e91c9a2267e3db7f4ddbd09806e5b95dd616e7f3dc705e473165ff7423fba966cd4d83792840ec595d4edc6f8db5494f

Download Submit
/data/user/0/com.findsoon0/cache/mjkmfsjufedbme

Filesize
457KB

MD5
54a1be9c2d8d116bddb449d803699376

SHA1
93f16f54cfc855d52b4dd72f785ebacf8cfa65a6

SHA256
42268e8d1a19caa5bd7e074f37fd5adaccb9bfe379c49e1b80b3caa02fce875e

SHA512
30081fdd9ef5e7c593bc97cc80287ee8a1e956d53d66a8aac39a75cd7edf822c36be3c75903e532c78584a57a0de9deaee102f87434c7dc60a5abf068ddc5cae

Download Submit
/data/user/0/com.findsoon0/cache/oat/mjkmfsjufedbme.cur.prof

Filesize
336B

MD5
0a3324d13b3e2c3db331da1c1dd8f1f8

SHA1
ae3f15ed9ca0e75faa7b7602743f6a59360495bb

SHA256
85843f68be26cfa9a06677a3b5452b5fc1c894ac44c96034fa2bb807ba980b85

SHA512
475d261673b631b6ece54fa3158cf332bffe592a94b1a8f233e349ec8dfe0d2f82d3aa07f370b84498f60ec003247938e95a7c77b8c7b0ec3078e2060cd2acd1

Download Submit
/data/user/0/com.findsoon0/kl.txt

Filesize
470B

MD5
d0593baab6b78ca9f472d6756becabee

SHA1
06f4349a2628d0f24bcca7f0f84a005fc25552da

SHA256
f5461c424369f61a7e1860fbbe95ad7c461b32f41c86d103ce91c52f93835be1

SHA512
4877c2de06da364b08b0927be41f0c6f288389253b3c945fbe595166bb739077b393d84cf340474568345bcb40faa35c8be4414d0b2107b97945fccca24ce9d8

Download Submit
/data/user/0/com.findsoon0/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/user/0/com.findsoon0/kl.txt

Filesize
232B

MD5
95ef06f342806b5313b2d32423a2787a

SHA1
2888d6078ec5309de55ff834fde407c966206b06

SHA256
98c0b72e72a378efb3c92989f7bdfed700770913593843774539b0f4896302d9

SHA512
c84d708723813d4129cb41a8c4ba066e37466c04c7e87329a6ba0072f170c224b09c471ad6fb821c0b8bba1f79ee4070655758a03481a7eca76b6aee893c3e7b

Download Submit
/data/user/0/com.findsoon0/kl.txt

Filesize
63B

MD5
e133292d3893c3969e9d9678e27fe1ed

SHA1
9b038286c8a5c330b15bc709ef08b9b4b39ac3a0

SHA256
062d8e30bd7505b344f0baa2a8468eabd27024e7a9df95207c1d277b32068064

SHA512
aa0d228938d7d1c058abc0fab2fb0636750fe902d9d355b1156d2d02aa3d72e662370bc0c4626ba6d0593d654d9294a710ab0d2cf04962700dcb5d0385aa6b6e

Download Submit
/data/user/0/com.findsoon0/kl.txt

Filesize
45B

MD5
17eecb79d1c8af07b834954d15a2511b

SHA1
06d0721f5dafff54b4fde74632a680239b2bddc4

SHA256
5082b4494763b420d5cb6a58a2d20e5554689f44715b7066578b7fbd7f0fbfaa

SHA512
1cf9f8467901d23659b45064d19932131fc61a52efbca876d1cd94204b18c7043db8bcaf9697d90d579ecdd8afc79dd61a6702f9f874020f22441a8320bf4d6d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads