octo | 935ed9c6ef3cf2aaca2e642f01ae4a10ab05ac2977d81fa7fb883b10a68c8584

Analysis

max time kernel
148s
max time network
157s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
16-11-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

935ed9c6ef3cf2aaca2e642f01ae4a10ab05ac2977d81fa7fb883b10a68c8584.apk
Size

605KB
MD5

4aa67b670c8ec8e8e5989259c8b79a8e
SHA1

043044521057199178bacae64acdb74fa4fceafb
SHA256

935ed9c6ef3cf2aaca2e642f01ae4a10ab05ac2977d81fa7fb883b10a68c8584
SHA512

cff2d9915be5fdfc3ece57d19ff19dcb4fc27b2e03b38c090ce902cee81f6f2a37393dae29eccd61ac66b056217911e0426c69dba5f0aa3c636ca2b23e8591c1
SSDEEP

12288:f9Sd4l6LPUq3Vf9IMSl/6t3jQSnjlnK4xxdrF6dun74us4hDLrMhd1f8:Fu4l6LzIjYQSnjlrdx6dun74usIzgdt8

Score

10^/10

octo banker collection credential_access discovery evasion execution impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://7bb13903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://4b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://34b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://64b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://74b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://894b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139030754567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139033074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b641553903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

DES_key

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 2 IoCs

resource	yara_rule
behavioral1/files/fstream-3.dat	family_octo
behavioral1/memory/4305-1.dex	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4305	com.sawtryap

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.sawtryap/code_cache/secondary-dexes/1731794428628_classes.dex	4305	com.sawtryap
/data/user/0/com.sawtryap/code_cache/secondary-dexes/1731794428628_classes.dex	4330	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sawtryap/code_cache/secondary-dexes/1731794428628_classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.sawtryap/code_cache/secondary-dexes/oat/x86/1731794428628_classes.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.sawtryap/code_cache/secondary-dexes/1731794428628_classes.dex	4305	com.sawtryap

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.sawtryap
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.sawtryap

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.sawtryap

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.sawtryap

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.sawtryap
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.sawtryap
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.sawtryap
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.sawtryap

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.sawtryap

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.sawtryap

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.sawtryap

Requests modifying system settings. 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.sawtryap

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.sawtryap

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.sawtryap

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.sawtryap

com.sawtryap
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4305
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sawtryap/code_cache/secondary-dexes/1731794428628_classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.sawtryap/code_cache/secondary-dexes/oat/x86/1731794428628_classes.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4330

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.sawtryap/cache/classes.dex

Filesize
447KB

MD5
7439dbebc89b6d5bf5d60ce9bce7f372

SHA1
bd4a9e2f8cbae2dfe565dbfde4a71860253fcd06

SHA256
d8a0befdc55799579b648fc4c49627580bc28e33f534f450bdeb33f97d534dbf

SHA512
5a16e90d5b08894de2982e2af6fa5ffba62e74af6d850770eefb1cf1cedf18185017c36a6b9889234d2999a641b68cc187d6cad6e32c646a7433f0476d8f991c

Download Submit
/data/data/com.sawtryap/code_cache/secondary-dexes/1731794428628_classes.dex

Filesize
1.1MB

MD5
4a9505711d86bf2f6825570cc2f51fda

SHA1
26324e43842737036eb17a539bd566959eabc186

SHA256
7ab60ca0a844475b5631c7ef55ee362b6ad0e5f9aafd05ccabf2a987ea155796

SHA512
ff080b20e17fcfbc3b76d1ba6c88e77dba303b1b0301b0c26694840aa69bdb37cb7768a0957c8f742846b9f6272d5fbaff6eafc1a15b4a71c521d14161d3d59b

Download Submit
/data/data/com.sawtryap/files/profileInstalled

Filesize
24B

MD5
03f60079ab840a3a7822b69f88ad258c

SHA1
97dff418851262b980e3aa84a39820ffa39a2037

SHA256
a79532632fc90ab19bfe02a7ebd2346d07d918f7d72ac59c8af4d5799b11a3b7

SHA512
1d015ef1be234367ac58bd67a1ed3806f3c5875725bf46e9e4deaf104cb31877b8406bcebfe24853f1e3a47de28017c10d6936375926cb32f2f3bc8e6f334939

Download Submit
/data/data/com.sawtryap/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

Filesize
8B

MD5
b2e1e4382f6e855dc8cd58ec0abf0584

SHA1
6c6533da1f4e7cc9866753f1f0d793e6208a2bcd

SHA256
477ab9a06d225cd99e1eb68eac37e41d0aee170b8cdcf23e296e8cfbdecc06be

SHA512
b9f62c98eb3f95be0dfac2f5270668593750d46e119f8d3a70a1015cb958fcc31ffba19f28904e26a4fd068f0277bbc1880f32efb47efd807cccefed48242095

Download Submit
/data/data/com.sawtryap/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.sawtryap/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
d7e2fa87868f1b0c6e4d0a92310e2dd9

SHA1
35885a146d30b272e3e1d0662caa6a9de40cefde

SHA256
31bfceeca24c8eac81abd21758207055a8016082b2c0bb7e7bb07b382f0641e2

SHA512
4c709e81fe8c7ee59963df89f643ee04fa9938323347212a6cd5164950a4520633dac006d672f48dde0a9ef96a5cb19003c184adb3e6a54505c0cabe76ed1092

Download Submit
/data/data/com.sawtryap/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.sawtryap/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
812a1cc74dffaf10318cabd41a2b2159

SHA1
61b8d2fc1a5f404a8077a6bd3ecd5a96fa89ef43

SHA256
42ee9aabf36fb2aed6b1e6902444dfdfa595373afb39d6a0cb1a88afc6727e48

SHA512
3c972c196a9e34a1e7acc364b3817a488fe303d527441f72e52c7b268021ff7519129739a69fb36e8ed6961f909830b1cabd68fed71608ae99cd95ddc4871f5c

Download Submit
/data/data/com.sawtryap/no_backup/androidx.work.workdb-wal

Filesize
116KB

MD5
4f67a89dfcd1005fdcae15ce29d3255c

SHA1
64bfa047948a1ab9b90461b655bbda4e7f1cbddd

SHA256
f8ccc30b5def8f64a091bb2348d79237fb084de993f2eeeaee184efb2ff4a1ac

SHA512
632ba2c679f97fb82fb8bb66cdff096426c4bff0042633a5b1ed4cafce824ee7a2cea0764f4bae45708c7ab3da33d8f7e6d657b1714d879932c01be564afd9ff

Download Submit
/data/data/com.sawtryap/no_backup/androidx.work.workdb-wal

Filesize
124KB

MD5
8fb3e2532a9d4be6a2089c2329e387be

SHA1
7518a9d3c5d891cae3ccfad17640f3f386d6fe22

SHA256
118142f7b235df4c2813cca9f4c52a975664850db6537640d528fa82aa5c0ea4

SHA512
25d7de0923fd4d6574975163da2a16fa3fe12a488afc1906c339205b78612b504944257fc3503eacd655c76e5007ce77d55c1b6d938f8c227f3117e6e4207644

Download Submit
/data/data/com.sawtryap/no_backup/androidx.work.workdb-wal

Filesize
177KB

MD5
05523143ad67b103aec95fe473ace703

SHA1
07160de5cf0f1145a12011c63c379ade4aa5bd69

SHA256
4d9c974d9f160462a4681583f16d242cdc59e6eb229f547d3305cd37cbbecf4f

SHA512
77e946063ed94592dd4b5fc24e48a7d4cb4812f699b1d9c2e8b2ec6016f8219f9de87b9bfb13c917aacdc07d4c38cc010f4aca153af2e019183c132fdb2ebebc

Download Submit
/data/misc/profiles/cur/0/com.sawtryap/primary.prof

Filesize
106B

MD5
5451948bbec030966e4a15280defc4ff

SHA1
9e2ccc7266b0cf2902879e41fdce2fe00517cb85

SHA256
303cfbfbe755be507e2cb0490d3010c110d2bb23a6d935cd929a8b30fa594faa

SHA512
3fd40acac791e309f8ef366133d6d48b889d29916ade5267aefe96d57ced68cb8621d8fb304693ade07af762655bf36febcd56622bd6803d709601d4f79ef354

Download Submit
/data/misc/profiles/cur/0/com.sawtryap/primary.prof

Filesize
119B

MD5
43152633ed42ec80f232e485813c4801

SHA1
1a62cacde57a7a5ad55da135c17d67301704870d

SHA256
137ce066950fa20c774e4e8f5da5b93cf209719ec4cabbb4d125e3be904014a0

SHA512
49414c9b27d21e9780c9210b293769d7eef325716084690898821327b7dd5c7759db31d1fdef5db00d9e2dc036bd36ec193de01b4953c2648d201ec1fa91ee6c

Download Submit
/data/user/0/com.sawtryap/code_cache/secondary-dexes/1731794428628_classes.dex

Filesize
1.1MB

MD5
420d77d44517f2cb55044862dfdabbe7

SHA1
3daf0649a486cfed68d04fd41bad21cfcd65a3d2

SHA256
ad8139f3f83364e15aba8ee250e5acab9e30b37331c629f74f62d0b59b440274

SHA512
f9b95fbb23e44126946de051daa9d70399687c4f79d2d92e2e736321a5c8eeef28313aba949ed46f0ad725394c0a842b26c078d84f516cd3366e2c67cfc04b94

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads