octo | 935ed9c6ef3cf2aaca2e642f01ae4a10ab05ac2977d81fa7fb883b10a68c8584

Analysis

max time kernel
148s
max time network
152s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
16-11-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

935ed9c6ef3cf2aaca2e642f01ae4a10ab05ac2977d81fa7fb883b10a68c8584.apk
Size

605KB
MD5

4aa67b670c8ec8e8e5989259c8b79a8e
SHA1

043044521057199178bacae64acdb74fa4fceafb
SHA256

935ed9c6ef3cf2aaca2e642f01ae4a10ab05ac2977d81fa7fb883b10a68c8584
SHA512

cff2d9915be5fdfc3ece57d19ff19dcb4fc27b2e03b38c090ce902cee81f6f2a37393dae29eccd61ac66b056217911e0426c69dba5f0aa3c636ca2b23e8591c1
SSDEEP

12288:f9Sd4l6LPUq3Vf9IMSl/6t3jQSnjlnK4xxdrF6dun74us4hDLrMhd1f8:Fu4l6LzIjYQSnjlrdx6dun74usIzgdt8

Score

10^/10

octo banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://7bb13903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://4b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://34b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://64b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://74b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://894b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139030754567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139033074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b641553903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

DES_key

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-3.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.sawtryap/code_cache/secondary-dexes/1731794423646_classes.dex	5162	com.sawtryap
/data/user/0/com.sawtryap/code_cache/secondary-dexes/1731794423646_classes.dex	5162	com.sawtryap

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.sawtryap
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.sawtryap

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.sawtryap

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.sawtryap

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.sawtryap
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.sawtryap
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.sawtryap
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.sawtryap

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.sawtryap

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.sawtryap

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.sawtryap

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.sawtryap

com.sawtryap
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:5162

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.sawtryap/cache/classes.dex

Filesize
447KB

MD5
7439dbebc89b6d5bf5d60ce9bce7f372

SHA1
bd4a9e2f8cbae2dfe565dbfde4a71860253fcd06

SHA256
d8a0befdc55799579b648fc4c49627580bc28e33f534f450bdeb33f97d534dbf

SHA512
5a16e90d5b08894de2982e2af6fa5ffba62e74af6d850770eefb1cf1cedf18185017c36a6b9889234d2999a641b68cc187d6cad6e32c646a7433f0476d8f991c

Download Submit
/data/data/com.sawtryap/code_cache/secondary-dexes/1731794423646_classes.dex

Filesize
1.1MB

MD5
4a9505711d86bf2f6825570cc2f51fda

SHA1
26324e43842737036eb17a539bd566959eabc186

SHA256
7ab60ca0a844475b5631c7ef55ee362b6ad0e5f9aafd05ccabf2a987ea155796

SHA512
ff080b20e17fcfbc3b76d1ba6c88e77dba303b1b0301b0c26694840aa69bdb37cb7768a0957c8f742846b9f6272d5fbaff6eafc1a15b4a71c521d14161d3d59b

Download Submit
/data/data/com.sawtryap/files/profileInstalled

Filesize
24B

MD5
f0778003aecf4dae898fcf358b9f9c5c

SHA1
8c5cf9147649b54884961667701aa2700cdc932a

SHA256
ad7738e56deaf4afac214d74a3b9158bf76580f2567225a5b5b8bf638d977e84

SHA512
07d1f738d0b0ebe9a31c1c70c63cde272b3f9b99af8bf5ddca7ff6ef8ad3b439b9cae65f00476ec8f00db64ca02a2c55ff2b59ebc589704a53400f00ec265dd6

Download Submit
/data/data/com.sawtryap/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

Filesize
8B

MD5
4e9cbb0000d4dd453d31678187fb2c9f

SHA1
ee925fed5e3599a6f9dc254c05b0ab247fb0c372

SHA256
eea4405a40f6802e58b940a86e4b40efa115a30b6d98fe527f7837da4a08dcc0

SHA512
4ad0dd74c93bb5d3b35369c42b1802b96b95a7a93639275316b7553d9b776adf5c60e2d0d1a5966c0d61cf97a5cb6a149b337b06c63039f96ac345766575b371

Download Submit
/data/data/com.sawtryap/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.sawtryap/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
b4b0a09128fae6966069af4ce5258535

SHA1
01a3ce74dd782f399dc29cdfcce2dd51ec02ccf0

SHA256
274c373c35701a417832009c6e8f71ba7bb6f89c96e03fa3fdc327bb60ac262d

SHA512
ff2e10d498a15a50ae17d7ae9b9129d0304f86018a37da79918b2a4dad4be9e00dcb9c39bb07c6c08b6e94a0410a92d936063b0941fd4679d886bc3e058546cb

Download Submit
/data/data/com.sawtryap/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.sawtryap/no_backup/androidx.work.workdb-wal

Filesize
124KB

MD5
0071d4b02a95210093ba225638941df2

SHA1
7d736e4462d079bdc5e2e167c0a9e3cd9937c2c8

SHA256
e80cf6a66a71e0e1d00107c844f6f812f530df9006294c13e77033f88f833882

SHA512
8d7134e6520034d691304f2192b33a9d64c19ea4bfbb65a7df0f4b63f7dd34363f873a5ea513fb61c737a39e70335e2cea25e37000c708475dec2548e9450394

Download Submit
/data/data/com.sawtryap/no_backup/androidx.work.workdb-wal

Filesize
177KB

MD5
c9a57f902fd983ddf6214d0d9a561cc2

SHA1
e848463accf2c8e52c9be07565f8db5c059ad7e9

SHA256
ae13940143529fdb368d05237533b2c3c4e15c06bf87119b4d777363ab933b6b

SHA512
8a0952e2388cc2319fa7b7d9d910f27203bdfc8b59db0af9189c7073852dcf9bb1b2b969689568d4f6066d6e8af5b3d9c662601c429a285e07eda416f5d0861c

Download Submit
/data/data/com.sawtryap/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
dde88d93e55b240c526446161c139722

SHA1
b737cbb9206076c1ed3ae1079031363940f2eef2

SHA256
08065971830d6c581b19da4f1e7080613a19fa8928c61030240faf2df7d3b88e

SHA512
80ef241b39cc9b71f7a25b3f4652dabacee6727a46235ef7aec5e31a05d66f4060bfd6a60100a798b70d6d4347f89b267253a750772f96ff9a298c8ed92dc340

Download Submit
/data/data/com.sawtryap/no_backup/androidx.work.workdb-wal

Filesize
116KB

MD5
66f951943a1376284fddcabc53bffffd

SHA1
d619e9eec367da3cf97507ed3c9d12f6f0179533

SHA256
0ad20306b770e51c331bbff50ef6f4466054192202bdc263307440340523ce97

SHA512
ea77c67d925ae9e652fc516a29cf911a33e7bc4a66219878833be4ff473497ac1468d8d5c14cf2139873488344f7e843385bea6369e88f8c7579e6a99493f9bc

Download Submit
/data/misc/profiles/cur/0/com.sawtryap/primary.prof

Filesize
106B

MD5
5451948bbec030966e4a15280defc4ff

SHA1
9e2ccc7266b0cf2902879e41fdce2fe00517cb85

SHA256
303cfbfbe755be507e2cb0490d3010c110d2bb23a6d935cd929a8b30fa594faa

SHA512
3fd40acac791e309f8ef366133d6d48b889d29916ade5267aefe96d57ced68cb8621d8fb304693ade07af762655bf36febcd56622bd6803d709601d4f79ef354

Download Submit
/data/misc/profiles/cur/0/com.sawtryap/primary.prof

Filesize
25B

MD5
b9d9e0f8902d129e1aeebff0ae7b725b

SHA1
cb0d2b4c9dd60a5c1fc6261fb581bcd3416fe781

SHA256
25a822139d06016af8be1296c0242b60e35074f94c713e03323636be1162ce91

SHA512
f158a9dc753e0cb41f71a98714ff02198c576bacdd792a6153fdaf6f9a7b52d8cfb6d09099a269d0c1b0d31e2ea5a307ea1db85115bdc6797887a6de36d597f6

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads