octo | 69004f172da0121ae1313812e97dfc67ecc2f3c6b75231ff52565b534fb8bd7b

Analysis

max time kernel
141s
max time network
158s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
16-11-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69004f172da0121ae1313812e97dfc67ecc2f3c6b75231ff52565b534fb8bd7b.apk
Size

605KB
MD5

6a5b6a3038012f9953b13a708f8b7265
SHA1

4429f716eed529788601c14552aa48a7ca634a2c
SHA256

69004f172da0121ae1313812e97dfc67ecc2f3c6b75231ff52565b534fb8bd7b
SHA512

e8ef81e3d48fe123ab99b6a1e623b311ea5871e8115b84530f346e58f70978c561c3c7b0f0648f155b1d3504ad5c72bd18913eb3c6d08fb4bdacf1b9b25e07ab
SSDEEP

12288:wv2Hpn70EYGXC95tSmRYcdREahbmraMVfVjURfVsyXVy4IqnvRms4hDLrMhdCi:NHFlZyFSmicdea4uMVfVoRfSyfIqnvRv

Score

10^/10

octo banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://34b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://64b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://74b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://894b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139030754567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139033074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b641553903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

DES_key

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral3/files/fstream-3.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.marklargel/code_cache/secondary-dexes/1731794433021_classes.dex	4655	com.marklargel
/data/user/0/com.marklargel/code_cache/secondary-dexes/1731794433021_classes.dex	4655	com.marklargel

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.marklargel
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.marklargel

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.marklargel

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.marklargel

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.marklargel
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.marklargel
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.marklargel
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.marklargel

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.marklargel

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.marklargel

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.marklargel

Requests modifying system settings. 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.marklargel

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.marklargel

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.marklargel

com.marklargel
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4655

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.marklargel/cache/classes.dex

Filesize
447KB

MD5
fb7a7e53367ceee6bac148fc05f7fb92

SHA1
3c1659aaff3eba6cf751bc654737856f2618d3d6

SHA256
4c6dcc8089fe262438b61e0b7debad4b6506689485489f74dfedcb8992972d0a

SHA512
0b4a0c169f87a71860c8c41840e2eac3acca7ef82c8e15ac7705be82d4b873600aa0b3ea73f4ed27283f1896acfdaf7ec190de623349e38ddb64f856c58d21f3

Download Submit
/data/data/com.marklargel/code_cache/secondary-dexes/1731794433021_classes.dex

Filesize
1.1MB

MD5
9aa8d5d67565669133c579ae21386638

SHA1
4e15670cabd3a4420f1251ee6b59c28685da284b

SHA256
d52cab89c8f4269e0fe2f4050b42b0842984f402bd766613b34b8f83d0c7d62a

SHA512
a12281391f2e69e1aab5c1a28007499b09bc53a2e4dba8537d243ea8720643e85d882a3703b53479eb020ad621bb1fffde983fbb1eb5ac7f0948cb51c4bbe202

Download Submit
/data/data/com.marklargel/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

Filesize
8B

MD5
adb2b06b0726c4d73149dd9b4f4287cb

SHA1
a5d39f566a9102d0cfae5c73002085ae67277363

SHA256
fe8b19e8274ceeb4ced660ede539fb268ecd3981d0c5ded52d0fe862f9635d86

SHA512
8666a6b7753456005c3a0be0e10f1b9ed1806f97d0e4545cb238989bd3108e90b5d20966d74743f56772c57a070bf90ece7ef40b6a2c71b874dfaa90b53de26f

Download Submit
/data/data/com.marklargel/no_backup/androidx.work.workdb

Filesize
4KB

MD5
7e858c4054eb00fcddc653a04e5cd1c6

SHA1
2e056bf31a8d78df136f02a62afeeca77f4faccf

SHA256
9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

SHA512
d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

Download Submit
/data/data/com.marklargel/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
00300fe94e80ef72c98675e74b3cd05c

SHA1
14dfc16419fb71d6dcdc1dfec332328596e78a05

SHA256
eaef02126afff335e7c009086b315bdaa2bbafee589575931b33d19f3d4a9044

SHA512
2c2c67f2d876bd1c7ccabe183411b5ba54756aa32df118b10cc6e73da299bfc712b4a91cdac9a3e96b58fa581939bc83188daa196d46cfa09e6a8fc9010ad6ca

Download Submit
/data/data/com.marklargel/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.marklargel/no_backup/androidx.work.workdb-wal

Filesize
169KB

MD5
ad75142782daea88e02e1915ae5bf836

SHA1
c12be6320c9806d13051803b348a480df010e968

SHA256
3e6318e9ce1af3997732d88b1e1700d31125b91d4fc364eef470f63b2628c90f

SHA512
d247da9dc3e128fb88c9c960c9e2f1547d07ecca0b16c4e5c2eea51e5adc99685cd408d477dfbc90c9cc6afb9d201ccd84fa6078d839dcb7c2eea0c53af8e78f

Download Submit
/data/data/com.marklargel/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
91da3a6177c415075cdca0449c02e2e4

SHA1
e6818e437b4703fa4579b6e4908d2d3193152098

SHA256
3d6204cc2ebbfa454389240d5ba0c373dd612f9fd54b595a0e3d4b9274ad6b44

SHA512
50b40cfe59c5207c6e6b5f30b7bc4719993759a53c377a2f2c4adbcc8365f673a362bc964783704e84089f48e8ddeb03062ee885aaf37e5baff59da4eca4699a

Download Submit
/data/data/com.marklargel/no_backup/androidx.work.workdb-wal

Filesize
116KB

MD5
0e0dbbd916868b98b4432359c11b5df1

SHA1
dd5b2f33865a2b2fe0bfd51cc33d9c75ea7d83f3

SHA256
5bd26542404a785a4f3c24524fa38106714b94f781c68f3564afd06d663df171

SHA512
8f39f20daa5cfa65a23145bdd082f069e6971ccd5f39b02da9a131d35459748311a8835d51fa125b31488aa7655fe64ca41959179e281c3e55df1ba730d9a059

Download Submit
/data/misc/profiles/cur/0/com.marklargel/primary.prof

Filesize
112B

MD5
56c8e82adad0d7ce546d7b1ef2d8f07b

SHA1
78dbc8d0a2e54aa79052a00541f2ce8bcd33640a

SHA256
99685baaffdb6dbe0954b71f34c4f7cc306acb30aa19e40535a390b0e74f27a8

SHA512
8e32239ecf25098997805eeb37b28fafcc928e4944b191c830b03d7109e3ba2a3271697a5905de37d9979d0199ba808900cd361530d0edbbd47c85377ace0bfd

Download Submit
/data/misc/profiles/cur/0/com.marklargel/primary.prof

Filesize
25B

MD5
b9d9e0f8902d129e1aeebff0ae7b725b

SHA1
cb0d2b4c9dd60a5c1fc6261fb581bcd3416fe781

SHA256
25a822139d06016af8be1296c0242b60e35074f94c713e03323636be1162ce91

SHA512
f158a9dc753e0cb41f71a98714ff02198c576bacdd792a6153fdaf6f9a7b52d8cfb6d09099a269d0c1b0d31e2ea5a307ea1db85115bdc6797887a6de36d597f6

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads