octo | 0a878d9178c95ad2a518471d2d97d6dfb50b5e9bc1bd0e053a3fa85c787b891b

Analysis

max time kernel
149s
max time network
133s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
17/11/2024, 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a878d9178c95ad2a518471d2d97d6dfb50b5e9bc1bd0e053a3fa85c787b891b.apk
Size

2.2MB
MD5

081bd06adceac9e3b5b19d9369156634
SHA1

84b4b256e482bad6dfa694a96e9b4ea5fcc9fc0f
SHA256

0a878d9178c95ad2a518471d2d97d6dfb50b5e9bc1bd0e053a3fa85c787b891b
SHA512

77f30b67b577f1fc5c4450b92211c85163eb94e4c6b0a2ed8e2fe4e1436ef1d0ccd115255d71272ca60c6890ce8c0d75aa65ee2eb7c7454b1f3625eebb172eae
SSDEEP

49152:DwufK3pY9s83fPmN+yOp97eYCyczag2XiZGZbmqQa6qAE4KoSx:DwuUY9sUfPmNfOeYQz/2XiZQ/Q5g

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://chrownna.top/ZmU2YzQ2NjZlNjc2/

https://lauytropo.net/ZmU2YzQ2NjZlNjc2/

https://bobnoopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqq.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqq.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgroup.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetok.com/ZmU2YzQ2NjZlNjc2/

rc4.plain

Extracted

Family

octo

https://chrownna.top/ZmU2YzQ2NjZlNjc2/

https://lauytropo.net/ZmU2YzQ2NjZlNjc2/

https://bobnoopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqq.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqq.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgroup.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetok.com/ZmU2YzQ2NjZlNjc2/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4252	com.halfseeqp

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.halfseeqp/app_DynamicOptDex/YrTGbO.json	4252	com.halfseeqp
/data/user/0/com.halfseeqp/app_DynamicOptDex/YrTGbO.json	4277	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.halfseeqp/app_DynamicOptDex/YrTGbO.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.halfseeqp/app_DynamicOptDex/oat/x86/YrTGbO.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.halfseeqp/cache/vbznvnvecysuk	4252	com.halfseeqp
/data/user/0/com.halfseeqp/cache/vbznvnvecysuk	4252	com.halfseeqp

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.halfseeqp
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.halfseeqp

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.halfseeqp

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.halfseeqp

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.halfseeqp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.halfseeqp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.halfseeqp

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.halfseeqp

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.halfseeqp

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.halfseeqp

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.halfseeqp

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.halfseeqp

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.halfseeqp

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.halfseeqp

com.halfseeqp
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4252
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.halfseeqp/app_DynamicOptDex/YrTGbO.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.halfseeqp/app_DynamicOptDex/oat/x86/YrTGbO.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4277

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.halfseeqp/app_DynamicOptDex/YrTGbO.json

Filesize
2KB

MD5
70ef485aa51f14f59a5e2997127a586e

SHA1
bce9e0f81308508ed401d7152ec4f029f29e1edd

SHA256
a415981f4450ccb964ef1623d5ab40e1d47f6e95c3fa6d5204bcd606fead2f57

SHA512
abbb84c24545a1f5db40a47503fced30a600403f84c475fec0995619bdad01f6c397145ed4123634959449a4b9a0f714cf575fbeb25ee4562b40dc919e7f5fc3

Download Submit
/data/data/com.halfseeqp/app_DynamicOptDex/YrTGbO.json

Filesize
2KB

MD5
8ff7172d8017703945f25fa5d2fd516a

SHA1
82b1670ac887ade6081a2f40149b908485cdad7d

SHA256
06ff9288cd367273ce886a37583827557b01d4fca1970476a907b7c43d386340

SHA512
44c0b7e9312ce1009c385712084dc0c8fc997a5617c7145d062799a38106548fd49211c945a41200eae3cdb403a45b00d5b0a4f2a4f7bc668ad877645519f85b

Download Submit
/data/data/com.halfseeqp/cache/oat/vbznvnvecysuk.cur.prof

Filesize
466B

MD5
617075e0eb370685a0b7e9d453876769

SHA1
afcb66dba156dabe3e84c419809613c263b8acaa

SHA256
9f3048978f5f5afe261d5d2218f27f82d39a4952aef0695c52c8cdd35c26215c

SHA512
72dcb174bbf56c3c39dfe771515e84613c25a96b9d533650e25c2e9828889a2ee037b9a7c52ac6b6c0284a53f01c2e59319ecb9a450b1bb92ee8ff4e68fc9554

Download Submit
/data/data/com.halfseeqp/cache/vbznvnvecysuk

Filesize
448KB

MD5
c786ed856d4ed11d259d73cae47bcc7f

SHA1
14617e3bfdca890da694b7f7f1dc0d3ae85f39a5

SHA256
1492a7cdffbd232b4f738c529f85fdd2a198cc62331f7746357043458e8ebca6

SHA512
c07d31a9b404c8815f3a276a0d1a28df9830805a9c030a1f638577164246919067d78aa887df02a1ce0af140c77e8d89ee62d55685663150dcd9238b522f77b1

Download Submit
/data/data/com.halfseeqp/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.halfseeqp/kl.txt

Filesize
237B

MD5
9ba10b84315344694f53f137cf75a5e3

SHA1
a54a2f349b05584ff5da69b3a424f929a95589eb

SHA256
3d87049a0abfa4404c311592c6993660c438ee3882f074dd23fcf9e794028bc5

SHA512
0dd77667905b10b7ea92dd8136a93f18e76ea4ef9fd996ba979753caa7fbe985f651597b77ec163ed6633fc10b9533c2f4744695b98d1a0b45f902839bab1514

Download Submit
/data/data/com.halfseeqp/kl.txt

Filesize
54B

MD5
e5de675ba120dc85a4ffcbc874e7def7

SHA1
973ec56f6de6e70962e2e83dfc0630506c548985

SHA256
a36a3b84687fb215b359e65df4d890cd18ec5bac0ddeb7407f04adf27584ca5e

SHA512
03ad2af1b2755d0635e072149b908b4eac1ed26b37c879d64b449cb8cb890b9de118d666e52af6b14de979c08eb8c47da92924915232d47e349495568b05c9c3

Download Submit
/data/data/com.halfseeqp/kl.txt

Filesize
63B

MD5
4d226a024128a482b7b31cfc8d6f3832

SHA1
a2b3427790d6893bd24c17036b9b7a25b58b9dfe

SHA256
b20be653c9cf77b59d11b811cf7d6a77f69f8b16341bdf66161adca6e34f1860

SHA512
c9f1f2218586646ef7fb89d5f5408915a6a4802d161e88ab1a1cc12f5aaa47c764dd2d2262b69ff19a9f20dd0043d47e0531e10cea43e2d10382fa04c91ddc15

Download Submit
/data/data/com.halfseeqp/kl.txt

Filesize
437B

MD5
83a1243e73c499782f28e127c1f2cd26

SHA1
f9f6b4b07a6e53ec386a14457b5ae699c9cfd865

SHA256
c6dbfa4e83bc939d03d0e994ac6ca13aa357771890c37e1f9e4ed87ed0f298fd

SHA512
5807a5c806e4d16a7b2602272c8474b5d7bea954b4116d32ad2c080d74c67fef30a037200d6a69c3ac7b0985c56a31a9cb7420727229f09d8ee7ae2964016e7c

Download Submit
/data/user/0/com.halfseeqp/app_DynamicOptDex/YrTGbO.json

Filesize
6KB

MD5
c0391f77f35f2ed994fb11e76d632219

SHA1
4c68bdb8ab4f9b16f7b805d33ea4cd73edf9f36b

SHA256
5186e9a7e260f53e8c0b3407dd9c72d3a4c057ee4946634ed20bd8ed3e0ad96d

SHA512
d935741500bceb28d0fb9e02cd241a3cbcfe0cf7bdd2f4ad8d7cf55a493cfd7b844507893759a916c90b7b1b4d5b6d987888a2b8a7877501fb8eca3bc68acc2a

Download Submit
/data/user/0/com.halfseeqp/app_DynamicOptDex/YrTGbO.json

Filesize
6KB

MD5
941f6ba9962e1c4565512205cb319bb1

SHA1
47ebdb3e2f19bbbe44f7ebbf550cbb2dd62b1359

SHA256
321fa09377cd3915f8a621172fd851487d4a3a6c9cb3b0315318d2b8d5e40a8b

SHA512
8075b671926d24dcece0c10a5d32ee547b90013e77afb541f7a13dea210b8ec3dee57827386659a72c4c79e233f4dcc6ca2a93efc57e669ca07d162d25f95404

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads