octo | 0a878d9178c95ad2a518471d2d97d6dfb50b5e9bc1bd0e053a3fa85c787b891b

Analysis

max time kernel
149s
max time network
132s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
17-11-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a878d9178c95ad2a518471d2d97d6dfb50b5e9bc1bd0e053a3fa85c787b891b.apk
Size

2.2MB
MD5

081bd06adceac9e3b5b19d9369156634
SHA1

84b4b256e482bad6dfa694a96e9b4ea5fcc9fc0f
SHA256

0a878d9178c95ad2a518471d2d97d6dfb50b5e9bc1bd0e053a3fa85c787b891b
SHA512

77f30b67b577f1fc5c4450b92211c85163eb94e4c6b0a2ed8e2fe4e1436ef1d0ccd115255d71272ca60c6890ce8c0d75aa65ee2eb7c7454b1f3625eebb172eae
SSDEEP

49152:DwufK3pY9s83fPmN+yOp97eYCyczag2XiZGZbmqQa6qAE4KoSx:DwuUY9sUfPmNfOeYQz/2XiZQ/Q5g

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://chrownna.top/ZmU2YzQ2NjZlNjc2/

https://lauytropo.net/ZmU2YzQ2NjZlNjc2/

https://bobnoopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqq.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqq.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgroup.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetok.com/ZmU2YzQ2NjZlNjc2/

rc4.plain

Extracted

Family

octo

https://chrownna.top/ZmU2YzQ2NjZlNjc2/

https://lauytropo.net/ZmU2YzQ2NjZlNjc2/

https://bobnoopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqq.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqq.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgroup.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetok.com/ZmU2YzQ2NjZlNjc2/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-3.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.halfseeqp/app_DynamicOptDex/YrTGbO.json	4448	com.halfseeqp
/data/user/0/com.halfseeqp/cache/vbznvnvecysuk	4448	com.halfseeqp
/data/user/0/com.halfseeqp/cache/vbznvnvecysuk	4448	com.halfseeqp

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.halfseeqp
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.halfseeqp

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.halfseeqp

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.halfseeqp

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.halfseeqp

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.halfseeqp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.halfseeqp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.halfseeqp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.halfseeqp

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.halfseeqp

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.halfseeqp

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.halfseeqp

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.halfseeqp

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.halfseeqp

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.halfseeqp

com.halfseeqp
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4448

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.halfseeqp/app_DynamicOptDex/YrTGbO.json

Filesize
2KB

MD5
70ef485aa51f14f59a5e2997127a586e

SHA1
bce9e0f81308508ed401d7152ec4f029f29e1edd

SHA256
a415981f4450ccb964ef1623d5ab40e1d47f6e95c3fa6d5204bcd606fead2f57

SHA512
abbb84c24545a1f5db40a47503fced30a600403f84c475fec0995619bdad01f6c397145ed4123634959449a4b9a0f714cf575fbeb25ee4562b40dc919e7f5fc3

Download Submit
/data/user/0/com.halfseeqp/app_DynamicOptDex/YrTGbO.json

Filesize
2KB

MD5
8ff7172d8017703945f25fa5d2fd516a

SHA1
82b1670ac887ade6081a2f40149b908485cdad7d

SHA256
06ff9288cd367273ce886a37583827557b01d4fca1970476a907b7c43d386340

SHA512
44c0b7e9312ce1009c385712084dc0c8fc997a5617c7145d062799a38106548fd49211c945a41200eae3cdb403a45b00d5b0a4f2a4f7bc668ad877645519f85b

Download Submit
/data/user/0/com.halfseeqp/app_DynamicOptDex/YrTGbO.json

Filesize
6KB

MD5
941f6ba9962e1c4565512205cb319bb1

SHA1
47ebdb3e2f19bbbe44f7ebbf550cbb2dd62b1359

SHA256
321fa09377cd3915f8a621172fd851487d4a3a6c9cb3b0315318d2b8d5e40a8b

SHA512
8075b671926d24dcece0c10a5d32ee547b90013e77afb541f7a13dea210b8ec3dee57827386659a72c4c79e233f4dcc6ca2a93efc57e669ca07d162d25f95404

Download Submit
/data/user/0/com.halfseeqp/cache/oat/vbznvnvecysuk.cur.prof

Filesize
342B

MD5
791dcd7b762eeef312034321f7e559dc

SHA1
1da07b2c2359ac0e1a9dbd292d5b339fabe2d32e

SHA256
0b8a12e1bb3598f7cdf83c23b27ddee9bca1d705234bbe5db04d3a317a632845

SHA512
6d080a85d39c943c7a2420a98bcfd76a61985ef1223526b0c4d72821e7ba03ac3b208a77c1de0d40997c5c3bcf07936a0a368fa864cab1097453ab8d7a7e7acd

Download Submit
/data/user/0/com.halfseeqp/cache/vbznvnvecysuk

Filesize
448KB

MD5
c786ed856d4ed11d259d73cae47bcc7f

SHA1
14617e3bfdca890da694b7f7f1dc0d3ae85f39a5

SHA256
1492a7cdffbd232b4f738c529f85fdd2a198cc62331f7746357043458e8ebca6

SHA512
c07d31a9b404c8815f3a276a0d1a28df9830805a9c030a1f638577164246919067d78aa887df02a1ce0af140c77e8d89ee62d55685663150dcd9238b522f77b1

Download Submit
/data/user/0/com.halfseeqp/kl.txt

Filesize
480B

MD5
c48ad2edd2298cc72f6f91e1869d45cf

SHA1
4d7ae5d98f138271a59c5c0c62c870f3b0d1ed24

SHA256
48d1a201e8162d65df4ee294488d83b39d118af12995ae40b89d2693bea12158

SHA512
3f6419c9c1c393a56d4ad5d83649eb84796f7b4a99fb0c7282d11338aefc6ff1d89394c81ca2523e74c7f442546a84e3628b17f81100a7082299a7c2c08b1fb1

Download Submit
/data/user/0/com.halfseeqp/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/user/0/com.halfseeqp/kl.txt

Filesize
237B

MD5
0005e33bebc2a38264ee3cc60d0cf13d

SHA1
3eb896d396cfca7d30e8d8262857563204c0bc63

SHA256
c1df79fc681aa781d3743daa6066b3df1d0bacb2ef50de3252cc9abe68a169d3

SHA512
43b1e1127a5bab44cbb5574903c2db551201ab38da1ebf4ad43364061987a5cff4ad3f44242ebfb1540a1d68ad2d2d44e033df8648b99def75b8c4b09bb6c600

Download Submit
/data/user/0/com.halfseeqp/kl.txt

Filesize
64B

MD5
7160c743bb0a580ebb97e1838dda4a5b

SHA1
b7a43bce4b6c6e13b7bb62004f501b16e2ecb90a

SHA256
2f0119c73dcc544796062664899739821df0d0ed66bbb2887c599e488c42e6b8

SHA512
029e4c6a83ca80d905684def4400238cf613e1b3a72cc3d5668da1056fc71ebd4cd4a664040b59db51ac0363d78946f02e1bcf094d6302e7c72d1fbdc5e9ba44

Download Submit
/data/user/0/com.halfseeqp/kl.txt

Filesize
45B

MD5
d2f1d788c084dacc976d677c19d131dc

SHA1
04096e88ec2d883f6aa619684e82c77c121e7ba8

SHA256
736d5e1344fb65f77af969804d3821dc5760573a972adc676b85e789a1310a6f

SHA512
7af7ed5eb0eafed74cfad6f9a0d9544b717c6ea4c709a84275f1c6d7adadbf35653c38182bde294d3ab5e4b92a1ae193a14fa8ce92c56d831e607d9df8525dc4

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads