octo | 3797a11be0590ab2a5420501672263d784f7019bd9aae7d3c15931e21af0225c

Analysis

max time kernel
148s
max time network
131s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
17-11-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3797a11be0590ab2a5420501672263d784f7019bd9aae7d3c15931e21af0225c.apk
Size

1.7MB
MD5

9a3b89f2fa21e9e581bbc49b8766e7c4
SHA1

1e8bd4848aa90a780371f35fb4c01d1a290310b6
SHA256

3797a11be0590ab2a5420501672263d784f7019bd9aae7d3c15931e21af0225c
SHA512

a01846e7089dd8d08714d04a5a176af171617dd8456c52327743def9ba6649de2241f63ba93547231190fc9c2a86af84508a436ed6c1698933063de8dd23414b
SSDEEP

49152:U50wLqOv/TkCmkAIwfQAatbQ0DXs93gwbd:45L9ZmXH8DX6d

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://barabara2e1.me/ZWU1ZTRhMzU1Zjdi/

rc4.plain

Extracted

Family

octo

https://barabara2e1.me/ZWU1ZTRhMzU1Zjdi/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

Processes:

resource	yara_rule
/data/data/com.mandirect9/cache/luzqxznfsghfql	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

com.mandirect9

pid process

4248 com.mandirect9
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
evasion

Download New Code at Runtime
T1407

Processes:

com.mandirect9

ioc pid process

/data/user/0/com.mandirect9/cache/luzqxznfsghfql 4248 com.mandirect9
/data/user/0/com.mandirect9/cache/luzqxznfsghfql 4248 com.mandirect9

pid	process
4248	com.mandirect9

ioc	pid	process
/data/user/0/com.mandirect9/cache/luzqxznfsghfql	4248	com.mandirect9
/data/user/0/com.mandirect9/cache/luzqxznfsghfql	4248	com.mandirect9

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.mandirect9

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.mandirect9

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Acquires the wake lock 1 IoCs

Processes:

com.mandirect9

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.mandirect9
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.mandirect9

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.mandirect9

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.mandirect9

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.mandirect9

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

Processes:

com.mandirect9

ioc	process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.mandirect9
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.mandirect9
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.mandirect9

Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.mandirect9

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.mandirect9
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
collection credential_access

Access Notifications
T1517

Processes:

com.mandirect9

description ioc process

Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.mandirect9
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.mandirect9

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.mandirect9
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.mandirect9

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.mandirect9
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.mandirect9

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.mandirect9
Checks CPU information 2 TTPs 1 IoCs

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.mandirect9

description ioc process

File opened for read /proc/cpuinfo com.mandirect9
Checks memory information 2 TTPs 1 IoCs

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.mandirect9

description ioc process

File opened for read /proc/meminfo com.mandirect9

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.mandirect9

description	ioc	process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.mandirect9

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.mandirect9

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.mandirect9

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.mandirect9

description	ioc	process
File opened for read	/proc/cpuinfo	com.mandirect9

description	ioc	process
File opened for read	/proc/meminfo	com.mandirect9

com.mandirect9
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4248

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.mandirect9/cache/luzqxznfsghfql

Filesize
461KB

MD5
1ea273a651ffc79827c35ee2387b55d4

SHA1
41ef6c8c89d8579199d8013e51426a79c98a2c1d

SHA256
44d58061eb00b2f08cd8b5484f9a0417b68b9c1b5b7af094ca4f3a76fe24f51e

SHA512
afa8e0ee596e81722be821dd1de35a9963be201a7c84736b7a21fe12466b4d96bced23d4d6e0bab259ad8bba33b3c6e59ee7cb24e3c843e68fd1b6bb0903282c

Download Submit
/data/data/com.mandirect9/cache/oat/luzqxznfsghfql.cur.prof

Filesize
469B

MD5
49525275b8058c828fe73a1c27ed7778

SHA1
e0f4fd5a599ded8e26711cec508e4b4324443db9

SHA256
732823b7ba1cd1c1c22eeda629a4da426c3935102d61d2874964283c18fdf418

SHA512
90f7d65da9dc54e0ceb29a2c032bc2adaea4d3ded5364a86fd719acaad1d7cad24fab2d20115e9df25505c007340b23a5aa9fc66d91f95727af59f183a3ee167

Download Submit
/data/data/com.mandirect9/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.mandirect9/kl.txt

Filesize
73B

MD5
245dfdbd0c1aa68cb2614ea38ef20b53

SHA1
6cf60253b65d73ce2a3c770c02dfedb592cbdf8d

SHA256
892770c78e11466a24122d6a1fa2353f0e1012c3d81f6084c3d51064ec70d162

SHA512
284cc807cad684aaeef87649fc29e17e29742285020320ea569d64af683222c7824137d8b2a634a22752d221f2a9f1933acbdc3954e73bd39f7c24d74bd929b1

Download Submit
/data/data/com.mandirect9/kl.txt

Filesize
237B

MD5
a52ff1f85a0ca0434f38210ca745d5cc

SHA1
cd4e9fa47d6405f5fb772a6310b0daa3eaca0c41

SHA256
a701c85505dbfdb933f80add254c08c2261a5087599216645fb66e3f301cea12

SHA512
f1745fe497603cd591a478ffe0245668497f65d7b0605cbd9a0154e3e50faffa7d409ced4988dad5997122543bfc8c52594b42d539a66e56fd65cdd00cc5c913

Download Submit
/data/data/com.mandirect9/kl.txt

Filesize
54B

MD5
6c616e905c66568df31c328df66843ce

SHA1
7d2cc01f930ffd257a9c4e05aadcbbb1ba36ca79

SHA256
117bff82e6aee8a6df3cf9e62c2574b15d49ea601f0518f6e83fdfe8282e58f4

SHA512
cdadc72ccf1f47598d4274a9aea621faa2053e17005ecd9923a72e29b28787889c68279687877015920b6ecebb5f9096296503585e5dc0031bb08e63fb9a5714

Download Submit
/data/data/com.mandirect9/kl.txt

Filesize
449B

MD5
2fe01de3c76b24d6400fb99aaaaa307c

SHA1
ee3d90efa184ae0859232d6f9a8dafa62b62e846

SHA256
0070491730b419c8278a66718c35b62db1c596514a0b5975c118d7d826d83b91

SHA512
a2f994fccc58bff37ee9ffab46b7d18364e51a6b8cebe83540f163577e4a34d13d709fe738af3320a378e0d0bfd0d4c62d1b98107b55c319ad38823c11732952

Download Submit