octo | dc69c74be98939f4940807d2268b5b32ed2f2729b2ba068591caf0254160a6d6

Analysis

max time kernel
149s
max time network
130s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
20-11-2024 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc69c74be98939f4940807d2268b5b32ed2f2729b2ba068591caf0254160a6d6.apk
Size

2.0MB
MD5

40265050e0136239ffc1ac9d782e31ae
SHA1

753c262257602605e79946ed42fa855da101761d
SHA256

dc69c74be98939f4940807d2268b5b32ed2f2729b2ba068591caf0254160a6d6
SHA512

03512268e0a9440c5f35a5c3b08f97a0c60b4bc5c11fa3cfd843089ad83d049cfb5ee525f00adf0b8334b5b413e23fae0287899f737cc1f9f4473155c85a654b
SSDEEP

49152:BTT+7AgEUy1I8ehFC1l8+E5RMoznNlJnFm:dT+dEUy1I3FCzE5R/z5c

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://jtfersion.com/YWFiM2VkMmFmNWFh/

https://kineomager.net/YWFiM2VkMmFmNWFh/

https://aberinogerd.com/YWFiM2VkMmFmNWFh/

https://nolevibanget.net/YWFiM2VkMmFmNWFh/

rc4.plain

Extracted

Family

octo

https://jtfersion.com/YWFiM2VkMmFmNWFh/

https://kineomager.net/YWFiM2VkMmFmNWFh/

https://aberinogerd.com/YWFiM2VkMmFmNWFh/

https://nolevibanget.net/YWFiM2VkMmFmNWFh/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4259	com.carrybuild4

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.carrybuild4/app_DynamicOptDex/UtCj.json	4287	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.carrybuild4/app_DynamicOptDex/UtCj.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.carrybuild4/app_DynamicOptDex/oat/x86/UtCj.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.carrybuild4/app_DynamicOptDex/UtCj.json	4259	com.carrybuild4
/data/user/0/com.carrybuild4/cache/txwpunphgcavnew	4259	com.carrybuild4
/data/user/0/com.carrybuild4/cache/txwpunphgcavnew	4259	com.carrybuild4

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.carrybuild4
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.carrybuild4

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.carrybuild4

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.carrybuild4

Performs UI accessibility actions on behalf of the user 1 TTPs 7 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.carrybuild4
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.carrybuild4
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.carrybuild4
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.carrybuild4
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.carrybuild4
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.carrybuild4
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.carrybuild4

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.carrybuild4

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.carrybuild4

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.carrybuild4

Requests modifying system settings. 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.carrybuild4

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.carrybuild4

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.carrybuild4

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.carrybuild4

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.carrybuild4

com.carrybuild4
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4259
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.carrybuild4/app_DynamicOptDex/UtCj.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.carrybuild4/app_DynamicOptDex/oat/x86/UtCj.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4287

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.carrybuild4/app_DynamicOptDex/UtCj.json

Filesize
2KB

MD5
099566ba3010bf29dd0b74d16dfd2c81

SHA1
c81c115b5d9fdcb9ad2d3bfa2dbf894797d89d1b

SHA256
190e41c7cfd4487f40877e4f69c24415c787fb3224ad13500ab97f74a2f4a526

SHA512
265a474e2ef6261a27be1e1dca73ce8806f66fe103365208a40f64de238d7d510dd9cb7b3522ce0483e56cbbac25a363ff4458589b6fdd54583ea9572d7e4863

Download Submit
/data/data/com.carrybuild4/app_DynamicOptDex/UtCj.json

Filesize
2KB

MD5
50aaaee161ff33560781ae6474091699

SHA1
7312861b1c038912c23d0cdbff2876a4456cddfe

SHA256
c3705004cfb2a4a8a39511c8940fd2a8d0fd4220fbd3c10a32f75c03ed0f55ab

SHA512
01a0b15b71572836b4d1940ed7efe8bb0d03e11bc11b772710b1cf794e9d4293d24813bfe910fc3d834162b916079eac4c6a5d818f7e9b469f56c2ee740c482b

Download Submit
/data/data/com.carrybuild4/cache/oat/txwpunphgcavnew.cur.prof

Filesize
450B

MD5
d2633a58b969cf5d01c8fdb9a45aba82

SHA1
c98a2da9cf74857b1d05dcbae9eba5549a92da36

SHA256
7afac8f2c6020fafdcf44795f906a0a19ebdf61edcd2878a68a9ee9052330e67

SHA512
c21ecc30142cef602fa85d64e2829d86a5fc463eace90cc54deda6420568ca6baff8faebb1378736f5681e1dd0f474d4639dc38723a81908425407bf3a5404ba

Download Submit
/data/data/com.carrybuild4/cache/txwpunphgcavnew

Filesize
448KB

MD5
251f5be95aad11c7a231d88b37b0154d

SHA1
6e694c35ff718a617e9999aae12a63711c8e7c1c

SHA256
09272d112558b22a70359becd2a292cb110b9e2f33202cb5cb491bd08c8bd6c2

SHA512
2f63110429eff2ac05d18f40d80ce26909f1071fc1bff75a1d1b2603b0b61a37794b7f2ba1da6d37000c1b20dd7c22881ac1c7adf201ce7523c6e6d37822558f

Download Submit
/data/data/com.carrybuild4/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.carrybuild4/kl.txt

Filesize
237B

MD5
0a042311a77e301cad946cba12d23d15

SHA1
a35c0d6620c24ff1fe84835ffdac1cf316e1f8e7

SHA256
e2445ddc093bd1e4fe8c159ffef9ffa8f4fd72f2b24182901dd5d82c99e2d049

SHA512
1358246d9a9ee5598a858cadf30ed9f35e33723c71372aee0b86ace6ad3ded353ac7c60f35f7317ecdadb8ae6d70ec69f71ff68eb59aaa2308c75c346e1cb8d9

Download Submit
/data/data/com.carrybuild4/kl.txt

Filesize
54B

MD5
7bcd6b98de006887303c26d1a4b43601

SHA1
36efce3730ccb4f780669862953177f7ab7401d8

SHA256
b4252438becfdd61599e3c13d988d078ed231156837a06d7e6c80502da98a600

SHA512
f4410e5fda8efe2b1ef537015be74a7f1b67328f2f6ac76aedc3b770db31585358daf39ceb8084685d770e6d91d8f70f0e2e88850f1fd96bff3cd8472867e687

Download Submit
/data/data/com.carrybuild4/kl.txt

Filesize
63B

MD5
fb397321bd45932b32cd079def1e4d82

SHA1
148d1d8abbdc69d5165ec1500bd722e02c65e912

SHA256
7bf27a6c1178e1bc408adca6e0fd1a14d0cc2a1f316429c8473691e1827a4c7a

SHA512
b824af6a2d4996bdbed5ca68eb21ab2ce4fe62234c49e974d7ceace6f8010eeffd7a07a512cea9a693137847ed7d0c9460eca6babfdb93d5903526e0b8b12cb2

Download Submit
/data/data/com.carrybuild4/kl.txt

Filesize
437B

MD5
8128772c3f1d2c27d9dd48fdb727811b

SHA1
eb42e02bc24f871810da582e5004f4947e7d10b1

SHA256
b277a94b61a22276fad43a317b25eaf90186c4224a1a4e64d39afa8a1bcf7109

SHA512
57b4395f11b5174c5e7931e37ef45ab07316cbb7f6381fdd973ddd59364e2600d4ea0dec6462c2f317322dbc915766dbe551a271b2dc3cf0974f4af6f55b38d1

Download Submit
/data/user/0/com.carrybuild4/app_DynamicOptDex/UtCj.json

Filesize
5KB

MD5
8f1f2f6b45f9369e93ac5b44769ee061

SHA1
0f743529c007b0539a85e3fbba737f28a960d9b1

SHA256
fb06246892d73af62075cf4fbc461af5e77970398b885f3a7af0e71c714460e9

SHA512
3d5ba9626c7884e18e4c900b0d40f9ce23312d569b900068de205e684d3839b121c23f6b45796995b81900bd4f3658f8021867f35c4f2e85a6ed6cbe32b1302b

Download Submit
/data/user/0/com.carrybuild4/app_DynamicOptDex/UtCj.json

Filesize
5KB

MD5
11a3b3fc2b85c30bdeb8ce89f5b2d568

SHA1
1fc9f3d1ae372011bcc2303d2de88630965b1535

SHA256
0811480d39d338a846fee5db302b07d598edec4ea9ef4c2a361d181299172649

SHA512
53490fd84c941e88c140cf0baf146322b943e8aff003e389840938c4146cabb06061daa3c9aa5687418bc52dea0ed2453d746069363f90f1947ac04dd836b3c4

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads