octo | b23d6ed3feee24c8602e7e4313c1f3247575490468890721d35b3719a72d2bb7

Analysis

max time kernel
73s
max time network
154s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
20-11-2024 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b23d6ed3feee24c8602e7e4313c1f3247575490468890721d35b3719a72d2bb7.apk
Size

541KB
MD5

071294694a7e883ac8ea8a2b7bcc078c
SHA1

9cc247e8df72cd7938a43004864a235930d8c948
SHA256

b23d6ed3feee24c8602e7e4313c1f3247575490468890721d35b3719a72d2bb7
SHA512

2445a097dbb624977fc1a5983c288c9744ee44183dd31f241b3fb913f421295cc73e22fc64a1b889741844b9f38c14b9c6675befee374ac48315dd39ee4453fc
SSDEEP

12288:exsDdlmR3oliBbDBk0mDHvAkZ2y4Bc5biBgkk/PIVIvaK1ozVQgJ:exsDuRYib+rDHvAkZ2mbK2P9vaK1oJQ0

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://sila52bolumtekparca.net/YTFlMzViNjNiNWM3/

https://95.214.27.124/YTFlMzViNjNiNWM3/

https://sysbrsssti.com/YTFlMzViNjNiNWM3/

https://sysbrsssti2.com/YTFlMzViNjNiNWM3/

https://sysbrssstiz.xyz/YTFlMzViNjNiNWM3/

rc4.plain

Extracted

Family

octo

https://sila52bolumtekparca.net/YTFlMzViNjNiNWM3/

https://95.214.27.124/YTFlMzViNjNiNWM3/

https://sysbrsssti.com/YTFlMzViNjNiNWM3/

https://sysbrsssti2.com/YTFlMzViNjNiNWM3/

https://sysbrssstiz.xyz/YTFlMzViNjNiNWM3/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

Processes:

resource	yara_rule
/data/data/com.weightwantb/cache/rmlqgpofohvvd	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
evasion

Download New Code at Runtime
T1407

Processes:

com.weightwantb

ioc pid process

/data/user/0/com.weightwantb/cache/rmlqgpofohvvd 4932 com.weightwantb
/data/user/0/com.weightwantb/cache/rmlqgpofohvvd 4932 com.weightwantb

ioc	pid	process
/data/user/0/com.weightwantb/cache/rmlqgpofohvvd	4932	com.weightwantb
/data/user/0/com.weightwantb/cache/rmlqgpofohvvd	4932	com.weightwantb

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.weightwantb

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.weightwantb

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Acquires the wake lock 1 IoCs

Processes:

com.weightwantb

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.weightwantb
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.weightwantb

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.weightwantb

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.weightwantb

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.weightwantb

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

Processes:

com.weightwantb

ioc	process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.weightwantb
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.weightwantb

Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.weightwantb

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.weightwantb
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.weightwantb

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.weightwantb
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.weightwantb

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.weightwantb

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.weightwantb

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.weightwantb

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.weightwantb

com.weightwantb
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4932

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.weightwantb/cache/oat/rmlqgpofohvvd.cur.prof

Filesize
461B

MD5
4ca8607818f2e77851c44db3693714b8

SHA1
76bcbf4124b783f61e2de14fa5eaf0513b53965f

SHA256
c66cafc7f9ba3d6970e484c0fa1a273dfd5bc498b5b9bab92e75afe9b3a1d4d8

SHA512
45170b563a0a7988e48d41b9625be6c90dc4c68199f4dde0776713de8070bab9d3226596a7df7642b625e32d103f3a13891faff5a9836361e8e0339ad82487d3

Download Submit
/data/data/com.weightwantb/cache/rmlqgpofohvvd

Filesize
449KB

MD5
d3bd41e8a2c2f3d9d8866452a0e155b6

SHA1
3c4cf085df90a0a7cbd2a5776fa733581fab8904

SHA256
25f363a9124feb1058e230d8c695f572f7b53502d4bbb2365038bf7387a3f445

SHA512
72f76b6b261aa747f6458873e765f8a1ec789e456d9e73c9d074c16bd438f0e11da9cd470e60ea52aab113408a333c10d642886a9bc0d7a36b42deb44e6effcf

Download Submit