octo | f1b9e3f4b8e23f56d14ea0d6ecf91e5022a7548a28c6bb0b1db6a2c274cd9ff3

Analysis

max time kernel
149s
max time network
150s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
22-11-2024 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1b9e3f4b8e23f56d14ea0d6ecf91e5022a7548a28c6bb0b1db6a2c274cd9ff3.apk
Size

605KB
MD5

83d6844871ac04108a595028c172aa85
SHA1

1e51f9ff7995dd45fcc0a70b83ed96f54cfb1cd1
SHA256

f1b9e3f4b8e23f56d14ea0d6ecf91e5022a7548a28c6bb0b1db6a2c274cd9ff3
SHA512

2c45cb676ad3848c7df2e77fe12f90637bb36a2fc5eb90f6c7c67d63140b17adeb5eb96299cc089e0b045ceea942396d29578d6903a88250ea89ffa3d78488fc
SSDEEP

12288:VvNGODutF1Gplj0L41r+/gFuYXpxshdHYhn/t5PXfNIjXs4hDLrMhdKoDr:VvcOqxGplYL2r+ArXXOH8n/t5POjXsIS

Score

10^/10

octo banker collection credential_access discovery evasion execution impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://34b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://64b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://74b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://894b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139030754567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139033074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b641553903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

DES_key

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 2 IoCs

resource	yara_rule
behavioral1/files/fstream-3.dat	family_octo
behavioral1/memory/4307-1.dex	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4307	com.picturefar0

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.picturefar0/code_cache/secondary-dexes/1732313346082_classes.dex	4307	com.picturefar0
/data/user/0/com.picturefar0/code_cache/secondary-dexes/1732313346082_classes.dex	4367	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.picturefar0/code_cache/secondary-dexes/1732313346082_classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.picturefar0/code_cache/secondary-dexes/oat/x86/1732313346082_classes.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.picturefar0/code_cache/secondary-dexes/1732313346082_classes.dex	4307	com.picturefar0

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.picturefar0
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.picturefar0

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.picturefar0

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.picturefar0

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.picturefar0
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.picturefar0
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.picturefar0
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.picturefar0

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.picturefar0

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.picturefar0

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.picturefar0

Requests modifying system settings. 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.picturefar0

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.picturefar0

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.picturefar0

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.picturefar0

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.picturefar0

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.picturefar0

com.picturefar0
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4307
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.picturefar0/code_cache/secondary-dexes/1732313346082_classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.picturefar0/code_cache/secondary-dexes/oat/x86/1732313346082_classes.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4367

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.picturefar0/cache/classes.dex

Filesize
448KB

MD5
5cf9d631f22561e02a179f71dff0ceb4

SHA1
e0b80130b2f9f54b950ecf20b3ec7de0649525ee

SHA256
a92ede0ec9f2196b880a00142716620cb25f5eddd64b79f410e66f40d44c0bef

SHA512
066c941846a4f9b47448f404a00f212d567cc24560820fc025c2dd033ebb8a50078ba8f631a00ad9c1c1b7bf9509517e76b10f391130384c7c63025afac4dbda

Download Submit
/data/data/com.picturefar0/code_cache/secondary-dexes/1732313346082_classes.dex

Filesize
1.1MB

MD5
ca1d5993f0a3a8478c9c751c1dcfa80b

SHA1
93297024888afd532d42a384c4e835d22230bb7c

SHA256
4da400e359bed2f4fe26735fcf56d02e66a711402d9ddf71c1dc5e681d022572

SHA512
0123f94694a2d15309c4e1f14de06a5628c7b6a14cf89bb64cc575fac2e1ee9a5f0b03f084edd43186e9f898b1b91c0722073cd941a47a0368e0e7049ed55969

Download Submit
/data/data/com.picturefar0/files/profileInstalled

Filesize
24B

MD5
fa2d1c870f882bac408b5da7783e57e7

SHA1
3a0b0a89d8692b7d317c0c08e358d77faff772b4

SHA256
86afe081e2f227ff78c96206311035039d4a7517b72408de0de9f9935bdba6f8

SHA512
115814f8b7ebf59ce333683b8c7cc41231ff8f83010dcce3c9d2847055df7a10ffc3f46e1645dd4d51e4fec51ce982879c5a9b1092215d4b53906547886edbd5

Download Submit
/data/data/com.picturefar0/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

Filesize
8B

MD5
6f20d5a381265e6423efa118e0fcbd5f

SHA1
ef5ed3ccd118b9b30828c49d3a27d774d995f6b7

SHA256
5c32412b880619d1b3454c7689c63fbb790c1cb53525168fd7524eff1d565d99

SHA512
7d2ce5b5c59d6ef811b8419844595d22bf326f29148639842dd0ced6683c8ebe2515b9080797f6f4633f7b6459b3765390baabbbd26d3e53a13c68cb657ec045

Download Submit
/data/data/com.picturefar0/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.picturefar0/kl.txt

Filesize
235B

MD5
27c004642843a3934dd61b74c58627d2

SHA1
82c07c30f0fde9c21b81bb867ebb467dbfce62dd

SHA256
534d5f06ae6c79afe2abd05b79d2962fddcdea74e84a2eef9c9af552c68d7793

SHA512
55ef71eb3782591449ef49ed8bb41514a52695e7bdd6cced14017b966f2ec4fcea3afd861ec0f75286469e832f4e2d903a0f2889663b1f7a7e8f496a7ef9698e

Download Submit
/data/data/com.picturefar0/kl.txt

Filesize
63B

MD5
73173e2e804b2a05058e56d6eae1c25f

SHA1
742156d1a822906554fbaafbb3324d4efdc344e3

SHA256
f308f6a1100404997722608c72567ae545cf5bfd6a519690bfb8096e77569e3e

SHA512
bf7c477d40795b8089a910c2931641c9368911e98204b6f325d4055915bff096f85fe9efa3186fae6eccc35e6895c61d0ca0dfd8ad329f6589258aca84043c55

Download Submit
/data/data/com.picturefar0/kl.txt

Filesize
54B

MD5
7954dd7ac7e1851a340b53cbe34809b6

SHA1
309d9890892bd1a3adb0d19fb0dc07d034c01e5d

SHA256
420ffe80875299be45101fd71cb9ead44b6c3b1205638c1065e75fb0f3807a70

SHA512
5348ef7f4b54905e42b54c45bf0039bafab1c3dcf06f9beaedb17639f780f1e4b2650c92e39358528dd313f79392cb81e216d53f6728d111b1a1609ea371d5cd

Download Submit
/data/data/com.picturefar0/kl.txt

Filesize
433B

MD5
b4d5480a51f2092dd9516a8f02899285

SHA1
56c0d51e44328e058301295662c3341340f1ec3d

SHA256
6e6cdbfc9f3ecd54b42a7f373d462e9e0d08c81f1b48847d1dc0c7d36a553793

SHA512
ca5d2a7cbf403de069279897452802ca7f93c6db0096112c721c48ae01ed31221fdec376f20b7e5c91b3c700c603065012e2938c84185e597d2b0836f8d0533b

Download Submit
/data/data/com.picturefar0/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.picturefar0/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
ddea59f59e20ce24bf6a30c196e0d135

SHA1
f775d432b3823e735ec3220be612416bae890ca5

SHA256
dd07e449f7c73f0ec7dae294fcffdf5531619b00a18c4d95bd7d82115695b5a9

SHA512
cc571dc8b54128e7bf0c1fc20ffc7d1723d18a8beafd1b82e01a49e00705cd4ab77e5c1bda7ad7f4b8f63db55953b76d888d8906765b5ad4ffff808e02163841

Download Submit
/data/data/com.picturefar0/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.picturefar0/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
411a39ebbcfbdb1a3ae0f1b4e29dc500

SHA1
c3850444c70f3e48c91d2ef231f9f59f4624a4be

SHA256
f5751a8063a8250d8d83a901fb66a0e908d21e5c88259fc938eb53e6e2813690

SHA512
06193b683e8e690358f7028d9757df50a477e99afe7e1dbbc97677f7698e52ffedd124ab2e8162570c353116ee8dda4be034c2987c61a803974ecb4a0dd0fb53

Download Submit
/data/data/com.picturefar0/no_backup/androidx.work.workdb-wal

Filesize
116KB

MD5
05a92cc20fbf8de3f5a804317cf2d7df

SHA1
527626522d09d241ff97a39c0382a318c4007ff7

SHA256
287d35cd176a36415226e53802184869545879f0a1cdcc6508b3f6c6cce4f25b

SHA512
b46af83bddb2cea4e629a3c42cd5abc8741014c899247625df1ee2d65932064eee166b550e929def5ad22067bdc84dfb7a4bced50a4ccc3f06ca678da6452f06

Download Submit
/data/data/com.picturefar0/no_backup/androidx.work.workdb-wal

Filesize
177KB

MD5
9ee089fdc55f08ca5b821d7e822bcd34

SHA1
c545331e85b6135fb9e11c8ebf0b6a01f71287b7

SHA256
4877bdc264b39c57253b5e00e3817095bca364c77abb733004adcebf6307254f

SHA512
5ec86433d168d522ea538d0009464951ca64e89e413da47714a6f99a965525be5793caccb7b4d5ca2696d3f7366a164964593a28d7320f6eb8aa303928a9803b

Download Submit
/data/misc/profiles/cur/0/com.picturefar0/primary.prof

Filesize
110B

MD5
ea61925ce1e0d2204353d3b5e18d70d3

SHA1
e06689c665ea00a557b97fc72aab61b7fb8238f2

SHA256
edf8fb91f3eadf13fccf008c8b2e0c15d9f31caf65d60a207eafe2acde0cffa0

SHA512
14df0d1afc48fcf2ad3ade6eea1005ce40f964d89ac7c87e4d5ea6218709753164729cdd1585eba01927240769f7981b5a5babaaa888ddb49f9e61c2979755c1

Download Submit
/data/misc/profiles/cur/0/com.picturefar0/primary.prof

Filesize
25B

MD5
b9d9e0f8902d129e1aeebff0ae7b725b

SHA1
cb0d2b4c9dd60a5c1fc6261fb581bcd3416fe781

SHA256
25a822139d06016af8be1296c0242b60e35074f94c713e03323636be1162ce91

SHA512
f158a9dc753e0cb41f71a98714ff02198c576bacdd792a6153fdaf6f9a7b52d8cfb6d09099a269d0c1b0d31e2ea5a307ea1db85115bdc6797887a6de36d597f6

Download Submit
/data/user/0/com.picturefar0/code_cache/secondary-dexes/1732313346082_classes.dex

Filesize
1.1MB

MD5
fdb2d51bd9471e44fc66624c2dbe93b3

SHA1
736d75eb256470e9b51ceaeb424bfaa2a4585e34

SHA256
d71f3a4dd7fa71d51c31e28d7e994096e5ee9ab7194d2e2c79dbe4ebb2597013

SHA512
d3122fd520fa2e55955d5312615d6826609e599f9c03eb9130c22b06e6e08cb0cec92d4c636a7bf01a36448f597b69f47b15cbecdefe5a8eb81ceee62e0fdcfb

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads