octo | 4052c9f77f76b20718057304f68b81dd6d4003564e2e7769c7c8e36493ab123a

Analysis

max time kernel
149s
max time network
131s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
23-11-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4052c9f77f76b20718057304f68b81dd6d4003564e2e7769c7c8e36493ab123a.apk
Size

2.5MB
MD5

b59173f46013514816707aadd31bf813
SHA1

4e726d1bff0c11615c30f0541eb535d8a58b688c
SHA256

4052c9f77f76b20718057304f68b81dd6d4003564e2e7769c7c8e36493ab123a
SHA512

e09e5d6febfb7b4137a5053b38a154ede7b64497371ede83076a06d2a04e29de1e6073e2418885725aec0c7374dc7e694f82ecdac2e8adde33e2ed9ef63a4ba2
SSDEEP

49152:wl5iwwmokzAmRKfzN3au/G7emeKWsgH2Uv62cBnEmGMPCyYnRILOYvNmXxSr1LQo:wl5iwwlkMZ7N3au/Z/tNanx6yYnyTvQ0

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://cloudstats112192.space/NTQ2ZDEzM2FjMjY2/

https://fingerprintstats12.store/NTQ2ZDEzM2FjMjY2/

https://wordpress00stats.online/NTQ2ZDEzM2FjMjY2/

https://staticlocali112.ru/NTQ2ZDEzM2FjMjY2/

rc4.plain

Extracted

Family

octo

https://cloudstats112192.space/NTQ2ZDEzM2FjMjY2/

https://fingerprintstats12.store/NTQ2ZDEzM2FjMjY2/

https://wordpress00stats.online/NTQ2ZDEzM2FjMjY2/

https://staticlocali112.ru/NTQ2ZDEzM2FjMjY2/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4263	com.gotthosebd

Checks Android system properties for emulator presence. 1 TTPs 1 IoCs

evasion

System Checks

T1633.001

description	ioc	Process
Accessed system property	key: ro.product.model	com.gotthosebd

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.gotthosebd/app_DynamicOptDex/miA.json	4289	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.gotthosebd/app_DynamicOptDex/miA.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.gotthosebd/app_DynamicOptDex/oat/x86/miA.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.gotthosebd/app_DynamicOptDex/miA.json	4263	com.gotthosebd
/data/user/0/com.gotthosebd/cache/xbbaa	4263	com.gotthosebd
/data/user/0/com.gotthosebd/cache/xbbaa	4263	com.gotthosebd

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.gotthosebd
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.gotthosebd

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.gotthosebd

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.gotthosebd

Performs UI accessibility actions on behalf of the user 1 TTPs 7 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.gotthosebd
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.gotthosebd
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.gotthosebd
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.gotthosebd
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.gotthosebd
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.gotthosebd
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.gotthosebd

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.gotthosebd

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.gotthosebd

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.gotthosebd

Requests modifying system settings. 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.gotthosebd

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.gotthosebd

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.gotthosebd

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.gotthosebd

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.gotthosebd

com.gotthosebd
1⤵
- Removes its main activity from the application launcher
- Checks Android system properties for emulator presence.
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4263
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.gotthosebd/app_DynamicOptDex/miA.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.gotthosebd/app_DynamicOptDex/oat/x86/miA.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4289

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.gotthosebd/app_DynamicOptDex/miA.json

Filesize
2KB

MD5
a00f27187c1e67976038d0bd15983c8a

SHA1
e7154828edf2269a5e23a883238d028345074eb4

SHA256
ed8f0838a46d9d0b4b21a880a4eaa51607d061e1e6d683638992c8593596c640

SHA512
b43deff54a825c3ce07dd2c714d6ad3731a44b7f64908351d0faffdda8327095f65a0217ae786104a08571609169dd8af52868ff025dfc959a1e28acb0757a31

Download Submit
/data/data/com.gotthosebd/app_DynamicOptDex/miA.json

Filesize
2KB

MD5
837f866379add962a1b6ab780694ec95

SHA1
25358cd47a92d4fa969773d9f631ec0963bfb458

SHA256
3363a90dfe8b02802afcca202e80f824b44ccfc6a6cdda5e70f2041003aae020

SHA512
f91b8a8c99ffeac0284a58d56271efb35efc8df7182071778bd2b9899d63b34b3d2df705305712513f240c670d7c9eb9692021cfe126e1a459204bdc9af55a39

Download Submit
/data/data/com.gotthosebd/cache/oat/xbbaa.cur.prof

Filesize
446B

MD5
a363e74480d330975382b653ae4beef1

SHA1
a3f629e67deb0cca90522a469e35e79c748832da

SHA256
0193c2612d6f39415380f71462cf85e0472fffc987792cbf79b571f097066a5f

SHA512
6988c13b2f588e10346ad06cc8a53c482c743054100acd9ea29389adea2159675dfc0bc5a616e6802e5edeb42631e08c3110d7a6d2e7df3b8e324065b312c11d

Download Submit
/data/data/com.gotthosebd/cache/xbbaa

Filesize
165KB

MD5
293bb5b0dc1af20c721ccacd16750c82

SHA1
01c3f70f56ad1c00c14fdb3dd28746af570b8460

SHA256
a61edf88cc731b9452e50916e281290878d5a9b0d5379edaa0a7da35f037e8c9

SHA512
64b3e867cf990a79b2c7da2941b066a506f82d40801fb5a5445a1f3c8c041635838ccefb19878ca5ed66e830d1a3a8c5018c7edcda9067caff4382c1c40d7231

Download Submit
/data/data/com.gotthosebd/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.gotthosebd/kl.txt

Filesize
237B

MD5
0dfb4fa0b45ec8ed94a2f41f333057fd

SHA1
2675f2968f4d4985a97949795ad3af4b26bdebfd

SHA256
fe576fc116e26e32816315db3854313d96f2a3d3233b37cf680ed9d49919e4ac

SHA512
6f55de18a9ecde12926aa20c5aea8b488a43a72a84811b9a94049d0b83771a13260f73d978bc37963cf4f0d1421da2a1e5f648af6424fae3d0b492d7871471f0

Download Submit
/data/data/com.gotthosebd/kl.txt

Filesize
54B

MD5
675d200ecdc3cccb5b1a94b6dbee10ce

SHA1
ef3e8e8219f96bf23ae28c059d4f2840a89ab4c9

SHA256
f9e5030d0360794eb352d63cf9e428f57321e07d8d2fc717ccf3000d9e24bace

SHA512
f594380c18300e09e8257aaef9379313e2dc83a6a8681b1e18cd49c49570ebc91b05bcb004050ead6d41911cdfcf51744a5542f318d577134e0df23ca7aac221

Download Submit
/data/data/com.gotthosebd/kl.txt

Filesize
63B

MD5
7878110779524c3bb352fc4e55e86685

SHA1
44bf2ea06b6f6364beda4b488b9b8b8d6dbc3470

SHA256
db525064a0952a24e729253fcc5c6c9ba05cf3749701d02ed4b2b5316ca6f1b2

SHA512
55134fe5f7174161c7eb0944176da007c9da21b36078e91a253497461cb4db08821681882eb4bbe58d10f6693a10313bea4bdf047d702195f68f6fda1988510f

Download Submit
/data/data/com.gotthosebd/kl.txt

Filesize
437B

MD5
5531549d024a76841f88e4ebc9027b34

SHA1
8043c46ac7ba836f29605e2bd3b2e0c262d88b30

SHA256
5a7f51650360425fe64ffcfa2be37c6fb630e1082bb6c2ed6f66751943023978

SHA512
bfc997c8d8282cebf09d53d6bba60b0c4e1bc3113898e56a1e92a8171ea9c19aef457500c3644c02d8a1fd782c2948600a256ce6283ae29c2f3149433a8d5b13

Download Submit
/data/user/0/com.gotthosebd/app_DynamicOptDex/miA.json

Filesize
6KB

MD5
1f5d721bb4600afdf303d8de87477ecc

SHA1
bfabca772670049d76ca3a869da14d9654504a85

SHA256
c23ace5081707365fbf81e337cebc49b3617598d8a82c8f8a4aaadf34af75c64

SHA512
85663c0f25b9aa72866a82bf7d4b8f99565ffd6a8b57eb1f0aeb5b0f366e48c5f403314e47752f57198476677aa63a68273869864eca5fe39cdb2d4254e47569

Download Submit
/data/user/0/com.gotthosebd/app_DynamicOptDex/miA.json

Filesize
6KB

MD5
efc266042f35ab7f1933ef7475c89d0f

SHA1
cd30d17ea6070b14d1cc7348ed74439898d77132

SHA256
deee95e0d98a2208fd82f2ae171f00aece8aeafd4e19c65ca68788747a8f30be

SHA512
ba20a2a2a8350a0c1c838b840dda04961b21d04e99290a24713166d508bb03e0d67d982912bf3edaab4a84feda8ab8a506711b5406b3e74b84cec91092b0827f

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads