octo | bf1f06b33682c07853b0fafb6ea17389a72794880a2973a76a7e60f0fe4da055

Analysis

max time kernel
4s
max time network
154s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
23-11-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf1f06b33682c07853b0fafb6ea17389a72794880a2973a76a7e60f0fe4da055.apk
Size

2.8MB
MD5

05aa3d4d693f96f669bdfd8f7eeea9c8
SHA1

12deca90054e8af0777f34733475b4567ac20d83
SHA256

bf1f06b33682c07853b0fafb6ea17389a72794880a2973a76a7e60f0fe4da055
SHA512

99eb0b488a9a2cff5c6b7571fbd9d2c6d78bc324ed850ecfb342e1a2a502a201ce9353cc57a5121c64230669923f004fa407cb25146122ee5d79731928eeb525
SSDEEP

49152:8EMH88ZHtvEbuc9w24fkktEffrIo7W+Uhll088ZtWnagiIGxOTX0mJn5TwaCpvsC:8EMc8vO8suXyB59zO44z1vZowD0/v4EN

Score

10^/10

octo banker discovery evasion infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://hayatindonderlerikararver.xyz/MDQ2MTZjMDhlZDQy/

https://zorluklaryenicocugunhikaye.xyz/MDQ2MTZjMDhlZDQy/

https://yasamtarzdunyayidogrutani.xyz/MDQ2MTZjMDhlZDQy/

https://cikmazyollardaumutarayan.xyz/MDQ2MTZjMDhlZDQy/

https://hayatinhikayesipratikcozum.xyz/MDQ2MTZjMDhlZDQy/

https://yasaminkavgaveodulleri.xyz/MDQ2MTZjMDhlZDQy/

https://kucukengellerbuyukbasari.xyz/MDQ2MTZjMDhlZDQy/

https://zamaninguctusevinyasan.xyz/MDQ2MTZjMDhlZDQy/

https://gucluklertetekiseyaoyun.xyz/MDQ2MTZjMDhlZDQy/

https://hayatdersleriozetlemeler.xyz/MDQ2MTZjMDhlZDQy/

https://umutlarvesikintilarbirlik.xyz/MDQ2MTZjMDhlZDQy/

https://cikissizyollaryasadogru.xyz/MDQ2MTZjMDhlZDQy/

https://zorluklarveguzelliklerin.xyz/MDQ2MTZjMDhlZDQy/

https://hayatsevdigiolumsuzluklar.xyz/MDQ2MTZjMDhlZDQy/

https://yasambaglantilaryaratici.xyz/MDQ2MTZjMDhlZDQy/

https://cikmazlardayolbulanruhs.xyz/MDQ2MTZjMDhlZDQy/

https://hayathikayelerinikavrama.xyz/MDQ2MTZjMDhlZDQy/

https://yasanmisliklarvesiniflama.xyz/MDQ2MTZjMDhlZDQy/

https://umutvemucadelehayalleri.xyz/MDQ2MTZjMDhlZDQy/

https://zorhayathikayelerindenson.xyz/MDQ2MTZjMDhlZDQy/

rc4.plain

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/memory/5053-0.dex	family_octo

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.hidden.butter/app_cargo/CtWIT.json	5053	com.hidden.butter

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.hidden.butter

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.hidden.butter

com.hidden.butter
1⤵
- Loads dropped Dex/Jar
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:5053

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Credential Access

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.hidden.butter/app_cargo/CtWIT.json

Filesize
153KB

MD5
994d525020d7aec53f40646cfccb580b

SHA1
bd30f37065c8e64e543f7ca65c5fde941fa246ea

SHA256
72668ecc9a21e2a8a577736832e47f42a655874415aa4ece2d8538284040d6d5

SHA512
e18c507479691af0debf6e80a6834ef2a1f914dbe725ceac5f3779a90f8e121d956193450f6961eb9343579d82916107298f24995526b6bbd6518c498f1277dd

Download Submit
/data/data/com.hidden.butter/app_cargo/CtWIT.json

Filesize
153KB

MD5
f77578f172eecb7e07cb6b6b21ba3f6a

SHA1
d36df2f70e178f5fa89fba8ad844ff0fda24d43c

SHA256
38a752a0fe773a569ed8e3a8d690fca7fbbc7914d7da5ca8b68f6a68426a4361

SHA512
14a682ff8d28296edf200600189f372cd02de6e1c3675d9bebeed325a482066979bf60fb0f8ce77cd49d6607e712dcd9f65f00b591d9e90a6fed9f2340c5a8ba

Download Submit
/data/user/0/com.hidden.butter/app_cargo/CtWIT.json

Filesize
451KB

MD5
5c7173504d0976b084f7a90568fada07

SHA1
0e4c5335221c737b0c63aac6adb75dbfd3e17773

SHA256
e244f8127f3925f99bc046f3ccd97babb925e36b1248fd117b4f7f933f8ccdb8

SHA512
9898063507b90798380e0952a1f5eac4d3b5bbbbbbcfae40db048ffc4ff6582905f3c9e8006311f47b8f47d770813cf60c54857ab1a3a3ab805281916f95b181

Download Submit