octo | 96515ec94f2bce57561174f2516246c16b73ddfc5f0aadf2aa576f65604df213

Analysis

max time kernel
29s
max time network
25s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
23-11-2024 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

865e193b3c83f15cfb0a180dd33affaed8bfab3d.apk
Size

1.7MB
MD5

bed61342b7339b40f96172a8f3bf6e9e
SHA1

865e193b3c83f15cfb0a180dd33affaed8bfab3d
SHA256

55b92655fd372189cb7ae07dedefa23f7660c0500892150e8c5ffe788c3dc72f
SHA512

108b86ed363d03c222b7abb8c37cad4a5cff6c57241daa38ada14cec04173d311736b1cadb040beaf065235671e8fcdc40819eebc1168829580e87980da5f2dd
SSDEEP

49152:D8ow18yYd2Ws57EeC9vbOyLTE4+BPgwOrY:D8oFNdBce9vzLY41rY

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://ssfdnsjds.top/OGYyZmMyZmVlMGI0/

rc4.plain

Extracted

Family

octo

https://ssfdnsjds.top/OGYyZmMyZmVlMGI0/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral14/files/fstream-1.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.yetdirectokmn/cache/pxavugmtploaohu	4444	com.yetdirectokmn

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.yetdirectokmn

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.yetdirectokmn

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.yetdirectokmn

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.yetdirectokmn

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.yetdirectokmn

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.yetdirectokmn

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.yetdirectokmn

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.yetdirectokmn

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.yetdirectokmn

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.yetdirectokmn

com.yetdirectokmn
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4444

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.yetdirectokmn/cache/pxavugmtploaohu

Filesize
462KB

MD5
6c7b59c8c7a98418c43bade2fd1b0d3c

SHA1
18e177dbb846c5d9de887650f353d23755b93707

SHA256
8df99892eaab6e194105f33843e3de45dfad127f90b102c6a530fd593b686716

SHA512
b1e410115271ee370edd6330d1273622162d1de125eb99ecbe8211ff34c310f6f2a03bb25963f4c2668cf85cffb5c0996ef04bd6ea3fc4efdbac18efe3544845

Download Submit
/data/user/0/com.yetdirectokmn/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/user/0/com.yetdirectokmn/kl.txt

Filesize
69B

MD5
60afed0d496a2e1a5150a6e1923907ee

SHA1
cfbb35e0e8a5c5dbdf28b9d05da930a38b93b651

SHA256
9606aa46bb1469edb4a2587417ffb4453308546b51b295fbe774ad62aa1b3af3

SHA512
aacbbbde63373e377e6cd73b16f0a37292db7f9fc6a11d021a7d352ebe21f59fda3865c2c0e45f100f42440ebb269e001151b5d553f62af11905d7d1f1cea0ef

Download Submit
/data/user/0/com.yetdirectokmn/kl.txt

Filesize
219B

MD5
588a7c96398eca8d60b48c48e4f0e73c

SHA1
1588c735ac9cbe1aa89236beeea4355225df5825

SHA256
c1e557a5a950ec4baaf5d112fdcc8601f51c3a61b7ae121523a0b3cbebfbdea9

SHA512
336be73d8cbf619cc20a59e89122505960baedcdf2a73338756ce4c43df69e70c44fe140807222f2d1f4c23c7da38f9bdf85778b744b6e7b5adc2a73d58fc7eb

Download Submit
/data/user/0/com.yetdirectokmn/kl.txt

Filesize
61B

MD5
726d0022eed53b3b683f2b990e56af36

SHA1
5648fe633253f414508648cceef2f7bd38fa5811

SHA256
f250d6594ce84ab3ab80c0e4246a42f0f16f0b8df58598b4c11528aa90bf9441

SHA512
943843b6c680bcf42e3c9ea6ff4dc16b0d9b785f379341564066862b8f17ea39dc2fcef5d33c817781dd3bd4b133a595444580d228f3b2bc3e75e3a9cd0a22db

Download Submit
/data/user/0/com.yetdirectokmn/kl.txt

Filesize
76B

MD5
a7c5972459f4c3a3eee18923cd82d3ab

SHA1
8c45f9a838ccc56e89a6710208534aed6dc08e02

SHA256
210f175f290c81d8fd93f5208bf6089c04732aa6ff55d5e3f3ed59fe0a5c4ea0

SHA512
88cfff3e7084da5de6f2be99a2a22abda37581c1536093684a8b26bcfcf67190d21fadd67dd7d44fd6285df02f80dfb62af80f2081d934182133d9a68bf57bef

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads