octo | 96515ec94f2bce57561174f2516246c16b73ddfc5f0aadf2aa576f65604df213

Analysis

max time kernel
148s
max time network
167s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
23-11-2024 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

865e193b3c83f15cfb0a180dd33affaed8bfab3d.apk
Size

1.7MB
MD5

bed61342b7339b40f96172a8f3bf6e9e
SHA1

865e193b3c83f15cfb0a180dd33affaed8bfab3d
SHA256

55b92655fd372189cb7ae07dedefa23f7660c0500892150e8c5ffe788c3dc72f
SHA512

108b86ed363d03c222b7abb8c37cad4a5cff6c57241daa38ada14cec04173d311736b1cadb040beaf065235671e8fcdc40819eebc1168829580e87980da5f2dd
SSDEEP

49152:D8ow18yYd2Ws57EeC9vbOyLTE4+BPgwOrY:D8oFNdBce9vzLY41rY

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://ssfdnsjds.top/OGYyZmMyZmVlMGI0/

rc4.plain

Extracted

Family

octo

https://ssfdnsjds.top/OGYyZmMyZmVlMGI0/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

Processes:

resource	yara_rule
/data/data/com.yetdirectokmn/cache/pxavugmtploaohu	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

com.yetdirectokmn

pid process

4315 com.yetdirectokmn

pid	process
4315	com.yetdirectokmn

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

com.yetdirectokmn

ioc	pid	process
/data/user/0/com.yetdirectokmn/cache/pxavugmtploaohu	4315	com.yetdirectokmn
/data/user/0/com.yetdirectokmn/cache/pxavugmtploaohu	4315	com.yetdirectokmn

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

com.yetdirectokmn

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.yetdirectokmn

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Acquires the wake lock 1 IoCs

Processes:

com.yetdirectokmn

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.yetdirectokmn
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.yetdirectokmn

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.yetdirectokmn
Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs
Application may abuse the accessibility service to prevent their removal.
evasion

Prevent Application Removal
T1629.001

Processes:

com.yetdirectokmn

ioc process

android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.yetdirectokmn
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

com.yetdirectokmn

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.yetdirectokmn
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
collection credential_access

Access Notifications
T1517

Processes:

com.yetdirectokmn

description ioc process

Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.yetdirectokmn
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

User Evasion
T1628.002

Processes:

com.yetdirectokmn

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.yetdirectokmn
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.yetdirectokmn

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.yetdirectokmn
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.yetdirectokmn

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.yetdirectokmn
Checks CPU information 2 TTPs 1 IoCs

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.yetdirectokmn

description ioc process

File opened for read /proc/cpuinfo com.yetdirectokmn
Checks memory information 2 TTPs 1 IoCs

System Checks
T1633.001

System Information Discovery
T1426

Processes:

com.yetdirectokmn

description ioc process

File opened for read /proc/meminfo com.yetdirectokmn

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.yetdirectokmn

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.yetdirectokmn

ioc	process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.yetdirectokmn

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.yetdirectokmn

description	ioc	process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.yetdirectokmn

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.yetdirectokmn

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.yetdirectokmn

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.yetdirectokmn

description	ioc	process
File opened for read	/proc/cpuinfo	com.yetdirectokmn

description	ioc	process
File opened for read	/proc/meminfo	com.yetdirectokmn

com.yetdirectokmn
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4315

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.yetdirectokmn/cache/oat/pxavugmtploaohu.cur.prof

Filesize
441B

MD5
8fb507dd89ab310afd42268a833a1dd3

SHA1
998b853b8f4efab2b764080c68bf6f0e5901ed4f

SHA256
2dffe0bf4d9fe8d5e69ef32640c558d1626641afe9f6b8d9090a497c275dc0a6

SHA512
c14d5650e951bacc29fbf3ce2d4691344fe998524e990d9b802e14571b36a0fb6457587a0e71cfe7ca75466320adaa3dad10c79bd4b9400c16a2ff1da6d0d371

Download Submit
/data/data/com.yetdirectokmn/cache/pxavugmtploaohu

Filesize
462KB

MD5
6c7b59c8c7a98418c43bade2fd1b0d3c

SHA1
18e177dbb846c5d9de887650f353d23755b93707

SHA256
8df99892eaab6e194105f33843e3de45dfad127f90b102c6a530fd593b686716

SHA512
b1e410115271ee370edd6330d1273622162d1de125eb99ecbe8211ff34c310f6f2a03bb25963f4c2668cf85cffb5c0996ef04bd6ea3fc4efdbac18efe3544845

Download Submit
/data/data/com.yetdirectokmn/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.yetdirectokmn/kl.txt

Filesize
235B

MD5
6bd74491358a811484090e55089169ba

SHA1
f5c337091716bc1e1a6b8ac30a46b8a37c530232

SHA256
20b8dcce85ed745ecc133c99a7c5f1641d56575f9fc9f5afc7df44123497378a

SHA512
0b42a13b8bb12d6d13e05458535ca72915a6e8f3cc5e129b08900e9baa0a9b7f32c42284bb5db7218d7ffebf6601e3d3ddc0385e0c914e98b74b11d729853b06

Download Submit
/data/data/com.yetdirectokmn/kl.txt

Filesize
63B

MD5
eee65b68a5109d75cadde3654227ff1e

SHA1
d86fe7d1a3cbea9becc28374f0c939ad74a7f0d2

SHA256
9e7e5a9a5667f9a2d4698e926069cfb8e67ec3ff2ab6a908000e2011e1727c2f

SHA512
795c85543a6e5248a86c30c79a18ba6f8c98449736551cc9b9330c2cb3e06e0eab668369046941f0c29da9724b184547f1d3efb76bc03629fe683bf515e93466

Download Submit
/data/data/com.yetdirectokmn/kl.txt

Filesize
54B

MD5
507660e0cb53a998d4074082bc06c8af

SHA1
c34ff89727aa5d91620a32803c2ce37ca137c080

SHA256
4705513c6d29e5638a175814d1224a7be2fd3c3bca3a71dde26c0028a548daaa

SHA512
a43551410a8ab39f01264ae16a4d3ecf365c363c9cf6e0be9af84c0d8935044b1bae9cf09da173445e8285b9a0e3521093b2a6952a9c5071e0239412c6afdd33

Download Submit
/data/data/com.yetdirectokmn/kl.txt

Filesize
433B

MD5
e6bd1079866e2b36787b0f17d5faaf66

SHA1
15fe63429b51713512fc064c744f1896345b9401

SHA256
f640961c347114b3e635c4a41911e20ab15573fe8070901dd85768aa8fc08892

SHA512
33d21cb9cfa893f30d718d8cadc487f51d53128d2670866a38abcc245f4f2980a5d5254402b615c4011d36e8d82be81c2b76582e8b267a984d0d7e1472a6f93f

Download Submit