octo | 5f39ea35201e49b7f14bdae9d2f077580f6c2527d17c767620be6890435ef979

Analysis

max time kernel
149s
max time network
150s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
24-11-2024 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f39ea35201e49b7f14bdae9d2f077580f6c2527d17c767620be6890435ef979.apk
Size

1.6MB
MD5

59080c638509bac8c8d3b18001c1af6b
SHA1

5f3fef0ee883c14a821c1ce33cab832c21f1b898
SHA256

5f39ea35201e49b7f14bdae9d2f077580f6c2527d17c767620be6890435ef979
SHA512

cedd5a4e0fd773a90cca4c7ad45378e87dccc7ba27c6ce3c1fb96c047908d13577408465d897ceee855f20519ec7ba4118179c9c1e3f6707fd0dfe20a1507b0e
SSDEEP

49152:iWwZQufxBMwgREhrSHiu5XNZGZbmqiC+AAE4KoST:iDZrxBMQ1g35XNZQ/ina

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://povtoruhh.top/MmEzNTkzZDFkOWQz/

https://lauytropo.net/MmEzNTkzZDFkOWQz/

https://bobnoopo.org/MmEzNTkzZDFkOWQz/

https://junggvrebvqq.org/MmEzNTkzZDFkOWQz/

https://junggpervbvqqqqqq.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqgroup.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqnetok.com/MmEzNTkzZDFkOWQz/

rc4.plain

Extracted

Family

octo

https://povtoruhh.top/MmEzNTkzZDFkOWQz/

https://lauytropo.net/MmEzNTkzZDFkOWQz/

https://bobnoopo.org/MmEzNTkzZDFkOWQz/

https://junggvrebvqq.org/MmEzNTkzZDFkOWQz/

https://junggpervbvqqqqqq.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqgroup.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqnetok.com/MmEzNTkzZDFkOWQz/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-3.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.hundredcan8/app_DynamicOptDex/Jq.json	4512	com.hundredcan8
/data/user/0/com.hundredcan8/cache/upyqkbfbzdee	4512	com.hundredcan8

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.hundredcan8
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.hundredcan8

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.hundredcan8

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.hundredcan8

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.hundredcan8

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.hundredcan8
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.hundredcan8
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.hundredcan8

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.hundredcan8

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.hundredcan8

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.hundredcan8

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.hundredcan8

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.hundredcan8

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.hundredcan8

com.hundredcan8
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4512

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.hundredcan8/app_DynamicOptDex/Jq.json

Filesize
2KB

MD5
01d4c65d111d9aed9fe661542740928d

SHA1
d29d2d25e5d289f8c05d8eb172e31f8da19acafc

SHA256
31fffa2ee6a230cd48d85655b7c6dc05ec9d2f65455ea41207b0342b50d1d3c1

SHA512
2f1795bbcbe9e7b71b8d8931743516df3ed77946e1fcc6ddbd75c5006ae75062fb549f99e1e81cf318248486e84fd2fbc78d8f058b6458128533f4f14facada1

Download Submit
/data/user/0/com.hundredcan8/app_DynamicOptDex/Jq.json

Filesize
2KB

MD5
5f4480016d6494b6a5a37c5ec814b56c

SHA1
79ff937d929198ae3b0011ce76c13e146950a54f

SHA256
6489e346001cc367108b7fa7546392e6a5c1fd644062de3a9ef9ce9ca6420529

SHA512
872584f7264ae3ae3cfcfab1c7c77674fe822044c9b84afa0fdb037e0c108f4f839033f433805338b22bca73e822756b296644bff70f43367c5eb1e43f50ba56

Download Submit
/data/user/0/com.hundredcan8/app_DynamicOptDex/Jq.json

Filesize
7KB

MD5
41616ebc87eb08680fa9405040cb105f

SHA1
2df0b5e1256c1b1ee15c0f232a90851bfeac1d57

SHA256
5cb9e993f37de76f4cd6828eba64d902fd3c78dd30db670a9e365f122a5536d1

SHA512
81d730c2fde5eb4056740fcd08fe3af9be13c7e3f3831839ef76e32f16ff8df241c93be8e7fa6987d0c7183404c777636dba8e0c7cf3d3d6e7e6f65003a27e7c

Download Submit
/data/user/0/com.hundredcan8/cache/oat/upyqkbfbzdee.cur.prof

Filesize
399B

MD5
9a904ed47f3c6d5ef78f5c79917497c8

SHA1
ce47f2d19af9ddac6a4878222de5b9579ef74e12

SHA256
c37ea376ee4ae00133429a178ea748ce011756dfc718e0d8d6cc2e8041f711b7

SHA512
ec515f553a09585354ce97386e13fa477403952d4bce983b69bb7ca2645a1f55e794e5515916e6c2f2cccfc0a6faff4bdbe559eee15c97132bf7d30f48281a54

Download Submit
/data/user/0/com.hundredcan8/cache/upyqkbfbzdee

Filesize
449KB

MD5
1dd73b91757c1dc964f169daa7feb8be

SHA1
a0c15b35e043422a5c1321515a37a21281885185

SHA256
bf76cf4305e7055bca22b8b3298182733143523b254b5a0621563ec75ae4c2cc

SHA512
5cfe86b3e9d647620928f7af36e636cf4ff7910af1faf7dcd16d2c25eff4fc520adf535d5b032fb6e9239782f1cdf04117f7db8c5ee40f449a2e153339bf79ec

Download Submit
/data/user/0/com.hundredcan8/kl.txt

Filesize
64B

MD5
d800ec45dd5a306fc1d02b9aacc274ed

SHA1
d5982929c7d14f99929e228ab8c7ed5ab89b0591

SHA256
29aa20252df306d5679ab4e8e36d85609388b5fd8bda774152d4064fce57f395

SHA512
76160153c997415d24768ecd35e1ce7323a7abf50fe9b5c126f274330c3e779478ad014e78ee3def84c597296c2636c37304f786dd14121d57bb2da5c760cc59

Download Submit
/data/user/0/com.hundredcan8/kl.txt

Filesize
76B

MD5
71651749085d234073e34f0892fa0916

SHA1
9677d9bec2420f98e35b21d726116e62a76f8323

SHA256
d38b3d530b39c1b7c2ee2fb6149b3539a8b4c964ade173ca49df00af19d984b7

SHA512
4d1f8864c8c905e9b0c2d00d893f97cd6aa60c7a66fa25638904e4c38d6c4ece2e9c49bab8af33b6ddac40d261e1de23f934ac51228a3d762545e03b6f6555f9

Download Submit
/data/user/0/com.hundredcan8/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/user/0/com.hundredcan8/kl.txt

Filesize
221B

MD5
2d044967511e719782a87dd954b81609

SHA1
2090279eb0171b19a12edb5afa29d9570087cf72

SHA256
fb8daba812b086c7d773173e8787eba5c333418d8bba591ef755814719b4e20f

SHA512
b81999f8380409bed17318555f62a000a37c24234e060c7b9f5b9de74eeda02929df9481a5a5089dc968f940e1c22663210d8a1e8052ded33558e2604d6cb17a

Download Submit
/data/user/0/com.hundredcan8/kl.txt

Filesize
61B

MD5
8d3285a9b60ec320cafcda0c1da025ea

SHA1
ef6c8cdc48efc8dd3c96fe90cdeba93d1a31cdb5

SHA256
5821dce15f56bfa7535c9869914f97095c5403c85734746491f3848bd3bb109d

SHA512
c85fa918f2fe4a19f06420af3f003061c8a31d26676baa56efce4ddad2af0c81e9d53d6d3e752deacd395dcb2e8b3f03a40d16ec5e565efad68515cde30b4d2a

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads