octo | 1c2e5bcf2a4cab7eab12c0e617f4b931a3181f3234fc1c5b0779e93cdaf5be81

Analysis

max time kernel
149s
max time network
151s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
24-11-2024 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c2e5bcf2a4cab7eab12c0e617f4b931a3181f3234fc1c5b0779e93cdaf5be81.apk
Size

2.3MB
MD5

6df8ee45bd50ffff91bd0a7f824a1d6c
SHA1

0939e4c54bc528e2c62043e476d8ca5bc3bae992
SHA256

1c2e5bcf2a4cab7eab12c0e617f4b931a3181f3234fc1c5b0779e93cdaf5be81
SHA512

f7e35860d0ec3c4015d4242f1bf796a0f30869a5aed7ba9313bf35afbc67b09a4ccb369925209d523df2c042a3a9f138c4bbe0a661208da195327ba670800eff
SSDEEP

49152:H0VQ2V745t15yGpDjB0jw42LZbA7eQsk4gv62lEe3M3CyYntVmXF+r1WQRDC7Y0t:HGQ2V74/15yWejw42pjCNllyYnOV+ZWR

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://discount44today.online/NTQ2ZDEzM2FjMjY2/

https://easyforpro901002.pro/NTQ2ZDEzM2FjMjY2/

https://mobile0team0stat.shop/NTQ2ZDEzM2FjMjY2/

rc4.plain

Extracted

Family

octo

https://discount44today.online/NTQ2ZDEzM2FjMjY2/

https://easyforpro901002.pro/NTQ2ZDEzM2FjMjY2/

https://mobile0team0stat.shop/NTQ2ZDEzM2FjMjY2/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4276	com.worksize23

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.worksize23/app_DynamicOptDex/wETXur.json	4300	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.worksize23/app_DynamicOptDex/wETXur.json --output-vdex-fd=41 --oat-fd=43 --oat-location=/data/user/0/com.worksize23/app_DynamicOptDex/oat/x86/wETXur.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.worksize23/app_DynamicOptDex/wETXur.json	4276	com.worksize23
/data/user/0/com.worksize23/cache/gvtpkqkhfhler	4276	com.worksize23
/data/user/0/com.worksize23/cache/gvtpkqkhfhler	4276	com.worksize23

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.worksize23
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.worksize23
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.worksize23

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.worksize23

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.worksize23

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.worksize23
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.worksize23
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.worksize23
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.worksize23

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.worksize23

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.worksize23

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.worksize23

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.worksize23

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.worksize23

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.worksize23

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.worksize23

com.worksize23
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4276
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.worksize23/app_DynamicOptDex/wETXur.json --output-vdex-fd=41 --oat-fd=43 --oat-location=/data/user/0/com.worksize23/app_DynamicOptDex/oat/x86/wETXur.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4300

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.worksize23/app_DynamicOptDex/wETXur.json

Filesize
2KB

MD5
bbf07383f55389639a43619851124af9

SHA1
17b329ca4cbac503bd33d8c15a9445f0d4d9d2c9

SHA256
82697114f7ce230fae21e24240f18326fd2005001a0ce15c12d01f3208ef7c48

SHA512
2f6bdca0fd6fbe2ab30448febda132976831172c04038141335267a504804c04240d29bcc31fb82cac811eaf14b741e385c43761c6009a9abe485ceb811071dc

Download Submit
/data/data/com.worksize23/app_DynamicOptDex/wETXur.json

Filesize
2KB

MD5
0bcc94f4cbed8f4bd62a3494bc15735f

SHA1
919c235047a90f1b38a097b2d6deb08017658f9c

SHA256
629ed1479864e8a84a97679b62337bd788ef04139cb9bc00eaa1fae06e8fdc1f

SHA512
847699ec02c3bda86f68b44f12bf38be7f2f202e8c25217ca8faea0fe1e3db4ca670437701758bdaf73426b5667fd3d7b3b51666fa3620246fc0fd1ab927960b

Download Submit
/data/data/com.worksize23/cache/gvtpkqkhfhler

Filesize
166KB

MD5
881cd7029f4e9a694076957fbea6a6cb

SHA1
c1eed803c1b5de82e84ae7675ba55feb0d198336

SHA256
512206ac8f52c72d1567462d6e612bcfd3f368f8c637c3843c90d27b95abb7fc

SHA512
c8b67e0d26df32d9a132d3f90978fe5c3fc47145ad42ea67495f50a354ba563fc72004423d4573d0c9a40e930180df54800dcb1be492b998687c41dffbee8633

Download Submit
/data/data/com.worksize23/cache/oat/gvtpkqkhfhler.cur.prof

Filesize
473B

MD5
ffe3098739051e42332068d7912bb75d

SHA1
3b3794ac1ea6e70c086529d864b4e454891ef5aa

SHA256
82eadf8e5b5527bea9f6fd01e11c7af7ec9c31cc000c436392d61a7d223a33ab

SHA512
9a395a405cc0d00ae53a4668659a8514aa795c1a6e4984cfe5ecc79a06ef011736e97608f579f7bed06f803958c2b5920468f4d2f987b6c26eec03a3c81cf9a1

Download Submit
/data/data/com.worksize23/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.worksize23/kl.txt

Filesize
237B

MD5
88eef8354a78f0825c2f1e98766d8cbd

SHA1
dbcba664a3ed847ebf3896e34617af104a8149cb

SHA256
86876278c310e99f41059fb32594308ad68b4e53e3d3fc99e0865c7f6b786a3f

SHA512
55d5088cf058cf52179cad680cfa2a525893897f441a2e9113b880e2c53e25f3bf42bc3984ca38729cae22dc311c899886bd9860d03d492e4c388043a728489b

Download Submit
/data/data/com.worksize23/kl.txt

Filesize
63B

MD5
8971adbca5e7420e608711caae99da78

SHA1
18a8fa6d5b881d41431550ece2f3da89ea91fcba

SHA256
3c9d1ebd5870c146fde5c726aca46765f8ffe033c875d0342410b9e207ed9c8a

SHA512
f61fa6bb03ea908971d30f94ef2dbc5a663f6362975f8524a3aaae7dde234b27d45827819ee9567d37adff5484984e2c20d53775bcc80460c54821bc9f6a9c76

Download Submit
/data/data/com.worksize23/kl.txt

Filesize
45B

MD5
49529798caa6052e7419893b553245b2

SHA1
cd884ae026ed307b3f4866535536f159f8ab8a09

SHA256
791db35ce7f253a585cc4a650b0689f3025231f956e9a1ab64bc394a8e338abd

SHA512
fa7680ee0aa46eb3c627ee093eac15a438e5fa3f478761969ce80c18acca2bc7b9d7aa346eadb6ff8ba9166821dbc37763665885f2430856b98aa6b387222cbe

Download Submit
/data/data/com.worksize23/kl.txt

Filesize
437B

MD5
4d65c827e5356c9ef9f4190300e32f90

SHA1
af5b80e6f5b722c1367c9a1d343f8b16dcb7305b

SHA256
ed13292078d67b2d13f86c8071e7416286db9962ee31e719cd7143478f56b902

SHA512
4e8788450fd172e827b2b6eb4be312519a0c2eea4750409377235ebf06dd7e97dc063db4f30d7c9d951f218a7a7043907b912aecae14bd45dda3e1f7a3fc613e

Download Submit
/data/user/0/com.worksize23/app_DynamicOptDex/wETXur.json

Filesize
5KB

MD5
171a42411632572d5a53667be9be4635

SHA1
fac7fdc538a76bbd1d42502e1ad26c4d1684aa7b

SHA256
a718a5da7ddcac66c545044d66bc4b6c0db8d36fd0e08e1105ef2e5a31164ea3

SHA512
3eb2ca2de3d425949f869fd7ca69cffb59c069fdc718839781ed4d07e527e3b6d9f9eb71bd00771f6819223bc6b7d0ca95656eddd95b55fe68e182a0789acb0f

Download Submit
/data/user/0/com.worksize23/app_DynamicOptDex/wETXur.json

Filesize
5KB

MD5
b5b385e4667a10458e4f24be45eda168

SHA1
46eb83cf6d947f3289d525a411235c4097549606

SHA256
ac0790fb7b4f5d49abedda3c9f0049dfd5f4b7323797438d82650cff1d06190e

SHA512
8e6d84c4e03111e64c32585fb862f5d32bf1c454bc8d057fb3219596474ef5fe702c088a3b2ec412972c1f1b8da0963d26769024206f7f3ccd571af225285aaf

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads