octo | 67395066972d0da17cedb8e587edd1acf45086ecad97c493ff3a6083e825cab4

Analysis

max time kernel
149s
max time network
151s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
25-11-2024 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67395066972d0da17cedb8e587edd1acf45086ecad97c493ff3a6083e825cab4.apk
Size

2.0MB
MD5

4671deaf5b498168ed7a1d9a38a48870
SHA1

4dec1f00d4cbb93ac4ca20d9988e07a95c72c40c
SHA256

67395066972d0da17cedb8e587edd1acf45086ecad97c493ff3a6083e825cab4
SHA512

ffad9211fd403f960753fedd256c455e76ba41e0306375dac6b75983ae9b691e6ff7be804599f25b972b79b45ddd6af04d849ae482b09d77e95da148a86989fa
SSDEEP

49152:gTGnYpWKtoc/uid0YqpSXfhj34/Q+mEOsEv62LE3Mj0/oyLCyYnRJmXR2r1vQRm/:znYp1Oau60YqpAoIEgNLWoyGyYnGh2Zn

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://bunaseiranahui.top/ZmU2YzQ2NjZlNjc2/

https://lauytropopo.net/ZmU2YzQ2NjZlNjc2/

https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/

rc4.plain

Extracted

Family

octo

https://bunaseiranahui.top/ZmU2YzQ2NjZlNjc2/

https://lauytropopo.net/ZmU2YzQ2NjZlNjc2/

https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4326	com.decidehundred2

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.decidehundred2/app_DynamicOptDex/FPJ.json	4351	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.decidehundred2/app_DynamicOptDex/FPJ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.decidehundred2/app_DynamicOptDex/oat/x86/FPJ.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.decidehundred2/app_DynamicOptDex/FPJ.json	4326	com.decidehundred2
/data/user/0/com.decidehundred2/cache/zhxkcsiqkhfvf	4326	com.decidehundred2
/data/user/0/com.decidehundred2/cache/zhxkcsiqkhfvf	4326	com.decidehundred2

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.decidehundred2
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.decidehundred2
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.decidehundred2

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.decidehundred2

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.decidehundred2

Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.decidehundred2
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.decidehundred2
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.decidehundred2
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.decidehundred2
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.decidehundred2
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.decidehundred2

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.decidehundred2

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.decidehundred2

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.decidehundred2

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.decidehundred2

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.decidehundred2

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.decidehundred2

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.decidehundred2

com.decidehundred2
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4326
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.decidehundred2/app_DynamicOptDex/FPJ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.decidehundred2/app_DynamicOptDex/oat/x86/FPJ.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4351

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.decidehundred2/app_DynamicOptDex/FPJ.json

Filesize
1KB

MD5
03e35597d5813ca929d5da337c930173

SHA1
d2ec456ea556d80a59a9d0ba3879c6857fa4a5c3

SHA256
f86b9b496e719df5c5bbeb9141aad8d628c6f9cb8bb1f721c635bfaedd13ba2b

SHA512
7fe355a7915325b45c851e82ba7c82fa364d04e73815184d10ddc70f16ccdc5e4b930137e1d839aed6b8e4661cc01455e17ddf347b8a65a0461adf51c8e1aef6

Download Submit
/data/data/com.decidehundred2/app_DynamicOptDex/FPJ.json

Filesize
1KB

MD5
5332b91e7346cd1c6636ad10e2641000

SHA1
e58a68e63832609b86d0a3802880625ce341e24f

SHA256
75d9165625912005d0efc0c624c32a8c10e9ceef27fba4e275c2be136baa8fc4

SHA512
b8cedcc0748b7dd17c4b775141c3aa79571af6220846ebc5b73006b4416793b46a569e39cd91e4503a788ed613cb19b17f562949196f08576deb403ee35d725c

Download Submit
/data/data/com.decidehundred2/cache/oat/zhxkcsiqkhfvf.cur.prof

Filesize
521B

MD5
ba92a11f8f37a044655e2ee66e7ac35f

SHA1
8486be2c06fb60edc3b129cfa1fee2b06b72288a

SHA256
d6db7011a4060e74399df0ff39d5aa5417735de0bb461510154e783b4e2f7246

SHA512
dd04f6d77ba363f60864f3dcc283bceef4bf0950a9dd5f12ea97e94c33c924201b17ff00fb4d9a98672d824ce7314e2a38f42b152c0d8fb6e3815bef7ea99f6d

Download Submit
/data/data/com.decidehundred2/cache/zhxkcsiqkhfvf

Filesize
449KB

MD5
8ce2b5ea03883011ffdd8ef53fb4ab20

SHA1
d0ea0488924eed67cda20a0d275c44b9d054f99e

SHA256
b4276c301751e1a398c5f64fe1f48401c0e7f483e0cc99a6752fcd1c6d26f681

SHA512
c1229d099d0101e9519eb1f2ea17f5687b866a59f99c60cb282ca84c01be4e70d8f29090d1446c72d2b4a0c484125050d9afdd60fcbc5b10e2b4d7c703586f08

Download Submit
/data/data/com.decidehundred2/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.decidehundred2/kl.txt

Filesize
237B

MD5
c2fa809ff1eecdca2f9bcc10071a1e80

SHA1
6e5962e955e9216a113db5af5002ee743eccc946

SHA256
32894f5d1d89b8eb06be7f9eccaf8be4390494da07ef927d273b3e6481d6c0cd

SHA512
6636dcf702fb054fb268d08016ff4b60c0332751ef66ce787ab78f8399da82f37586693a7b832e1b6d12de06a0e66f2ee42bfd8d2ad4b1e1b7e664127ee98555

Download Submit
/data/data/com.decidehundred2/kl.txt

Filesize
63B

MD5
58e5c0791b2ec6331d549104d3987903

SHA1
609793d0c71e3a6dad42d64a6569faf2bcbf7de0

SHA256
03f1674d3b87ef936cbefc78e5def6e12eebd9117d0e90e41c7ba9fc74aaa582

SHA512
8bc8b2f4ef5d050d4b6325581c0fbbb5c88536d93f438edc813aee180790064d2f37691facefe1ab6f81fe29f7ca3aa83b051c14ab3ed18a53794df7552b0fec

Download Submit
/data/data/com.decidehundred2/kl.txt

Filesize
45B

MD5
0161c36e859dffedfcab072fb62d24dc

SHA1
605e45975bb3f526442778011d988afc773c5fa2

SHA256
100372cef5d283533f7d0cebf8eb0676d43f7f9312e19b273f7416f2ed707f92

SHA512
07ef2b2f5ad9c268881874587299afe9eff9970cb32851ef62a1c269955b158904697c8fbcb64e7eab1ff89b37e86b1794c36d874ed98035e2fe3f3b079a9a3c

Download Submit
/data/data/com.decidehundred2/kl.txt

Filesize
437B

MD5
7f8203c6517ccfdac6b1f9dba47aa2f6

SHA1
10f2e6329e3f2ebb8279be3ab03530c33b33cb08

SHA256
cda0678d4622fbb3dc137e9f292443c103450cb7a8dc7b84d886c72a0feec7ad

SHA512
bcf93fb618078f8126979964839db6e3dcbe91953826efc9ea84116134bfc3e08c0e71724024ddae2a57ae39475bf08860758b8dc81e50f917a902541c880b42

Download Submit
/data/user/0/com.decidehundred2/app_DynamicOptDex/FPJ.json

Filesize
2KB

MD5
00d2a2146952dd41c72198094101ab68

SHA1
4d9ddf0467d8573ddaf84fed8e420bbcfc373242

SHA256
9dcc20a5c76be2bf673b92478d4e407595d8074ceb93d23bd272cd6c690c8f6e

SHA512
093c35d4d7bae83480aeb917ba02fea31e3c616a216024568422d73fd7ce6fd86ad9d2c00a76bf46fd763432196e990373bb490caed680650ed3aac10321b7f5

Download Submit
/data/user/0/com.decidehundred2/app_DynamicOptDex/FPJ.json

Filesize
2KB

MD5
6b57f0c1dc2f26587de7a5c86abc0f5c

SHA1
013181a0a8b3bf638e89d19c8e5841319de177e6

SHA256
ed17830e8fc9b4f65379a534733f947862ce110a7609c813c82d56f6f696d01d

SHA512
c5b91013b3ff2d8bd0b764ca10308252e8e907eaa2e16f65a8d5e0a65cafbe139c826b5883dc8b172ae43f64dcf24805b3de59239137308a4b262f4515f9fbd8

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads