octo | 6efba5709ec73c91e961cdf2a11f47c748a96ac909202c3b676b432e1b1fdef1

Analysis

max time kernel
149s
max time network
151s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
25-11-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6efba5709ec73c91e961cdf2a11f47c748a96ac909202c3b676b432e1b1fdef1.apk
Size

1.7MB
MD5

d22123c3836a3172fb8d2d229cc49ecc
SHA1

c9218a754bb9dad8884a028806ac61e266822eb1
SHA256

6efba5709ec73c91e961cdf2a11f47c748a96ac909202c3b676b432e1b1fdef1
SHA512

88e464e0d836c5db8832a89b247a3d1d61e11d93ada100cb535a41361c46953857d77abf87179411d3bc68d16ec8837dbb9b19035f599116033f032c841fc4e6
SSDEEP

49152:8zZZWI1BGiqkGJmvhzy10JstONxhXmZGZbmqh6czAE4KoSY:8zZZ51BGiBGozeQstON7XmZQ/hij

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://nonkapizza.top/MmEzNTkzZDFkOWQz/

https://lauytropo.net/MmEzNTkzZDFkOWQz/

https://bobnoopo.org/MmEzNTkzZDFkOWQz/

https://junggvrebvqq.org/MmEzNTkzZDFkOWQz/

https://junggpervbvqqqqqq.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqgroup.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqnetok.com/MmEzNTkzZDFkOWQz/

rc4.plain

Extracted

Family

octo

https://nonkapizza.top/MmEzNTkzZDFkOWQz/

https://lauytropo.net/MmEzNTkzZDFkOWQz/

https://bobnoopo.org/MmEzNTkzZDFkOWQz/

https://junggvrebvqq.org/MmEzNTkzZDFkOWQz/

https://junggpervbvqqqqqq.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqgroup.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqnetok.com/MmEzNTkzZDFkOWQz/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4405	com.thesefamily0

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.thesefamily0/app_DynamicOptDex/ckuhEr.json	4433	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.thesefamily0/app_DynamicOptDex/ckuhEr.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.thesefamily0/app_DynamicOptDex/oat/x86/ckuhEr.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.thesefamily0/app_DynamicOptDex/ckuhEr.json	4405	com.thesefamily0
/data/user/0/com.thesefamily0/cache/ehoqb	4405	com.thesefamily0
/data/user/0/com.thesefamily0/cache/ehoqb	4405	com.thesefamily0

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.thesefamily0
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.thesefamily0

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.thesefamily0

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.thesefamily0

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.thesefamily0
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.thesefamily0

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.thesefamily0

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.thesefamily0

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.thesefamily0

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.thesefamily0

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.thesefamily0

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.thesefamily0

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.thesefamily0

com.thesefamily0
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4405
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.thesefamily0/app_DynamicOptDex/ckuhEr.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.thesefamily0/app_DynamicOptDex/oat/x86/ckuhEr.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4433

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.thesefamily0/app_DynamicOptDex/ckuhEr.json

Filesize
2KB

MD5
00b298b854df5c3c5530fa7f72cb77ae

SHA1
bddc9ef265db1c4a9ac8f2903423d2dba2ce6858

SHA256
408810597e8c6c9c6c96984a7633f9487efdcbbb2dac32d559788ed7642feb46

SHA512
ef048c64f5f6428960e091cbd74eec4f158c006510376349c61e673ca013d0907a88d45ec50bfe5035c53907c994991c831779b28e8afc03dc11820d84369e7d

Download Submit
/data/data/com.thesefamily0/app_DynamicOptDex/ckuhEr.json

Filesize
2KB

MD5
3796029b1de9c85061c53d3076ef76bf

SHA1
725ba9c2171f5166f3e3934f4a6df7851f20f07f

SHA256
7821bb54a0f8c3cee798051ed93e55cc622351d4d0023f1baf56a818e3848b32

SHA512
f990c73b1a7dd1e1dadf1e78a651e991bc98a4b5a3e17267d1083c16dbd6a1ec86761962c9dfd5b371bc13cb69aacb06bb3f11882a29603e33946bf00727d0bf

Download Submit
/data/data/com.thesefamily0/cache/ehoqb

Filesize
448KB

MD5
14b72014546160b3ef22df0ca2290cc9

SHA1
56a86eb5bf2454243da148c679681127ed64f99f

SHA256
49b66ef3101699a1dca70c0685c80ff9306f3e99d11a65a90f3a88ebb9691df1

SHA512
47e7d456eaf7b1433c15b7cdb9e94879667041c895d28ae202b68afb1d4d4f633cea47a68fe107574d7c3729038011ff186aa2f030c75a628521395df11c8570

Download Submit
/data/data/com.thesefamily0/cache/oat/ehoqb.cur.prof

Filesize
501B

MD5
7de18b68f429bee2b542b406a3cb4247

SHA1
1073e734611cc3ce4054553dcd1c106773286d2b

SHA256
8552ab1c2cc109bc210f0375e68b0c3b451aeb1a75dbb8d22f43a6d9d69163c6

SHA512
da480daacbf2a5a11bb66b666e4942c11812b5b1d2d5da33caa76601c2a6f28872d2877f6cd6e61a1cfdac82e27ad5c5bbc16817738eb4aa78f0b55b456a8f7c

Download Submit
/data/data/com.thesefamily0/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.thesefamily0/kl.txt

Filesize
237B

MD5
694e2f4e61def4948d1a600f1d9d6809

SHA1
d8ef10773f1bed0ecb3a05d601ce7538f1e9cdf0

SHA256
83bb1efc13d53139c4e6ce255bb3781e9901c0d64062787eef752ae9404a1672

SHA512
2a4c8cf8dfda13ab0190e510210dd2d8408da8e932d82cdecce329455de5ef25c28f2c1d36c7b42ba4ef669067084f9f1f9be5e6815686f3abb1179da44434fb

Download Submit
/data/data/com.thesefamily0/kl.txt

Filesize
63B

MD5
d19f3663736d50102311fc7cfdddf3de

SHA1
24b42f1f3fae35cf6b45f58dd3adfe36ed10350d

SHA256
1d001e5af8eb5a20c697340bfada453ea9d480cf442397c7bbca097ffe8cf55a

SHA512
c626bb6b865be92f2e12872cc3c04d5c8a1712dc9d92b51055bd26d9164acdb4d12ad50ab42d7bc9db9e0813760757c136b492beae4f15dbd8fcec80b423fbbd

Download Submit
/data/data/com.thesefamily0/kl.txt

Filesize
54B

MD5
308caf49c9dfce1c5eaca9f9f66cc06e

SHA1
ecd0b2d8ed5165a382a88c476a17fa78aabde8ca

SHA256
5f36bf860becebea876fe0dcb0df88ccab6f08084fa159355421dd9c95476dbc

SHA512
a4573246167c3e60aa45e0cdfe5dfd96d4b6dac77fa257f54843b88b8bf6a95d07421acb803ea8a936538f5db87ad88b0601d1a8bfc7322dbb8f6f7a8e58cc11

Download Submit
/data/data/com.thesefamily0/kl.txt

Filesize
437B

MD5
42d30eaaa0a761b35c4bf0e0a6853921

SHA1
2fb77850635530f51ae0aff2ba8d56631e125bd9

SHA256
85a970d9310fedb5bad52e7b7973013cb9f9de3a162e913e879ccd05f96a697d

SHA512
e7a3321c9827ca2cf7174bd100418f45461bfb6ed5365bbb7d4cf42f1c61f1d059967928dfad526a08f8ba348f893a864a4b1faa76a3c2ef09b6d882892d5c0a

Download Submit
/data/user/0/com.thesefamily0/app_DynamicOptDex/ckuhEr.json

Filesize
7KB

MD5
3cac1d8ad3a49fc38253deccb2dfd157

SHA1
33153aecd865e2a4c212338bedae33039446bb46

SHA256
c3ec070807195d9b4af5d23cbe9393f3e17e8f6e15b850092e968d1bfece6fa4

SHA512
9c1aa1da1554227c1875cc1aecd390207f652f7c02d759d8c4fcf4f6fd6c5f1e99335ba647a178903bb92f545391c41a621209711a51efc8bd96af4836749c4d

Download Submit
/data/user/0/com.thesefamily0/app_DynamicOptDex/ckuhEr.json

Filesize
7KB

MD5
72fb2b30a875005b156cc1a46cecae35

SHA1
71d830731d9a8c736c9850803a49b9305ad433ac

SHA256
80991c9328d0785ef6f56897f32a24ab54602be35f6b6333bd05da6108d43fc3

SHA512
79cd29cdafd2587864183ef8a2024194c5a89e74873e42093f7fa064934599c0cf9f822d06e632572ff48a650b2b13a94e2b5ee0fe87d897afbea2f681758934

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads