octo | 6efba5709ec73c91e961cdf2a11f47c748a96ac909202c3b676b432e1b1fdef1

Analysis

max time kernel
149s
max time network
132s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
25-11-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6efba5709ec73c91e961cdf2a11f47c748a96ac909202c3b676b432e1b1fdef1.apk
Size

1.7MB
MD5

d22123c3836a3172fb8d2d229cc49ecc
SHA1

c9218a754bb9dad8884a028806ac61e266822eb1
SHA256

6efba5709ec73c91e961cdf2a11f47c748a96ac909202c3b676b432e1b1fdef1
SHA512

88e464e0d836c5db8832a89b247a3d1d61e11d93ada100cb535a41361c46953857d77abf87179411d3bc68d16ec8837dbb9b19035f599116033f032c841fc4e6
SSDEEP

49152:8zZZWI1BGiqkGJmvhzy10JstONxhXmZGZbmqh6czAE4KoSY:8zZZ51BGiBGozeQstON7XmZQ/hij

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://nonkapizza.top/MmEzNTkzZDFkOWQz/

https://lauytropo.net/MmEzNTkzZDFkOWQz/

https://bobnoopo.org/MmEzNTkzZDFkOWQz/

https://junggvrebvqq.org/MmEzNTkzZDFkOWQz/

https://junggpervbvqqqqqq.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqgroup.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqnetok.com/MmEzNTkzZDFkOWQz/

rc4.plain

Extracted

Family

octo

https://nonkapizza.top/MmEzNTkzZDFkOWQz/

https://lauytropo.net/MmEzNTkzZDFkOWQz/

https://bobnoopo.org/MmEzNTkzZDFkOWQz/

https://junggvrebvqq.org/MmEzNTkzZDFkOWQz/

https://junggpervbvqqqqqq.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqgroup.com/MmEzNTkzZDFkOWQz/

https://junggvbvqqnetok.com/MmEzNTkzZDFkOWQz/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-3.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.thesefamily0/app_DynamicOptDex/ckuhEr.json	4518	com.thesefamily0
/data/user/0/com.thesefamily0/cache/ehoqb	4518	com.thesefamily0
/data/user/0/com.thesefamily0/cache/ehoqb	4518	com.thesefamily0

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.thesefamily0
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.thesefamily0

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.thesefamily0

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.thesefamily0

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.thesefamily0

Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.thesefamily0

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.thesefamily0

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.thesefamily0

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.thesefamily0

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.thesefamily0

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.thesefamily0

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.thesefamily0

com.thesefamily0
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4518

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.thesefamily0/app_DynamicOptDex/ckuhEr.json

Filesize
2KB

MD5
00b298b854df5c3c5530fa7f72cb77ae

SHA1
bddc9ef265db1c4a9ac8f2903423d2dba2ce6858

SHA256
408810597e8c6c9c6c96984a7633f9487efdcbbb2dac32d559788ed7642feb46

SHA512
ef048c64f5f6428960e091cbd74eec4f158c006510376349c61e673ca013d0907a88d45ec50bfe5035c53907c994991c831779b28e8afc03dc11820d84369e7d

Download Submit
/data/user/0/com.thesefamily0/app_DynamicOptDex/ckuhEr.json

Filesize
2KB

MD5
3796029b1de9c85061c53d3076ef76bf

SHA1
725ba9c2171f5166f3e3934f4a6df7851f20f07f

SHA256
7821bb54a0f8c3cee798051ed93e55cc622351d4d0023f1baf56a818e3848b32

SHA512
f990c73b1a7dd1e1dadf1e78a651e991bc98a4b5a3e17267d1083c16dbd6a1ec86761962c9dfd5b371bc13cb69aacb06bb3f11882a29603e33946bf00727d0bf

Download Submit
/data/user/0/com.thesefamily0/app_DynamicOptDex/ckuhEr.json

Filesize
7KB

MD5
72fb2b30a875005b156cc1a46cecae35

SHA1
71d830731d9a8c736c9850803a49b9305ad433ac

SHA256
80991c9328d0785ef6f56897f32a24ab54602be35f6b6333bd05da6108d43fc3

SHA512
79cd29cdafd2587864183ef8a2024194c5a89e74873e42093f7fa064934599c0cf9f822d06e632572ff48a650b2b13a94e2b5ee0fe87d897afbea2f681758934

Download Submit
/data/user/0/com.thesefamily0/cache/ehoqb

Filesize
448KB

MD5
14b72014546160b3ef22df0ca2290cc9

SHA1
56a86eb5bf2454243da148c679681127ed64f99f

SHA256
49b66ef3101699a1dca70c0685c80ff9306f3e99d11a65a90f3a88ebb9691df1

SHA512
47e7d456eaf7b1433c15b7cdb9e94879667041c895d28ae202b68afb1d4d4f633cea47a68fe107574d7c3729038011ff186aa2f030c75a628521395df11c8570

Download Submit
/data/user/0/com.thesefamily0/cache/oat/ehoqb.cur.prof

Filesize
330B

MD5
dbc1db2a6fae871618ce66bb204c2f9f

SHA1
c287503ac5475090e95d3c6771c2ab56f032ecee

SHA256
80cc575cd5a78b79ee1233e07d5a2ff1226d477af3f17c7745dc04117064a539

SHA512
e1bbf5c3cf23465b7bd28d91fb25c887f8c6b2616843d59c35eb82564300adb19622832aa70cb15a867b02a0b2f2030564a52346300ab5c686ed97c520200a9c

Download Submit
/data/user/0/com.thesefamily0/kl.txt

Filesize
75B

MD5
d82f15e10dfcbde14f835374d48707e4

SHA1
229db7e87089f991e042f3ef461e47b49ea62888

SHA256
4433ab3a572e337eb30d891a072f04f8d868ea208c9941ef21d44995a6bb55af

SHA512
7de0fe440a8db1929c4263f630c8bb6b367ebac8e99b3ba0fa54bd7a29696fb0ffc9d1cbdccb2c4afaa8dae58d929e4b80b62901ff17c6a8e86835a8ab408ea8

Download Submit
/data/user/0/com.thesefamily0/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/user/0/com.thesefamily0/kl.txt

Filesize
237B

MD5
f4fc822c5cb6b681714fb5fc534d66bd

SHA1
150857ba27b5d18ec410d0b4138b159f2e3007fa

SHA256
42aafd6942b20637bacc39299b1bb7ff9ba0e167202cb202c239ebb2aa0018fd

SHA512
836b16b7d7c204a7af7049a0b909e4d826e9f1a2b94174215e088b19215167ab187db77e6375e5852dd881fc929ef2a922d151d6fc7423c6c1eaca6e09db28b3

Download Submit
/data/user/0/com.thesefamily0/kl.txt

Filesize
64B

MD5
cf102889105bddd2a325cc1dd59921b0

SHA1
6605c175b08be5920be82dba09dcdbbebab25ef4

SHA256
277a1bf6bc908e04d301c352be44dfc7dbea7813922d33baaa104fb24bc081ed

SHA512
de0ea2c9c4d25d63241d145c75b4d9b28c99748238275771654888368bc04dac27ef4e4c76e41b6a9c1d8650ac5829ad73f39f59176dad2a873fcc64aea96fe1

Download Submit
/data/user/0/com.thesefamily0/kl.txt

Filesize
63B

MD5
070e5e3e7a51cb941e022a8297d672af

SHA1
c2ab31627c5218ea5fb60caf7ccefb456ba59102

SHA256
f868f38770d8b4257bde25660028c8af68702feff1f138707913bb73f264d379

SHA512
9efdb7edd37e41abd9c611c05c11436af8b8f2221b05c579e64f433bcf834f29e4c88eb2b98870e3f96fd99b749cb87d10bcfde6f89c4a4fa1913ba4d0213b24

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads