octo | 310e5a2e33c8dc27f83ec5d47ea3fb14fff805753f44f14247e312bec735f2dd

Analysis

max time kernel
149s
max time network
154s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
25-11-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

310e5a2e33c8dc27f83ec5d47ea3fb14fff805753f44f14247e312bec735f2dd.apk
Size

2.2MB
MD5

83bdf5b3118a5c29ab70ac0a0732073f
SHA1

e2564f67e9c3d6dd5a79828616c1ce41c40b9ec3
SHA256

310e5a2e33c8dc27f83ec5d47ea3fb14fff805753f44f14247e312bec735f2dd
SHA512

e608a0dc33306a6fbe9806ab2e89106bc1f7c2b7edb7046fc074c913d451eaea5c5b7604316ddb0e37ea39139a1f4ad1125ed5f1fc5dfdd87625d060ef686763
SSDEEP

49152:EP7kCLwm5gLJ3aZqnBq7e2AEHZYXFR2p8NssKiKv62yEQVM/CyYn7FmXDSr1iQRZ:EPmm5qe+VEHZOjkNyZyYnUzSZiQVR

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://bunaseiranahui.top/ZmU2YzQ2NjZlNjc2/

https://lauytropopo.net/ZmU2YzQ2NjZlNjc2/

https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/

rc4.plain

Extracted

Family

octo

https://bunaseiranahui.top/ZmU2YzQ2NjZlNjc2/

https://lauytropopo.net/ZmU2YzQ2NjZlNjc2/

https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4215	com.muchlightoyzl

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.muchlightoyzl/app_DynamicOptDex/EkaTh.json	4239	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.muchlightoyzl/app_DynamicOptDex/EkaTh.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.muchlightoyzl/app_DynamicOptDex/oat/x86/EkaTh.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.muchlightoyzl/app_DynamicOptDex/EkaTh.json	4215	com.muchlightoyzl
/data/user/0/com.muchlightoyzl/cache/kyrvsbmwxw	4215	com.muchlightoyzl
/data/user/0/com.muchlightoyzl/cache/kyrvsbmwxw	4215	com.muchlightoyzl

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.muchlightoyzl
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.muchlightoyzl

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.muchlightoyzl

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.muchlightoyzl

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.muchlightoyzl
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.muchlightoyzl

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.muchlightoyzl

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.muchlightoyzl

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.muchlightoyzl

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.muchlightoyzl

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.muchlightoyzl

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.muchlightoyzl

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.muchlightoyzl

com.muchlightoyzl
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4215
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.muchlightoyzl/app_DynamicOptDex/EkaTh.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.muchlightoyzl/app_DynamicOptDex/oat/x86/EkaTh.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4239

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.muchlightoyzl/app_DynamicOptDex/EkaTh.json

Filesize
2KB

MD5
494bca46c5f7f528753e84b06a801682

SHA1
6a0f216dcb37bf72930dd3bd95181ce4465ad495

SHA256
d64d3379cc0d739d2572f333c9866b82748a4b868ba4a7ef194287f707a7e426

SHA512
d3b06bd225bbc0649a6b985af09b0695437cc7d9f6b78315cfa0c2e9887b8a22cdbd9f1270e160538f1d7b4084093df69432b5f6efd869f8b557798ab41a6f5c

Download Submit
/data/data/com.muchlightoyzl/app_DynamicOptDex/EkaTh.json

Filesize
2KB

MD5
6d607f63673e30b7d5918c95de76a9b1

SHA1
61c7390510e4bde9b677edfe8123d9833935d323

SHA256
e31a5ad3590a04ba5ebf2d44cf61fdd1d128bc534a6b39d379c821e2c7afcc2d

SHA512
6aff3a6bca982d3544f698ec075ea111f854f62419c738beed6888d5386b4df5ebdb62258217d9c8ce3157c77042b3d36b8e738ec52302d576d93ee3367a70b4

Download Submit
/data/data/com.muchlightoyzl/cache/kyrvsbmwxw

Filesize
449KB

MD5
f4643596efb1b54939fbb9d7ad0197ac

SHA1
b559a8ba2dab6e3a164debe944e381438a006013

SHA256
09f2ca5497c1f4836d543fa1b0df40ef326e4a20210a772f791f71c6cf8189a4

SHA512
7debb5deb4fe9f9b690c4a5ae6070993e91168506b8fed7319cb7b64c56890c1dcaf7121774e9e91cf9936f1175eb22a91a1b53fef8cf4b215eeb39219d72363

Download Submit
/data/data/com.muchlightoyzl/cache/oat/kyrvsbmwxw.cur.prof

Filesize
492B

MD5
a1551c198c2cf01ab1225b4de8ec0211

SHA1
02e62d499a5af674195fdccc69f10ef99de9d981

SHA256
884dfc9c2ab4baa6e9c73b348f37fc0b21e0ea9778f03ac612c72d1450c87822

SHA512
53e4d901c95981e890ad9b98ba01cfa9f540c2dd2839876c6cae00fc3458778c65bc914a6853561dd32d736e117d7e28ba0ad967bd89f50e17076f508aeeaf49

Download Submit
/data/data/com.muchlightoyzl/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.muchlightoyzl/kl.txt

Filesize
237B

MD5
5876ba0d379e401f0758efae037fb055

SHA1
dbffb57a8b2fa7a7c2703cc74b94b2ba22e17945

SHA256
f6c529450eb4a59acd0017abb70508c655e96e171b2c0e01a19ef75f373b5f43

SHA512
51459c12e2259e6e60318afa7e9444a1aac6cf8b61162474753a0f56e212b8f7a8f940308a73e27686f869c69707d3f43f0bf7a252bfba3732461512b95b0ee5

Download Submit
/data/data/com.muchlightoyzl/kl.txt

Filesize
63B

MD5
e08b80adab66c7bc1fde1e7eae7a209e

SHA1
25ddf4ee4c21667e2ac89ab48d71228521ea0e70

SHA256
969129aebf9c40a7424dfb0e9883c6284bf3f223d055e583e75277ffb53c9e49

SHA512
06317164b33bdffa66dc39c2ef46fa99aee557a9b13cd3ca006dc0a4ca1de10619140789746452ad4c49837be6457e6e3465057616191f7c6b868e42e169ef35

Download Submit
/data/data/com.muchlightoyzl/kl.txt

Filesize
54B

MD5
37c21a5da582e942a6532742e1bf1a8f

SHA1
ae13a630db1d90a0f4fa91c1fa50753cc045749a

SHA256
15e3f54140f9b39d4e79c7d014260fe19d1e56a1f401db44d4d7407b20843238

SHA512
0a88786cbebc4a1198c0295cd06f2a1c10dae6ea50050d48dc62f22957adf3b89c462bc7622d9bdf56f22aa5ed3219e6ee63c001ecafcc26391770a3d702dd3f

Download Submit
/data/data/com.muchlightoyzl/kl.txt

Filesize
437B

MD5
978e6648b0ae9a906d00d1d9b0c4b149

SHA1
dd46383bad329d42b09b4d1252e184a3f0af31d1

SHA256
ae94af33df9c9495f403aff862c86afce1904cf7d95975adc8376df422cf2af0

SHA512
e95468642b6a0477b61926440dc180383fe21ed23f141060d1f8cb2851733c607e872e67d21822c02e8af022e71920317cc188511ea7c98c1e6736c8eaf074a1

Download Submit
/data/user/0/com.muchlightoyzl/app_DynamicOptDex/EkaTh.json

Filesize
5KB

MD5
e600726d5bc1e877c95d05030af41ac8

SHA1
e43995582d902d176da5b98ce766c2c7d552f955

SHA256
dbef2eb7b58d62d04e7271be1f79047adee7d1ab236dc2cd0806b08d7b656e4b

SHA512
90a99e9652b3fa8a7c28c5cbd20178a5713757cd3d2776def3019a8e789d56fb04e8e01e66c9bbcd6f652021284a3baad3414e7211176ec08382c87ce432ccab

Download Submit
/data/user/0/com.muchlightoyzl/app_DynamicOptDex/EkaTh.json

Filesize
5KB

MD5
80aa783c8bf7e6239f752aa15360035a

SHA1
7a09519ea5f4feb38a932747454db2154af5a76c

SHA256
204b9742e37c3f6686907bea12976d51254276ad18630373fea69b55098cb700

SHA512
ac6e0ab86b3cd6863b92916fbe08de55554d519e1019c59a6668c71add1bcc71d04ec017b4ec33349d294b633116c24c353b455657f9ad0ea13623f724f2e573

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads