octo | 310e5a2e33c8dc27f83ec5d47ea3fb14fff805753f44f14247e312bec735f2dd

Analysis

max time kernel
149s
max time network
157s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
25-11-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

310e5a2e33c8dc27f83ec5d47ea3fb14fff805753f44f14247e312bec735f2dd.apk
Size

2.2MB
MD5

83bdf5b3118a5c29ab70ac0a0732073f
SHA1

e2564f67e9c3d6dd5a79828616c1ce41c40b9ec3
SHA256

310e5a2e33c8dc27f83ec5d47ea3fb14fff805753f44f14247e312bec735f2dd
SHA512

e608a0dc33306a6fbe9806ab2e89106bc1f7c2b7edb7046fc074c913d451eaea5c5b7604316ddb0e37ea39139a1f4ad1125ed5f1fc5dfdd87625d060ef686763
SSDEEP

49152:EP7kCLwm5gLJ3aZqnBq7e2AEHZYXFR2p8NssKiKv62yEQVM/CyYn7FmXDSr1iQRZ:EPmm5qe+VEHZOjkNyZyYnUzSZiQVR

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://bunaseiranahui.top/ZmU2YzQ2NjZlNjc2/

https://lauytropopo.net/ZmU2YzQ2NjZlNjc2/

https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/

rc4.plain

Extracted

Family

octo

https://bunaseiranahui.top/ZmU2YzQ2NjZlNjc2/

https://lauytropopo.net/ZmU2YzQ2NjZlNjc2/

https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-3.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.muchlightoyzl/app_DynamicOptDex/EkaTh.json	4428	com.muchlightoyzl
/data/user/0/com.muchlightoyzl/cache/kyrvsbmwxw	4428	com.muchlightoyzl
/data/user/0/com.muchlightoyzl/cache/kyrvsbmwxw	4428	com.muchlightoyzl

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.muchlightoyzl
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.muchlightoyzl

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.muchlightoyzl

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.muchlightoyzl

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.muchlightoyzl

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.muchlightoyzl
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.muchlightoyzl
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.muchlightoyzl

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.muchlightoyzl

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.muchlightoyzl

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.muchlightoyzl

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.muchlightoyzl

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.muchlightoyzl

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.muchlightoyzl

com.muchlightoyzl
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4428

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.muchlightoyzl/app_DynamicOptDex/EkaTh.json

Filesize
2KB

MD5
494bca46c5f7f528753e84b06a801682

SHA1
6a0f216dcb37bf72930dd3bd95181ce4465ad495

SHA256
d64d3379cc0d739d2572f333c9866b82748a4b868ba4a7ef194287f707a7e426

SHA512
d3b06bd225bbc0649a6b985af09b0695437cc7d9f6b78315cfa0c2e9887b8a22cdbd9f1270e160538f1d7b4084093df69432b5f6efd869f8b557798ab41a6f5c

Download Submit
/data/user/0/com.muchlightoyzl/app_DynamicOptDex/EkaTh.json

Filesize
2KB

MD5
6d607f63673e30b7d5918c95de76a9b1

SHA1
61c7390510e4bde9b677edfe8123d9833935d323

SHA256
e31a5ad3590a04ba5ebf2d44cf61fdd1d128bc534a6b39d379c821e2c7afcc2d

SHA512
6aff3a6bca982d3544f698ec075ea111f854f62419c738beed6888d5386b4df5ebdb62258217d9c8ce3157c77042b3d36b8e738ec52302d576d93ee3367a70b4

Download Submit
/data/user/0/com.muchlightoyzl/app_DynamicOptDex/EkaTh.json

Filesize
5KB

MD5
80aa783c8bf7e6239f752aa15360035a

SHA1
7a09519ea5f4feb38a932747454db2154af5a76c

SHA256
204b9742e37c3f6686907bea12976d51254276ad18630373fea69b55098cb700

SHA512
ac6e0ab86b3cd6863b92916fbe08de55554d519e1019c59a6668c71add1bcc71d04ec017b4ec33349d294b633116c24c353b455657f9ad0ea13623f724f2e573

Download Submit
/data/user/0/com.muchlightoyzl/cache/kyrvsbmwxw

Filesize
449KB

MD5
f4643596efb1b54939fbb9d7ad0197ac

SHA1
b559a8ba2dab6e3a164debe944e381438a006013

SHA256
09f2ca5497c1f4836d543fa1b0df40ef326e4a20210a772f791f71c6cf8189a4

SHA512
7debb5deb4fe9f9b690c4a5ae6070993e91168506b8fed7319cb7b64c56890c1dcaf7121774e9e91cf9936f1175eb22a91a1b53fef8cf4b215eeb39219d72363

Download Submit
/data/user/0/com.muchlightoyzl/cache/oat/kyrvsbmwxw.cur.prof

Filesize
331B

MD5
1024635235ec01b9f1966a91c764680a

SHA1
1dc0249e6538ca08ab940b72de0d4431aaa4ba21

SHA256
e7992a8c2057c54242ec581ca07bb0eb8ece1e09ecdb47d66f37bddac4610b00

SHA512
0d38725a4189189175df92cc6cf75c1db6391790007ef4f8b59b7a7222dfefb6295c41b712e747b9f7f06c9708b0ac8cca0ad49b3f3fc8c2917c10b5689498c7

Download Submit
/data/user/0/com.muchlightoyzl/kl.txt

Filesize
75B

MD5
995571368d3747c7add3dc2e6a0518b8

SHA1
e235654d50916e9dd2a718dcac7111e298b84d5c

SHA256
7769c53f8778e15649cd9cb4826fa4ea713cb725dffa5b6849bfdf4705a66064

SHA512
3073a172d24be96cadc285ad02712dbb31fa7ed1f97ca7ffd0d133201d25242d26de391d4d15ac4193d22257161b159d57325d89842adf90f1f127ae766785fe

Download Submit
/data/user/0/com.muchlightoyzl/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/user/0/com.muchlightoyzl/kl.txt

Filesize
237B

MD5
7c65c0075f95942285cdaf5b8a009b0e

SHA1
e5e1a30d6fd298fca04ea9ac7f46651dc109ad5c

SHA256
7463582848e5ef7800761322205949c4b0567d1019b1af1a6cfc5289ef913501

SHA512
ed4cb53fc8d1655f0f921f3a18129ad2affb80bd9f0641ee365caaf0cd1c34d9cea9d2ea6a51c05459444d4fd45a9a1c5bdb369094def8e985c7d5e222ff604f

Download Submit
/data/user/0/com.muchlightoyzl/kl.txt

Filesize
45B

MD5
b8fad8d9e97ffbdd0c7d317992599b17

SHA1
c0e14c927340e55a8c975e21216f130e40d1b5c8

SHA256
ede5512d5efbb3ea0698670510667dcd12f681890c8af7b2994799ee0d75761b

SHA512
055ca45a8cf76856d1bc5b63476782336e9f4fac4e2f188112b0e517e1a1a8c92d37f4c3ac5fedb1f6a9c157242fb35958d49adda06dad9c3ab3e6ce0544b991

Download Submit
/data/user/0/com.muchlightoyzl/kl.txt

Filesize
63B

MD5
62eb56b804ae150c80918de6bf848a4c

SHA1
39397e3c0247072a1a5377a5330f92fa1a87424f

SHA256
65f96f5194741bc0d436a91ff92c7dc4a69580459d1da3c790207fba46a389da

SHA512
72f087cebbbc226d290aa2ff2df73d4affb5659fc7b4419c6778828d98cef57125a600f290c1d290ffde0da2e410b2f098f0216067792768dce6d416bbe12245

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads