octo | 0cef4cca88d762205fb8e6426dfda4bee4f1133eb5868534e7fcb901aff4a3c9

Analysis

max time kernel
148s
max time network
130s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
25-11-2024 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cef4cca88d762205fb8e6426dfda4bee4f1133eb5868534e7fcb901aff4a3c9.apk
Size

2.6MB
MD5

819e3682dfda596d1b267d8fd434b6d9
SHA1

7c8fc71b4b6ccc278e4ff6d233078edac7fb4858
SHA256

0cef4cca88d762205fb8e6426dfda4bee4f1133eb5868534e7fcb901aff4a3c9
SHA512

3dae7eccef12f3ae50aa6454cbc376f4a990b3f095f73ab1238769f720c1c609e0bf6548c85556f694eafea8092c27ecad699cd4db2614f89838eb6a01c08260
SSDEEP

49152:qwQRN3PDAuGMcrf7ePwNhaSrFMXm8Q9Q/YEs4HDfv623BKEDPMvCyYnujLOYv7m0:qwQRNfDwhrqPsrv9QQ2jNRKgtyYnYTvh

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://asdkjshdakjshdkajs.hk/MTBiYTAyMTk0NzJj/

https://askjhksajhkajhskajhsa.hk/MTBiYTAyMTk0NzJj/

https://kokmokmokokmokmok.hk/MTBiYTAyMTk0NzJj/

https://iuhiuhiuhiuhuihiuiuh.hk/MTBiYTAyMTk0NzJj/

rc4.plain

Extracted

Family

octo

https://asdkjshdakjshdkajs.hk/MTBiYTAyMTk0NzJj/

https://askjhksajhkajhskajhsa.hk/MTBiYTAyMTk0NzJj/

https://kokmokmokokmokmok.hk/MTBiYTAyMTk0NzJj/

https://iuhiuhiuhiuhuihiuiuh.hk/MTBiYTAyMTk0NzJj/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4374	com.notecontain38

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.notecontain38/app_DynamicOptDex/ROyN.json	4399	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.notecontain38/app_DynamicOptDex/ROyN.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.notecontain38/app_DynamicOptDex/oat/x86/ROyN.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.notecontain38/app_DynamicOptDex/ROyN.json	4374	com.notecontain38
/data/user/0/com.notecontain38/cache/odwxtptp	4374	com.notecontain38
/data/user/0/com.notecontain38/cache/odwxtptp	4374	com.notecontain38

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.notecontain38
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.notecontain38

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.notecontain38

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.notecontain38

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.notecontain38
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.notecontain38

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.notecontain38

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.notecontain38

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.notecontain38

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.notecontain38

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.notecontain38

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.notecontain38

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.notecontain38

com.notecontain38
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4374
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.notecontain38/app_DynamicOptDex/ROyN.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.notecontain38/app_DynamicOptDex/oat/x86/ROyN.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4399

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.notecontain38/app_DynamicOptDex/ROyN.json

Filesize
2KB

MD5
f68bb8afe4774783d38e83486b3f7fe7

SHA1
5306d7879ef59ceaf2644c1e28e8f6e10465da22

SHA256
b5aa44c6b59f21a416ef09a4731c4c8f7604633983266144412236e1c88c05fb

SHA512
fa934c30c3d6ebc2070005ab160cff31a70e659041a73edbed131eebc612c4cee422c3bfd56cc8835e04b1de87d763205b6569287eda84443aef8fcaa5ab6d3c

Download Submit
/data/data/com.notecontain38/app_DynamicOptDex/ROyN.json

Filesize
2KB

MD5
769b99c39c99f53c5c902cfcb706c172

SHA1
a393d9e3fad1f69c4f213c5e1e58a2200ab37f22

SHA256
82ba3eee2d953d5d1b21be5989354421efe22f97b9637225e0b63ff20f3538a7

SHA512
97f4e1b5fc77cb4ab3237304af72d2f6b58777302f10925bd86d8d993b9294fd76c42beda4e27f09db5f9fe41677573eb5e33b4582e153d832d0634a41d87b8a

Download Submit
/data/data/com.notecontain38/cache/oat/odwxtptp.cur.prof

Filesize
499B

MD5
782b9895d9b90d5ff23e7267ea8d7ac9

SHA1
4177aa9bf38075b1de23a37566462d0d471abd87

SHA256
ba4e2b195e12a03cf7ac7544862ba6dad576dd9262a79bfd0691dabed3273515

SHA512
449ba0b9869c8932a53efbc72ca4cdc76d3feac32a2e18cccc1b5ca146f4d772f71d28bb86d7e452838c94dedf17bec6a03129e6e0448d2d193a4047177e434d

Download Submit
/data/data/com.notecontain38/cache/odwxtptp

Filesize
450KB

MD5
d8fbf98c72499db22fbe94f3f7d84abc

SHA1
10256505bd0ec3cc05558e0b0961b99175f71431

SHA256
df18b5370cea37900301e469f8149e86c085ad73a3681cb56dbec0760f891ec1

SHA512
9cf69b5e34357d3710a587d52c789193a354133d96cdf20aa7d1f1dd79908ce70db54d625429d80b48c4f5d35dbc223df11cf8d012bc343f9b3ba318901900a3

Download Submit
/data/data/com.notecontain38/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.notecontain38/kl.txt

Filesize
237B

MD5
0086e9acc7b798d39cbf30f01156b3f8

SHA1
7b8eeed71aadcb9da34aa286c41c7c2bd8aae4a5

SHA256
ab819d26a29dbcc9d4271d9d58163e2dc3613ea3d41f8478dfc7bfcaa2188750

SHA512
2a09c28e1151ae95bdfa276888cabd5ddd3c3606df786b4370ca16ee5bc1352c785ab018fcef41172a4136db4dac396878e15d1275043d8b8c893cae141bc14d

Download Submit
/data/data/com.notecontain38/kl.txt

Filesize
54B

MD5
1baf7e228dbed21036627b8f545923d0

SHA1
7a6bdaf4e640f74edb8baca895a17cdb1388b0a0

SHA256
e4357af273ec3ffa1abc8e99b6fb359608cfc6eb055b99cd2a69a27c9c0a4fd3

SHA512
e5d20e5ba8aeef325a832cacc11f2e4d86d87d9406827b3b74e7791fae3eae4769d68c354c9022df1132cefe6f7f2fcac7ec2697e0932e5a89dbd8215b955f0f

Download Submit
/data/data/com.notecontain38/kl.txt

Filesize
63B

MD5
83122c0f72d9887686f7955bd5cc248b

SHA1
6603b9cb6e86bd937b11ba13164c8ec0d558cc03

SHA256
0e0a202193876f4b71e0eb7f466b32203a97daaa7586dd05454bf5e6c08f3296

SHA512
0c49f9fa3c7abe3705627e864c81aed2da99e9cf4f700ba602ff3bf0ee2574dfc0363762e317f88dfccb38d054ffb5948acfe9674f7906954f4ef96086c23bb6

Download Submit
/data/data/com.notecontain38/kl.txt

Filesize
437B

MD5
b58427f53f8e898f78e14b063754310e

SHA1
2fb87ce501435900e05142b5de246842aaadc038

SHA256
0dbb2d9e7b49fef26877fae591a7b2a516d1b522e5f81d11ed04e01e64313ec7

SHA512
2a05e83bd32c8e53b5cfd4794f95bb3fb77fb2695d3f2abd98c467a92c667fc589441aa5f75d7356931fc55fd598b7b3ab548056196d1f13ee9e505720d0e423

Download Submit
/data/user/0/com.notecontain38/app_DynamicOptDex/ROyN.json

Filesize
5KB

MD5
7a87bca7af6891b86e1a989aa3ba2afa

SHA1
a1c4e974bb8c295a44ddb7b9467519c74f9843a4

SHA256
7e58b34ed3e156f87d51126e45babd566048b39876cd65f1333d64bc78e3a985

SHA512
365c05a1c996337b63aee8b43acdc8b4c2eec69831a554286e1515a9bd8432e1b103486bc1b10d1e7e398d97f1d68df0c01906e415a288fcbea0fe0057a6271e

Download Submit
/data/user/0/com.notecontain38/app_DynamicOptDex/ROyN.json

Filesize
5KB

MD5
e60246a90a41c7b98d781ff1a7329562

SHA1
62fc652649de8a67338706a5f5ead79541e3f75c

SHA256
d8f61d35176f8302e924bf1b5c6b097c8a61923deda20a51351310c44b49ca49

SHA512
cd51399e7d32bd48db582d4d8da88eaa54005affff0434ae0dca91e001ec949b8d8a6af3b1d4baeb8c48ba2dbc8f35a3c8e94b5701a64614547fd4bb24ed4388

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads