octo | 0cef4cca88d762205fb8e6426dfda4bee4f1133eb5868534e7fcb901aff4a3c9

Analysis

max time kernel
149s
max time network
156s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
25-11-2024 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cef4cca88d762205fb8e6426dfda4bee4f1133eb5868534e7fcb901aff4a3c9.apk
Size

2.6MB
MD5

819e3682dfda596d1b267d8fd434b6d9
SHA1

7c8fc71b4b6ccc278e4ff6d233078edac7fb4858
SHA256

0cef4cca88d762205fb8e6426dfda4bee4f1133eb5868534e7fcb901aff4a3c9
SHA512

3dae7eccef12f3ae50aa6454cbc376f4a990b3f095f73ab1238769f720c1c609e0bf6548c85556f694eafea8092c27ecad699cd4db2614f89838eb6a01c08260
SSDEEP

49152:qwQRN3PDAuGMcrf7ePwNhaSrFMXm8Q9Q/YEs4HDfv623BKEDPMvCyYnujLOYv7m0:qwQRNfDwhrqPsrv9QQ2jNRKgtyYnYTvh

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://asdkjshdakjshdkajs.hk/MTBiYTAyMTk0NzJj/

https://askjhksajhkajhskajhsa.hk/MTBiYTAyMTk0NzJj/

https://kokmokmokokmokmok.hk/MTBiYTAyMTk0NzJj/

https://iuhiuhiuhiuhuihiuiuh.hk/MTBiYTAyMTk0NzJj/

rc4.plain

Extracted

Family

octo

https://asdkjshdakjshdkajs.hk/MTBiYTAyMTk0NzJj/

https://askjhksajhkajhskajhsa.hk/MTBiYTAyMTk0NzJj/

https://kokmokmokokmokmok.hk/MTBiYTAyMTk0NzJj/

https://iuhiuhiuhiuhuihiuiuh.hk/MTBiYTAyMTk0NzJj/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-3.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.notecontain38/app_DynamicOptDex/ROyN.json	5101	com.notecontain38
/data/user/0/com.notecontain38/cache/odwxtptp	5101	com.notecontain38
/data/user/0/com.notecontain38/cache/odwxtptp	5101	com.notecontain38

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.notecontain38
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.notecontain38

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.notecontain38

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.notecontain38

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.notecontain38

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.notecontain38
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.notecontain38

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.notecontain38

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.notecontain38

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.notecontain38

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.notecontain38

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.notecontain38

com.notecontain38
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5101

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.notecontain38/app_DynamicOptDex/ROyN.json

Filesize
2KB

MD5
f68bb8afe4774783d38e83486b3f7fe7

SHA1
5306d7879ef59ceaf2644c1e28e8f6e10465da22

SHA256
b5aa44c6b59f21a416ef09a4731c4c8f7604633983266144412236e1c88c05fb

SHA512
fa934c30c3d6ebc2070005ab160cff31a70e659041a73edbed131eebc612c4cee422c3bfd56cc8835e04b1de87d763205b6569287eda84443aef8fcaa5ab6d3c

Download Submit
/data/data/com.notecontain38/app_DynamicOptDex/ROyN.json

Filesize
2KB

MD5
769b99c39c99f53c5c902cfcb706c172

SHA1
a393d9e3fad1f69c4f213c5e1e58a2200ab37f22

SHA256
82ba3eee2d953d5d1b21be5989354421efe22f97b9637225e0b63ff20f3538a7

SHA512
97f4e1b5fc77cb4ab3237304af72d2f6b58777302f10925bd86d8d993b9294fd76c42beda4e27f09db5f9fe41677573eb5e33b4582e153d832d0634a41d87b8a

Download Submit
/data/data/com.notecontain38/cache/oat/odwxtptp.cur.prof

Filesize
478B

MD5
c8dfc910a30b0f9fc6022b6a831ef7c1

SHA1
46b8297bf4c364a7db0370f7257f107517f9b78d

SHA256
8850391092ca17e96dd5973c966eb05fce910120c55299fd7af62cbc14e935fb

SHA512
d9e120db208422b7de8c6a96ae0f9231f24059e8c5fa366f1e4496838a325e1bf88f60d8267ed765f6be140e7fa8aa17dbbdb8b3d1e7272bef6496b6df58318a

Download Submit
/data/data/com.notecontain38/cache/odwxtptp

Filesize
450KB

MD5
d8fbf98c72499db22fbe94f3f7d84abc

SHA1
10256505bd0ec3cc05558e0b0961b99175f71431

SHA256
df18b5370cea37900301e469f8149e86c085ad73a3681cb56dbec0760f891ec1

SHA512
9cf69b5e34357d3710a587d52c789193a354133d96cdf20aa7d1f1dd79908ce70db54d625429d80b48c4f5d35dbc223df11cf8d012bc343f9b3ba318901900a3

Download Submit
/data/data/com.notecontain38/kl.txt

Filesize
437B

MD5
0ac7eca1838c566597ad388778b9c1fb

SHA1
b3b70fd4d096f77fa67a8cb7631a435f370f397d

SHA256
145a9976c06c8dc23ec78905870864c607ca9c49853d9d9cb57cb8edf645827f

SHA512
948ffd740e9e07d4e7615fdd10ecbd97a738b6792048ab43fc293125ffd60f8d24b39f43d963512b00de9a19371020d6b7b6f1e62551917f4c7f2ac6b445b611

Download Submit
/data/data/com.notecontain38/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.notecontain38/kl.txt

Filesize
237B

MD5
91a9cd3f99736b212d941711b9d30695

SHA1
f48b28830ff31b771b23b3998b465538d3e4acdd

SHA256
3d4154fc8077d555a4897b6e52d4ef90e7ccdb02d29a74f452ee80d1c6647c1a

SHA512
1458986d78f4d4126ca491b80f5b89aac4d1789d18ceedfb1337558cdc2266e7191b4c2a85cf26e1a9e9891ad49657bcf3b371a2414203eaa52aac6438e97bbc

Download Submit
/data/data/com.notecontain38/kl.txt

Filesize
63B

MD5
992282ce82aede2ba85389a43163fa78

SHA1
c0e2a176d4b3f25a13175f6de3f25dd226fca3dc

SHA256
c9238650fb7e27c2348b1eace1bfd3d050970e2075fb587aa630682822b52c5e

SHA512
e6187a6d6731ecb2559e0fe4089c2cb4179800d43c0366a3c843a3bf9d9b88ff3d097d3753a7f48d44fac77f77c14dd92108ba3ccee4a276e2d1c40bf1ab5ce7

Download Submit
/data/data/com.notecontain38/kl.txt

Filesize
45B

MD5
55791e66aea370d468277b0de5dde907

SHA1
1793bb69ab1aab81d5a6afd72bcbb2649e797fa1

SHA256
7461b5c56ac323e748bf38e0b8ea96fd448d53ad034aaa97ce48fc1db9d572dd

SHA512
ce74dd83a43c0e87fc2d4b340ef7a697b1054669cc849fac7733b44c0a6f2533e986ea99d5987dda2cf45a25ca83d6342c4b573c19da41763e2245fd2a33733b

Download Submit
/data/user/0/com.notecontain38/app_DynamicOptDex/ROyN.json

Filesize
5KB

MD5
e60246a90a41c7b98d781ff1a7329562

SHA1
62fc652649de8a67338706a5f5ead79541e3f75c

SHA256
d8f61d35176f8302e924bf1b5c6b097c8a61923deda20a51351310c44b49ca49

SHA512
cd51399e7d32bd48db582d4d8da88eaa54005affff0434ae0dca91e001ec949b8d8a6af3b1d4baeb8c48ba2dbc8f35a3c8e94b5701a64614547fd4bb24ed4388

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads