octo | 3a97e7af74accc0c8729bb6823ab598826450153643244a2539bf04cd66cab10

Analysis

max time kernel
149s
max time network
143s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
26-11-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a97e7af74accc0c8729bb6823ab598826450153643244a2539bf04cd66cab10.apk
Size

2.0MB
MD5

31cb6dcaa5fd6bb68483612e57f9fe3f
SHA1

df8a28b6e9156469746d01bcba91847c8d7a01c1
SHA256

3a97e7af74accc0c8729bb6823ab598826450153643244a2539bf04cd66cab10
SHA512

24cda85bde35605752e09207725d28b1f51459b8ca2271b83d11e6b10ab9adfda7ee39910dd85dba5f2afeef7af8ca91b6822e1a4fdadcc900be339cc8132da8
SSDEEP

49152:3wKvxHYmKTm8iLg2w7FL/4gu4szv62HEZMDgXwMvCyYnjlmXLWr1HQRuCFYu:3wK5HnuJiU8zNH8wMqyYn87WZHQSu

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://zalupenn.top/ZmU2YzQ2NjZlNjc2/

https://lauytropopo.net/ZmU2YzQ2NjZlNjc2/

https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/

rc4.plain

Extracted

Family

octo

https://zalupenn.top/ZmU2YzQ2NjZlNjc2/

https://lauytropopo.net/ZmU2YzQ2NjZlNjc2/

https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4307	com.usmay15

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.usmay15/app_DynamicOptDex/YTupAi.json	4389	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.usmay15/app_DynamicOptDex/YTupAi.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.usmay15/app_DynamicOptDex/oat/x86/YTupAi.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.usmay15/app_DynamicOptDex/YTupAi.json	4307	com.usmay15
/data/user/0/com.usmay15/cache/mpeolbwdbcu	4307	com.usmay15
/data/user/0/com.usmay15/cache/mpeolbwdbcu	4307	com.usmay15

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.usmay15
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.usmay15
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.usmay15

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.usmay15

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.usmay15

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.usmay15
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.usmay15
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.usmay15
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.usmay15

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.usmay15

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.usmay15

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.usmay15

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.usmay15

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.usmay15

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.usmay15

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.usmay15

com.usmay15
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4307
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.usmay15/app_DynamicOptDex/YTupAi.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.usmay15/app_DynamicOptDex/oat/x86/YTupAi.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4389

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.usmay15/app_DynamicOptDex/YTupAi.json

Filesize
1KB

MD5
a4d3a9756d492620a11fe0a4b0270f86

SHA1
7ff3199c4a4a88bd7f57a1228d6f4b6e80d6b314

SHA256
66f0aaaa27bd08e939b45b17db0d32bd908c716972cdcbcfa33579991aa7e8a3

SHA512
c64467e8945381402c0d756d0659c9878406ea1c17fe0e0feaaa5a34760d53641c2d94a833166538b1feb0470fbdedab7473b5de9c6b5bbce9cfda59d08fde4f

Download Submit
/data/data/com.usmay15/app_DynamicOptDex/YTupAi.json

Filesize
1KB

MD5
f361384243cef0873cc4c69b169fdaeb

SHA1
f314d82db0e6710339dc926a86f0087bc12012ce

SHA256
0aa8abc33fb0d87f7b3012be0b124b8de1fabf5cfeecb80db6b86d66dcde0481

SHA512
451b4d2157bbf456a7dd44b8d39d55443352cce6f77943a3e283ae549c5c47129b6b9f3b22d615506546156764afe37f59c7cd144d83ae9afb6fa64b4b58597d

Download Submit
/data/data/com.usmay15/cache/mpeolbwdbcu

Filesize
449KB

MD5
e74ae5348778aa3f382a98a007af007c

SHA1
834a82d48bf3419b40d1ca752455f01f460470e4

SHA256
72d566af5501fcdca27fd0b7f6eb71b560fd973570d7799986a5da268abb140f

SHA512
95933ae069fb700a2b513462288db350b884e45b33c8b141a3dcacdefa6007e524dff35c92fee41619e0bb456171cb8f57775bc969c4b0d63062efd98d663535

Download Submit
/data/data/com.usmay15/cache/oat/mpeolbwdbcu.cur.prof

Filesize
477B

MD5
ba53c4954db3c2b6df08b471768c4e10

SHA1
de5c7e2d719ca82102d7dab4b1ff742557b93041

SHA256
ce78f0f54b71113cac5530cdf96054e5bdfc30ecf9f75885088002a03c563c87

SHA512
ed66ba64584aedb7d8ed528fa745c84ee7ba1ebc719a61519d3d9a620ff75f23c7c581e2f6bcee99c16c808ed54d36cade0b06b2efdb17489e7b128372b9520e

Download Submit
/data/data/com.usmay15/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.usmay15/kl.txt

Filesize
237B

MD5
77bb9175d439d1b884b6d3b330df14bb

SHA1
d6125aa6d1e37e995d6fb647a9f5047f1694f0c5

SHA256
4123da74ed700554f12fc79be25fd473642b5c230ad7120135f0c7b4b1f46e63

SHA512
39dd6e02fddedcfacdfa80b310b47f579b5866bd9cc3de1efa25f24159728c660d2ac797015637400dda93fe511fe61223860322b800a7ca2e0b4898854d229c

Download Submit
/data/data/com.usmay15/kl.txt

Filesize
63B

MD5
b089dee11b7a47d65db2dd29fc9ef3e1

SHA1
615d35d39b69109cc9dd2e695192e4e90fa8201a

SHA256
c058ee66803cd8a1f3df096b2438e7d1dd25c00d7385d924084db89a32cae559

SHA512
4c86fce16c0f4367fe17494e2c4ed5b4d4549f344c5164df9de5b18714ce41f2823ca3053f26133f0b77da880e25c304ca38075c4433d535f878a5d7fcd5109f

Download Submit
/data/data/com.usmay15/kl.txt

Filesize
45B

MD5
60f3b3858b763d046f741e286e5eaf4a

SHA1
3fc6b8480ee907bc47fed2407054f2624c64cf5c

SHA256
9e5129b84c09e74c9fd3a53360a8a1df3c2b284f38c13c265aa6fe1c4d7fe6ac

SHA512
1bc5e0f6ffb5c4862adc6eb95d6d2de02c10a2e86cae2757d6766d8950ab985402056d7f4d553ccc53df11831af0ced21f1172802287d2006fb32f5fe8abe5ac

Download Submit
/data/data/com.usmay15/kl.txt

Filesize
437B

MD5
24fab3343b130d5a9802e15643bda7ac

SHA1
8c624e5573c0945e81302948d15a226908848213

SHA256
c310beabb93a49f82d067e636db17e33d6ae18dee14742a70847ce932f71d774

SHA512
9a37b0f68eb64fadff7b0fd2bbd6c7b6def8b634c2e5d75ea670d37d2241037a9882a35bf4b4c3352823c5865911fcac6509c1b82ee35d4ee7cd1382ff73b65d

Download Submit
/data/user/0/com.usmay15/app_DynamicOptDex/YTupAi.json

Filesize
2KB

MD5
c8e48747f77685380ac05db44f98e7d7

SHA1
02d29941c7dc06473bd7bd85928d1a77f237ecb8

SHA256
916f44a2f7e3f11cfa322258b55aa9e96d6fd2916b2cfe07102e7a41648b1284

SHA512
11fa67df9612ecb2847bfc27859eaeb35d694b563cc472c56f6b2e82977e58e103dbd12d01b86aaa72885de2c52d58d1cb399d1a1e2c038088d9b431a7b725d3

Download Submit
/data/user/0/com.usmay15/app_DynamicOptDex/YTupAi.json

Filesize
2KB

MD5
25bc9739c62421ac8cd3d081bc73f485

SHA1
3480f9a3718a857fa05ac95c77335dbfc66eb548

SHA256
85fd1fa056c1f1a034b5eae85f8b94c32b7d3cc2756f36e393c478fad68cfff5

SHA512
674cdf8c9c409bb5f5c49061642bc478a5431b03fcf87348cab72ec7bb5f34545f8560b1ce602807f07f18df092b6334d03056049658fae98ba4f2f1b7a3b093

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads