octo | 3a97e7af74accc0c8729bb6823ab598826450153643244a2539bf04cd66cab10

Analysis

max time kernel
149s
max time network
160s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
26-11-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a97e7af74accc0c8729bb6823ab598826450153643244a2539bf04cd66cab10.apk
Size

2.0MB
MD5

31cb6dcaa5fd6bb68483612e57f9fe3f
SHA1

df8a28b6e9156469746d01bcba91847c8d7a01c1
SHA256

3a97e7af74accc0c8729bb6823ab598826450153643244a2539bf04cd66cab10
SHA512

24cda85bde35605752e09207725d28b1f51459b8ca2271b83d11e6b10ab9adfda7ee39910dd85dba5f2afeef7af8ca91b6822e1a4fdadcc900be339cc8132da8
SSDEEP

49152:3wKvxHYmKTm8iLg2w7FL/4gu4szv62HEZMDgXwMvCyYnjlmXLWr1HQRuCFYu:3wK5HnuJiU8zNH8wMqyYn87WZHQSu

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://zalupenn.top/ZmU2YzQ2NjZlNjc2/

https://lauytropopo.net/ZmU2YzQ2NjZlNjc2/

https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/

rc4.plain

Extracted

Family

octo

https://zalupenn.top/ZmU2YzQ2NjZlNjc2/

https://lauytropopo.net/ZmU2YzQ2NjZlNjc2/

https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-3.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.usmay15/app_DynamicOptDex/YTupAi.json	4498	com.usmay15
/data/user/0/com.usmay15/cache/mpeolbwdbcu	4498	com.usmay15
/data/user/0/com.usmay15/cache/mpeolbwdbcu	4498	com.usmay15

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.usmay15
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.usmay15

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.usmay15

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.usmay15

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.usmay15

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.usmay15
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.usmay15
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.usmay15

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.usmay15

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.usmay15

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.usmay15

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.usmay15

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.usmay15

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.usmay15

com.usmay15
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4498

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.usmay15/app_DynamicOptDex/YTupAi.json

Filesize
1KB

MD5
a4d3a9756d492620a11fe0a4b0270f86

SHA1
7ff3199c4a4a88bd7f57a1228d6f4b6e80d6b314

SHA256
66f0aaaa27bd08e939b45b17db0d32bd908c716972cdcbcfa33579991aa7e8a3

SHA512
c64467e8945381402c0d756d0659c9878406ea1c17fe0e0feaaa5a34760d53641c2d94a833166538b1feb0470fbdedab7473b5de9c6b5bbce9cfda59d08fde4f

Download Submit
/data/user/0/com.usmay15/app_DynamicOptDex/YTupAi.json

Filesize
1KB

MD5
f361384243cef0873cc4c69b169fdaeb

SHA1
f314d82db0e6710339dc926a86f0087bc12012ce

SHA256
0aa8abc33fb0d87f7b3012be0b124b8de1fabf5cfeecb80db6b86d66dcde0481

SHA512
451b4d2157bbf456a7dd44b8d39d55443352cce6f77943a3e283ae549c5c47129b6b9f3b22d615506546156764afe37f59c7cd144d83ae9afb6fa64b4b58597d

Download Submit
/data/user/0/com.usmay15/app_DynamicOptDex/YTupAi.json

Filesize
2KB

MD5
25bc9739c62421ac8cd3d081bc73f485

SHA1
3480f9a3718a857fa05ac95c77335dbfc66eb548

SHA256
85fd1fa056c1f1a034b5eae85f8b94c32b7d3cc2756f36e393c478fad68cfff5

SHA512
674cdf8c9c409bb5f5c49061642bc478a5431b03fcf87348cab72ec7bb5f34545f8560b1ce602807f07f18df092b6334d03056049658fae98ba4f2f1b7a3b093

Download Submit
/data/user/0/com.usmay15/cache/mpeolbwdbcu

Filesize
449KB

MD5
e74ae5348778aa3f382a98a007af007c

SHA1
834a82d48bf3419b40d1ca752455f01f460470e4

SHA256
72d566af5501fcdca27fd0b7f6eb71b560fd973570d7799986a5da268abb140f

SHA512
95933ae069fb700a2b513462288db350b884e45b33c8b141a3dcacdefa6007e524dff35c92fee41619e0bb456171cb8f57775bc969c4b0d63062efd98d663535

Download Submit
/data/user/0/com.usmay15/cache/oat/mpeolbwdbcu.cur.prof

Filesize
326B

MD5
b92abedec9ad0d9d0b9b6efa90960878

SHA1
06cf1887f8c5fad120ac6bfd51ed9cd8aa26cb21

SHA256
b14b0444cd9f360283cbbe99436fc9afc9711b0ec54d72cee0371789a2331f22

SHA512
32e44266a41266cdbc8072d7b1cce95bce370f4973dc1ad6aea449f3121957164e59cfe5ba9b01444bfb91c55647820318c09d466dc520f0caa45c782c2c090c

Download Submit
/data/user/0/com.usmay15/kl.txt

Filesize
79B

MD5
727ed44bceeaf691fa950d0444fff481

SHA1
1acaf1895d07cbc4cf1aac16d690776dbab39b63

SHA256
25c2d34f8fedd73184d7e378d68b0c848be3ab7373053a670c9abc6edcaab13d

SHA512
b966d1964f045a94890f60a3cfb39f66db6b1e2ea1af62c8051d9f5db3d21826a96120ac781ab1a40cf89a9bbb9149d1bf46df109d2287984a29134157f7ec25

Download Submit
/data/user/0/com.usmay15/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/user/0/com.usmay15/kl.txt

Filesize
237B

MD5
2dfb02b80e134418433353b67a5b318a

SHA1
cc69bd0096558abd1efa727137b7fe06273d301e

SHA256
bff69056baf7fa32b01b8b14c1c2fdfac510c1c604372555970925264761faff

SHA512
66ddc84bfb2c4a14a182de1b02185af550fb910f660e119a378a0a60d0f8131ba5ee617427fb671959791a0ffc29eb288d5a10ec3077c6bc97c282f129de3d6b

Download Submit
/data/user/0/com.usmay15/kl.txt

Filesize
63B

MD5
779fb160892cad388ab6cb17b83e3062

SHA1
4f32176702d83c6c6831018a7336524880ffff06

SHA256
5917b7eb490cdd65024219f4150bc0ab13a3c78205ea750b63910e832cdd34c0

SHA512
9d6b3614e6e26774f62c7573dd41a51c62b9675b6e6ef3ede2e07347b6dfc7bfcef1fa8a8ccfe82994abb91f1ff906bb90d72b9140fb546fec16bdd95a5aade8

Download Submit
/data/user/0/com.usmay15/kl.txt

Filesize
75B

MD5
85ff7bc859681c126cf16f9758997adc

SHA1
5d8dc6cf2ebeeb6a61517f8411f492838da96f71

SHA256
58c1021c0566c1e077484a52232a3153d2125c925f6d1d44ceea5f7e9289d409

SHA512
f15937c3007fb1efc499fb329af2f2dd86e3e9f91a9baefbe0d5be3b3bda1486eaaa6586480b34dda645868345818340bfa8544d13367a8b2cc74c15e34074d1

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads