octo | 17bbcb24cee94d468bd9728ec6d21d5f3ed04f4fe4b3773c84a9b759b891488e

Analysis

max time kernel
123s
max time network
152s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
28-11-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17bbcb24cee94d468bd9728ec6d21d5f3ed04f4fe4b3773c84a9b759b891488e.apk
Size

2.4MB
MD5

23f76042625cad2043639116f62fdfb7
SHA1

e39c42e019dd6500dcce835f59abcf8110e099d4
SHA256

17bbcb24cee94d468bd9728ec6d21d5f3ed04f4fe4b3773c84a9b759b891488e
SHA512

95fa7d76cf7e0f02e8ee59c086c7ed075d919c66f01e48f85f3634f34012a36bebf050d93692c4e3b31154a05a3ce31fff6a3e8c64efc3946844d62bd52c2379
SSDEEP

49152:06fkLgCnb489OrF2NsbzDwKuDrZKKGWZjF0Ng1lB5jSuzANffr:0+kLgCnpOJ2NnKQrZKKD5F0a1lBKNr

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://lauytropopo.net/ZmU2YzQ2NjZlNjc2/

https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvq.top/ZmU2YzQ2NjZlNjc2/

https://junggvbvq5656.top/ZmU2YzQ2NjZlNjc2/

https://jungjunjunggvbvq.top/ZmU2YzQ2NjZlNjc2/

rc4.plain

Extracted

Family

octo

https://lauytropopo.net/ZmU2YzQ2NjZlNjc2/

https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvq.top/ZmU2YzQ2NjZlNjc2/

https://junggvbvq5656.top/ZmU2YzQ2NjZlNjc2/

https://jungjunjunggvbvq.top/ZmU2YzQ2NjZlNjc2/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-3.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.feetthink1/app_DynamicOptDex/Ed.json	5133	com.feetthink1
/data/user/0/com.feetthink1/cache/yoqgm	5133	com.feetthink1
/data/user/0/com.feetthink1/cache/yoqgm	5133	com.feetthink1

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.feetthink1
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.feetthink1

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.feetthink1

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.feetthink1

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.feetthink1

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.feetthink1
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.feetthink1
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.feetthink1

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.feetthink1

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.feetthink1

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.feetthink1

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.feetthink1

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.feetthink1

com.feetthink1
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5133

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.feetthink1/app_DynamicOptDex/Ed.json

Filesize
1KB

MD5
9ea74bee2f57d39ad34acdfb62fe9868

SHA1
16e89b1bd0ee6523aafc1174e7d3ff9603c3b391

SHA256
21e5ac5b7d8645a5a6b7978a3a54c0e91cb9ab2b26090025abcb824e787eed50

SHA512
3cdad66e72db0779e1bc05f6719929a33377ee395b0648f0e792dccf04980c1b44a91a4ff7456b908e3df7de3a4770f8ae1fb5f048b053a4e4ba41552ef3bab6

Download Submit
/data/data/com.feetthink1/app_DynamicOptDex/Ed.json

Filesize
1KB

MD5
307fc588f6589ee5922360200fffe89c

SHA1
a654fd912eded5d4a04cec322873bdaf7083ce87

SHA256
efcb71f29ef1a21bcfb73a44f0628d3a62561cffaaf3691e7ce9adf4dbfa7fda

SHA512
6ed769869b1f1b6a1fdabfa6ea43155851f940d0819b7cc3f08548d6ba55263c920f4e0a52e20e2d0eddc039bd779e192bf4738a67e792ca0eabd9d69bc35454

Download Submit
/data/data/com.feetthink1/cache/oat/yoqgm.cur.prof

Filesize
443B

MD5
fcd76bd3c4d3ca37bc80f7d059e90fc6

SHA1
0ef6b8569deed3d923cf22f15e04dc1b889fc53b

SHA256
506a83b071afad961640d95117499ff88753926c2e9a6eecad4edfba437dca81

SHA512
fdd99cc1a87aeac39f587e7895f62039c0a6573b600fff59729a8ae43f825b30d38711a21432a0c185ebb744b77612c37ed2b4cfcd202dbdd83dc479c92df88e

Download Submit
/data/data/com.feetthink1/cache/yoqgm

Filesize
448KB

MD5
9e2844fade7cfb86f017a9ecfc7ed075

SHA1
df2fb9ef780d333bf69d7042abe22b10037902f6

SHA256
10d41a7e4946971e583c131686249872c45cd8968c7647641dabfc0a360daff5

SHA512
97a77a5afe53d8733fab2bf6989e83d27959b9fcae6b8c22114c0fe41984c94054ee9de3c29492f9ed5dbe5110d55dafafeae84d5654e879f8c964c46fe69de1

Download Submit
/data/data/com.feetthink1/kl.txt

Filesize
437B

MD5
508e562ac4ff6c6bed804228d4706f4b

SHA1
3e903672795914c03ce6771df8ea097a767f3828

SHA256
449f8cb1b9dc3b16916213b69a37de4027f32aae053fc577268b97ecc4c5a845

SHA512
ac6e20aa6e811c25b000be73c6d8cc3bead9013e04474a730615244345bbf741cf961f98656e0eeccc73cc6512e2c660dedabcd3e453587d97d870f446d602ca

Download Submit
/data/data/com.feetthink1/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.feetthink1/kl.txt

Filesize
237B

MD5
52a9122212c48c1ba9a0b13258cf4ab1

SHA1
488c1ac4a5154e81db17a4a38143663a7db42730

SHA256
5470b0a80980a258b5458121813a65df4b51fe2addebaf30a401d11aa97baa98

SHA512
402c82a31c3d2e6aae55be34e787b97f5cf589c2d2770e6723983d38dfa73f606c1ae0fb4cd9e856e8ca08ca300e841e67df5cfa97b6b762f8843f5b4eb6de78

Download Submit
/data/data/com.feetthink1/kl.txt

Filesize
63B

MD5
3af55de66b13077d6a580f66fb9e4d35

SHA1
2f64ad5a340476e80cc6ce90008cc0c71078ad14

SHA256
09ad9ec018b0a94bb20a3be673317a6046fd1ca46b1697079d04d74510294f6f

SHA512
776bf23af9b8e94970e16b5bac65e6e2f97be516ceec77ba472de9307d9ce7882e7735c86dfa7e6d3f3f72fc7662bbd7e462e5601ba597b7af6b8f9d1565eadb

Download Submit
/data/data/com.feetthink1/kl.txt

Filesize
58B

MD5
71430482830abb3b78b0f313411e72d3

SHA1
dfde843c3f3ed7ffa0624410f2aa12c3b3dd11e2

SHA256
da8b508956bbf7689f6879660394715fb71cafcac003e6c64b395d7008f7c31d

SHA512
d892fd6c7db1a0bbd53fc2868eba792e0d424876ff18bd686644249a50bf074c6c1558a798e247d479d48e1befb57680cac714f7d6d691a71a13b1bbf47db35d

Download Submit
/data/user/0/com.feetthink1/app_DynamicOptDex/Ed.json

Filesize
2KB

MD5
42d4291d06bbf8570bb262b5dae88afa

SHA1
7aef566efaad4da6168cf7fef9809b420de44f0a

SHA256
19479a793d5ccff0da6a43824bf239ca90ffbd561209d546a2cd7c32706f1521

SHA512
98a9dc8658b4c88a59d9018e957aca86579feb539df13213eb5bf781a4243c7a0a4bdebcae19a9cb4bfc829529aa676f514b8eb3ad3306acd6d84efa2972242c

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads