octo | 65b564629247e0359992ad83c0f183599d95b9e25492f912df5c81b57c8a2b70

Analysis

max time kernel
9s
max time network
154s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
28-11-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65b564629247e0359992ad83c0f183599d95b9e25492f912df5c81b57c8a2b70.apk
Size

1.5MB
MD5

c13ab92ba4fd50ab9eaf8efe9d5ce985
SHA1

ba3909363274fa5b0afc7b6f578babb0641f1982
SHA256

65b564629247e0359992ad83c0f183599d95b9e25492f912df5c81b57c8a2b70
SHA512

b0d6ea336f17a3c2ab0fdc04920240974c298a9b11c78bb8645edfb8feb157fc81e74151ef8874e2dac28fbac5e100aeda503365d49ca37cd7f6c2921b8c6001
SSDEEP

49152:3+XjrvKXu/nF0S5Czv0QFzrC+WjIor364+:kjm6FPAzvLFz+x8orq4+

Score

10^/10

octo banker discovery evasion infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://pildirpirpir34.com/ZTZkODUzMTBjYTA3/

https://pidlirmidlir23.com/ZTZkODUzMTBjYTA3/

https://pigav233.com/ZTZkODUzMTBjYTA3/

https://tavaekemk42com/ZTZkODUzMTBjYTA3/

https://pifvafaf42e42.site/ZTZkODUzMTBjYTA3/

rc4.plain

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.appearred49/cache/pwuzretiawbj	4961	com.appearred49
/data/user/0/com.appearred49/cache/pwuzretiawbj	4961	com.appearred49

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.appearred49

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.appearred49

com.appearred49
1⤵
- Loads dropped Dex/Jar
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4961

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Credential Access

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.appearred49/cache/pwuzretiawbj

Filesize
1.4MB

MD5
cc7ded5a6ae1cd1f4ea41564da5f3bcf

SHA1
6294879da1a8923068e83328e87836062ca9411d

SHA256
1739014400fa0642275c6d3714f32bda8767cdcef7436ce4b546257ad6fe806e

SHA512
8d014f8d504a9d3124b58f9941fe561e4b3ccaf8cd6d7e26588546bde5afe454f3430622810d3b7faa819edd266fbf61ca6b4f865c1b56c4d2b8a9e4c4e4a040

Download Submit