octo | 51f9972e563dad2e07b5119bf8c3a02a0f8e903f933c1a1403b66fff4346e39d

Analysis

max time kernel
149s
max time network
131s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
29-11-2024 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51f9972e563dad2e07b5119bf8c3a02a0f8e903f933c1a1403b66fff4346e39d.apk
Size

541KB
MD5

986469fcf203e0ffe2253d718854f24a
SHA1

9213bf0e4b68febc053c7dc9012ce13399ba8367
SHA256

51f9972e563dad2e07b5119bf8c3a02a0f8e903f933c1a1403b66fff4346e39d
SHA512

399d10c62cf82671c2a65a4ef42737a5a55fd83e0fa8ece26d5429a6cb7a279e28ec6d6364c824462752183f17af46c7d82727d5b1d41ac5de116e6774f5163a
SSDEEP

12288:hY/F190tXFuOt74VMPMOCmNW0Is3coM7VDn7j0nzi7SMQ:WLG1uOt74VeUdsMoMhn7on4u

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://2uxafnknc4.net/YzgwMjM0NDkzZTQ3/

https://6xd7twv543.org/YzgwMjM0NDkzZTQ3/

https://xblxyxn84y.pro/YzgwMjM0NDkzZTQ3/

https://gt2xhtlmxg.xyz/YzgwMjM0NDkzZTQ3/

https://uchgrh8nb5.com/YzgwMjM0NDkzZTQ3/

rc4.plain

Extracted

Family

octo

https://2uxafnknc4.net/YzgwMjM0NDkzZTQ3/

https://6xd7twv543.org/YzgwMjM0NDkzZTQ3/

https://xblxyxn84y.pro/YzgwMjM0NDkzZTQ3/

https://gt2xhtlmxg.xyz/YzgwMjM0NDkzZTQ3/

https://uchgrh8nb5.com/YzgwMjM0NDkzZTQ3/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4214	com.factsixdc

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.factsixdc/cache/ncamdqblzvp	4214	com.factsixdc
/data/user/0/com.factsixdc/cache/ncamdqblzvp	4214	com.factsixdc

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.factsixdc
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.factsixdc

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.factsixdc

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.factsixdc

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.factsixdc
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.factsixdc
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.factsixdc

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.factsixdc

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.factsixdc

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.factsixdc

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.factsixdc

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.factsixdc

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.factsixdc

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.factsixdc

com.factsixdc
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4214

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.factsixdc/cache/ncamdqblzvp

Filesize
449KB

MD5
10198d3c2db99fb4e00fc0514c80a99b

SHA1
6aabf131227c6600ff56f4a91988d68ac19b9f39

SHA256
9051c10c2ab8171fc462544ed0ff2768a600383213ff61409383202abd39ebfa

SHA512
984fb152247dcb2c347b7e83812da26fa64d362b2c3fc21a0e33575ccce8032495c702b866366615ef1c704400592f3da8ab03a5b3284b2ee5918de5acebb2f2

Download Submit
/data/data/com.factsixdc/cache/oat/ncamdqblzvp.cur.prof

Filesize
473B

MD5
27447669ee0589356520fbe49fcfe495

SHA1
ee3daf9a67e56f681d20bb7a1682a84578f4978f

SHA256
25383a5920400e63972d742d9069a2bfe7ae4b8a5da6ce91a02571f22dac1a69

SHA512
db65e1b18d5bbba021f1efcece0bd99fd7a7d41b1369ca81fc7924abc5bcd0267acfec12ea17573b476e633390c7e2b2e243eca51238f745cf3dbd7c016fc695

Download Submit
/data/data/com.factsixdc/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.factsixdc/kl.txt

Filesize
235B

MD5
2adaf6d9e76af2a6a926b23539b91c7b

SHA1
d4bf66739c1f49513b66157f477d868f288ad10b

SHA256
17141537de42f1b17e9d10cd3e97d0efc6aa065b2e6f3b8aa06e9aae1e580034

SHA512
4175e47edda374df84d3ec168611ca1a34eae113ceae3a9155741d4976e0bb331c81122a451820c001db95d5bd0ee9d952a85750221be39377eb8519aa32758d

Download Submit
/data/data/com.factsixdc/kl.txt

Filesize
63B

MD5
4a9038628980309b5749ed71d7d5b1ac

SHA1
cb8236713db4bbf6860626f780b6af227cfdf8ed

SHA256
97c7551c526b34b781945f6d511d8ed9947ef96a23fdb0bddd3306f2cd76b913

SHA512
a06ae124fffcbab37a203dd1dc2e3dbb39b1bed5a51fb7741d34e9437f461e30b9939815a91e28d4a3c622bf9deb0340cd5c014af672710840fbf4517b60e19b

Download Submit
/data/data/com.factsixdc/kl.txt

Filesize
54B

MD5
9a7208d0120604a01151762efe07a01f

SHA1
86cefe28e4cb8a116504e86427a11147ee405e87

SHA256
9078e64b1b8983f88297a5437f11e813ccd01f4194f5eeb28b15a025a7e8d2f3

SHA512
88b4c470e6be267daa8a85d667967653220d2c58f42cc1e1df7c68af64b35a7cafa0207444fa11fc555ace5fff1cc7f636ecaf8eb1848609837b02af4797a4fb

Download Submit
/data/data/com.factsixdc/kl.txt

Filesize
433B

MD5
454f018ac319411cf2ac3f4bf9885edc

SHA1
0fa0ca06e88e09f5285d4c6974894d7b5941058a

SHA256
c747e276301f58b76a0228c2c66cdc19ff0345fa33d8272937f129883f57d706

SHA512
b614ef42c4948a58699bb5f599cd895875b1fc8678810db079b61669791307e632d73647cbbee5facd68882add82ea7bae8926f71e205f1eb1b747bd8d1994f4

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads