octo | 51f9972e563dad2e07b5119bf8c3a02a0f8e903f933c1a1403b66fff4346e39d

Analysis

max time kernel
149s
max time network
141s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
29-11-2024 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51f9972e563dad2e07b5119bf8c3a02a0f8e903f933c1a1403b66fff4346e39d.apk
Size

541KB
MD5

986469fcf203e0ffe2253d718854f24a
SHA1

9213bf0e4b68febc053c7dc9012ce13399ba8367
SHA256

51f9972e563dad2e07b5119bf8c3a02a0f8e903f933c1a1403b66fff4346e39d
SHA512

399d10c62cf82671c2a65a4ef42737a5a55fd83e0fa8ece26d5429a6cb7a279e28ec6d6364c824462752183f17af46c7d82727d5b1d41ac5de116e6774f5163a
SSDEEP

12288:hY/F190tXFuOt74VMPMOCmNW0Is3coM7VDn7j0nzi7SMQ:WLG1uOt74VeUdsMoMhn7on4u

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://2uxafnknc4.net/YzgwMjM0NDkzZTQ3/

https://6xd7twv543.org/YzgwMjM0NDkzZTQ3/

https://xblxyxn84y.pro/YzgwMjM0NDkzZTQ3/

https://gt2xhtlmxg.xyz/YzgwMjM0NDkzZTQ3/

https://uchgrh8nb5.com/YzgwMjM0NDkzZTQ3/

rc4.plain

Extracted

Family

octo

https://2uxafnknc4.net/YzgwMjM0NDkzZTQ3/

https://6xd7twv543.org/YzgwMjM0NDkzZTQ3/

https://xblxyxn84y.pro/YzgwMjM0NDkzZTQ3/

https://gt2xhtlmxg.xyz/YzgwMjM0NDkzZTQ3/

https://uchgrh8nb5.com/YzgwMjM0NDkzZTQ3/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.factsixdc/cache/ncamdqblzvp	4467	com.factsixdc
/data/user/0/com.factsixdc/cache/ncamdqblzvp	4467	com.factsixdc

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.factsixdc
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.factsixdc

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.factsixdc

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.factsixdc

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.factsixdc

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.factsixdc
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.factsixdc
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.factsixdc
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.factsixdc

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.factsixdc

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.factsixdc

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.factsixdc

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.factsixdc

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.factsixdc

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.factsixdc

com.factsixdc
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4467

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.factsixdc/cache/ncamdqblzvp

Filesize
449KB

MD5
10198d3c2db99fb4e00fc0514c80a99b

SHA1
6aabf131227c6600ff56f4a91988d68ac19b9f39

SHA256
9051c10c2ab8171fc462544ed0ff2768a600383213ff61409383202abd39ebfa

SHA512
984fb152247dcb2c347b7e83812da26fa64d362b2c3fc21a0e33575ccce8032495c702b866366615ef1c704400592f3da8ab03a5b3284b2ee5918de5acebb2f2

Download Submit
/data/user/0/com.factsixdc/cache/oat/ncamdqblzvp.cur.prof

Filesize
335B

MD5
9a931f3f63498595dbd1ca516ed0320c

SHA1
482d8e8d6f71700226514077b3d836c79af283de

SHA256
3b1adcbd46747ded128ad3b152cd10d27cee2a6b08233d5a63a523ddafcda7a4

SHA512
7955134bc33b34e1ea2fa87b41ea32ee21c32b81efe0b284b6d0dbd5451f7bd56d84ffd95419855a36dc345ea4b5dab7f9e78c46d7b6ec5c107dade002b60eeb

Download Submit
/data/user/0/com.factsixdc/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/user/0/com.factsixdc/kl.txt

Filesize
235B

MD5
031928312f1c509b9d2bf27d79d1fcb6

SHA1
4f8c21188423a126fd0a6780837c687ce3e14708

SHA256
333ce1b243c65832dd2b4c41fe95f144f803216015b0aaaf16920b0bdada0bd9

SHA512
595402696184f5926ec96b2f865313e34182614459a6f607cd4c03596958a3c55512938dbb36be767c827ac3e0cfa76c87668c5112176741fa034b8d83f88eca

Download Submit
/data/user/0/com.factsixdc/kl.txt

Filesize
45B

MD5
c4f4c205e5385a940a8af8413284a43f

SHA1
1e6b6f773de25442b73cb7ebd0c285e83835e572

SHA256
ec51cf8cd8e98e214466af977e0fd22d8ef486356945a0bcdb5aed1e35b4f05e

SHA512
b8558c7cb762c9d4efeab27be5f5eb1ed7d1b89ae9562032113158fd753d7c2413a67f03bada08f8697c324d528bc806753555f618840ca08629c9bed96b6e54

Download Submit
/data/user/0/com.factsixdc/kl.txt

Filesize
63B

MD5
f595cedf4f2d1d9080f8d9bcc3bb8c7a

SHA1
28d2c0c3a7c69d78ab28ebfa30423e6c9aa7cbae

SHA256
7d3aba9f38ebf49660e27faca0484e8a24bb9b32e198775eb6e368b58176eb25

SHA512
ecf0c314a9db6b7484cb78aaf49849d887e85a9f07ef73c6ba618dedaf3c6dbbe92ba30667975bb39d09f8fd2f344551fbf8bc2853300510c68695b4b60ef077

Download Submit
/data/user/0/com.factsixdc/kl.txt

Filesize
476B

MD5
29e8848f9e6a467b25b96fbf83bd6c5a

SHA1
42b36a4e84cdf3a58924bd5bbbe0d4f927af44c7

SHA256
2ce9934ec54ba3e52e98cd45e15a2e5753334135e9505eb0708f4c13f8024840

SHA512
a703b84806e3371580a0773018a240d5e1d383c7077d0351114024d1b89ee019d5ba6a6bfd5d00464773fbda02502b2301d2048cbf8e3b6ac367f4ecfbe0b06c

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads