octo | 478c43aa96a43cf26548384d171898aac7d07f2810b3b5e5fc5957a3cec27bde

Analysis

max time kernel
149s
max time network
131s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
29-11-2024 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

478c43aa96a43cf26548384d171898aac7d07f2810b3b5e5fc5957a3cec27bde.apk
Size

2.6MB
MD5

bbcb3edd3b5102029ca963cf0023cc89
SHA1

efd6608a2da1874e3b4a17768727fed71c3b665e
SHA256

478c43aa96a43cf26548384d171898aac7d07f2810b3b5e5fc5957a3cec27bde
SHA512

079ef87a9b57691b9ed120cfc6b81b06ef3bad931ab657479a40b2eb90a8e0837f2f94dfea0a6c03907fe770d31442200996015f578f4502b952713bdfa45337
SSDEEP

49152:jQY3tFeBhovmr5+WW9NR/7yF/wL0Ra7eEr3Seo3BysEIcv62cEWvMjCyYnZRmXZW:zjeBhoOsp9Of7Rd3BANcByYn+JfZSQ/S

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://asdhaskhjdksjahdkasjdhaksj.hk/MTBiYTAyMTk0NzJj/

https://shdiuvhisudvhuishvdiud.hk/MTBiYTAyMTk0NzJj/

https://asdasjhdgasjhdgas.hk/MTBiYTAyMTk0NzJj/

https://qssxsqxaqxqazxaq.hk/MTBiYTAyMTk0NzJj/

rc4.plain

Extracted

Family

octo

https://asdhaskhjdksjahdkasjdhaksj.hk/MTBiYTAyMTk0NzJj/

https://shdiuvhisudvhuishvdiud.hk/MTBiYTAyMTk0NzJj/

https://asdasjhdgasjhdgas.hk/MTBiYTAyMTk0NzJj/

https://qssxsqxaqxqazxaq.hk/MTBiYTAyMTk0NzJj/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-3.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.maincertainubl/app_DynamicOptDex/uE.json	5129	com.maincertainubl
/data/user/0/com.maincertainubl/cache/bbdjinjdqgcyav	5129	com.maincertainubl
/data/user/0/com.maincertainubl/cache/bbdjinjdqgcyav	5129	com.maincertainubl

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.maincertainubl
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.maincertainubl

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.maincertainubl

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.maincertainubl

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.maincertainubl

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.maincertainubl
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.maincertainubl

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.maincertainubl

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.maincertainubl

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.maincertainubl

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.maincertainubl

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.maincertainubl

com.maincertainubl
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5129

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.maincertainubl/app_DynamicOptDex/uE.json

Filesize
3KB

MD5
ecd45c664f6dfb240195ba6b0abbda98

SHA1
301a3213b24051a82b328496126b10289c51dafc

SHA256
7aa878297f91d13158dfebe6f8bb1fd79485ea1876b49b490c28fb47f526ec34

SHA512
bcd12eb54fa185135af63ef050e31db97bcb402aae01aa7bc88c187e965e0353786add1ea858d2262418350fd9389c53f4519c5de6f577fd51d8604583623ed5

Download Submit
/data/data/com.maincertainubl/app_DynamicOptDex/uE.json

Filesize
3KB

MD5
48a0fe11acd52a2f97ffb7ba4c70cf14

SHA1
c360d9a5d7d4d4c9200e2b1d0b72f1a9239a8394

SHA256
2712ee19b39713f5cef2ea62c3ea2e2d06081e83d841ba64e06fc84f3df1f972

SHA512
42a93b91f531133db0a0c42781e2681b60994e61e02493a8bc2bb11229754eeedff7a4dbecac047a4e4f8cd7168e9ef9e7a55c5b322b2e1dea7b94c6718aa34e

Download Submit
/data/data/com.maincertainubl/cache/bbdjinjdqgcyav

Filesize
450KB

MD5
01b512a325d71763c80f88afa1462418

SHA1
98e4c4743bedbaca5371c0cc15838e05141e48f2

SHA256
8028d8ad7d66be1ac427c82a276b16c784d83e4c6db67589af88e33d22f6f228

SHA512
e92d62affbe45086bdc05bd6ad424622a90ba9a71c6f65fede83634410e3644a75ffe080a747426d8ee4fb16fd0309c1cbd1d8755379f2d8e82c76ca1296bc11

Download Submit
/data/data/com.maincertainubl/cache/oat/bbdjinjdqgcyav.cur.prof

Filesize
463B

MD5
4f7dccbba3d3697fd4fe21902f460781

SHA1
1f80752ad50f4775349b994560f1c2855a5c9f97

SHA256
22a110d15ea8b1952e9db9e9a0f71f38c921d50bb22a967d90c311e76ee962be

SHA512
e29d83335a0f4ab4b69145e9d26a2612f885336560ebeeb5f782e645aaba36d16b00d5de4ed5dfb3adac0519710d24a00bbd07a9dcd257307bfbb7a380ef0f11

Download Submit
/data/data/com.maincertainubl/kl.txt

Filesize
437B

MD5
6941cfcaa64b7e8788769653539d6066

SHA1
f3ff151a5e47675da78405f2a178d09fc5b79c6c

SHA256
5586ae1fb2aef929207e772e2ced7e6a7a7f409514fbd082ed1eb713e045764b

SHA512
89c2785c44c463551ae2179bc0ed18096481841e2f192e18c8884618ac9e85971eb1f77cd2d587dcc5dffb4f86ce88a1cf7329094afaa35b09ea0ca9598e23dc

Download Submit
/data/data/com.maincertainubl/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.maincertainubl/kl.txt

Filesize
63B

MD5
778a301fb55c9434d3ec93828f8ac7ce

SHA1
7f874fcea1516c1b2877cfb441e2aa7934021ad9

SHA256
548569f6e07fb19f872834f2b43b67fea5c56dd7845f27ec8019e14f736b3e23

SHA512
1c72e06add701cfa354e8adab1b1b093082cfeab39122b1e1b798e7715917f694c80ebd9338a5e2216815ec8c67546b8fcf22dc3a1e73be282392a71889e7b55

Download Submit
/data/data/com.maincertainubl/kl.txt

Filesize
45B

MD5
fd83e07f855ba8f1f7413bc5e0c2f38e

SHA1
5637514c3fec9647e49e0abed556f6e706edb1b5

SHA256
c189f1de47956ab96f1538c89822a29bbc1a035833809a558e5d15ec246d2240

SHA512
4166c7f104487c3df208a024bf9ffaaaf0f4a402aaacdd81ba5ea56ad6fb203a6c263352ab8c752591ce5bef67f033b28458fbae295fdddbcce7b9fa18fc0018

Download Submit
/data/data/com.maincertainubl/kl.txt

Filesize
67B

MD5
d9ce4f642e7356dae0aa584bf4bb4435

SHA1
ea1c7861e02a0313c35e0cb161aebad69638002a

SHA256
31b23749abe95830447d3e15263b548b16d10905e47f0a68607d01e5a293d589

SHA512
d86500c1d1d8dac920a54ad9badbc18dda72c14f8129dda00521e31529e78e2ca4053d3bb9240431b78f18c72ebd862f2e80f9a2992a1610a2c199112f8d56db

Download Submit
/data/user/0/com.maincertainubl/app_DynamicOptDex/uE.json

Filesize
7KB

MD5
1a7dc908f57f23353712a5e9a6313027

SHA1
b0d687e2d350c32b45002247274e37ca5b0925a1

SHA256
fae3e9547001b38a03dd4bf0a32d3c45456b72634db314de4ef4a7191041edd4

SHA512
c5ddc90f855fcf65890f9c98aedf9c3310f998abd8d3aaa3a4d519096de7028516e80f18cc09810dda9cc85fecb297144edbde559821e8626bbe6dbfec15b451

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads