octo | 5db7a0ca8c67ca84bf2492772433991d96558240b1a17e955901b51ce21f7f0d

Analysis

max time kernel
149s
max time network
150s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
30-11-2024 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5db7a0ca8c67ca84bf2492772433991d96558240b1a17e955901b51ce21f7f0d.apk
Size

605KB
MD5

914c307e44ecbea01c93bf4766c95c2a
SHA1

7e6c5f05650b247a2e74890441138cd0735dcded
SHA256

5db7a0ca8c67ca84bf2492772433991d96558240b1a17e955901b51ce21f7f0d
SHA512

c7d6ed1ee2a8e964445568cbaa82f26a3d582fbc1e26715ed89fab1b8968cd54fffef170ece7f9ab84f2199575172bbaf72cb9385b05ccbcd06ef92b7b86f47d
SSDEEP

12288:p7MaMSOgt7XbOeDC21cACiCQVISEJ8vUFryIC0UM+VFpURYifzO5Cs4hDLrMhdX0:5MakLt21cIxVIJm6yIMM+veq5CsIzgdk

Score

10^/10

octo banker collection credential_access discovery evasion execution impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://7bb13903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://4b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://34b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://64b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://74b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://894b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139030754567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139033074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b641553903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

DES_key

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 2 IoCs

resource	yara_rule
behavioral1/files/fstream-3.dat	family_octo
behavioral1/memory/4335-1.dex	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4335	com.placepicturet

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.placepicturet/code_cache/secondary-dexes/1733004867818_classes.dex	4335	com.placepicturet
/data/user/0/com.placepicturet/code_cache/secondary-dexes/1733004867818_classes.dex	4362	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.placepicturet/code_cache/secondary-dexes/1733004867818_classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.placepicturet/code_cache/secondary-dexes/oat/x86/1733004867818_classes.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.placepicturet/code_cache/secondary-dexes/1733004867818_classes.dex	4335	com.placepicturet

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.placepicturet
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.placepicturet

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.placepicturet

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.placepicturet

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.placepicturet
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.placepicturet
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.placepicturet
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.placepicturet

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.placepicturet

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.placepicturet

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.placepicturet

Requests modifying system settings. 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.placepicturet

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.placepicturet

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.placepicturet

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.placepicturet

com.placepicturet
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4335
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.placepicturet/code_cache/secondary-dexes/1733004867818_classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.placepicturet/code_cache/secondary-dexes/oat/x86/1733004867818_classes.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4362

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.placepicturet/cache/classes.dex

Filesize
446KB

MD5
d916e5067de7ccdd811db0529c053d44

SHA1
b907cf503d94979c59b66fa6b6aeaaa8eec3bcd2

SHA256
97dce3823b3772a8329b8e1275f15d7aa208055388e62f88995d6bca5b5038da

SHA512
2bf6ea79144ecaa2c3c8b56953f6bc1d64dadc684eb4e482161ca2b5d5458bd85d3ebaaf487e52fc8dba18c632599dc8a14267cfc0a9bc0048be88b7a8967bb6

Download Submit
/data/data/com.placepicturet/code_cache/secondary-dexes/1733004867818_classes.dex

Filesize
1.1MB

MD5
bf09a6c60149b851957f92b88c5ba4d6

SHA1
b9241ba502982b7412c8eae0a49721333e5e442e

SHA256
fad3e2d2270854f83748f055331dd77af1c7f26a8dc0cca0ed8c3ca6f13bc2b3

SHA512
91c0232ec08b64e9d22f2de37ab60f6cd7609a23843e03a3da26b4d966bd5fdf151ecccaa2c5ece4196e2b9338d5a2f264db6525a0a9a9ad89a0b87f1ea2def4

Download Submit
/data/data/com.placepicturet/files/profileInstalled

Filesize
24B

MD5
fe3ffc23b3009115e69032c6c5f7d0c9

SHA1
cbd243129c65b98edfd4f1b714bd1d543a3fc25e

SHA256
f85e27bcacae70790b7619a5cf8979e2928476958791b92a843b245bd2dff637

SHA512
bc68cd926387a136db53c5f28f7682fee3eb691a8e77bf7c86518bbb8e85222cd61f7b1505b0944a3ef337badbea7b4e62a762ae70cfe1045dea70db1fbdd5b6

Download Submit
/data/data/com.placepicturet/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

Filesize
8B

MD5
310c1a13d4b5c49072f12f6f091ca846

SHA1
86bc35798810947e3a48f2218f6126b5acc84599

SHA256
4019551cb3264b30ccb8e59f2aa2715a5c79bc5cad40be8dd8e50ae96eeb2a6c

SHA512
cb9be9073e2885e4c2bae2b29e29a5d3615645bad8e717f7cc55d9669fd97a7f734905fd37bea205af1a96b4c393ebf900f2df605f5ce13d5ed378bbc8928ca5

Download Submit
/data/data/com.placepicturet/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.placepicturet/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
0621752a966ca20c4f3aa2c765f5fad9

SHA1
54d8096abd06bc8cb7b976db32814ded26793831

SHA256
90ef886ab5e5f559e49172f47e851fae416d230df0ad2fabf188866a258f5e07

SHA512
fb94d3ef14ce59f2e31c1d1c19a304fb9732ce3e0e807a968f35a4b507092872eada0d7ab426e9bb6247c7c9d043031353280ae2ea42abd1ec86e4bdf65f431d

Download Submit
/data/data/com.placepicturet/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.placepicturet/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
d87b0a1e83438cba7908115deb25e02a

SHA1
fa2cc62d09a4a087916f2bac5b29e6871fddaa28

SHA256
7a4aa1d3e0a7f25c4933017f0cbe7c3823a10a8045aaac8b940bca2710fa885d

SHA512
d10444563df5d118a645954bdb6fc6d6c3a8aa5d24f71f07b677c4718b4e56e978c1277a78580ac73ec930adb3617c4f109e0a284edca5fc0488ca03b5bf3b1a

Download Submit
/data/data/com.placepicturet/no_backup/androidx.work.workdb-wal

Filesize
116KB

MD5
d43cdfcaa2e02c5150c1612ad2799628

SHA1
c2401153faa9a40cdae504eee60c60a4c0d5bd91

SHA256
ab3646fa1c7154d22ddbaf9f3e2e8c7b0b2662d45aa3ff91072ab7ae3d9b9a6d

SHA512
6f0d57a7aa930cba5654f855d96d28fd82b078d0949c342abe7d2d94cd4270d4cf8e9ab448adf1b454d2a2ed55976607e2fa8d12b0be0891fae8083ee40a1d6c

Download Submit
/data/data/com.placepicturet/no_backup/androidx.work.workdb-wal

Filesize
124KB

MD5
84ac816570cd7421bbd43f2ac32fa4ca

SHA1
65c709c0b336b03575c35d13ede22d3e2704e836

SHA256
39241dce256fbe9d5cfad2866436d2d760bc0bb6313cacf78cb7d30258a617d2

SHA512
b057b0b3175b7dc4e8119c5aafb853f89c3c8f1f230eb0077572f0683975de42d26b387cdc579b6d4a8948da0a5edefc260a86e598e1a2f94ac29ddab29dc59a

Download Submit
/data/data/com.placepicturet/no_backup/androidx.work.workdb-wal

Filesize
177KB

MD5
2100ed36772f9d6edb9caf2d03d6c5f4

SHA1
461181dbb30229641b4505dff492c2a0e3d462c2

SHA256
8e841b57c67771aacd397f3e8e0aeb4d3e0bfa2e9aac67b93fe0fd3054be842e

SHA512
f7b12ac7e1d51e8c39fca96c47a90b2a8463990e30c02311a8d510f6881cc31d23ade149375a9aa0fbdc8108612c76fc216a58ac0ced4799061331bb53da0d95

Download Submit
/data/misc/profiles/cur/0/com.placepicturet/primary.prof

Filesize
110B

MD5
5ece4ffb44927bb355b264151f421563

SHA1
4f5ff5da7394f9fafe7fdaee5efbf98fa2a2ad07

SHA256
f01bdb8b34fde6be8c9df3148d33a02594c0ed624e0d5b5bb107e8f955a16c90

SHA512
a37fa0a1a4d4ae2c85ba855650bc64008ad5ff8426474125d9dbb12a6f2be2e6ecdd5b512d2cc133db85d7c55b81c0df9559f87dbfd32ff052f6101bdafaec4c

Download Submit
/data/misc/profiles/cur/0/com.placepicturet/primary.prof

Filesize
121B

MD5
cc9ed72a047d56c6e7ca44e1c1376aad

SHA1
9ea24519da87da45b8761cc1ffa9c5fa2254103e

SHA256
91f284054e824b4fcc4e4d46a0249ab14f3c1f2c1d1228a5601b50164656d76a

SHA512
32d1df61a38910e2e60b1d48682b21f8af9107c77f12b44389a78e024d0b4defa322aae534c102f212b58265e7dc7f678f7e914e79f99deb8d5d83339af0f863

Download Submit
/data/user/0/com.placepicturet/code_cache/secondary-dexes/1733004867818_classes.dex

Filesize
1.1MB

MD5
55946bde03adc68cf541139952fcb32a

SHA1
dd227c6689ac3ee8a61b4173f71e602f50b543b7

SHA256
33acc3111a4261b269681414d9e927a4b14fe313114d752aa8a5b92bf97a6a1d

SHA512
ea38ed95b6a1c30b347be213ab7d193b0fb762e4589d7a3aa26dc1443d0682b2744a18b3549ecff6faaeb85250bed1a8094a918b38effdc6d2fb0dbbe08c1a40

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads