octo | c4dd3278326252d54aa710f0240536bc663ba98a6cc16633fd6b2438fc308cdb | Triage

Analysis

max time kernel
149s
max time network
151s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
30-11-2024 22:01

Sharing

Report Analysis Logs

General

Target

c4dd3278326252d54aa710f0240536bc663ba98a6cc16633fd6b2438fc308cdb.apk
Size

1.6MB
MD5

ac02a7b77faf94a23ab88d096e7c85bf
SHA1

c910a8f79ff91afd42fe77a949dd871c6be56efd
SHA256

c4dd3278326252d54aa710f0240536bc663ba98a6cc16633fd6b2438fc308cdb
SHA512

3161cc96eb8206a07547b5053b5e14d72cda48a00b40624bfbd917c69d04969c324d80394c4aba9c6d15179cd2ee1ce7f769ec99f2a7d25672ce3a5e69a46bc9
SSDEEP

49152:56ivppBK5RCO6SGR1ogvki0qpyBTOeDm9opHDFG+IKkbm:To5UO6X0qqZ6Ih/2m

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

C2

https://hizliveguvenilirshop.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92146d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92156d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://994b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c459d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64535326c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

rc4.plain

Extracted

Family

octo

C2

https://hizliveguvenilirshop.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92146d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92156d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://994b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c459d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64535326c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

pid	Process
4277	com.groupbothphtv

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

Download New Code at Runtime

ioc	pid	Process
/data/user/0/com.groupbothphtv/cache/hqflot	4277	com.groupbothphtv
/data/user/0/com.groupbothphtv/cache/hqflot	4277	com.groupbothphtv

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

Screen Capture

Keylogging

GUI Input Capture

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.groupbothphtv
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.groupbothphtv

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.groupbothphtv

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.groupbothphtv

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

Prevent Application Removal

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.groupbothphtv
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.groupbothphtv
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.groupbothphtv
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.groupbothphtv

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

System Network Configuration Discovery

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.groupbothphtv

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.groupbothphtv

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

User Evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.groupbothphtv

Requests modifying system settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.groupbothphtv

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

Broadcast Receivers

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.groupbothphtv

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Data Encrypted for Impact

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.groupbothphtv

Checks CPU information 2 TTPs 1 IoCs

System Checks

System Information Discovery

description	ioc	Process
File opened for read	/proc/cpuinfo	com.groupbothphtv

Checks memory information 2 TTPs 1 IoCs

System Checks

System Information Discovery

description	ioc	Process
File opened for read	/proc/meminfo	com.groupbothphtv

com.groupbothphtv
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4277

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Foreground Persistence

Hide Artifacts

Suppress Application Icon

User Evasion

Impair Defenses

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

System Checks

Credential Access

Access Notifications

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

System Information Discovery

System Network Configuration Discovery

Lateral Movement

Collection

Access Notifications

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.groupbothphtv/cache/hqflot

Filesize
1.4MB

MD5
4c80a3ff947ba5fba7344ac1ef67b221

SHA1
6f60954292e5bfaec6d697079eeae8efbfecdcbc

SHA256
b9796c429a062b03e74acd62b615f35ddbac006e7bc25c7af7c7bff89456c395

SHA512
6518e25d57d22e542f970edd5b583f2bd281fb1adcd690e45e4692adb65bf78aa48c4dbdd7cb38c3ae5a67cae8bef88179db3fc5c8db97231802a766349eef9d

Download Submit
/data/data/com.groupbothphtv/cache/oat/hqflot.cur.prof

Filesize
478B

MD5
072ab50bb4e66fb31cbf679b5332e7fc

SHA1
c67c6f1080c25c61f3c012a5792e6576142a3e20

SHA256
7975d395e4cc04e69eb1f26691a5fe494d009348270c2d0c4de1d5f97e3c7adc

SHA512
d1a8aaa6d3d902044a185cc77ed9c1d46ebe593e091d9e7688b3386aaf70f7795c537ab903887d94551a5ff00b1ab54750da29c535876721bbfbfc4613474baf

Download Submit
/data/data/com.groupbothphtv/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.groupbothphtv/kl.txt

Filesize
237B

MD5
5e00fe0cc4b5def30d68f74c34466967

SHA1
a0df972b8a58eac83bc61e1ce06072af8d992993

SHA256
56df42a25868ef19015226585270cce4a0eb70dd7ce7b98cb3d02e1095f26457

SHA512
dea83ee9cc91c65e24e5dbefeacacaec922311fd6b18741f1c6b0d04a17d8e40609b50bb8a1fd76f72cf0fe2f8a9d98d1349f44c22ec4d55fd95c826642ad975

Download Submit
/data/data/com.groupbothphtv/kl.txt

Filesize
54B

MD5
98743e5931fe4d529e1a0b9f0ff595e8

SHA1
b09a205ec649af3ddadf5c4077096a553d2154e3

SHA256
985b0115ae72e3d00f22b30bd7b3e1152d99d34066658bee46df4c2248c92e6a

SHA512
650517d270e49f7697cede052172ec4a76810124bee9e345a8557294e2cc72ccdae7820ae44ba6fad3d2e090f00d5d77edf78a151244aa9ae6d3f5fc77474cf4

Download Submit
/data/data/com.groupbothphtv/kl.txt

Filesize
63B

MD5
f9dd308332e2021b0f1698c9213e153e

SHA1
69d56d487d4df235f5b52c7cb3c7808d6c750e9f

SHA256
3ba9d131551ed3625f12904925492e2c768adbbd049bef1f3e08639130b56349

SHA512
22adf206c744c4775aa7c12afb2180f65adb2718def611679f911deeda4dcc95040854f3fed33d70203b065e2effe60bcc1dd5b87f4a2b2e6efa8a28f44190b7

Download Submit
/data/data/com.groupbothphtv/kl.txt

Filesize
437B

MD5
5d761c2bc8ac036fc64c5cf801d57950

SHA1
3f1fa2f6bbb4c4c9b444c1ffbdd8a0416b35dbec

SHA256
17c04a6439d29786a53d4a79cca1c43e116b512d241677661b3e76dc8afb9138

SHA512
c08259601ad29e0ce6d700efec76d3d83d9ac13effa853eb6dc0d1c11fcf3bd9547831d2137b18e03e5a08642b7e1eaad851b163a86d824c55327274f73a820c

Download Submit