octo | c4dd3278326252d54aa710f0240536bc663ba98a6cc16633fd6b2438fc308cdb | Triage

Analysis

max time kernel
148s
max time network
145s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
30-11-2024 22:01

Sharing

Report Analysis Logs

General

Target

c4dd3278326252d54aa710f0240536bc663ba98a6cc16633fd6b2438fc308cdb.apk
Size

1.6MB
MD5

ac02a7b77faf94a23ab88d096e7c85bf
SHA1

c910a8f79ff91afd42fe77a949dd871c6be56efd
SHA256

c4dd3278326252d54aa710f0240536bc663ba98a6cc16633fd6b2438fc308cdb
SHA512

3161cc96eb8206a07547b5053b5e14d72cda48a00b40624bfbd917c69d04969c324d80394c4aba9c6d15179cd2ee1ce7f769ec99f2a7d25672ce3a5e69a46bc9
SSDEEP

49152:56ivppBK5RCO6SGR1ogvki0qpyBTOeDm9opHDFG+IKkbm:To5UO6X0qqZ6Ih/2m

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

C2

https://hizliveguvenilirshop.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92146d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92156d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://994b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c459d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64535326c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

rc4.plain

Extracted

Family

octo

C2

https://hizliveguvenilirshop.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92146d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92156d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://994b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c459d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64535326c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

Download New Code at Runtime

ioc	pid	Process
/data/user/0/com.groupbothphtv/cache/hqflot	4486	com.groupbothphtv
/data/user/0/com.groupbothphtv/cache/hqflot	4486	com.groupbothphtv

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

Screen Capture

Keylogging

GUI Input Capture

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.groupbothphtv
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.groupbothphtv

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

Transmitted Data Manipulation

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.groupbothphtv

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.groupbothphtv

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.groupbothphtv

Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

Application may abuse the accessibility service to prevent their removal.

Prevent Application Removal

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.groupbothphtv
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.groupbothphtv
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.groupbothphtv
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.groupbothphtv
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.groupbothphtv
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.groupbothphtv

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

System Network Configuration Discovery

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.groupbothphtv

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.groupbothphtv

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

User Evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.groupbothphtv

Requests modifying system settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.groupbothphtv

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Data Encrypted for Impact

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.groupbothphtv

Checks CPU information 2 TTPs 1 IoCs

System Checks

System Information Discovery

description	ioc	Process
File opened for read	/proc/cpuinfo	com.groupbothphtv

Checks memory information 2 TTPs 1 IoCs

System Checks

System Information Discovery

description	ioc	Process
File opened for read	/proc/meminfo	com.groupbothphtv

com.groupbothphtv
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4486

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Foreground Persistence

Hide Artifacts

User Evasion

Impair Defenses

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

System Checks

Credential Access

Access Notifications

Clipboard Data

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

System Information Discovery

System Network Configuration Discovery

Lateral Movement

Collection

Access Notifications

Clipboard Data

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

Data Manipulation

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.groupbothphtv/cache/hqflot

Filesize
1.4MB

MD5
4c80a3ff947ba5fba7344ac1ef67b221

SHA1
6f60954292e5bfaec6d697079eeae8efbfecdcbc

SHA256
b9796c429a062b03e74acd62b615f35ddbac006e7bc25c7af7c7bff89456c395

SHA512
6518e25d57d22e542f970edd5b583f2bd281fb1adcd690e45e4692adb65bf78aa48c4dbdd7cb38c3ae5a67cae8bef88179db3fc5c8db97231802a766349eef9d

Download Submit
/data/data/com.groupbothphtv/cache/oat/hqflot.cur.prof

Filesize
370B

MD5
df64c60b85463b8e5f4d5119cfde481d

SHA1
52727bd58525a86b3704c8bb39fd5341b5d5bb1d

SHA256
bf1467a58fd847331c9459b997a6c78cc7891c4bd23defc77bb251f9e4d8f46e

SHA512
f0ee56e72dfdba0cdbdc8fea7514fe6d54e7c9196609d2387222ad922e947191cd931f0181b36fa2ea0bbdb1b40e93062c0290a9f6e901024b5b9727e4874ee5

Download Submit
/data/data/com.groupbothphtv/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.groupbothphtv/kl.txt

Filesize
237B

MD5
92d1fbcf43910f6a6c4a0f805c488068

SHA1
862c472e40b30b2a16168a803bd22a6f575e793b

SHA256
cb6eb30e82fba18b3cf72d750ffb17098f8ceaaaa2b53a610ac2249455d3fe8e

SHA512
c8915f7983a310f2d8e94e672143bd8b41c2f4a4300bfd1aa4f86a7e2ff87dcf4076d6eeff378bb039f04a77fb1e4876fe3238ce5125f85a3a6088f32597f1bc

Download Submit
/data/data/com.groupbothphtv/kl.txt

Filesize
45B

MD5
bc1829f94e7f60f596969cadd0090b36

SHA1
1f11c9284ec624be528b90c6d9849d43bc0bfb35

SHA256
80da7fe1e4e39a293d4e662efdc123a00894e31f5d4b3c2e21d9b4935184b8db

SHA512
adb61afd6a6f216924dd28a6d10e7a7d0997b14c04a0066b357af7095aadfdd026749d22a470d684c5708ac53ce3d4b3ddc37ff3f6e39a805a19d3f2765cf080

Download Submit
/data/data/com.groupbothphtv/kl.txt

Filesize
63B

MD5
ae5d30e1efbd9af33ae9daf263fd1085

SHA1
325b06e690eb5334857e564900288c01f5f9833b

SHA256
aee6ee783fcce54896811a6e8749521fd52bbe146bacf9cb597ec76c9f8f1088

SHA512
aa5dc346319f75bda4deb4d3b3893c53ad5d4a44ac620c1fa57bc26a2cc3bf9f203e9b32c0fbc38d3da29a6cd7904729c2ddee7de20d8d739a98fc6682f8ad37

Download Submit
/data/data/com.groupbothphtv/kl.txt

Filesize
480B

MD5
b159dca4374da8ad6f64662a4fa1da79

SHA1
ad3b7ae30317b183bd9173109c4d8ce0fa5f35e3

SHA256
b301c18c4ca96a0e017cea940b41c939ff2aeff1bba4a0866f002a88cdb69298

SHA512
d0e6f272345f1343202e87dff0ad0377f9f455ef61579cceb52bbbc04ff34d97c6257df83c077f2739ca2d4b35c74ecf6a7a26be22b2f11d6dce0702c2e8bfdc

Download Submit