octo | 1b21d4464fe4a48f9b8a6d3958dc85812d09dcb0d28ac8b6279c1f366f2f942b | Triage

Analysis

max time kernel
148s
max time network
152s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
30-11-2024 22:02

Sharing

Report Analysis Logs

General

Target

1b21d4464fe4a48f9b8a6d3958dc85812d09dcb0d28ac8b6279c1f366f2f942b.apk
Size

1.5MB
MD5

21ccbc2d3c7dcce9edf2b8f63bff9708
SHA1

42e1b16f4fc5eb6530ff1adb81bb7673b488f25a
SHA256

1b21d4464fe4a48f9b8a6d3958dc85812d09dcb0d28ac8b6279c1f366f2f942b
SHA512

af42b7d84aad3d7d5f3e10b23627a3caa2ddbcab1e37eb46537127717bacebff13a5c474b9d27ab7ee1c28ea30cbcf8bcd52d6b0e388e95df26d8f1c840aa6b3
SSDEEP

24576:0AyCI5J4gHFTOigURga81+N+du26nEl4MJ00Y8NQouM6cXwoxpEZELKiN0cjt8M7:RyCKJ4gZMUov1qw5Y2ZuOfFLKia4t8o

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

C2

https://hizliveguvenilirshop.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92146d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92156d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://994b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c459d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64535326c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

rc4.plain

Extracted

Family

octo

C2

https://hizliveguvenilirshop.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92146d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92156d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://994b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c459d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64535326c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

Download New Code at Runtime

ioc	pid	Process
/data/user/0/com.centership3/cache/fhqmoqpwmcznex	4469	com.centership3

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

Screen Capture

Keylogging

GUI Input Capture

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.centership3
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.centership3

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.centership3

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.centership3

Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

Application may abuse the accessibility service to prevent their removal.

Prevent Application Removal

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.centership3
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.centership3
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.centership3
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.centership3
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.centership3
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.centership3

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

System Network Configuration Discovery

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.centership3

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.centership3

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

User Evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.centership3

Requests modifying system settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.centership3

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Data Encrypted for Impact

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.centership3

com.centership3
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
PID:4469

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Foreground Persistence

Hide Artifacts

User Evasion

Impair Defenses

Prevent Application Removal

Input Injection

Credential Access

Access Notifications

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

System Network Configuration Discovery

Lateral Movement

Collection

Access Notifications

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.centership3/cache/fhqmoqpwmcznex

Filesize
1.4MB

MD5
2fe7ccb2a01f44f1dfb075d3c8637137

SHA1
f2df5ea78fa89ff40e4e11a3c7d8b15c539a2f26

SHA256
d588a91d7c12f2ba609a089eb930b497826901e7c776cc95f415fa7abf1ca7ca

SHA512
3cb128719669cb9c982b84a9076c7ccc3e5f512001f268c445f720ebff0acfa4336391146cc4e2421b4df621c8390459c99bbabdb475da31daa80e396ae0aca8

Download Submit
/data/data/com.centership3/cache/oat/fhqmoqpwmcznex.cur.prof

Filesize
406B

MD5
0f746d60c0f32833004aad79d6958c55

SHA1
de73048589247ac746dd3cfd5c6a1c2a9c5ac0ef

SHA256
7402668cf5a517cd3bd93b1ca115cdccdfa5440fac4b7aa5f34a53b783fdc153

SHA512
46163c16cc540cd080829c4259be4df2d2418b7001f11563f82e6e4008d9d55042124506f639dcaa122f76a30ef6627fbbb82d9e4b921251cd79203a7206cc66

Download Submit