octo | 949306a9e24af54bab67334e90c3f8abd6febc73d00bc812f0fc2c76c99da3aa | Triage

Analysis

max time kernel
149s
max time network
150s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
30-11-2024 22:02

Sharing

Report Analysis Logs

General

Target

949306a9e24af54bab67334e90c3f8abd6febc73d00bc812f0fc2c76c99da3aa.apk
Size

1.6MB
MD5

641de72489f98ba5436db2502516cab2
SHA1

e171bcc73ca0cf50ed4730ec03bb333eda1ed846
SHA256

949306a9e24af54bab67334e90c3f8abd6febc73d00bc812f0fc2c76c99da3aa
SHA512

e461e58f905b6540c0a3289736f9ea1121ce007a0ded2c3121070276857271cb02719d5332cf33d369605d75fffc060cfbcdb9b80e9b02625284bb5b52579915
SSDEEP

49152:/0Ij6L9s1LjZZAW05iJCkFlnVUEdGoJtij7BE:V2s1Hg3i1l5tiju

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

C2

https://hizliveguvenilirshop.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92146d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92156d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://994b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c459d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64535326c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

rc4.plain

Extracted

Family

octo

C2

https://hizliveguvenilirshop.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92146d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92156d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://994b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c459d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64535326c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

pid	Process
4311	com.sideworkv

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

Download New Code at Runtime

ioc	pid	Process
/data/user/0/com.sideworkv/cache/ilapynjrmqww	4311	com.sideworkv
/data/user/0/com.sideworkv/cache/ilapynjrmqww	4311	com.sideworkv

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

Screen Capture

Keylogging

GUI Input Capture

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.sideworkv
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.sideworkv

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.sideworkv

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.sideworkv

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

Prevent Application Removal

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.sideworkv
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.sideworkv
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.sideworkv
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.sideworkv

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

System Network Configuration Discovery

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.sideworkv

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.sideworkv

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

User Evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.sideworkv

Requests modifying system settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.sideworkv

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

Broadcast Receivers

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.sideworkv

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Data Encrypted for Impact

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.sideworkv

Checks CPU information 2 TTPs 1 IoCs

System Checks

System Information Discovery

description	ioc	Process
File opened for read	/proc/cpuinfo	com.sideworkv

Checks memory information 2 TTPs 1 IoCs

System Checks

System Information Discovery

description	ioc	Process
File opened for read	/proc/meminfo	com.sideworkv

com.sideworkv
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4311

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

Broadcast Receivers

Foreground Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Foreground Persistence

Hide Artifacts

Suppress Application Icon

User Evasion

Impair Defenses

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

System Checks

Credential Access

Access Notifications

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

System Information Discovery

System Network Configuration Discovery

Lateral Movement

Collection

Access Notifications

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.sideworkv/cache/ilapynjrmqww

Filesize
1.4MB

MD5
afd0cf734d51375ba598adf66741aa75

SHA1
958bf1a72d7e42d3e93cbbe96f8123142733a8b0

SHA256
85ae5bc62b94c75df6691d263a8172c2dbf14f2e8907c19eb62096d392b7145f

SHA512
53d30c01c61e968eae7228cfb039d615b21b4c0f0c7661e094ebd7ff40faad68aa9b82ad0c4af91a79079344114be8bc94c0df10d41da005d892e2f166bcd075

Download Submit
/data/data/com.sideworkv/cache/oat/ilapynjrmqww.cur.prof

Filesize
489B

MD5
b152a6776946520face423161a34a4ed

SHA1
4e77a776395cb16ec1970b7ae5e5143f0d31f313

SHA256
812b3e51cdf7422d0c2ca4b537076f8eff15c2d1fc1a59b942bcf26245c1b7d4

SHA512
12133ea7a2cd53b9732a8a38f96657ef6937436945e1402794b8b19145d78446a3678cb50677728b0b972c28ca77bcab3c57949c82890e492088e8fe68c7f4f1

Download Submit
/data/data/com.sideworkv/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.sideworkv/kl.txt

Filesize
237B

MD5
cc69418aa9a7494ea762f220f3de7d5e

SHA1
78d2f8649f518e06cebaecbb5a4590fb8cbc3103

SHA256
e03c35b55ba0fb2c5b126ba767ce2e5ddcd42425e54f4483de1a26e098c6b5c9

SHA512
68aa89745d98857cfff93d1d95b879fa26a455edaa85edb6838ccd10afbda8741785b10b2f5b449fabe20cd2a1a63a4481675046dd92e052cb3524900d327523

Download Submit
/data/data/com.sideworkv/kl.txt

Filesize
54B

MD5
64ddf336661076230cddf9ae8c9ec8df

SHA1
813180ac489d2c60f366d614d99be43a87a05d71

SHA256
79f1682e633210bebddfd076b4a58d37e15c47ae93a4f527475a47c250b78063

SHA512
273cffc4658745bbca62e9cfb4a8c9debb18a1d02f563ad29942a0284a1998a97a6a4007012eb7baca0854e7458fffa5bf719504f6589aa923696453defeb2fa

Download Submit
/data/data/com.sideworkv/kl.txt

Filesize
63B

MD5
309d7d5e9cea542c1d9cdf24f749ca1e

SHA1
eb0a47ae418441e341539ce375002fef8554ab1a

SHA256
33fa16955931026478616c1201feaf00af62629a70d6e1938ed07448171dbfaa

SHA512
96e518c6ad1de27fe4379d8630ee6b04d60e15fe8ee6c378b7ee960560a6e3562f7bbc1968fcf9ca60c055110a4babd1b33234c00e0251de6869d347a080dd58

Download Submit
/data/data/com.sideworkv/kl.txt

Filesize
437B

MD5
cdf619f01b80c597fab7db2ba0f8c605

SHA1
53da2fdb41287adb9ab60ad616a5b955daf15d30

SHA256
90895f7e94ed7c0361499f6eb4a7b925e3f632e7ca8394891ed096be5517a5b4

SHA512
6f61edca1342e9457e88a1ea39e1e9d2400276e22190d23c5b79770fb990ac9895a90b3dfce711898d5879060868603d6e0043b610f988fe7189af6baac044a5

Download Submit