octo | 949306a9e24af54bab67334e90c3f8abd6febc73d00bc812f0fc2c76c99da3aa | Triage

Analysis

max time kernel
149s
max time network
150s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
30-11-2024 22:02

Sharing

Report Analysis Logs

General

Target

949306a9e24af54bab67334e90c3f8abd6febc73d00bc812f0fc2c76c99da3aa.apk
Size

1.6MB
MD5

641de72489f98ba5436db2502516cab2
SHA1

e171bcc73ca0cf50ed4730ec03bb333eda1ed846
SHA256

949306a9e24af54bab67334e90c3f8abd6febc73d00bc812f0fc2c76c99da3aa
SHA512

e461e58f905b6540c0a3289736f9ea1121ce007a0ded2c3121070276857271cb02719d5332cf33d369605d75fffc060cfbcdb9b80e9b02625284bb5b52579915
SSDEEP

49152:/0Ij6L9s1LjZZAW05iJCkFlnVUEdGoJtij7BE:V2s1Hg3i1l5tiju

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

C2

https://hizliveguvenilirshop.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92146d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92156d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://994b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c459d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64535326c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

rc4.plain

Extracted

Family

octo

C2

https://hizliveguvenilirshop.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92146d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92156d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://994b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c459d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64535326c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

Download New Code at Runtime

ioc	pid	Process
/data/user/0/com.sideworkv/cache/ilapynjrmqww	4499	com.sideworkv

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

Screen Capture

Keylogging

GUI Input Capture

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.sideworkv
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.sideworkv

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

Transmitted Data Manipulation

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.sideworkv

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.sideworkv

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.sideworkv

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

Prevent Application Removal

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.sideworkv
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.sideworkv
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.sideworkv
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.sideworkv

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

System Network Configuration Discovery

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.sideworkv

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.sideworkv

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

User Evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.sideworkv

Requests modifying system settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.sideworkv

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Data Encrypted for Impact

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.sideworkv

Checks CPU information 2 TTPs 1 IoCs

System Checks

System Information Discovery

description	ioc	Process
File opened for read	/proc/cpuinfo	com.sideworkv

Checks memory information 2 TTPs 1 IoCs

System Checks

System Information Discovery

description	ioc	Process
File opened for read	/proc/meminfo	com.sideworkv

com.sideworkv
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4499

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

Foreground Persistence

Hide Artifacts

User Evasion

Impair Defenses

Prevent Application Removal

Input Injection

Virtualization/Sandbox Evasion

System Checks

Credential Access

Access Notifications

Clipboard Data

Input Capture

GUI Input Capture

Keylogging

Discovery

Software Discovery

Security Software Discovery

System Information Discovery

System Network Configuration Discovery

Lateral Movement

Collection

Access Notifications

Clipboard Data

Input Capture

GUI Input Capture

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

Data Manipulation

Transmitted Data Manipulation

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.sideworkv/cache/ilapynjrmqww

Filesize
1.4MB

MD5
afd0cf734d51375ba598adf66741aa75

SHA1
958bf1a72d7e42d3e93cbbe96f8123142733a8b0

SHA256
85ae5bc62b94c75df6691d263a8172c2dbf14f2e8907c19eb62096d392b7145f

SHA512
53d30c01c61e968eae7228cfb039d615b21b4c0f0c7661e094ebd7ff40faad68aa9b82ad0c4af91a79079344114be8bc94c0df10d41da005d892e2f166bcd075

Download Submit
/data/data/com.sideworkv/cache/oat/ilapynjrmqww.cur.prof

Filesize
430B

MD5
d51d18f11bb3a0c61454648ea4552415

SHA1
3c2db2fc25dee1fe42122c72d78b6218053965b1

SHA256
114f9552c69cc1865f3eb50869a41c1487bfbaf786326676d7904e9efebc5b5c

SHA512
5ed08603e1deb1c3d8ee4b50ccbb8717d741081d736397fda88fedd4726f69fed9f7952eb8e1ca6720112c367507e2c44178fdfd2a4cc1799711a04c7a74c354

Download Submit
/data/data/com.sideworkv/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.sideworkv/kl.txt

Filesize
221B

MD5
2745a70e961832e1b9bda998176adf96

SHA1
43af3988f0b94fe42f35c5207d7019430adc262a

SHA256
122152e07206cfee3a69d4508772f452befea39056538291da84f5ee3fa0b43e

SHA512
710521d8108ae4463e0b8485523cad302a8522796f6e4fb7b69d259464d27b2297d3eed835599ddeb061e0d3f05b3e332527decc24e5c09560469e716766d2a3

Download Submit
/data/data/com.sideworkv/kl.txt

Filesize
61B

MD5
e258396b16a71e403314c432aebc546c

SHA1
45e91755291afcb5373f5aa96e5d859b370912ff

SHA256
7bcfb4009c57e9f029d6263e97ea1882bda80682c33a6e4aaebcb8cdab97c480

SHA512
5d7f3e9837b4f641dd09f2c0e539a892ecb704bb1957d461342eb648a170f26dfefc6306f5884567c0763c4530477e2161a824bbae260d9854fee752e0ac1359

Download Submit
/data/data/com.sideworkv/kl.txt

Filesize
60B

MD5
82962198bc80cdf1a4d4ffdbfcf1d712

SHA1
609299a9b92c79bc25c1576656f93e562de572de

SHA256
df06701a9f98b63e68b519b403182c48dbd4351dbfe2c1ce101527d305ce8865

SHA512
1a60b21f0be6d3c55846146854beadd6c69141114d6714a5f8425ac72df6f89200121b506348471d51cc322027d46a42d2a4f4e9335d9d4dfbde0a776a3bbb61

Download Submit
/data/data/com.sideworkv/kl.txt

Filesize
504B

MD5
a5595a9deeb1bbaaf704b1e58c7ef258

SHA1
0aa88259808f87a01ec2707a0995d1a7c48610ea

SHA256
6b7dce0a0c6a91465504b21908953a8880c2ef6a148c262a2722dcefacfe26bd

SHA512
a1effebd51d414196cfd3a9a1f4adc9bfb6cc8fc0339e260247e4991bc471fb07ec7c8ace55a507ef59aa08768b73fa14d3848ef90b221836514fa89ec1003e9

Download Submit