octo | 5610bfeab76710ba02decfb28e7685fd7ab02b48b78ae63548c387f63288d036

Analysis

max time kernel
149s
max time network
157s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
submitted
01-12-2024 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5610bfeab76710ba02decfb28e7685fd7ab02b48b78ae63548c387f63288d036.apk
Size

8.5MB
MD5

368d70d254f488bafb87fa4293fc048a
SHA1

4764d5e82a267047f11a1d1d8cdd8084546fc035
SHA256

5610bfeab76710ba02decfb28e7685fd7ab02b48b78ae63548c387f63288d036
SHA512

6b1b4123c6850690ba129c18192decd6e19879f29079390701a395cd78d25b051243fb1347da1c0150451214df8e0ca3c678c9094c77e9066ecdf51f41e5fd5b
SSDEEP

98304:imISrQZbMhbULwKbTciYMoI57VKpN5iSRGLFEGfkk23y2j7uCY8XKP2R7oRsq+gy:hSiIxU3rBGfk1Lj7f4k7oRSv

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://156350786312d7feba2b1c9b7577097b.com

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/memory/4339-1.dex	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.talkbackdevice_notoserif63/app_noodle/KHY.json	4339	com.talkbackdevice_notoserif63
/data/user/0/com.talkbackdevice_notoserif63/[email protected]	4339	com.talkbackdevice_notoserif63

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.talkbackdevice_notoserif63
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.talkbackdevice_notoserif63

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.talkbackdevice_notoserif63

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.talkbackdevice_notoserif63

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.talkbackdevice_notoserif63

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.talkbackdevice_notoserif63

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.talkbackdevice_notoserif63

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.talkbackdevice_notoserif63

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.talkbackdevice_notoserif63

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.talkbackdevice_notoserif63

com.talkbackdevice_notoserif63
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4339

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.talkbackdevice_notoserif63/.global.com.talkbackdevice_notoserif63

Filesize
48B

MD5
046a414913add6f5bb60072c7db819b6

SHA1
451ee4f6809260aec622d772fd329c7d0297a842

SHA256
b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

SHA512
4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Download Submit
/data/data/com.talkbackdevice_notoserif63/app_noodle/KHY.json

Filesize
1016B

MD5
cf6cd4baded500807f5a4bce850541f6

SHA1
db8cec882db42eb40f32c2216c2a402072e3a732

SHA256
abe152bda9a3af754d1ac8e8cfae039eaa570f2e1df3eb6111e1bbe3871db96f

SHA512
d571081b0da41feb11d7a67a12a70f66d834217ca724d79693282a4df8173cd1f41f713b1a9c2dfac5f9b095492475df09f1b4c845e91bf467a86871d40562c6

Download Submit
/data/data/com.talkbackdevice_notoserif63/app_noodle/KHY.json

Filesize
1016B

MD5
cac895956d729fedb0a999b39a56a256

SHA1
5ffa9e242abb55d2bc10cfd6ee5acba53fd22349

SHA256
5a55166c945791ed9d91df100df006a2585af1e0a07ce4d036159d3e299ccd42

SHA512
9770c47221523866c935bec3dce85047ce7e1b71bae9eb44b26bd5285425ff1924881a5e22706f6e1df7211904b826747cb5a2b461b7b45b26ac8b2f95ec9802

Download Submit
/data/data/com.talkbackdevice_notoserif63/files/.s

Filesize
322KB

MD5
77dc50489b9323274732d27dc8a4e803

SHA1
0e02a3595b62489d0739d771881da8604d117c65

SHA256
c5684e792d1ebefea6aac09fed45911703fd58c899f8a08133d49dd91429a820

SHA512
0684a92f3e9c525384cfa53f531afba61e5930e1c27032a7e27e3315f72761b62e122dc34768d8162ba08f9bed53d148aa8dc034b46456bdd211f230637eba58

Download Submit
/data/data/com.talkbackdevice_notoserif63/oat/x86_64/[email protected]

Filesize
13KB

MD5
7c683e3f72bb9e18a6cc3adc3f4977b3

SHA1
041218a8374f9a29ad6416c8d86b67f56fb04b87

SHA256
35e77f51a96b8bdde6f0d819f893af15d7f28bf6ce2068173c51019647eadf01

SHA512
a2987940cedf2f07e50814b04fa9d83c5a04fc9833829143691a52ac237a145259d02f27e196257558e26ceb453ebd4b1d561955cf3ee7faf46a94f819ecdc23

Download Submit
/data/user/0/com.talkbackdevice_notoserif63/[email protected]

Filesize
526KB

MD5
6d5cd37303f2c882308086e123a50d3e

SHA1
dd68843844ee0d4f8e36529fdb3b0d067855f35d

SHA256
ddd51bad8d4fb58fac172f65faefd66cb8689be7f1e089ed97dbbf6a34b61897

SHA512
85058b5d52f89ee428431937a1e3c6a7c29b08f913f7d8ec13f91ee4c836f65598489ce7b5c5b9ef96582728e0a45182df48f3a83ca14b68c379c56e244db5ff

Download Submit
/data/user/0/com.talkbackdevice_notoserif63/app_noodle/KHY.json

Filesize
1KB

MD5
32a44094c17929eca19ee695cc69cd39

SHA1
b184edaedb1f495e45ab71e5bb31e18210a25bfc

SHA256
5e8a62447c62ad5acc757e3a5850c6005b3ed59a384241d2052356c8721b20a7

SHA512
c425cbcdb52eb3ce8a33f78af14e59692e9f4f0e09f0f7359821c1470020eee8715477d68b6b307eda83c345df2cb5f4df77212ae06a458056c19077decae538

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads