octo | bed1d48ee44fcb2a3cda906b19205105a24d311b979932529807b6ab0985d2d3

Analysis

max time kernel
149s
max time network
150s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
02-12-2024 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bed1d48ee44fcb2a3cda906b19205105a24d311b979932529807b6ab0985d2d3.apk
Size

577KB
MD5

7bd0620af2442abf88d1b86ce3a13d53
SHA1

ed59f857630d2e419741cd018c8083bf1e5b01a3
SHA256

bed1d48ee44fcb2a3cda906b19205105a24d311b979932529807b6ab0985d2d3
SHA512

4649bc5c1e081903283f369f62215ef8f9159da60f1709744189bb4ea310bf3fe4268b4f233ce74cc078a19616d11d9abe5731a5bbb11c77701a8a853a80ea3d
SSDEEP

12288:kQB9XcS0XtRsOtwnmlu4r2rnu1cYqG/Tg+zRlxOf+jo7+zkGs5mbxT:7yXTX6nxSFRl48WIbxT

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://85.209.11.84/YjcyMWYzZjc5OTUy/

https://32fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://33fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://34fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://35fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://36fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://37fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://38fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://39fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://41fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://42fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://43fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://44fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://45fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://46fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://47fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://48fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://49fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://50fdghhoo11.com/YjcyMWYzZjc5OTUy/

rc4.plain

Extracted

Family

octo

https://85.209.11.84/YjcyMWYzZjc5OTUy/

https://32fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://33fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://34fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://35fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://36fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://37fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://38fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://39fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://41fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://42fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://43fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://44fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://45fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://46fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://47fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://48fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://49fdghhoo11.com/YjcyMWYzZjc5OTUy/

https://50fdghhoo11.com/YjcyMWYzZjc5OTUy/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4311	com.underreach6

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.underreach6/cache/wtuurp	4311	com.underreach6
/data/user/0/com.underreach6/cache/wtuurp	4311	com.underreach6

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.underreach6
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.underreach6
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.underreach6

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.underreach6

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.underreach6

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.underreach6
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.underreach6
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.underreach6
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.underreach6

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.underreach6

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.underreach6

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.underreach6

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.underreach6

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.underreach6

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.underreach6

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.underreach6

com.underreach6
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4311

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.underreach6/cache/oat/wtuurp.cur.prof

Filesize
491B

MD5
aa4588db8490c62d1510b07c8f0e7666

SHA1
3656eddbe41338e62058bf677db54e94fde7ec27

SHA256
9d7a6974bf26125f9ab1d1bb65ec2d0a6fa41399fca7994db1aee88b2b3bf4b4

SHA512
e7be007f8b292b64228b23fd539e1ec227950b956d342c53d0ec5bc829485d730db349c20909f635bbaea8bf0ca91edf0407f7679c6ff736ac7f5700ad054b74

Download Submit
/data/data/com.underreach6/cache/wtuurp

Filesize
458KB

MD5
fb29e45060fd519515980d71abb713f9

SHA1
fac66d84b242f6bdcf814d23dfc29382fd52d51d

SHA256
8f54bc1fa06d2bdb5a15f91dbe8cff6a0481a70a027c5e5ea31fc9704a7a3997

SHA512
f860c9e605acdfcebb453b3e61efa3e40a5e08e5d15074e6f63e6496c08fc6547167cdb6b05092ca17553781de2ca6db37563fabff2f1dbed5104c66acb2e290

Download Submit
/data/data/com.underreach6/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.underreach6/kl.txt

Filesize
232B

MD5
56c1bbd26c64e40d478292987341bbed

SHA1
c3ec4692acd05b00635f28379a894230da98aab9

SHA256
0e165676194ba4e028ef5119e2c5fbcac32dc17d1f679f77bad36440a5ddd07c

SHA512
2f678f0d30921d513bc591b52dd77783f571193324e39f827234d8992e7379cf09d7bdec284c142d850fb698bb3a7b620a3751cf6555c05a79450449e3eb108d

Download Submit
/data/data/com.underreach6/kl.txt

Filesize
63B

MD5
86ac591cf71f8d16612adb2b5688c805

SHA1
b252d8833ede77b4c04b20e2f59897fce7b629e8

SHA256
ddbbc20596bf3bbf85405da43379d1ed29233a3032cd785757ce41365a95530a

SHA512
b3b0237d41c83f2df9767468e38f386c29e2bfd4e4beb07746f9fbb57c3a597ea40621d95cf368b97911b4e0bd3cb8ca2e980520af9455d095f2f839168cca53

Download Submit
/data/data/com.underreach6/kl.txt

Filesize
45B

MD5
1cc37727e145f4d351075da5920bfcdd

SHA1
37c2c270b3841e5eb5d4880d3cdbfdb5ad5c7a92

SHA256
9c3b907efcf8579daef5c0ebc395e58cbd159525389dffc2d9d2fb18b9d64f09

SHA512
312b72ed223f0fc7f35882edf7654e3fd692483eea13144c58527b5761538701895f7fcf06e2c87e584bbb578912319fc3cb1d068acfe9b8242c2b1de3cc1012

Download Submit
/data/data/com.underreach6/kl.txt

Filesize
427B

MD5
d747ada0f453d4c25207a8b9c1bb685d

SHA1
8ee6e59a478c5948053f1bdb08a1ee587fe367c1

SHA256
aede7db342a407570f2e6dde6055b720a13a8cb73e5d5eb77b3cba131e4cd7a6

SHA512
6aab6e90cc63286d816ba2c27638855ccef3514819cee7413f2db14b544e6a77b8fc55c02b655e4cafc187408afd6a6875f694ac502a1353c5c5d324b357ed3e

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads