octo | b35d0e986be46ef9965a7b05480caa4a70f696a187f56abde79509d7e7d5d616

Analysis

max time kernel
66s
max time network
139s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
04-12-2024 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b35d0e986be46ef9965a7b05480caa4a70f696a187f56abde79509d7e7d5d616.apk
Size

537KB
MD5

27fa6c80389845fcc4b1fd4e49b41e6b
SHA1

76a2ff1fb35522dd13da0b221b1516c011992633
SHA256

b35d0e986be46ef9965a7b05480caa4a70f696a187f56abde79509d7e7d5d616
SHA512

8d770ae2e1a284fd10c06363f1067d213fd0b02e729eae1a76360b90285d8cb9556ee9cbfebdd5b548691f7172dabaddc1346b6362e4953f4fab8cdf6d2156cc
SSDEEP

12288:P2gBi2LExgmhgGaZjf7JaRdmXyVgqQpmYwZ1W6AvOH2LaMPG:P2gBiPzpa5tJiqmyFRLm

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://24fdghhoo1.top/doc/

https://25fdghhoo1.top/doc/

https://26fdghhoo1.top/doc/

https://27fdghhoo1.top/doc/

https://28fdghhoo1.top/doc/

https://29fdghhoo1.top/doc/

https://210fdghhoo1.top/doc/

https://211fdghhoo1.top/doc/

https://122fdghhoo1.top/doc/

https://123fdghhoo1.top/doc/

https://124fdghhoo1.top/doc/

https://125fdghhoo1.top/doc/

https://126fdghhoo1.top/doc/

https://127fdghhoo1.top/doc/

https://128fdghhoo1.top/doc/

https://129fdghhoo1.top/doc/

https://220fdghhoo1.top/doc/

https://234fdghhoo1.top/doc/

https://235fdghhoo1.top/doc/

https://236fdghhoo1.top/doc/

rc4.plain

Extracted

Family

octo

https://24fdghhoo1.top/doc/

https://25fdghhoo1.top/doc/

https://26fdghhoo1.top/doc/

https://27fdghhoo1.top/doc/

https://28fdghhoo1.top/doc/

https://29fdghhoo1.top/doc/

https://210fdghhoo1.top/doc/

https://211fdghhoo1.top/doc/

https://122fdghhoo1.top/doc/

https://123fdghhoo1.top/doc/

https://124fdghhoo1.top/doc/

https://125fdghhoo1.top/doc/

https://126fdghhoo1.top/doc/

https://127fdghhoo1.top/doc/

https://128fdghhoo1.top/doc/

https://129fdghhoo1.top/doc/

https://220fdghhoo1.top/doc/

https://234fdghhoo1.top/doc/

https://235fdghhoo1.top/doc/

https://236fdghhoo1.top/doc/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.watchandlr/cache/vsuprmqfiebpsd	4966	com.watchandlr
/data/user/0/com.watchandlr/cache/vsuprmqfiebpsd	4966	com.watchandlr

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.watchandlr

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.watchandlr

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.watchandlr

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.watchandlr

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.watchandlr
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.watchandlr
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.watchandlr
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.watchandlr

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.watchandlr

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.watchandlr

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.watchandlr

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.watchandlr

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.watchandlr

com.watchandlr
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4966

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.watchandlr/cache/oat/vsuprmqfiebpsd.cur.prof

Filesize
501B

MD5
72b2f654ccdbd4698d8f2019fd700e9f

SHA1
cd6dea223a2f96e8386110f2ab53ebcf9813928b

SHA256
28963825b7f7af5e8f1ec8829397a112fff3c6891df26cf066f32dab2e1e0387

SHA512
0a8255bcfda46501809109dab8c202b7335c9e32dbb8da1f1b27c59bc9bc5578a26607685cafd7fcb82b19c543dccc39748e922a49a381c315a02d8499133ffd

Download Submit
/data/data/com.watchandlr/cache/vsuprmqfiebpsd

Filesize
446KB

MD5
ca588cd5d574d50a6beed1da7a37deb3

SHA1
b0d2a36248289e2377b41f0f5d0a9fe72ac207b7

SHA256
8d9176615356427e8b71def85af48e8cc59a7c15045060b3f8a182ab85cfd739

SHA512
cab4985b534c8cf06b39035723ceacd8ead995ec4c133c4dbabc6b4b813f317d4470cc90778b30e4668e7eda67f52a3f37ac3d605dc62cd14ce3de3186b493d4

Download Submit
/data/data/com.watchandlr/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.watchandlr/kl.txt

Filesize
69B

MD5
f3df4e65bb7bbdbf2e793f054974e989

SHA1
2beb786f9b2ad825d16daa42cf4ef01519db2a02

SHA256
655f2afd450883954c97440ac462b198c49c636a9e40113b69ececfa3df6468c

SHA512
499cd3dcda72af340f46efd798e63ff40e755ba4603e3574b9fcc0d7b0334fb75e15ee6d8aecc2242aba170afa27801fa07ee0e952661c46bacaaeca2cf10d80

Download Submit
/data/data/com.watchandlr/kl.txt

Filesize
247B

MD5
65ee669b6eee6c85d2f8ffb84c3d24a3

SHA1
8978042e57005264d66b5889e0b54b63dac24bb8

SHA256
06749714a1386518579bca0720864749b84678bce1017f1c08ff1743f577e1a6

SHA512
336590c817778f2fd63c84710fa8b97f299b4fcbe64fb3180589ca149cf8351ea65b7ba227e13be2c07404a0afa882c44363156d3ece448a8bd536c79f967d12

Download Submit
/data/data/com.watchandlr/kl.txt

Filesize
54B

MD5
10ed67ed3e18474200054bf1fb1214c5

SHA1
ccdf41bcef1b8d831e281589d062ddf637501748

SHA256
b9cf6dc0a8ed46050fdf0bdce62c98cff85059c93c451806b5143fbdc3820b10

SHA512
024a092255041a6b38d05c99fb2f189e39d37d0a54966780aee207ddb351bbf3a1e37c56a9b148e7c29b22c6d8fd9fef35e3286e3937c7d02100b21777dbd476

Download Submit
/data/data/com.watchandlr/kl.txt

Filesize
72B

MD5
2336371f286c1e33aedb21642e968b38

SHA1
f9a47d3a002519f83dd39d953907663eda9f12b9

SHA256
dd23ff1b04a5913cfc1bc7cea7d1048d82fb0aeb7b565d7261320e8d72b51b91

SHA512
69da8d19be0c0fc0605dc48762637fb98f44216b2e49220c30a46a64358dc9787e8de489c47591b380fa14c5d4e1142957272a9d57263d23822ff21ea3d884c1

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads