octo | cf149c6a3bbcbf14481a38684271c5f0ba0d3d3cf9eacdd740582a576e94156a

Analysis

max time kernel
149s
max time network
153s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
submitted
06-12-2024 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf149c6a3bbcbf14481a38684271c5f0ba0d3d3cf9eacdd740582a576e94156a.apk
Size

2.4MB
MD5

7c20b7c82d89cfadf1dfed97c20e8aa8
SHA1

6212df9880b0233869f2ce798b7a7fbc69381679
SHA256

cf149c6a3bbcbf14481a38684271c5f0ba0d3d3cf9eacdd740582a576e94156a
SHA512

e094793579880a0df331315be6b9b39c8540ec72bfae361037be45006f2a22f20a24b9bdd1bdef8fefcf0002495347f745febf6e310b264bf8e7bf814567cef7
SSDEEP

49152:p1QccWC5vr3bnJ1i6NqnnyDZGOsVWkUUwKwo3eY3GVtYB2YeNSsA/D92Xn/JmNx:sLvzvicMhHVZvwKwjY3G2e4ZC2x

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://332237453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://7237453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://62237453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://35237453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://332137453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://34437453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://3637453981d0595033c23.com/N2IzYzFlOTM3MWU3/

rc4.plain

Extracted

Family

octo

https://332237453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://7237453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://62237453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://35237453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://332137453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://34437453981d0595033c23.com/N2IzYzFlOTM3MWU3/

https://3637453981d0595033c23.com/N2IzYzFlOTM3MWU3/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.mountainenough7/cache/iiuvowcbzpmqnju	4341	com.mountainenough7

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.mountainenough7
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.mountainenough7

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.mountainenough7

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.mountainenough7

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.mountainenough7

Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.mountainenough7
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.mountainenough7
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.mountainenough7
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.mountainenough7
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.mountainenough7

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.mountainenough7

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.mountainenough7

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.mountainenough7

Requests modifying system settings. 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.mountainenough7

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.mountainenough7

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.mountainenough7

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.mountainenough7

com.mountainenough7
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4341

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.mountainenough7/cache/iiuvowcbzpmqnju

Filesize
2.3MB

MD5
8e97ad28b6674f87beab82467d38acb3

SHA1
aae1a6f0b1a4812935ef12cec3a5c11cbebce872

SHA256
181f2d1d50621a932969445a3195e09aa78818e2d075431615f77d8b8fff9ab9

SHA512
4ba8ed3ee4caf5525811316d8bf1a39da80992e6b7fdc756ac1b6f7fbb527daea30db4f3b064ceb11b7c6f5348441c32fb2a9bec39fd130bd231eba55253e20f

Download Submit
/data/data/com.mountainenough7/cache/oat/iiuvowcbzpmqnju.cur.prof

Filesize
444B

MD5
27f42702a34b9605e425dd7142a6e5dc

SHA1
7e8c48515ae8424d4afe360c929d744ab4292d0a

SHA256
a951ae05a3eeb49a1fda26fdbcc4dcc60f867386364a87066a9eda5185261bea

SHA512
7fec5a824e3191bae59ea0466d792c3b6949b0706e25a9722eba153becc87e69934ec0cd58404f233f2dcbd27e8f1491948890623af4329fab117160737ea927

Download Submit
/data/data/com.mountainenough7/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.mountainenough7/kl.txt

Filesize
221B

MD5
1db783a394657ffb99b93e82de229946

SHA1
99f437537223f23ef6742ec418a87f2f2e5f3af8

SHA256
428c9a812e60e5b3d94336a2897e6046604a638f7337b38959387de1a9983aec

SHA512
16eff626c3b6ae4fb55079dba5820bf86bf4c053fb39ed0fa6764ca5313a8cfd72f5546a9e8d6095de05456c20025d5319d602ef34984846926a3092e1127caf

Download Submit
/data/data/com.mountainenough7/kl.txt

Filesize
54B

MD5
8f60232cbb95443f4e4db86d8cd99eff

SHA1
6ef00f9d45666f5cc6f7b5d8978b38e44e857af0

SHA256
b71eb640f3179c87b3f475c2b13c1284511f943bbf08ca1045d5b4ed26e2c405

SHA512
0707667821e787f4aa50ec56bf8731d1f899f98869a1e65c8533521f4fc7b78bddc4892efe9f60d3933d036c0b613df0049136f16d6d34a5c61359547f3072df

Download Submit
/data/data/com.mountainenough7/kl.txt

Filesize
60B

MD5
311941a9a65f3307b3463ee978d5a2e3

SHA1
9fa3b640ad16f69ab6f704e2b23ef9dfc4cb7480

SHA256
73ff5e32ee13a32871b1a37961be4e786286420aabab72123a92d671d8292423

SHA512
1f303a71fefd8692be68adf09569c35b003410de11539f5ea3fd0479b6da6d4d704813aa7c6cfd27b4e22dde126e8adeb5f173653bea77da912c575c70e6c7dc

Download Submit
/data/data/com.mountainenough7/kl.txt

Filesize
504B

MD5
bdab2faaf0e5204b5b4a59f662d8bd74

SHA1
c2054cda0031e2a019a720ef43a4e5f093cf1ff2

SHA256
5c41377dbe0ecd4a7323a0987cb03853b3cef4fb61c7530fc64c8bd165119635

SHA512
70ced3f4a57991f31999821ac85d661cdf9dc565065490da7b122709e0da0e39f79b2a8ae8e3c095be72f4240fecadd55464a3ed8928dd378d550f476cae72aa

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads