octo | 3a7c46c81e9a9c32359b81dc56cfd374423fed2ae2d666f9eef164d412116e84

Analysis

max time kernel
149s
max time network
134s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
09-12-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a7c46c81e9a9c32359b81dc56cfd374423fed2ae2d666f9eef164d412116e84.apk
Size

2.4MB
MD5

72893c3f27e3ab3bee96c2e4333f5c64
SHA1

23e8c5078bb2cd08444328851f74ee01c7b6c1eb
SHA256

3a7c46c81e9a9c32359b81dc56cfd374423fed2ae2d666f9eef164d412116e84
SHA512

aa3749a9a9b0204913b8a91d3442f521ed6d60873c6f591f0fbdd4db99ce229255d3f807cca3daf05a8df96473c357bc01659f3f1370a9daa67090f54b0f1640
SSDEEP

49152:g+gJtcyTe8FqkbMeQkhw9gwowGy75KHrZMmOZPIAnryyFjdzDO:OnTVqkVx/WQHrGmOZA+y2jBO

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://934437453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://88237453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://662333981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://96255553981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://28237453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://162333981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://26255553981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

rc4.plain

Extracted

Family

octo

https://934437453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://88237453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://662333981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://96255553981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://28237453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://162333981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://26255553981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://934437453981d0595033c23.com/MzQ3NjU5NDBhMjNj/

https://7894437453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://8774437453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://5564237453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://661544537453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.plantmarkisdx/cache/eacowxiu	4242	com.plantmarkisdx
/data/user/0/com.plantmarkisdx/cache/eacowxiu	4242	com.plantmarkisdx

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.plantmarkisdx
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.plantmarkisdx

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.plantmarkisdx

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.plantmarkisdx

Performs UI accessibility actions on behalf of the user 1 TTPs 7 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.plantmarkisdx
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.plantmarkisdx
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.plantmarkisdx
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.plantmarkisdx
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.plantmarkisdx
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.plantmarkisdx
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.plantmarkisdx

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.plantmarkisdx

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.plantmarkisdx

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.plantmarkisdx

Requests modifying system settings. 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.plantmarkisdx

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.plantmarkisdx

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.plantmarkisdx

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.plantmarkisdx

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.plantmarkisdx

com.plantmarkisdx
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4242

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.plantmarkisdx/cache/eacowxiu

Filesize
2.3MB

MD5
c2f7ebb4302efe1a39027168e847438f

SHA1
692c980b4474dda758fb6d6577ee69c3bc4fb71c

SHA256
d56aa762851f2fa05f1097c7a6b2bc025fa8b83967174c99fdd7dc919d59c0c9

SHA512
215129425a6bca6ef96295d5e6f07fca1f30da92f5e6202eca06837d99c4a886dfa691c3035abb038b1acfa5796d4efb004467085c5935c5a3bbf9740069ddaa

Download Submit
/data/data/com.plantmarkisdx/cache/oat/eacowxiu.cur.prof

Filesize
508B

MD5
55184cb4a8c35016342f2b60b36b76c9

SHA1
c6f96ae099369d8a40d0ab56d8ceb95db826fc3e

SHA256
2580f04ff9c858a08fd22c4655fec289325c78e44942ea069d3adc9a35dfa782

SHA512
7882085ce53d051552d9227b8da4da223fa2d5b6fce6403a1260c0bec7243edfc854a06264c7c8319bd705466ab8158ec3ba45a018e0c270a6bd85a9a5af10b3

Download Submit
/data/data/com.plantmarkisdx/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.plantmarkisdx/kl.txt

Filesize
230B

MD5
ada132741aa3dfdec52456c9e3cf8d24

SHA1
a0e2ba2f9552996a3b3e49393bd4641e073ae95b

SHA256
d8069adc5604aaae63332d3eb72e4211a78623d996e2bc7f7466d8038e40d065

SHA512
8b8c34896a8fb2a62825c51a032d0217ede64c36e21d50872d5e508dc4aa87d2983c102994947763e8f1cbde16946cf3d0b857fc760b0e478bdca012bea5715f

Download Submit
/data/data/com.plantmarkisdx/kl.txt

Filesize
63B

MD5
801c573e70988f373901d79faaf41a85

SHA1
7962a46158909403c0b5898887d921db72d773d4

SHA256
712d191bc88c0229f26cfae07f768b76ec0a2f8b95642850e3b77ce9e723e922

SHA512
c00a324e8cf2002abb53ca75d694cc117f8ea958eaf96a81ab4b9f5fd12de7f68280cd725a62b2bcf3199c05c65f1bae7fd5774fa25e993c475e8e103d20e721

Download Submit
/data/data/com.plantmarkisdx/kl.txt

Filesize
54B

MD5
41dcda701ef00f0d86f3fca308e29c87

SHA1
31c39eb2089d052d900937906c002a14b163bc68

SHA256
78cfd8695d392e9a62bcf9b4f6caa662f6b2b9b948ee03d512caa35a21b9e15b

SHA512
700b0db3c7acfd3d0042ba4e0768857be3772e1b586d2b524d0deaa2656a29a82b903158cc48c06b1a5927ad0311ce03dae14bc7f32e9fe67e5deb0a592dc369

Download Submit
/data/data/com.plantmarkisdx/kl.txt

Filesize
423B

MD5
62e091999579ecc0e37a24b6e2085d35

SHA1
d50b8f4bb495e492bf6cbcb10f44b620d4cc107d

SHA256
cc8a9666f50ad4003b0fb16422ce049b743e8a924652b90a1c11f5d61e9d6732

SHA512
3df3ebd9ace55ae81e33f83a0f0d960d7b99ee4e6bd3f8928a489f75bdf8d27cca5dd30399b83bd20cc3bf6e8b8ab556328f3593c81e665dc6ba337895fc4d74

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads