octo | 3a7c46c81e9a9c32359b81dc56cfd374423fed2ae2d666f9eef164d412116e84

Analysis

max time kernel
149s
max time network
144s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
09-12-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a7c46c81e9a9c32359b81dc56cfd374423fed2ae2d666f9eef164d412116e84.apk
Size

2.4MB
MD5

72893c3f27e3ab3bee96c2e4333f5c64
SHA1

23e8c5078bb2cd08444328851f74ee01c7b6c1eb
SHA256

3a7c46c81e9a9c32359b81dc56cfd374423fed2ae2d666f9eef164d412116e84
SHA512

aa3749a9a9b0204913b8a91d3442f521ed6d60873c6f591f0fbdd4db99ce229255d3f807cca3daf05a8df96473c357bc01659f3f1370a9daa67090f54b0f1640
SSDEEP

49152:g+gJtcyTe8FqkbMeQkhw9gwowGy75KHrZMmOZPIAnryyFjdzDO:OnTVqkVx/WQHrGmOZA+y2jBO

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://934437453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://88237453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://662333981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://96255553981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://28237453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://162333981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://26255553981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

rc4.plain

Extracted

Family

octo

https://934437453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://88237453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://662333981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://96255553981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://28237453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://162333981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://26255553981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://934437453981d0595033c23.com/MzQ3NjU5NDBhMjNj/

https://7894437453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://8774437453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://5564237453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

https://661544537453981d0595033c23.xyz/MzQ3NjU5NDBhMjNj/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.plantmarkisdx/cache/eacowxiu	4513	com.plantmarkisdx
/data/user/0/com.plantmarkisdx/cache/eacowxiu	4513	com.plantmarkisdx

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.plantmarkisdx
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.plantmarkisdx

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.plantmarkisdx

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.plantmarkisdx

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.plantmarkisdx

Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.plantmarkisdx
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.plantmarkisdx
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.plantmarkisdx
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.plantmarkisdx
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.plantmarkisdx
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.plantmarkisdx

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.plantmarkisdx

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.plantmarkisdx

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.plantmarkisdx

Requests modifying system settings. 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.plantmarkisdx

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.plantmarkisdx

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.plantmarkisdx

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.plantmarkisdx

com.plantmarkisdx
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4513

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.plantmarkisdx/cache/eacowxiu

Filesize
2.3MB

MD5
c2f7ebb4302efe1a39027168e847438f

SHA1
692c980b4474dda758fb6d6577ee69c3bc4fb71c

SHA256
d56aa762851f2fa05f1097c7a6b2bc025fa8b83967174c99fdd7dc919d59c0c9

SHA512
215129425a6bca6ef96295d5e6f07fca1f30da92f5e6202eca06837d99c4a886dfa691c3035abb038b1acfa5796d4efb004467085c5935c5a3bbf9740069ddaa

Download Submit
/data/data/com.plantmarkisdx/cache/oat/eacowxiu.cur.prof

Filesize
379B

MD5
305bcd3c8401cab983cc24478648b704

SHA1
bc0a6fa529bd5366f1b0c5c3a26c2a84d4652664

SHA256
d0f021a18b1927acf38fd9ce638ac4638b71ac4d4f7153811a79ded1c7eb2ba1

SHA512
67745228c716d1536c9b485259c3d2fb9da4905cd3f102da9a41a15cbb3efe6be0dfa9adb58ebd1932a9e58957bbe1a0cfea591da922b40a609ddefbf8aff4dd

Download Submit
/data/data/com.plantmarkisdx/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.plantmarkisdx/kl.txt

Filesize
230B

MD5
d0cd05d3db3042f6f4d48bf62c48fa06

SHA1
14ece8636110a35b8393607c964e32014dc39b13

SHA256
7571c2faed9e28d0046b52587eccbfae5c8d9ead1cf3d2251800486549954325

SHA512
08bba1d0e65abf15762dffe41605753ce9e0db0a71db2724ff843e9c4b30c5a9551c4af65d5460428f4a93748df3b3956cd429d376a803443549f123af1f6d6b

Download Submit
/data/data/com.plantmarkisdx/kl.txt

Filesize
45B

MD5
99fafc46d52c72055c9b27e58a6d33b8

SHA1
da9bb3eff262e95beac9ac5432810180de83eb86

SHA256
3244d994253b217784be18858314d507bf4b82b55416fc9b2c5df907cd69b388

SHA512
e4b281fef2931465998c1b7aad8e31f1c8b4e3a5bcaaf42d47fcb50e7d942c8118a2de67aa5b342e923190f3d36a071f80b7c0bd8f7d251ad590c5e96d5fe762

Download Submit
/data/data/com.plantmarkisdx/kl.txt

Filesize
63B

MD5
bd73b62b9e73d5260b485d228723ee32

SHA1
e0a5035f04a9606f983d3f7854f46ea38b8bbd3b

SHA256
59732c9588cd89e1cb1737d76630da7527a6e5fc9616d4d8a9b097b30ba6e511

SHA512
fa3108c4e6a784dddbe917c3f6ff2fcc9855bb5fa4aa11418441f96b56307d733e4abaaad2292de74dc20f76a3ab3467c380fe5a1416e73626366a731450b9fb

Download Submit
/data/data/com.plantmarkisdx/kl.txt

Filesize
466B

MD5
a8bdc407198c4f764dfd93b8be3d7219

SHA1
f28bc78179992fe11c431bd356ad7a5416ee2e3f

SHA256
95c122158264293f725113134d14f8d5bef79ac04e9468c7ca1fdc89d133fe0e

SHA512
6ec8f27bad77ccb39189da5153d276096281d5a013d9419dc45e4a7bc8d6a016bcbff6290a88ef5999212f03fdd2db2315172c9dad49e66426d6e15b8de30f53

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads