octo | 90a85a3b5be9d2d1964566a6433835718c3661bdb393ff1202e036425251cdf9

Analysis

max time kernel
148s
max time network
151s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
10-12-2024 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90a85a3b5be9d2d1964566a6433835718c3661bdb393ff1202e036425251cdf9.apk
Size

4.7MB
MD5

a593d32c9b7f3d8cc05afdcfe6649e0f
SHA1

848172d87d92752ebaa337435a620639986995b8
SHA256

90a85a3b5be9d2d1964566a6433835718c3661bdb393ff1202e036425251cdf9
SHA512

c1fb9a4e90680bccc1d4689cb02de1fd72da3ff66c32e9c01d5ad1251998fac4d16a6d344d01b0a9e154a31e4e2b334488e24cfd0f8206be09609799df23e970
SSDEEP

98304:qNkZbcGpTBc0HH3/drwnU4QLaMVSmAI97YBjV7MPTxQgyJrjD5NxVBl5:qNkZbhBPdrwsAI9kBkyJV5l

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://94b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b641390330721556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92146d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92156d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://994b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

rc4.plain

Extracted

Family

octo

https://94b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b641390330721556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92146d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92156d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://994b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

DES_key

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-7.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4408	com.maya1

Loads dropped Dex/Jar 1 TTPs 5 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.maya1/app_dex/classes.dex	4408	com.maya1
/data/user/0/com.maya1/app_dex/classes.dex	4434	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.maya1/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.maya1/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.maya1/app_dex/classes.dex	4408	com.maya1
/data/user/0/com.maya1/cache/qrvtddsbiyqbmnz	4408	com.maya1
/data/user/0/com.maya1/cache/qrvtddsbiyqbmnz	4408	com.maya1

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.maya1
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.maya1

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.maya1

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.maya1

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.maya1
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.maya1
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.maya1
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.maya1

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.maya1

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.maya1

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.maya1

Requests modifying system settings. 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.maya1

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.maya1

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.maya1

com.maya1
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4408
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.maya1/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.maya1/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4434

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.maya1/app_dex/classes.dex

Filesize
3KB

MD5
321b000395dde30973aa7a74bb7a2152

SHA1
3af49503fb64e3a70bccf536b32567bc43f2a103

SHA256
9e02a5850cde8de426c3482959c0c11df43abfe3709e9f1c1347be53ac3b8cad

SHA512
4906dcbc79c4705d5ff61d4e4b314f1b05240244e00cfd13a2e8351d98125b812198a36bb171898ccac0110b2f315f856f5b34727e64acd599f847027bf2286c

Download Submit
/data/data/com.maya1/cache/classes.dex

Filesize
1KB

MD5
c5673f81fd344a1f193822c8bbcd179e

SHA1
0bb30bc459e7fe6d3d13b95b9a2a0f342e19d68c

SHA256
80ca6d2245fe6409b075c9a4852277d9323a9e26cefe582afaec8d374374dc98

SHA512
aacc29894b26d5e33c9eaaa3e86ea9229b1f193ed9a27067a49deea7fd9f5c4b19a164727ec4dfd536ca6b41b76b47e8455bc90c4c5f56555675cff992c07902

Download Submit
/data/data/com.maya1/cache/classes.zip

Filesize
1KB

MD5
290cf61dc7401716a926a363bd59ac3b

SHA1
9e2508b2622eed743e16364b61e907201f2fc85d

SHA256
2d83bfc6f5842fc7a7572ccd292320fd41077b3bcf4b075dd9a344c641f8693c

SHA512
430a83096a0f27799065c4e2f34d8acdc050e409c71f68e01b4191b6f1c70598fe8e4cea3dc15745eb1ab411811f1baa1194c484d52faaf7dc10c5eaee18654a

Download Submit
/data/data/com.maya1/cache/oat/qrvtddsbiyqbmnz.cur.prof

Filesize
505B

MD5
dee2df1b49d5c7044642e366824d19cb

SHA1
a3ae9a8268ee4c6f4734d53a6d5e18a5da34aa04

SHA256
33e87d4022e6a2a8752582e19a0cb864c096d8a19307770155ccda79c81f600d

SHA512
86363e3fbf32887469da84799f3ea385a74b798a89b5c5c8bcf3c36c335df299b350b4377c1ec51997639801a0b33aeded2e775c5ff076fc263ffdcdd85e0abd

Download Submit
/data/data/com.maya1/cache/qrvtddsbiyqbmnz

Filesize
1.4MB

MD5
45d8d05356784405ab0e5d3879e3737a

SHA1
84d29f77804268924c4e72bf779a86271974f549

SHA256
294127dd57ef1d8e60e7344c82cbad4da21b3fbe073c79f683a009edf7a8d89d

SHA512
d62690aea12998bddda28c5abfc49328bf4d92eb1b0f6267252f5a4625acc0686f7c048244d4172698103b90c67adf0d21cd9f5e363ce6b17166312f99b61e5d

Download Submit
/data/user/0/com.maya1/app_dex/classes.dex

Filesize
3KB

MD5
57bb27c398a212834597008b0bf9b545

SHA1
b013672fe28226a60282547463390aaa7559ceb3

SHA256
4b9c452934b0344d27a2415d52c8c855921a42df4c837e2173698a54c5da76e5

SHA512
e0ce56c96d3364af8f0047b02359ca85517565c46b0d367336c71f82bb7eb554f0c8134a102176f8473a59250ea264a7e759cfa424955549f9c046b4bc3e947d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads