octo | af9c8b85b92bfbe06718d520a80c2b361ad312da861d2c1d9aff47d4e7f89c07

Analysis

max time kernel
149s
max time network
131s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
16-12-2024 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af9c8b85b92bfbe06718d520a80c2b361ad312da861d2c1d9aff47d4e7f89c07.apk
Size

1.5MB
MD5

696395a0dc0448eb95e74ccbdb01929d
SHA1

4184a5cd9322f26788ba8a2332895c0b9cf239f4
SHA256

af9c8b85b92bfbe06718d520a80c2b361ad312da861d2c1d9aff47d4e7f89c07
SHA512

5b0be78903a3ec5eb1b37ad0070d90ead8ccd1ad93d2a9b3b115ecb295620a0a59584898e5fff3e1398b4e9f06647f1da2cbdd957509dc436fde6cffa4eba638
SSDEEP

24576:Ro09SbM5YqP8Pdpn9PUINRBH7dK1OCHQ71hUBciSJ/IGWa3GtUP1B9LFKCaz7+hL:RoHUINRBHBK1OCaQw/5Wmes/9VaX+hL

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://r85d4kbe5729.vip/MTU2OWE0NzJjNGY5/

https://a87rvat46c50.com/MTU2OWE0NzJjNGY5/

https://juxtaglomerular.hk/MTU2OWE0NzJjNGY5/

rc4.plain

Extracted

Family

octo

https://r85d4kbe5729.vip/MTU2OWE0NzJjNGY5/

https://a87rvat46c50.com/MTU2OWE0NzJjNGY5/

https://juxtaglomerular.hk/MTU2OWE0NzJjNGY5/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4319	com.workport3

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.workport3/app_DynamicOptDex/BojdEpy.json	4344	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.workport3/app_DynamicOptDex/BojdEpy.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.workport3/app_DynamicOptDex/oat/x86/BojdEpy.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.workport3/app_DynamicOptDex/BojdEpy.json	4319	com.workport3
/data/user/0/com.workport3/cache/bhetlmzxodpu	4319	com.workport3
/data/user/0/com.workport3/cache/bhetlmzxodpu	4319	com.workport3

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.workport3
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.workport3

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.workport3

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.workport3

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.workport3
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.workport3
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.workport3

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.workport3

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.workport3

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.workport3

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.workport3

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.workport3

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.workport3

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.workport3

com.workport3
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4319
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.workport3/app_DynamicOptDex/BojdEpy.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.workport3/app_DynamicOptDex/oat/x86/BojdEpy.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4344

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.workport3/app_DynamicOptDex/BojdEpy.json

Filesize
1KB

MD5
6a74e1d44ef512d900d4df6bcaee9718

SHA1
267afbf518620ea8714b112625ed37dbaf3f9c11

SHA256
78487e0c11f3edd770fc9cc549b3a4497ac617cb6f9f9797cbf29b68bff26d10

SHA512
dfecc004782bc4f1c6b1bbf7266623419d6a8cd37f5de709d8f1f758291398a740075071a04a8e3f7b1cf18bedaf3dbd2619918d937fa3cb39f8fd4782afd01c

Download Submit
/data/data/com.workport3/app_DynamicOptDex/BojdEpy.json

Filesize
1KB

MD5
f8c948d5bd2c4e4dbc4e3dfcdcc3e48b

SHA1
df681178b88f275a9d8f8f572ab77c804ab0c3c0

SHA256
d2a5083f800109b7ae0069e12ae98723b32ecc6ff7b43e7138bc3505a3a3ec7f

SHA512
67ea1d38390f69664970fc1fc74557483f10eb81bb7807469b2958e799f685de6d8526e72efd60fa51d1e551a48a4e77122523819b69b31ed63171aeae760f6c

Download Submit
/data/data/com.workport3/cache/bhetlmzxodpu

Filesize
456KB

MD5
3efdbf7ec9978b5b98cf59d05ed35a5c

SHA1
ed01c7e9f6f494a203d34d36c50d57642652e981

SHA256
9e561de1ff45a54113b57ce0ff52c6bd5fddd39df2d51272a47db4a244c5eb8b

SHA512
ec7d981a92c7cca93a4be453dc36d7435d431ab708626251254b4c2760cd48e517f6ffc762a132c62c5b14e683595f526c67c1d32531eadc093e448c123120a5

Download Submit
/data/data/com.workport3/cache/oat/bhetlmzxodpu.cur.prof

Filesize
469B

MD5
acb9d45fac85661db86b792a3e833a69

SHA1
806a4ad8f8233d37674cf953b910511bf8b17d7e

SHA256
71df2167a5514cacae456715ff4ff801d6b232ff5a883ce511ba548a65a7ba15

SHA512
0a4b63f232415d8bfebedaeaab168d91715d03546ec558dc1f19f4b896b094aa5de1f252dbd807b876b17f884ae5b071acfb6b06b8cec58ae0fc4c44f9f2db0d

Download Submit
/data/data/com.workport3/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.workport3/kl.txt

Filesize
230B

MD5
837f259ad8da6380dfb5a8d2fca46306

SHA1
9ec10e4e10628566b3ad954f5c1b43a970e251fc

SHA256
1081a9021e81b0bffa9af2991b2d5a680107743789e02494e05cc4df1b2b1409

SHA512
81e0308b5678d125194518197f208f9d36c0e6fbed81c0ef378f4b0867d9d86dd5ac0a4e4a1da210238cca22c37404f094430c13b6e951f5bc526a44ca6b4ca1

Download Submit
/data/data/com.workport3/kl.txt

Filesize
54B

MD5
d575aced14e7cadce504329213587311

SHA1
51689bb048b585bf9f99e38ccd47a77e25d0601a

SHA256
99f108c1702a37af7ebf5f30a48584c9dc414fc32d0a01968754af9ee3104a7d

SHA512
e04930457e3d6d736cbcb088c7ab5cf7df45da462c00fe0395523fcec9406b26cc73395b26c69adeff9f7d65b6e187a3c2f4e187c5cd0dd489e9a27b25af28fd

Download Submit
/data/data/com.workport3/kl.txt

Filesize
63B

MD5
2837bf8cc49bac02528a5999d154d65a

SHA1
4cfe479e2c735093ce1feeac03b2cba1d4a59ae1

SHA256
6e0bfffa11254338874130c711af88350aa66106d59caed73762671fe9f1a8fb

SHA512
325b90bdf0b926d2eb71a10323c7c2513898ee7b6f414041ab46bb84d6557070ec39eb49d8da6b205a8d88523952d8546c366ec741ebd73d40a4413a8f1ea794

Download Submit
/data/data/com.workport3/kl.txt

Filesize
423B

MD5
0c99f38be3416e753ab0df05867d4133

SHA1
3c015b6f9285e86b13a7ea09169077cf0788bdd4

SHA256
7b19b1ed541ece33fb5c590c992c332e8fc4fc538023ef468e3362fa648dff69

SHA512
0c82b9de0b1fb8d56eb59f839d2407f1232bb73837bd490e20e0fc88ac73669f04ee1136790e963ce89fba5264eb1fc1360f1d022ad883068ae45a0062fc6199

Download Submit
/data/user/0/com.workport3/app_DynamicOptDex/BojdEpy.json

Filesize
2KB

MD5
61ceba3ae5c7123c8062a36a8c224305

SHA1
d827d3a9fd82f895dc17711b43c8c8c8d715dd3a

SHA256
abfc47c6e659589d9b77e492ef2b0fa1f99fe031e9753566aaa232f959b3a59c

SHA512
700499db77a39f5ef16edd74f69cdc621f73d0b300c59e68d03d83a72176aa8a45f59b41951a9ea28c7766238ca263f745592dbe57e54bd7c50adb606938f9ce

Download Submit
/data/user/0/com.workport3/app_DynamicOptDex/BojdEpy.json

Filesize
2KB

MD5
a90112a5001f3e41d4ff808ed3318718

SHA1
e89b7924b176e0264cc3ba342c39b2ab4af1297a

SHA256
4ce69c0853c91c6c312557a1a3f087b77dc27a94c5718e113670deb01bd170f8

SHA512
dc7e597173d86e5878e8a10a67a9c0a146b5de2bda3399c277fefe45e8271b244180dba058afcca3bcf2d0d90918a4f337106c746de59eb166defdeabe411aeb

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads