octo | af9c8b85b92bfbe06718d520a80c2b361ad312da861d2c1d9aff47d4e7f89c07

Analysis

max time kernel
149s
max time network
152s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
16-12-2024 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af9c8b85b92bfbe06718d520a80c2b361ad312da861d2c1d9aff47d4e7f89c07.apk
Size

1.5MB
MD5

696395a0dc0448eb95e74ccbdb01929d
SHA1

4184a5cd9322f26788ba8a2332895c0b9cf239f4
SHA256

af9c8b85b92bfbe06718d520a80c2b361ad312da861d2c1d9aff47d4e7f89c07
SHA512

5b0be78903a3ec5eb1b37ad0070d90ead8ccd1ad93d2a9b3b115ecb295620a0a59584898e5fff3e1398b4e9f06647f1da2cbdd957509dc436fde6cffa4eba638
SSDEEP

24576:Ro09SbM5YqP8Pdpn9PUINRBH7dK1OCHQ71hUBciSJ/IGWa3GtUP1B9LFKCaz7+hL:RoHUINRBHBK1OCaQw/5Wmes/9VaX+hL

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://r85d4kbe5729.vip/MTU2OWE0NzJjNGY5/

https://a87rvat46c50.com/MTU2OWE0NzJjNGY5/

https://juxtaglomerular.hk/MTU2OWE0NzJjNGY5/

rc4.plain

Extracted

Family

octo

https://r85d4kbe5729.vip/MTU2OWE0NzJjNGY5/

https://a87rvat46c50.com/MTU2OWE0NzJjNGY5/

https://juxtaglomerular.hk/MTU2OWE0NzJjNGY5/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-3.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.workport3/app_DynamicOptDex/BojdEpy.json	4756	com.workport3
/data/user/0/com.workport3/cache/bhetlmzxodpu	4756	com.workport3
/data/user/0/com.workport3/cache/bhetlmzxodpu	4756	com.workport3

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.workport3
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.workport3

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.workport3

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.workport3

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.workport3

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.workport3
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.workport3
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.workport3
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.workport3

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.workport3

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.workport3

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.workport3

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.workport3

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.workport3

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.workport3

com.workport3
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4756

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.workport3/app_DynamicOptDex/BojdEpy.json

Filesize
1KB

MD5
6a74e1d44ef512d900d4df6bcaee9718

SHA1
267afbf518620ea8714b112625ed37dbaf3f9c11

SHA256
78487e0c11f3edd770fc9cc549b3a4497ac617cb6f9f9797cbf29b68bff26d10

SHA512
dfecc004782bc4f1c6b1bbf7266623419d6a8cd37f5de709d8f1f758291398a740075071a04a8e3f7b1cf18bedaf3dbd2619918d937fa3cb39f8fd4782afd01c

Download Submit
/data/user/0/com.workport3/app_DynamicOptDex/BojdEpy.json

Filesize
1KB

MD5
f8c948d5bd2c4e4dbc4e3dfcdcc3e48b

SHA1
df681178b88f275a9d8f8f572ab77c804ab0c3c0

SHA256
d2a5083f800109b7ae0069e12ae98723b32ecc6ff7b43e7138bc3505a3a3ec7f

SHA512
67ea1d38390f69664970fc1fc74557483f10eb81bb7807469b2958e799f685de6d8526e72efd60fa51d1e551a48a4e77122523819b69b31ed63171aeae760f6c

Download Submit
/data/user/0/com.workport3/app_DynamicOptDex/BojdEpy.json

Filesize
2KB

MD5
a90112a5001f3e41d4ff808ed3318718

SHA1
e89b7924b176e0264cc3ba342c39b2ab4af1297a

SHA256
4ce69c0853c91c6c312557a1a3f087b77dc27a94c5718e113670deb01bd170f8

SHA512
dc7e597173d86e5878e8a10a67a9c0a146b5de2bda3399c277fefe45e8271b244180dba058afcca3bcf2d0d90918a4f337106c746de59eb166defdeabe411aeb

Download Submit
/data/user/0/com.workport3/cache/bhetlmzxodpu

Filesize
456KB

MD5
3efdbf7ec9978b5b98cf59d05ed35a5c

SHA1
ed01c7e9f6f494a203d34d36c50d57642652e981

SHA256
9e561de1ff45a54113b57ce0ff52c6bd5fddd39df2d51272a47db4a244c5eb8b

SHA512
ec7d981a92c7cca93a4be453dc36d7435d431ab708626251254b4c2760cd48e517f6ffc762a132c62c5b14e683595f526c67c1d32531eadc093e448c123120a5

Download Submit
/data/user/0/com.workport3/cache/oat/bhetlmzxodpu.cur.prof

Filesize
337B

MD5
7beadf91e5a79845f51d8df7422c43f6

SHA1
21a30968b9dc69992c8b1d088022a66cd3335712

SHA256
2be9537494b78c1b41fba972a8ccd3932f900c6a72dafba12e33243164533af6

SHA512
bc98738512519cbfdd027abd0e38b1210b2bda37b267b3e52428303b5cc630f8fea1bf956dff584ecd2f4f44ce67dc7bfb5fdbbe3b95151a9ea2f2cf264e698e

Download Submit
/data/user/0/com.workport3/kl.txt

Filesize
466B

MD5
6baf9cc30e7ac2ef81776c8b765fc8a4

SHA1
f6ee8b9702c55401bf3705e259c7fcb6352704f9

SHA256
de5542c9c82895bb1945bb2f11d8be2a08c57f01e7a5625ed2100672f4dade5b

SHA512
722687c71b4aa830fd6707d97861b56b2c1ccab4950b197df4e93656b6d9ea25451f193ecb9115eb35d8438662ea3739ab3ad0ce8fb21b183a2cc711ddee12e0

Download Submit
/data/user/0/com.workport3/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/user/0/com.workport3/kl.txt

Filesize
63B

MD5
8ea008e34e62e63dbbf381523f64195c

SHA1
f925ded312c76288c5688891f154d221e1a185bb

SHA256
6104797991ae72c739a97bc2546a2a3c8315aeb9a990886b980bc984bfaa14fa

SHA512
f5d08f76e5530ed8bcca6bf019002b5c7c03de59f49b37daf15f446cdcae1546cd2c5e2579c98a49ed81f6cd444794b1834ad70080362f4366a16f6e3d57dafa

Download Submit
/data/user/0/com.workport3/kl.txt

Filesize
45B

MD5
ff12cb5ffa14101e4c84ded27447cdc1

SHA1
2b7ec374dcc20a9c00f9867030735b57beb75d25

SHA256
93cd0e196b0e118c5ce4a02caeca84f834878d56ac085c826783d3095a00f7d5

SHA512
a752f85d7c3bea5df2b1055ad0474e2098fffa8fd2bd2ac312c9f7295d00def150d0039e39b2a84bb81cf8c0f212ea7b5503dcddc7abd83de8703d3bb50802fa

Download Submit
/data/user/0/com.workport3/kl.txt

Filesize
68B

MD5
5f0346656b34c34de670c32e2d4014da

SHA1
1cdc18b30f504e1c0a5df03efe0513d99b244d5e

SHA256
2c766fb6addf7f0c15d5b67356cfb1eaecdd6028d92a8cf31421c67fe5f55f8c

SHA512
23ca460dfd871dd5bc7336a78b3227905b73c733400bf757a428bbf5310d39bebe2169c93f748cbefe3bbf35d94a06b3942b9dc924a491bbbf4cbb4c6e5c5444

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads