octo | 87dcf8af2e6985eed966f639136c8c1c3c422c08d4dec31885b2731e518afd6d

Analysis

max time kernel
149s
max time network
131s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
16-12-2024 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87dcf8af2e6985eed966f639136c8c1c3c422c08d4dec31885b2731e518afd6d.apk
Size

1.6MB
MD5

1d6209f4329cabfa0466b1a01439e75b
SHA1

9d37f209c76c247933822b61b2ff00f1990e3eff
SHA256

87dcf8af2e6985eed966f639136c8c1c3c422c08d4dec31885b2731e518afd6d
SHA512

2f90994e5f8412be3f3c71bf810f08c64a9397f6c9ca0290516b64ae577ed97c0796e3272624d684d3a440ef6628d8caeecce6ac1b6b0de7e638ce29a3840d99
SSDEEP

24576:/qUUxcc8RwQ1ml8HgXZbloLBR0PzxEKtWJRHlFtizxJrSczQywuJatW5tj9dFUCy:O8RwMml8HgXboNGdoJSwMyEV998R+bg

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://r85d4kbe5729.vip/MTU2OWE0NzJjNGY5/

https://a87rvat46c50.com/MTU2OWE0NzJjNGY5/

https://juxtaglomerular.hk/MTU2OWE0NzJjNGY5/

rc4.plain

Extracted

Family

octo

https://r85d4kbe5729.vip/MTU2OWE0NzJjNGY5/

https://a87rvat46c50.com/MTU2OWE0NzJjNGY5/

https://juxtaglomerular.hk/MTU2OWE0NzJjNGY5/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4242	com.gametry45

Checks Android system properties for emulator presence. 1 TTPs 1 IoCs

evasion

System Checks

T1633.001

description	ioc	Process
Accessed system property	key: ro.product.model	com.gametry45

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.gametry45/app_DynamicOptDex/jqyPmK.json	4268	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.gametry45/app_DynamicOptDex/jqyPmK.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.gametry45/app_DynamicOptDex/oat/x86/jqyPmK.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.gametry45/app_DynamicOptDex/jqyPmK.json	4242	com.gametry45
/data/user/0/com.gametry45/cache/kfcrr	4242	com.gametry45
/data/user/0/com.gametry45/cache/kfcrr	4242	com.gametry45

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.gametry45
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.gametry45

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.gametry45

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.gametry45

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.gametry45
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.gametry45
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.gametry45

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.gametry45

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.gametry45

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.gametry45

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.gametry45

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.gametry45

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.gametry45

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.gametry45

com.gametry45
1⤵
- Removes its main activity from the application launcher
- Checks Android system properties for emulator presence.
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4242
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.gametry45/app_DynamicOptDex/jqyPmK.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.gametry45/app_DynamicOptDex/oat/x86/jqyPmK.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4268

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.gametry45/app_DynamicOptDex/jqyPmK.json

Filesize
1KB

MD5
44608f92ba099cfdbe63b5d13e002861

SHA1
d641a4715f722f41dcf02b319ae657728d2ebc5d

SHA256
c33b58f09808b241890daf51b0e015a796e5b563702ce38709f05e51c97483d4

SHA512
03861932b1765dcb63a8b8c63dab78b9b3533f1bc1cfefdc5f6486579f971db1212d1531d83d5322cc684015c8f1d4f17d259ee05157007fd6ca3ba9ad0180e7

Download Submit
/data/data/com.gametry45/app_DynamicOptDex/jqyPmK.json

Filesize
1KB

MD5
74e0f2097bb2ed3f759513f4d437bde1

SHA1
200c81437e0943765dfab1045b06db6a6e476530

SHA256
16245e4d83032dd18a67d40e87038bc6a1ab86d066fd18b3e5464585d5ed7738

SHA512
2d81edd7c3c699247355d3bc4ccf241a067c09403980431319eebe52e4e6123d7bff4d0ce0b052a57f86a2f6ade1cbe7cba939202d8092c03ef57a06f1fe0832

Download Submit
/data/data/com.gametry45/cache/kfcrr

Filesize
456KB

MD5
377cc75d09f94255e0edbb42044d378e

SHA1
efa2bd009b4d0522d74eb971ea3f57adaed95852

SHA256
7b1e29516e1c3ad1b3f04a7c62261ad60577ae23468f926f5259a850fcfe16db

SHA512
618339d127754675801d08c2f9c6b5a0b3b156e5a1ec95e1329e1d75064372d37d5054e20c0b1e481df9d57a7ef70b5f112d589f8d6575eb1fd76c7dd244956a

Download Submit
/data/data/com.gametry45/cache/oat/kfcrr.cur.prof

Filesize
452B

MD5
e0f5a487d353f34dba8d10abcb8ec6dd

SHA1
8544429ee85f6f952c059d5f2511895043857e9b

SHA256
27fec8b7b9cd52c070e9493ab1a82bf5b386929c4adac50730766409233f62a8

SHA512
62901411292f578defb9cf59ae9022df22e261d6859db968e0801370cd5fb43844f0fbd7a7c7531d094a17f31400b6957e394f586090b353d2f689c5fbde4216

Download Submit
/data/data/com.gametry45/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.gametry45/kl.txt

Filesize
230B

MD5
fb634d4459a87882e7289e68193b69f5

SHA1
3fb781245bceaf4574a2a299d9c033e1f4a56487

SHA256
be07d01c4a7224f330cb37b37b284f5e6242e5c227fc2a3f1cd54ca12a2e4bef

SHA512
5a4b60bcdfacda14c1e3b56eb863a5b4f5578ce2787776da072b2aeda173928ee63715de2273648476baf1e0b61378cc0882bbb9eb1fd655e353fd967a557cd6

Download Submit
/data/data/com.gametry45/kl.txt

Filesize
63B

MD5
57363b8205134f512fe951c95544f99e

SHA1
811cdca2dd280efb04222e32291c50b6e44d7476

SHA256
931765119f9f2b5f0f4bd32338a83993830fa32ce6cad344fd8311e63cecc338

SHA512
362a8fe92d14d4e645013a3a6b4e8d75f62a4ba26c02a64e931c1b9e964e50680cfec14ca8fdc53474f12bf1a71c1f6237170e8728ac17131b582a27f9c54b39

Download Submit
/data/data/com.gametry45/kl.txt

Filesize
54B

MD5
4474b910f90140a9e48d8b1b7c03fceb

SHA1
e6e2e29b5a15536ef3fc479a783f85f5a3a01a54

SHA256
8e81002474e13f6ab6504762662084f9a13a70a5ed88ce3fad9b177cc17c9078

SHA512
c538b593937e0d6f486b92b93bc096fa87162a009a073c3a1c09c07d43bf4948c84bcfa7fa8c6146541c58ce94b524309d6331e905fb8d25f375b3e4fdcc65a3

Download Submit
/data/data/com.gametry45/kl.txt

Filesize
423B

MD5
139f7bf4bfd9a6dac81d77b384b8b432

SHA1
ab589e80a5f62014aa1a60439e48b0389bdaa726

SHA256
de2b8998dbd06c42a76be5a0e5c6c293089097757f0ffde8b06ac8dfd4a7b22a

SHA512
b2d6a69690610cc8f577bd4b8cacfce6aaa53b67191614f95816e5aec9c52a6e6e79333aa3955ffb5a37c023180355497d7a0eaac212d75f3fffcb1d7b3b9ca1

Download Submit
/data/user/0/com.gametry45/app_DynamicOptDex/jqyPmK.json

Filesize
2KB

MD5
d4d1dcdbc5d09e16a33fcd5a24ee66ab

SHA1
55f07c8a5ea2dcc843788cb7079b54d8442b4a7a

SHA256
eef4952b654935da72f695e370570ec3fbba46d2b65efde06afa792f063e58be

SHA512
b85fd2be119cb68ccaf4eb976294f64f5bdb3d18de4e95cb7c6d7edf1401a8a8d51005fd4e93504ca74feb367e0339ef3b6f0ff03c5c4132b88a9f0e14e3c3ec

Download Submit
/data/user/0/com.gametry45/app_DynamicOptDex/jqyPmK.json

Filesize
2KB

MD5
63cb50b7cb76bc35c155147c136aeb5c

SHA1
e07deec705b3ceaf4427832d8fb06e31d1ffb016

SHA256
42254032988cf3e6af83d80799133b9e4bb71692d59d04281ba8509fddfcc5a6

SHA512
7f359eb08ea6a17c692f47b0cde87cc0ae479987cc695b05e42208b63a0992478e3f83b7fdf7280774916fb49f3869616318a57a327d30986cbfb307e9b0c879

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads