octo | 0df8c6043105779bbbd483c9d07613716e509e311bbe7a2c62652390f5f00727

Resubmissions

16/12/2024, 22:36

241216-2h9hwssrgl 10

16/12/2024, 22:35

241216-2hwa9ssrem 10

13/12/2024, 22:04

241213-1y5n7s1ndr 10

Analysis

max time kernel
149s
max time network
134s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
submitted
16/12/2024, 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0df8c6043105779bbbd483c9d07613716e509e311bbe7a2c62652390f5f00727.apk
Size

1.9MB
MD5

b2bed9d03f63b338427fc93bb7aafc30
SHA1

5a57ca52b038ec6c6d20baf3d8003b831501cca9
SHA256

0df8c6043105779bbbd483c9d07613716e509e311bbe7a2c62652390f5f00727
SHA512

b9635ef374bce803eae60c5c5dd895aeeaaa2c6dec73fc1344f5d8a5afadc97cfea1fc43d72c74208e555a3ed4ec42629d1ebe52f47ee5109a95bb82efec3583
SSDEEP

24576:bw6/b3VoUh3u8yzPaJB0MnWiq+6jiWVcdEQhl0cedK6EMmfR0/4NE30p7:bX5h3ubOwAqjx2OQI7KNMmZ0/4N205

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://recordsimo.top/ZmU2YzQ2NjZlNjc2/

https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvq.top/ZmU2YzQ2NjZlNjc2/

https://junggvbvq5656.top/ZmU2YzQ2NjZlNjc2/

https://jungjunjunggvbvq.top/ZmU2YzQ2NjZlNjc2/

rc4.plain

Extracted

Family

octo

https://recordsimo.top/ZmU2YzQ2NjZlNjc2/

https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvq.top/ZmU2YzQ2NjZlNjc2/

https://junggvbvq5656.top/ZmU2YzQ2NjZlNjc2/

https://jungjunjunggvbvq.top/ZmU2YzQ2NjZlNjc2/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-3.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.uswholekybb/app_DynamicOptDex/GWB.json	4346	com.uswholekybb
/data/user/0/com.uswholekybb/cache/bzwdgemlg	4346	com.uswholekybb

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.uswholekybb
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.uswholekybb

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.uswholekybb

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.uswholekybb

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.uswholekybb

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.uswholekybb
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.uswholekybb
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.uswholekybb

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.uswholekybb

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.uswholekybb

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.uswholekybb

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.uswholekybb

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.uswholekybb

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.uswholekybb

com.uswholekybb
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4346

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.uswholekybb/app_DynamicOptDex/GWB.json

Filesize
1KB

MD5
b060e8a1ba9fdb9eb738c028afffe71f

SHA1
d35091bab8d0cef482315673bc2c4ad723d9c532

SHA256
ed71d381007be28c6af5dad9417230e2ca249dd7ce75703af62e008baa5f5829

SHA512
e01ae32ef74e7ceb4c907a9cd8d323ab83b8561854b4fa30a2a64703500ee22b7370584caf590a7483c52722b5cd0ce059fc73e1b2abb7c2a270c0916343d7e8

Download Submit
/data/user/0/com.uswholekybb/app_DynamicOptDex/GWB.json

Filesize
1KB

MD5
c64d93e354c25ac7ee8886f6c5d8103f

SHA1
d1a976b91e0603d289bafb9047baa318f5ba92cc

SHA256
052d26e009ee53b91956501a8b5e4ad40ca9c457f7b875a45ffae15f1ce09460

SHA512
5b36807fd72952f87c0914fb9458f746859307c0bfe76cd96823bc8d6fd2cade543f600988c5e1ff241263346bf066c952181c8e6b15fddad543338cf9cba5e9

Download Submit
/data/user/0/com.uswholekybb/app_DynamicOptDex/GWB.json

Filesize
2KB

MD5
ed058f5d6e67ef83cc9c3d1e907fa1cc

SHA1
f42b93ee85e862ff77ae823a261ecc72bb1f94c1

SHA256
7a334f7684668373b1404a6c801bd421c06fe051374173caaccf51eb75e4dd7b

SHA512
b6823b4fffb6e95ce58cf07af1bab1efb42e88cd4993fe78049428de94b50f68f6f5e4ac565d8068bd4518230f13c5568e73088659056be21424196d547f2323

Download Submit
/data/user/0/com.uswholekybb/cache/bzwdgemlg

Filesize
448KB

MD5
b609292c76c45ed701da8e4b5fd2915b

SHA1
a43c2c5310a7d3b0931805ab2596385739e203c2

SHA256
7ca55d15bc884b9f7d79aaa175f087fb0198947dc16458a6ead1194141c49d0e

SHA512
1132f00da5ebaeb64d731a75d3d878da0f6fc8b6e5045ca7e1fdc8ff46a4e10f5483f94d7c2010aaafac909bf0b95f603fa7d8b426fc5684b49203ad190e5ca1

Download Submit
/data/user/0/com.uswholekybb/cache/oat/bzwdgemlg.cur.prof

Filesize
383B

MD5
60e37a0de6a9dec8f2b97502c49e20c3

SHA1
768b4d8e5b8822657264afdf316aae4918c6e990

SHA256
5446b32615547d41e3af972100169134a49375f2055079618c0ab190e02255d2

SHA512
b804c8534492af69639eef24815e3e83ef4283e58cf98aaf5f7f839f0e629e60ba4b6eadb3873c78476bdfb823612600da73cae58998abad585c8ac5a7fdb82e

Download Submit
/data/user/0/com.uswholekybb/kl.txt

Filesize
221B

MD5
489448124cacc7c365aaa9e971a67a95

SHA1
470da297aaaf78c3358740259ea49397451043ea

SHA256
9960ca68fd527447a13c13ed48251f5a20591403f5e03d6c954ce1354234f490

SHA512
08042e0a05e49e1cd632f57765199124bd022ba0129e8648bdf759898f003f33d6aac16e757f805adb8f1905bad2254e6972e394f1908b849f55da4de2c10b6e

Download Submit
/data/user/0/com.uswholekybb/kl.txt

Filesize
72B

MD5
8d2cf18dc9b812bf698656dfc92e83dc

SHA1
0759b410e169ed50afa85d698a65ef7140535ee6

SHA256
0fc45107146611b66567264a9d19fb887d8a1d12ca3f602c099b384576daa015

SHA512
14731972d0ae48387b71f1b7a611bc16b0f6c48c4c322cf26962c2916db6550e07697e1008be7eefa01a1a8ff365ef36809cb1468fb17416231c133611b2fe79

Download Submit
/data/user/0/com.uswholekybb/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/user/0/com.uswholekybb/kl.txt

Filesize
221B

MD5
2e784dddf74c1fd340f6dd4cdbe3d5ed

SHA1
3f3d57fe60c4f9b4a4ba66b2c250b91af6709d42

SHA256
b2379ee44f37e00843a6d42700c713c2d927cb047d39e205c2ef4f08d83415ad

SHA512
f1dd5ede836f183222f895701e53d4ac3de87769c480488f13bf0ff9e0d155a611a5b849445731033ae2964f05b9d626693db0c314138c0b3f500fab530b5b40

Download Submit
/data/user/0/com.uswholekybb/kl.txt

Filesize
60B

MD5
8958f17015aedac0f6339cd6b658de4a

SHA1
81843685f748dedf3fdb47a8bd99e9f9f2f002a0

SHA256
308ec67651f23668aba138d53566f2696bdb2f745cb9ebed94b1f480f137cc22

SHA512
972dc47fb4c4e3cc1789fdc46fe4112248d7be704347708641c72c3ea24130863434b0a2e854af335505698575dca6de9c476a24354dc2e4c6e1a150b71c8866

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads