octo | 08d59f56d9aa90c50b024bb7984c701c02c4298f36ed60b4336a1568af20862d

Analysis

max time kernel
149s
max time network
158s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
submitted
16/12/2024, 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08d59f56d9aa90c50b024bb7984c701c02c4298f36ed60b4336a1568af20862d.apk
Size

7.3MB
MD5

a74a6a8a4ceeedd3c5ee57d941b92377
SHA1

819b300c04883a88452a1451e92eb70076f1bccc
SHA256

08d59f56d9aa90c50b024bb7984c701c02c4298f36ed60b4336a1568af20862d
SHA512

c09be9af5765c9baf1faeb135d5a9b6390d18c121c2881f16961d4c1a9d877b0887baa63f19ea9f1248011ce276928e2d578df166501c1eb46b419efce1c04f1
SSDEEP

98304:ycaXZg3X/Rs5vS5iSRGSwVKn31v6DNQ0WILb:ycaXS3X/RIqr8UFiz

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://dcbafa46fded53ee7a98b8deeb3b88a9.xyz

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/memory/4333-1.dex	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.printwriting_role32/app_farm/Xm.json	4333	com.printwriting_role32
/data/user/0/com.printwriting_role32/[email protected]	4333	com.printwriting_role32

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.printwriting_role32
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.printwriting_role32

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.printwriting_role32

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.printwriting_role32

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.printwriting_role32

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.printwriting_role32

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.printwriting_role32

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.printwriting_role32

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.printwriting_role32

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.printwriting_role32

com.printwriting_role32
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4333

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.printwriting_role32/.global.com.printwriting_role32

Filesize
48B

MD5
046a414913add6f5bb60072c7db819b6

SHA1
451ee4f6809260aec622d772fd329c7d0297a842

SHA256
b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

SHA512
4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Download Submit
/data/data/com.printwriting_role32/app_farm/Xm.json

Filesize
1007B

MD5
7dc2304639de93f6c2c70cd0ad4a9ba7

SHA1
404cc78ec0b4aa56162d0058436f98562d003880

SHA256
cf9a2d7cf4ff44d8119f397e32d436517978d4963500c1cc82d1576b8771b175

SHA512
ffe64ae7767d8e365bbe9a89c97b7669fff116fa042365633ce00fe4942b75eb1aca7ee38fd8a9b2cf948253fbb252fe5a7740e7642d0843d795f572d8d2bd94

Download Submit
/data/data/com.printwriting_role32/app_farm/Xm.json

Filesize
1007B

MD5
b2cc75acf7c958df3c517853b67d3bdb

SHA1
9086eadf6286c161720edacc2ee8d59bd1356fe6

SHA256
3fcd2448bb5d14ad4d19934494e05e96769ff5fda71a73a8aa3bae400e5090f8

SHA512
a1edb6fc9ec089af0254f5f46352690fe5de0765200f684be50416a69471000c54635b9fe97595c0a3d9cdbd933eceb171c3fa02c0c5e02778ea7bd2ec1041b6

Download Submit
/data/data/com.printwriting_role32/files/.l

Filesize
322KB

MD5
77dc50489b9323274732d27dc8a4e803

SHA1
0e02a3595b62489d0739d771881da8604d117c65

SHA256
c5684e792d1ebefea6aac09fed45911703fd58c899f8a08133d49dd91429a820

SHA512
0684a92f3e9c525384cfa53f531afba61e5930e1c27032a7e27e3315f72761b62e122dc34768d8162ba08f9bed53d148aa8dc034b46456bdd211f230637eba58

Download Submit
/data/data/com.printwriting_role32/oat/x86_64/[email protected]

Filesize
13KB

MD5
b05c402ce9a09e6bdedf2cb437d1af6c

SHA1
a8712fa1d9ce99b6ffd1cd1e1152fad9d744cf75

SHA256
1617f8d51c613e3f5670eb4ea8e0e94650f71a30d01361eca064b9246622cd07

SHA512
b38ae10f7212a5f5f767a88a4bf2123aeab9d5fcecb0957f7f75ec89aa74a8917fbd6676984493c00efc888410efe4cc374165c766697ec46ddfbe976cae7a83

Download Submit
/data/user/0/com.printwriting_role32/[email protected]

Filesize
526KB

MD5
5ff086c3781b6f6f4b0febf10ff07b6f

SHA1
8220a3aaf741c2b70e75578809b6b05482a2e9e9

SHA256
f85405e30ce55723e2bd4ca6b0d5cd8822d147eddd4ad6ff3c500a8e4a71363f

SHA512
039e929eebcf5f4eea06727a7ff6f62327b34859e7cebc94c0da8c01bf2f6aad4db3417fe19217c847e512c181f9191d03c11d4625c8e9f2a64234c7a4462d03

Download Submit
/data/user/0/com.printwriting_role32/app_farm/Xm.json

Filesize
1KB

MD5
c89cb61479603c903c73f88bb4109db4

SHA1
86e41beac067b7e5c7dde7f914aac2fb86258e71

SHA256
724978dfeb952a8ac9b65c17bc1ac40486071029a9412583337b035033c1acb0

SHA512
d2df7ccd62e8870c834b6c6568a3ba4e1a1a581b82418fe73385e606b13f1e577a2256e1eeb4efd68c1f68ee1e9003233a438ac8faad7853afaad4e979b995c7

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads