octo | 4993ee53420a56e0112e0ae55be20abe1cf49fe3ec420ad287dbe32e353c9835

Analysis

max time kernel
149s
max time network
151s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
17/12/2024, 22:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4993ee53420a56e0112e0ae55be20abe1cf49fe3ec420ad287dbe32e353c9835.apk
Size

541KB
MD5

03e5f7a69c1e8ac9498531e0dd8ae699
SHA1

b4f536de8262c51dd5399421346a46895108b585
SHA256

4993ee53420a56e0112e0ae55be20abe1cf49fe3ec420ad287dbe32e353c9835
SHA512

a0426674c0c065a5467353b61a14dd258bdc3555f734850a747b42535c3f7c59d414a50a124e55943d80b3b0705d815d8d5f342266314d0e40b25d20ea70695b
SSDEEP

12288:ntxWDv1kjbXa1dcjOXCwwvhg8lD7lEkPfYmL93RKOpVnmnx:ntxbjbXa1mOXC7JRlD7O4wmL93AOpFmx

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://54ggter6ujfgt.site/NmFkZTc4YWM3ZTk2/

https://kdehrweuybvfrer4.xyz/NmFkZTc4YWM3ZTk2/

https://hrte93jdjyherhh.online/NmFkZTc4YWM3ZTk2/

https://fhw832jedsnhwsefgy.top/NmFkZTc4YWM3ZTk2/

rc4.plain

Extracted

Family

octo

https://54ggter6ujfgt.site/NmFkZTc4YWM3ZTk2/

https://kdehrweuybvfrer4.xyz/NmFkZTc4YWM3ZTk2/

https://hrte93jdjyherhh.online/NmFkZTc4YWM3ZTk2/

https://fhw832jedsnhwsefgy.top/NmFkZTc4YWM3ZTk2/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.actyoungff/cache/yqwoodpshjtrkcr	5260	com.actyoungff
/data/user/0/com.actyoungff/cache/yqwoodpshjtrkcr	5260	com.actyoungff

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.actyoungff

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.actyoungff

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.actyoungff

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.actyoungff

Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.actyoungff

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.actyoungff

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.actyoungff

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.actyoungff

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.actyoungff

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.actyoungff

com.actyoungff
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5260

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.actyoungff/cache/oat/yqwoodpshjtrkcr.cur.prof

Filesize
486B

MD5
df693d19d4d90303603112accad0beb8

SHA1
694a17472593ebe9a4376568d096e371099e74f2

SHA256
ccbb5aa0535b8410887cdd8649d00e88689bb781a2c4c8de968a6f1ec5310cfa

SHA512
12391f47d5647e14116b16e17942d3b752586b695579cbe77ca005291ffc75ffd470e94c78ff657b4d2fa19b9b7c488ee9c0d90c9e266e6e19ba6cae59545093

Download Submit
/data/data/com.actyoungff/cache/yqwoodpshjtrkcr

Filesize
448KB

MD5
4bb829e9b50fff2dd6c5dae485233a67

SHA1
2114a1484baec0f00b283b8d0c8fb8c826ddeebc

SHA256
8a252d4616dbd490ef673f6c995a5439a25c5fa2e5e3cc698943a411d5221d97

SHA512
cacb0fa48eda68425d8d07a38016f16c35dddb873608210aa07ab9f5f50c19174064f4bd26286b7c3061023f2d42f7872226fc033a074fb2ac44da9bf9a1d6fc

Download Submit
/data/data/com.actyoungff/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.actyoungff/kl.txt

Filesize
242B

MD5
cabfe2d4e862a5afb5bd775538d259b5

SHA1
5b9ea2b36852c77288cc9d738d27bbfa55abe1be

SHA256
a2c0bebb10cc720c40801f7b9e343f564e57f73ca8b6c06a580f50d46508d6cf

SHA512
01dd27b61c95a153490c0b3c276c1f4f8080616d0bced08ffe86912937122d04481720bf8334205ae8677751d3bdea183fe9e894d4e1235d37a8d9d7aee4d473

Download Submit
/data/data/com.actyoungff/kl.txt

Filesize
69B

MD5
ce96c19fd2495e6a0e590fcc7102d5c8

SHA1
893015fa839001f53527db1e3e29344e1ff902d0

SHA256
13f9a5a87fd209b55b9387be7ee0fea15fdd465ddeee70839ce508c7b24540da

SHA512
9be453759c0c156d8839c1d481142d928425d4a84cc6a45fc768b1de6f8cd3ec1582d9502619e35de89116886e4a325138d9714200d6a6357241da5d3a2b45c9

Download Submit
/data/data/com.actyoungff/kl.txt

Filesize
59B

MD5
ed556882026c367fda3699033e2f8c7e

SHA1
eedd11fd6cfa97ae6efab548fb85b053dc5bb471

SHA256
9f6ffe44a8ee59650ccdeeb11f567aff274e781840bb2a8fbfe1d7c3aba92c61

SHA512
50a52242d80e52d84e8c1d5ac2b7ca04f60467e39d7b253d0e47b605b7a998facd501c75752d9dc07ebf3b702758e3b833b4b3a2b7aad7ce58ae3f71a543dd6c

Download Submit
/data/data/com.actyoungff/kl.txt

Filesize
437B

MD5
8667145245d0e0a02c53f7f8ab2ac970

SHA1
a3fbc872602a2274665d184b16efdc3ca876123b

SHA256
38188c061a940298e14fc051b91ff44f7562a82a1aa2f2501b3e2bde1d4c5cb3

SHA512
65b7381306382255b270aac2ce6949dc1c986766c63acc8f70d70075396237a9da644ce0c1fbab5b656dc10cbf35202aac523c133d8bac29c3dbd993739f311f

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads