octo | 254006bee6fa65b2a4f827a6d9df24df326cbe7440d57451ee215cafb2a61b2f

Analysis

max time kernel
148s
max time network
152s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
18-12-2024 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

254006bee6fa65b2a4f827a6d9df24df326cbe7440d57451ee215cafb2a61b2f.apk
Size

1.8MB
MD5

860df8edd87bf26e99af42fb7a17bd04
SHA1

4d3e1e817df778031623deafdb7e9395ed3c18ff
SHA256

254006bee6fa65b2a4f827a6d9df24df326cbe7440d57451ee215cafb2a61b2f
SHA512

89f464b7eda05fcbb7252ed0b4467f28fad8569ad578e908fc037f92bb9d6f42dcd1f3cfca9ecc66a5995926cc6e6cea4b01c28b2692ef8284cde971d8eb583c
SSDEEP

49152:aETpI3ny/qix/DIaKCs3BdOAYQhGkxsS1ro2T:d4iqi1kTsQhGYow

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://nuhimush6712.info/MTU2OWE0NzJjNGY5/

https://kijuolobtreshu31.pro/MTU2OWE0NzJjNGY5/

https://aganimsharse671x.live/MTU2OWE0NzJjNGY5/

rc4.plain

Extracted

Family

octo

https://nuhimush6712.info/MTU2OWE0NzJjNGY5/

https://kijuolobtreshu31.pro/MTU2OWE0NzJjNGY5/

https://aganimsharse671x.live/MTU2OWE0NzJjNGY5/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4337	com.weightandfrxj

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.weightandfrxj/app_DynamicOptDex/Hrg.json	4362	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.weightandfrxj/app_DynamicOptDex/Hrg.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.weightandfrxj/app_DynamicOptDex/oat/x86/Hrg.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.weightandfrxj/app_DynamicOptDex/Hrg.json	4337	com.weightandfrxj
/data/user/0/com.weightandfrxj/cache/vmigztsnwqnr	4337	com.weightandfrxj
/data/user/0/com.weightandfrxj/cache/vmigztsnwqnr	4337	com.weightandfrxj

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.weightandfrxj
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.weightandfrxj

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.weightandfrxj

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.weightandfrxj

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.weightandfrxj
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.weightandfrxj
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.weightandfrxj

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.weightandfrxj

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.weightandfrxj

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.weightandfrxj

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.weightandfrxj

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.weightandfrxj

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.weightandfrxj

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.weightandfrxj

com.weightandfrxj
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4337
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.weightandfrxj/app_DynamicOptDex/Hrg.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.weightandfrxj/app_DynamicOptDex/oat/x86/Hrg.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4362

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.weightandfrxj/app_DynamicOptDex/Hrg.json

Filesize
1KB

MD5
b0dd0407c9ce4d064c4daa90c591fe40

SHA1
6247de91bf24452efb02840efbbc9778c1866d45

SHA256
3d24a74f6d4655ff18c9764b02c742e04861fab575f981d20e1f55b745aa8edd

SHA512
59ebf2cdc056a9b42e34b0a6113ed414b957529822fdbe6e8f63650e20a560df2a0394e258c15e6003345f6f9e587429d0336b8becbd91139dc23ca0bbc022f3

Download Submit
/data/data/com.weightandfrxj/app_DynamicOptDex/Hrg.json

Filesize
1KB

MD5
8357fe55de972137ace700aba4163a54

SHA1
74f792e9e4f16ccb0705f6e5746ded687532c875

SHA256
cad19740bf95bb6a56dfb01586a593c112e086aee6e48b145623f7d07bad1d7e

SHA512
923673aaec82dd1a42860cbd1d5ff24b0220bf829fd1c56104c902f4b092b9e7d28b4ded084cb9ea96ea69c4c10416639eb4c11825d1c643ff650e4ee3580598

Download Submit
/data/data/com.weightandfrxj/cache/oat/vmigztsnwqnr.cur.prof

Filesize
454B

MD5
baab6e753227ddaabbf6388f35a65447

SHA1
f12c743d1efecbe747063ae6d121d268106ba3e4

SHA256
dd89a8aed3880bd8d9a08e06ac37b2a9a843b26b324ab0a846dff55c3ed7eec7

SHA512
136835f9b655d58304aea2ef9383d4918a83369c3fd29dd5f8b43ab388a049301398af81160ff0c496415b0fbde3330dfca1053ae7cec60dbcd341fac049af32

Download Submit
/data/data/com.weightandfrxj/cache/vmigztsnwqnr

Filesize
456KB

MD5
12cbd0da8d84af0feb1fa35a67bf5e15

SHA1
356bfd29a838d7b2886342528cb8110c07c5e030

SHA256
36b44d76926102443b130b2c3d332d081262e63b478d4c0b26b485c657f22fed

SHA512
7533c8111f05966c5d141988badc89610c5410262b2fb37044da2699a633575e947c6dd508cd7b3763eb74ffff3f86db23ba3c7edc60a1761f2255769aba8c62

Download Submit
/data/data/com.weightandfrxj/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.weightandfrxj/kl.txt

Filesize
230B

MD5
e6cb4fec39272a9e33ea3109f2b6354c

SHA1
cd6be54dd070f30f3c5d01e01a0919dfbd6bf277

SHA256
fc6d75bd477cf8faed6ec6dd6e3d568eca71eb5120c304de1b7b03b32ace875d

SHA512
1ce3a394242a2ceab2061e984fe3bd761ba5252b3d869a8c775efd2700d8ff34e341df37bb1bca8be07cb2b7ca842661807bbf66cfac4ed58ace5f607c2ba4f8

Download Submit
/data/data/com.weightandfrxj/kl.txt

Filesize
54B

MD5
8e21163115f38ee3d12a851510dd942a

SHA1
d0d276223fecad3d1a8bb9d67e2f8a32af2f223e

SHA256
ebc2a2b1403272fb2e2d099c2320969e6a4839d7bbd00142984a6002cd187cda

SHA512
b3b9650daac38ab30298e5963d5abb5b043fffdca857fb48006c27035d2554d91b4bed071b92c982d0e0515ecd68ce840d9318a6f64c53616883fafe3c3708c2

Download Submit
/data/data/com.weightandfrxj/kl.txt

Filesize
63B

MD5
64f4ac95b4d62fa2d902ba2caa945f0d

SHA1
aca3ed92831a23f10e30c7da9c2025d37093fcf5

SHA256
071f1aa8826117188edc1c8a4cc29cf0eddd67a9c23a3e2c439c095e537ca462

SHA512
6d9c4db2d75c368ce15f12e6813895e0c4d4b4d7f2b17a82828cfa37ff318e895bb1a92486e25d281ff7a24ac443c5599f518d8d916badc4d0ac59f6c10d38d1

Download Submit
/data/data/com.weightandfrxj/kl.txt

Filesize
423B

MD5
9a78cb40936b00879d0ad77f9eadb9c9

SHA1
20e17fa988252f12a9501a0e8a0302079dd83e34

SHA256
4360abe46284328589a7b2b7edea02bfcc565c7dba6392c807fc323fdd483c0f

SHA512
4d4a75f1e3da309d5a6516aebd8298360d643870bd7baabcf1425acdcd9e3699b0f15ca6a1d22ce79c6f460bee31caa3912691d7f4f064bb9f93df9c3034f639

Download Submit
/data/user/0/com.weightandfrxj/app_DynamicOptDex/Hrg.json

Filesize
2KB

MD5
2465df59ece3970caa007c394aa9fd4c

SHA1
d7ce131c3dbe9281f3acf072267b39f0379d3d71

SHA256
00316e96c3ae56d010f144ab35008a89e2430e19fcbbd154b7d2d4ae4623a96d

SHA512
9ec6542c3d90391d1505a0fb4cf231286a4cd5269ba1e0b00a5c472be587a4e875417277c95a9886d5174071b38c5a882f1e986a43000546d6f9b11c3460d950

Download Submit
/data/user/0/com.weightandfrxj/app_DynamicOptDex/Hrg.json

Filesize
2KB

MD5
e85e87bc8351bcc827548f7c9c81e07d

SHA1
1efad9b3667bdb4f21ec791ce86d1bdb9fa7351c

SHA256
04115a7aa8cf6104f9ba8ee8b54bbe0e358b791b1c66b787b1955b30d66112ff

SHA512
5fb801b5e3daa1ecb197ec147c0f2ee23409139157fd50a746c168337f8b0e757f6aa8e76c7d683e6a115b4d775bb4c838a65c8ce246de79aa435fbca5132eac

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads