octo | 9723d225ad048caf2fa4f83ff7cd8feab9221befe09c9759b7e393ee38e04b1f

Analysis

max time kernel
149s
max time network
158s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
21-12-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9723d225ad048caf2fa4f83ff7cd8feab9221befe09c9759b7e393ee38e04b1f.apk
Size

3.2MB
MD5

d14cc83768293dcc3743b14b16fd8693
SHA1

81b0e7a46e6139c6b06b2a3267cd5a59c8788cf2
SHA256

9723d225ad048caf2fa4f83ff7cd8feab9221befe09c9759b7e393ee38e04b1f
SHA512

d85850f5dd4da19acb3a10e0a95f0d8ab0b933642b84820319c348ddfc13c6c78a6be61c68b6d648261b5972f966731cab5f9510642223ecf81a699439708d2a
SSDEEP

98304:8hvaFW9Agk+r98RwP7sji8pFkCstMAxn83g7yPn:WCFWq+rGwP7sjrktMAxn833

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://185.196.9.197/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass2.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass3.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass4.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass5.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass6.net/MTQ4MmUxODBhMTVi/

rc4.plain

Extracted

Family

octo

https://185.196.9.197/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass2.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass3.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass4.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass5.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass6.net/MTQ4MmUxODBhMTVi/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-2.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.wantbook61/app_ded/pcjz3bAQ8Cfq8xlYhOSqObP4L5ndL1A9.dex	4793	com.wantbook61
/data/user/0/com.wantbook61/app_ded/pcjz3bAQ8Cfq8xlYhOSqObP4L5ndL1A9.dex	4793	com.wantbook61
/data/user/0/com.wantbook61/cache/dbchtznxtpd	4793	com.wantbook61
/data/user/0/com.wantbook61/cache/dbchtznxtpd	4793	com.wantbook61

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.wantbook61
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.wantbook61

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.wantbook61

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.wantbook61

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.wantbook61

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.wantbook61
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.wantbook61
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.wantbook61

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.wantbook61

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.wantbook61

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.wantbook61

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.wantbook61

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.wantbook61

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.wantbook61

com.wantbook61
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4793

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.wantbook61/app_ded/pcjz3bAQ8Cfq8xlYhOSqObP4L5ndL1A9.dex

Filesize
3KB

MD5
1dd01c5264c4740bfc756416d24696e4

SHA1
231aa64e4e0481fe1fac940eea9366cc12e42ebc

SHA256
1a49419a05e1f0464873561a796304573554462a28ae0fcc354f793f339de7c1

SHA512
cfcca3f3732313a0798788c7313c0f567a7159c4275be1c351830a4d454c96578eb18328184d3c1f34b7ab8e2beea272a41ded07cee6b366fe7e3b4ffa86e0ff

Download Submit
/data/user/0/com.wantbook61/cache/dbchtznxtpd

Filesize
449KB

MD5
f2a57d8c209b0cb07c0ba26352b1ac66

SHA1
8e6116e542e7a408329c326661a0cec271ecabbf

SHA256
c9f3344e3181a8b4825a800a78b0e5f7761a9da3dafa34659b2bb021ac108257

SHA512
314a3684aedebf49f0771b4a04c94efbfea1d2067db96aacb53bc4617c215429fd5acd10d9a7e0cf776b426bb9421f1c9a5def20cdd2746a41de83ce13be06b4

Download Submit
/data/user/0/com.wantbook61/cache/oat/dbchtznxtpd.cur.prof

Filesize
318B

MD5
6613bab029cf57ecd7c6aa6ac0bf9d3c

SHA1
cc564dec9a2a6e857f3e323859694b1c82e8f635

SHA256
2c8e088ed4b55f601f4651183f865a019ad8cc7297ae94bfc38f3e0739ad67fc

SHA512
89526a8940fc76dccc7be1213632132166cb2b72104e82c57c9c02d9f9e658f8f7d8039d2daa9f78c4aca6db9baf1e93b3995bbdcad30522bb0824a47e729fd2

Download Submit
/data/user/0/com.wantbook61/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/user/0/com.wantbook61/kl.txt

Filesize
230B

MD5
ff7a5972e1bf9184126330584af7385d

SHA1
5327182ac01c9b74428ec1598d26ee469f28a1f6

SHA256
14039b7b8470d7586e3d25c352b2059b2939c0c65a91d6f7e392ba920b4bc54e

SHA512
d6c4ad35b48698cf2e7b09f98c5d2b693733dfd958ecc15eaaffbb8bbaa674a595cb7dfa80db23cebc5a5ed24243ab978811c329234f7f27e5f133fe0b00d58c

Download Submit
/data/user/0/com.wantbook61/kl.txt

Filesize
63B

MD5
e3f18c313684bfccc5ff93e12aa1865a

SHA1
40ea7a7e25172d6b566017352390a9182b6cadd0

SHA256
6f2fba025c1db1cc41cddd08aa1b8e6ac9fc4334adc53d76d46d976d46ddb23b

SHA512
d5123c7e3a231b6e8984f73fc6922991361ba5caf8ddf3e24117687414a7a2521e938e363da51c08558a91e94d3c902c67b678d6975376dada305fab83ec4efa

Download Submit
/data/user/0/com.wantbook61/kl.txt

Filesize
45B

MD5
295cf7d966fc73f0beb875fc78c275d6

SHA1
4a1f794dc99f468643ed45c46bf2c6d997ee90c5

SHA256
bea10929422c960f5be851293da1e9f2a39d634b94c1daec078c4a53f76fe15f

SHA512
67481130534984a775382c5d61ac375ee684d0536fe318f70bbfc9a09d3bbce27bccc0460408c70727b8fcba78d8dd8a1063afc1d171206489228318978682bf

Download Submit
/data/user/0/com.wantbook61/kl.txt

Filesize
466B

MD5
276f225cae8a0aafcc649aa3437f2494

SHA1
5946a66c4bb28a31ec3d43a67e7187f8036f11e7

SHA256
454e6c11cc431fc6be0658e81b735391e27ae426556d9eccaee378e1b22a9f06

SHA512
f92d1ed3a8648430584b6c79de131a9fd033759d440ca313a76cc14e761d29923d4f8313daaf8f831352dc7bae9a328a44f385c8530fd1c8f5c7d5a8dc0838b1

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads