octo | de3fa67bfa9272e457092f83e3dfd8c8a179a6f3f12216347de14088e051b8c3

Analysis

max time kernel
149s
max time network
144s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
25-12-2024 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de3fa67bfa9272e457092f83e3dfd8c8a179a6f3f12216347de14088e051b8c3.apk
Size

2.3MB
MD5

9c28313ac351fa10ce97e5b80a91008c
SHA1

1fa4931260be88f330184a345668db05d583a868
SHA256

de3fa67bfa9272e457092f83e3dfd8c8a179a6f3f12216347de14088e051b8c3
SHA512

f389bf648e3e1e0721717f27500dfb5a3ba5ce3972bf8e60a5e0eb195022df0d8744597f6cbda746c89fd27fa8f1903abf64e0fc15a8f8277e4bee6d63ac9000
SSDEEP

49152:9Y60OBXrf5of9ukVh8ldHUbdXh6wOLajIaSm+gRIRZME3kgZB276bikRXO:9Y6nDqckXydIXMfLap0gIRZ5kvQikhO

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://karateustalariningizemlisan.xyz/MTk5MTQ4ZGNkMDBi/

https://karateyolcususamuraidurusu.xyz/MTk5MTQ4ZGNkMDBi/

https://karatefelsefesininizleri.xyz/MTk5MTQ4ZGNkMDBi/

https://dojovekaretekahramanlari.xyz/MTk5MTQ4ZGNkMDBi/

https://karatesanatvesavasustasi.xyz/MTk5MTQ4ZGNkMDBi/

https://samuraivekarateduruslari.xyz/MTk5MTQ4ZGNkMDBi/

https://karatedoguveteoribilgileri.xyz/MTk5MTQ4ZGNkMDBi/

https://karateantrenmanvesanat.xyz/MTk5MTQ4ZGNkMDBi/

https://karetecininkusursuzvurus.xyz/MTk5MTQ4ZGNkMDBi/

https://kareteharaketveteknik.xyz/MTk5MTQ4ZGNkMDBi/

https://savassanatlarinindunyasi.xyz/MTk5MTQ4ZGNkMDBi/

https://karateustalaringizemlibilgisi.xyz/MTk5MTQ4ZGNkMDBi/

https://dojoyolundagecenanilar.xyz/MTk5MTQ4ZGNkMDBi/

https://karatetarihvesanatustalari.xyz/MTk5MTQ4ZGNkMDBi/

https://karateustalikursunumetodu.xyz/MTk5MTQ4ZGNkMDBi/

https://karatekahramankitalarustasi.xyz/MTk5MTQ4ZGNkMDBi/

https://samuraikavramvesanatifelsefe.xyz/MTk5MTQ4ZGNkMDBi/

https://karateevrenselustalikbilgisi.xyz/MTk5MTQ4ZGNkMDBi/

https://karatekapsamlisanatustalari.xyz/MTk5MTQ4ZGNkMDBi/

https://dojotarihiyolundandegisime.xyz/MTk5MTQ4ZGNkMDBi/

rc4.plain

Extracted

Family

octo

https://karateustalariningizemlisan.xyz/MTk5MTQ4ZGNkMDBi/

https://karateyolcususamuraidurusu.xyz/MTk5MTQ4ZGNkMDBi/

https://karatefelsefesininizleri.xyz/MTk5MTQ4ZGNkMDBi/

https://dojovekaretekahramanlari.xyz/MTk5MTQ4ZGNkMDBi/

https://karatesanatvesavasustasi.xyz/MTk5MTQ4ZGNkMDBi/

https://samuraivekarateduruslari.xyz/MTk5MTQ4ZGNkMDBi/

https://karatedoguveteoribilgileri.xyz/MTk5MTQ4ZGNkMDBi/

https://karateantrenmanvesanat.xyz/MTk5MTQ4ZGNkMDBi/

https://karetecininkusursuzvurus.xyz/MTk5MTQ4ZGNkMDBi/

https://kareteharaketveteknik.xyz/MTk5MTQ4ZGNkMDBi/

https://savassanatlarinindunyasi.xyz/MTk5MTQ4ZGNkMDBi/

https://karateustalaringizemlibilgisi.xyz/MTk5MTQ4ZGNkMDBi/

https://dojoyolundagecenanilar.xyz/MTk5MTQ4ZGNkMDBi/

https://karatetarihvesanatustalari.xyz/MTk5MTQ4ZGNkMDBi/

https://karateustalikursunumetodu.xyz/MTk5MTQ4ZGNkMDBi/

https://karatekahramankitalarustasi.xyz/MTk5MTQ4ZGNkMDBi/

https://samuraikavramvesanatifelsefe.xyz/MTk5MTQ4ZGNkMDBi/

https://karateevrenselustalikbilgisi.xyz/MTk5MTQ4ZGNkMDBi/

https://karatekapsamlisanatustalari.xyz/MTk5MTQ4ZGNkMDBi/

https://dojotarihiyolundandegisime.xyz/MTk5MTQ4ZGNkMDBi/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/memory/5134-0.dex	family_octo

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.cannon.tuna/app_thrive/ZuLyAX.json	5134	com.cannon.tuna

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.cannon.tuna
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.cannon.tuna

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.cannon.tuna

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.cannon.tuna

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.cannon.tuna
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.cannon.tuna
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.cannon.tuna
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.cannon.tuna

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.cannon.tuna

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.cannon.tuna

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.cannon.tuna

com.cannon.tuna
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:5134

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.cannon.tuna/app_thrive/ZuLyAX.json

Filesize
153KB

MD5
2860914d9664e92e73f02da70b937129

SHA1
eab9e27d44662b804411e39967bd58f286246a66

SHA256
8b4cafaf06d90185647118c385a2667b8d25efdad9d7528ea915b3ba25568a51

SHA512
c33a82168721c9f4b9d3c7304cf38c20dc6533557f92a91bcc3c03e288227fb5354d8c1b632724a933d9df94cd33e273725259dfa6a31cf7e9730b10c3e58399

Download Submit
/data/data/com.cannon.tuna/app_thrive/ZuLyAX.json

Filesize
153KB

MD5
bed0c9ad9f4cf68dc96a66bdd091d4f1

SHA1
1cd7ca97c99eacbfed2bcec76f858904f9330df1

SHA256
476452a55ec265813e3198ca9aa2cb508a9f77356927c64299adb78cfd3a1035

SHA512
5075fe463cf4ae23f1f47006bd478a240d87a7f78fbf41ff1848ad289c771a7f6bae0a448407f322689f1cdbd3e950e74348fad8b5fb597d520c8877b0ad824d

Download Submit
/data/user/0/com.cannon.tuna/app_thrive/ZuLyAX.json

Filesize
450KB

MD5
c7326cf5b49c2e43b20e1dc66acff953

SHA1
3d645efe86b277c1110e187ec0801774537974d9

SHA256
23334d1d32f2b23e82e8f6c937861961050b02539d31c23359333585cd49a2dd

SHA512
5cc98028316cbd8ab22e5805c33068dbbcce9942aad53633b2a28f73ddc25566a4301a27c2b82465e46835ed5998464789a543d17b4939c4569315b49f9d0dd4

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads