octo | f7b510f2e312c6c00bd6fbf35a8498fa11fb2a6d890ac1ea477ac4381d3f1536

Analysis

max time kernel
149s
max time network
154s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
01-01-2025 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7b510f2e312c6c00bd6fbf35a8498fa11fb2a6d890ac1ea477ac4381d3f1536.apk
Size

216KB
MD5

671210c3b78a539aa621984fdecc5d0f
SHA1

c73c09d64efaf77f61d6d8adc6dc526e9698393c
SHA256

f7b510f2e312c6c00bd6fbf35a8498fa11fb2a6d890ac1ea477ac4381d3f1536
SHA512

c518c27b42a1807f028e0f83dc15ff3cae27d29f0891bfb3477350f847d01a20942c73cc62ca0037c3ec40c9c681a51ed2f38236a12eb95c4cb7570e6f241421
SSDEEP

6144:MF85YWB+Xm8t1VZCfoZdqDVZUqnEprpz737:Ma5KXm8RZCUprpzj7

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://a101.uno/root/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4340	com.adaxffsfzfada.zbsvxgsvbxhdgs

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.adaxffsfzfada.zbsvxgsvbxhdgs
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.adaxffsfzfada.zbsvxgsvbxhdgs

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.adaxffsfzfada.zbsvxgsvbxhdgs

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.adaxffsfzfada.zbsvxgsvbxhdgs

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.adaxffsfzfada.zbsvxgsvbxhdgs
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.adaxffsfzfada.zbsvxgsvbxhdgs

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.adaxffsfzfada.zbsvxgsvbxhdgs

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.adaxffsfzfada.zbsvxgsvbxhdgs

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.adaxffsfzfada.zbsvxgsvbxhdgs

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.adaxffsfzfada.zbsvxgsvbxhdgs

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.adaxffsfzfada.zbsvxgsvbxhdgs

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.adaxffsfzfada.zbsvxgsvbxhdgs

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.adaxffsfzfada.zbsvxgsvbxhdgs

com.adaxffsfzfada.zbsvxgsvbxhdgs
1⤵
- Removes its main activity from the application launcher
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4340

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt

Filesize
230B

MD5
f34203749ec2355efdcc8b298c95d375

SHA1
cfb35ffa978cfd1b91d22b587341f5ac0754b014

SHA256
5e2ac5d6b12b2ea3d8f6a46897d5191faa5660dabfe7b8da2f0657e285eeef9f

SHA512
b47c41fdf8b082b7a8190a3e038e52ebb72cb318dd5f7161d0ffca91b4f372afc50f79920e921b3951a11c6f0088171d02f553405d5ca14cb9bca14ee2c6d7fc

Download Submit
/data/data/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt

Filesize
54B

MD5
1301368b74e1c9ff3bbf42462fba05f6

SHA1
8997530cac43563c35e4c37d68ef21c683dd9c77

SHA256
4152dbdf79a945501b6764861df16df5e3743ff79ccee34188cc14959cfee8d5

SHA512
303cf70e03414533353243b9ef04e0011dfed3c519e1ec0fe1d058b6d6f3f8530f1f79018a4ebe933d517fbbdceb80d7a0d70298d0ebd86d3acf2b4909a752b2

Download Submit
/data/data/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt

Filesize
63B

MD5
65366448e7f75d2b48641720e78c268b

SHA1
958762512d71959c821d80aaaa1d63cf3a300eb6

SHA256
dc519866065e002bb6564d18709180c7f196724df9acd0c36c07d8a627b9be74

SHA512
0e52aa92f604948bf25c50811904473e6d0f99590edb81feb2fbd0ff3f36d79181cf13d6f6eadb818f2834d6c05ef26a8d74f75be2e472aa0dc7c47769f0e8e4

Download Submit
/data/data/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt

Filesize
423B

MD5
a857e0a8746d6e29cdf0dda85dbf7e7b

SHA1
5fcbd8bfe9be76721836a67a6781953f249108a3

SHA256
8f1280c8f731fd06a85345c1b6c5bed3630f6e367ccfa242ef89c38bc00b8261

SHA512
b588a922a233b6e801b4eb092a6f7e87b72868c6bcd929dd38b4024f0fa1ed88e4f128a475a1536086548a750f600af7fde9ec22702da0180fe4dfe5fa6a68d1

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads