octo | f7b510f2e312c6c00bd6fbf35a8498fa11fb2a6d890ac1ea477ac4381d3f1536

Analysis

max time kernel
148s
max time network
156s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
01-01-2025 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7b510f2e312c6c00bd6fbf35a8498fa11fb2a6d890ac1ea477ac4381d3f1536.apk
Size

216KB
MD5

671210c3b78a539aa621984fdecc5d0f
SHA1

c73c09d64efaf77f61d6d8adc6dc526e9698393c
SHA256

f7b510f2e312c6c00bd6fbf35a8498fa11fb2a6d890ac1ea477ac4381d3f1536
SHA512

c518c27b42a1807f028e0f83dc15ff3cae27d29f0891bfb3477350f847d01a20942c73cc62ca0037c3ec40c9c681a51ed2f38236a12eb95c4cb7570e6f241421
SSDEEP

6144:MF85YWB+Xm8t1VZCfoZdqDVZUqnEprpz737:Ma5KXm8RZCUprpzj7

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://a101.uno/root/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.adaxffsfzfada.zbsvxgsvbxhdgs
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.adaxffsfzfada.zbsvxgsvbxhdgs

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.adaxffsfzfada.zbsvxgsvbxhdgs

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.adaxffsfzfada.zbsvxgsvbxhdgs

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.adaxffsfzfada.zbsvxgsvbxhdgs

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.adaxffsfzfada.zbsvxgsvbxhdgs
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.adaxffsfzfada.zbsvxgsvbxhdgs

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.adaxffsfzfada.zbsvxgsvbxhdgs

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.adaxffsfzfada.zbsvxgsvbxhdgs

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.adaxffsfzfada.zbsvxgsvbxhdgs

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.adaxffsfzfada.zbsvxgsvbxhdgs

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.adaxffsfzfada.zbsvxgsvbxhdgs

com.adaxffsfzfada.zbsvxgsvbxhdgs
1⤵
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5165

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Foreground Persistence

T1541

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt

Filesize
230B

MD5
2a9c17679145c530d2c3b432606ef426

SHA1
b11cd510919b0a46d2272e31e6802b09641fe0c6

SHA256
f2a528811e3392771778b7c06374f01106f91b4ae6cbe87b38f671dfc5b764a7

SHA512
5639efb6406eecd7d5bfce40b271132d7c42b985e0d0406ff05216c5ab86ed8872d531194adba7fb4c112b9234d7ee7f78389e457b587265f05aa12bff9c5914

Download Submit
/data/data/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt

Filesize
63B

MD5
d462c39ae3d3985c90f7cc080e62a004

SHA1
de28f964ba8de3827dd677a9a52fd9fdb32d62ef

SHA256
972c5f190ac4149f6f3b1505c177b0bdbe8df875bb6d1382827be7c78e35af02

SHA512
ed0633f4a03b6717571f998583b57cd6b7d7f3145aebdef03eca1446f90aee44c7d28785d651079455877b34e71ac96522d873f63dfa6ee7731654d6ba81e6cc

Download Submit
/data/data/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt

Filesize
45B

MD5
efe36d391240e1fd6d0a83dc8272d987

SHA1
ba9fa19cd20fa4c0e1b1bb5a59c48667b63a34a4

SHA256
9f689ae477ba7f8b7d6f0a06990f3d30cacb5852328a8174672d439255f847bc

SHA512
e69ab07e12cde03a2124e1bf9a4f863deabedc5be3d488fb7b782c8027f0cc7a8da52fee399e4d83244673668fddab585d098f5e5fc037bc5b425acc09576ab3

Download Submit
/data/data/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt

Filesize
423B

MD5
60aabd7c91cf7bf3f1a2a5f7f70ee775

SHA1
62958f590fcae0fc499dfbf0c41e4f61d60903f0

SHA256
957519d4bbc9c84b9dbea68f7a4bf69b9cc72a537e8b27b75e4e2ab8b5f3ed89

SHA512
4202e18c10d742377d3edd14ea1d2b245a661d7c3479e205c4354b26aead5b2447c18fdf2a292efd325e0585ca2c05dba0d101b99f8918ef89e7a862bc75d20a

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads