octo | 1faf6e8191e6ad0ba53b500556cc59713774ece7079e87586ef62494c409cd0d

Analysis

max time kernel
149s
max time network
152s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
02-01-2025 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1faf6e8191e6ad0ba53b500556cc59713774ece7079e87586ef62494c409cd0d.apk
Size

1.6MB
MD5

5de0c7a3d9b5821fa3473a43921dbd2f
SHA1

1ddd46a98a09f11d70a1298cc7eb65be44002382
SHA256

1faf6e8191e6ad0ba53b500556cc59713774ece7079e87586ef62494c409cd0d
SHA512

95f7e66ba5639030a713dea1dd0a9da6937db9a39d16435c1403f463ed40926ffa2fedd90837bf77d2e34e1073374a90cdea077125670624b3a452c70905d1da
SSDEEP

49152:v7/a8MEUuhjRiG41mrNhY6/xcIrO9B6wa931U+eY:vnUp1mQqcsAgjB

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://worldscanipbest.xyz/NmE0N2YwOWEzMTM3/

https://bestworldscanip.xyz/NmE0N2YwOWEzMTM3/

https://bestipworldscan.xyz/NmE0N2YwOWEzMTM3/

https://scanbestworldip.xyz/NmE0N2YwOWEzMTM3/

https://newfastcheckdns.xyz/NmE0N2YwOWEzMTM3/

https://newfastdnscheck.xyz/NmE0N2YwOWEzMTM3/

https://newdnsfastcheck.xyz/NmE0N2YwOWEzMTM3/

https://fastnewcheckdns.xyz/NmE0N2YwOWEzMTM3/

https://fastnewdnscheck.xyz/NmE0N2YwOWEzMTM3/

https://fastchecknewdns.xyz/NmE0N2YwOWEzMTM3/

https://fastcheckdnsnew.xyz/NmE0N2YwOWEzMTM3/

rc4.plain

Extracted

Family

octo

https://worldscanipbest.xyz/NmE0N2YwOWEzMTM3/

https://bestworldscanip.xyz/NmE0N2YwOWEzMTM3/

https://bestipworldscan.xyz/NmE0N2YwOWEzMTM3/

https://scanbestworldip.xyz/NmE0N2YwOWEzMTM3/

https://newfastcheckdns.xyz/NmE0N2YwOWEzMTM3/

https://newfastdnscheck.xyz/NmE0N2YwOWEzMTM3/

https://newdnsfastcheck.xyz/NmE0N2YwOWEzMTM3/

https://fastnewcheckdns.xyz/NmE0N2YwOWEzMTM3/

https://fastnewdnscheck.xyz/NmE0N2YwOWEzMTM3/

https://fastchecknewdns.xyz/NmE0N2YwOWEzMTM3/

https://fastcheckdnsnew.xyz/NmE0N2YwOWEzMTM3/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-3.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.horsework8/app_DynamicOptDex/PlrTmR.json	5168	com.horsework8
/data/user/0/com.horsework8/cache/ggqwbtoqiwzus	5168	com.horsework8
/data/user/0/com.horsework8/cache/ggqwbtoqiwzus	5168	com.horsework8

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.horsework8
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.horsework8

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.horsework8

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.horsework8

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.horsework8

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.horsework8
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.horsework8

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.horsework8

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.horsework8

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.horsework8

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.horsework8

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.horsework8

com.horsework8
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5168

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.horsework8/app_DynamicOptDex/PlrTmR.json

Filesize
1KB

MD5
0a2899289a9c3539db77c18efae96d2e

SHA1
7f4f849933d374866c0248eac5c0a7fb6eac497d

SHA256
75c4e7a5eed221d2b7099536887dcf750b2ae46ce2429f38f57b4ddf480d4b92

SHA512
88db735259a24fda51a53d246f79c596b73af1608a0cca86fb8ea08035d48cb4f4b24764dc18ba73ce386cf3853c96997affbcd2d76819035930c08e07532d62

Download Submit
/data/data/com.horsework8/app_DynamicOptDex/PlrTmR.json

Filesize
1KB

MD5
11eb8813bb78ce6eb0fb1cfc778c6a58

SHA1
4b19933eab2b27efa836bf606dd293ff95dc0b1a

SHA256
07caaa48341909153ead7c183b6c619ba0dc85f8ba9cbc56eceab2946972717e

SHA512
a4bb8e713f30b64ca415c6f9e11f16f3d17c554ccd2f7d48cf4cb06a375ca6e1ff3602f4b53e87d97792ddd2e13e2c0476db848198fee8e84f2ce77ecbf840e3

Download Submit
/data/data/com.horsework8/cache/ggqwbtoqiwzus

Filesize
448KB

MD5
2a1a45cba2ace6d1361259f6856eeb90

SHA1
b87be57707fb3bec015d437a1421aab9046a68db

SHA256
91120dd1c6e674498a32f6a915a11d1da1e79d4a11d8e83cc6e7b16081d9d58e

SHA512
eb84fc7568bb92030e1b6760756b4b2ca324383cf99dc701f3b1949fdd28bccc5a053bc505c13066bfd81b6a3068d9e364029bb8798f0689c097e71c762a12be

Download Submit
/data/data/com.horsework8/cache/oat/ggqwbtoqiwzus.cur.prof

Filesize
533B

MD5
a13c62263f37b034dfe36596e561f3d7

SHA1
47015c40d4cc1820ec3ca01d30311d7666cb029b

SHA256
f7119473123c37ec6e4d9b9ecba88ffeeaf437a5671e03229413336710269ced

SHA512
7628f21f2ebc797cac8381a38cae4cf5403cc313c53300c0dd2c0a060b8674a7d3e10da1382899c72435fb7e84d6fe4427b9b62f7f368502e0b4eb2c3a10058a

Download Submit
/data/data/com.horsework8/kl.txt

Filesize
423B

MD5
006a0cb666886b64fcaca1efa8365317

SHA1
ae5af056c5c96b31761c723d984246d363e08e5f

SHA256
dcb66d4406e98505a96ffda4c5162384a1582363f6527ab5157e92f3f1a3e076

SHA512
2a5976eb188ac1aa50ecc117fdfa7d8f36cb2ed2a5c32c28531effbe782b074d68315b1465643504be99675111e91d4e5605a93d40a0e38f0266a52b76be71bc

Download Submit
/data/data/com.horsework8/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.horsework8/kl.txt

Filesize
63B

MD5
6c63d5943e0fc59fd30e56eabefd3f71

SHA1
ca2b8078b2724de2536fde57d98e5a0361d1c754

SHA256
21f33102ac111540e1b468b786019961409cedb8ceadf6eccf53e75772872c2c

SHA512
20c252fe6832602704b49e1b2face6c0db41e807a4013d7872e8f8888e573dbd79fbdcff19efd124a608a2b9b44adf1c5b68270962822e70562b21e42fe1440c

Download Submit
/data/data/com.horsework8/kl.txt

Filesize
45B

MD5
31b6a34ad8cbc00c169ef451c89c5eb3

SHA1
24b063ac7c3bddf2ab091ca9bca3f5901eb621e6

SHA256
78bc2f871eb4b034e5eb93b335aaaf899ce9948afb4854a77bc430f027e2d9ef

SHA512
7179680fc629c33f1e608aab02bbb73694dd966ec2e386121319a214375890ed8d16f2c49af2f523bd5de473a4c4fd3e94a942782b09ac7b61318597d47dee97

Download Submit
/data/data/com.horsework8/kl.txt

Filesize
60B

MD5
330c2a8f0f2a8e1d21811fd467825388

SHA1
7486b399839d09694a6706438b2990c2a75a4f58

SHA256
bedf469919bfc0c5f9ea9eaf96aa9e4f12020589e0ae624b42f0ef29213719dc

SHA512
88cc7e78423a4ff3f0fbf3f5616cf8d3f14ea56b0392811ac3948208e58f16f705065e5ee6e7ee49c1ce5a8d9f9d591b17307990d420037c195ba9aece7f7ac7

Download Submit
/data/user/0/com.horsework8/app_DynamicOptDex/PlrTmR.json

Filesize
2KB

MD5
83da672df4634b33a46a0e34bbe509f1

SHA1
91cb2075a6c2e1fe2c0208d7104e703cb93258f1

SHA256
dc55839849103efe9ad167dd05ab12ef18cfa8bf46f5522fb07d0f13b1ba0dc6

SHA512
9f6c806686a0beb1639ea0f48ab6e4bd301be1c87d3c1d539df3521724e6215abaaec53d14800a07fd2721e793c8c5c83f511c6e2ea23b5d95f31dc23a6e7bb1

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads