octo | 48796872cc6c33cd667f0be5b3dee4c729cd153fb910bf98f88804a93755dca0

Analysis

max time kernel
149s
max time network
155s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
04-01-2025 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48796872cc6c33cd667f0be5b3dee4c729cd153fb910bf98f88804a93755dca0.apk
Size

541KB
MD5

0bd94271a27635454ce4e68943dd5af8
SHA1

a39e0a341cc9ca3465c876639ad4d98184af9896
SHA256

48796872cc6c33cd667f0be5b3dee4c729cd153fb910bf98f88804a93755dca0
SHA512

3e8aa0b34ebe7ee52855db24d40776d20f27bdc46462cd8789bbdb058616280c57887027cac2a2589e1dfc79307851a4901bc8728fcfc52556a39a42d2c54a7f
SSDEEP

12288:Dyvo7jfRnqwyTeb34ux7okzdx6hke9WMZY2jQOldOxl:eohnqFebFx1x6hkeMMZYWQOXOxl

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://keplistensan.site/YWRhZjAxNGM1YjFh/

https://ikranjsfyu.space/YWRhZjAxNGM1YjFh/

https://ujsayhhfsakl.fun/YWRhZjAxNGM1YjFh/

https://hduuooasdj.website/YWRhZjAxNGM1YjFh/

https://pkasjjfoosa.host/YWRhZjAxNGM1YjFh/

rc4.plain

Extracted

Family

octo

https://keplistensan.site/YWRhZjAxNGM1YjFh/

https://ikranjsfyu.space/YWRhZjAxNGM1YjFh/

https://ujsayhhfsakl.fun/YWRhZjAxNGM1YjFh/

https://hduuooasdj.website/YWRhZjAxNGM1YjFh/

https://pkasjjfoosa.host/YWRhZjAxNGM1YjFh/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.knowpointa/cache/vgibokjc	5172	com.knowpointa
/data/user/0/com.knowpointa/cache/vgibokjc	5172	com.knowpointa

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.knowpointa
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.knowpointa

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.knowpointa

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.knowpointa

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.knowpointa

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.knowpointa
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.knowpointa

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.knowpointa

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.knowpointa

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.knowpointa

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.knowpointa

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.knowpointa

com.knowpointa
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5172

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.knowpointa/cache/oat/vgibokjc.cur.prof

Filesize
450B

MD5
baa94bb03fcb2fe57e2b29316f3f021a

SHA1
2e12ad5abe6035ff54901b6c5117b35614c7d982

SHA256
6f2edd69d0fc5587659570b186a0987cb8cefff19e2fa23c8a95d842b0c6d49d

SHA512
0873e39aaaf27f492e7968c09a9d09707de0310da6f50166fc1d7c3f9c701a1ba83a349da1832d824a7dbdf89e85bf26e382bbb9dccb261e7a0d642201c0ba3c

Download Submit
/data/data/com.knowpointa/cache/vgibokjc

Filesize
449KB

MD5
6fd290be54e4580c7bf1a2bba3529394

SHA1
f6866869b310711d701de647c983ae4d0ed47384

SHA256
2e78d67eb83ddd9760fa56f7feb36b949382540c89f678c6d902e29c156f8903

SHA512
3ce92097e84c709e4139c13815fca050768f5e1692916a29e27d2afcde6566f672b203fda454134872e261545dbb89cb5114af5059fd4b1b3833a0d6225b7c81

Download Submit
/data/data/com.knowpointa/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.knowpointa/kl.txt

Filesize
63B

MD5
e826fbe0395e538303fef298bfd75f37

SHA1
6d1e6c2798088653efebfe897b0af43f1ee1dcab

SHA256
68cceefdeeed8377cce0ce769f343b92bef98981029c36c1165ed25906935f41

SHA512
28636236ae07fe5b11fcc91cd27fb4151231b81469f3491f95e46957e34381d50ede0faf3c477c65f981279eec5ae36d1cdd9333ba66e5860495a76e9b413a69

Download Submit
/data/data/com.knowpointa/kl.txt

Filesize
45B

MD5
19bc7add976b6cf91533ddacb480c95a

SHA1
85965195565246181d8a8b5b7ed28073aa2e6c45

SHA256
b84171a1c1a5ca095edadefe80a7e86ca830dd0fc3dcb9b14373ff335eeffafc

SHA512
06501410f9d96c5a760cf36a9f944c6e455ece617d639c4d8280506d1af905109c78b627e7a028bae88de9e228918041e8bbbf93fc83346cda22ff5599a99f09

Download Submit
/data/data/com.knowpointa/kl.txt

Filesize
60B

MD5
9c1b4fb04dcb9ba779d853b76f6a7fe4

SHA1
625a3df3f95d17d0aa9c868e731966c5e80a72da

SHA256
bb4b6fbf6a54914a9441d57772dade9697baf2c7718880674722fe442abfc5af

SHA512
4843aed3a4bef0bb9a0e55ef0dca82ea395330c745d4e7d8fec50bdb56165e0eed603d4409688f268a72b2d2127d1cdb82afc7431b447e803c9aeb48a02ffc84

Download Submit
/data/data/com.knowpointa/kl.txt

Filesize
423B

MD5
b98312ba700af0f6d75d1fb2cd29acfd

SHA1
902c6d3a074da3f501e8f1db40c00c0dadcc3937

SHA256
8d3638b3b82740ba5025b36c4fb0279721febd493b2e792ee0829a4d9b26a404

SHA512
2557a6ddaccfa5536b088093410a1867cb0b2dc60345705e9e4329a13b447bde4ec2f5d34e8ba4e5b2bcfad0d747f74cbc0e151a739791e236dbf8e66c5a1a50

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads