octo | 035fa5650ea10a63653b194578148fdff04ad7fd093a36fc72427f9588945def

Analysis

max time kernel
148s
max time network
150s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
06-01-2025 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

035fa5650ea10a63653b194578148fdff04ad7fd093a36fc72427f9588945def.apk
Size

589KB
MD5

e4b1fe392aedfd7006f977d8937e6876
SHA1

e77ba3ee039dd477cf3f28ecfbba04d71ff28ebc
SHA256

035fa5650ea10a63653b194578148fdff04ad7fd093a36fc72427f9588945def
SHA512

5095134d7d56f4f95347431493c5542d5dc1a95ca569dadc5c76c962f0d782a74a8bbbf05b11668e6ffb657d74f9015bb26f0b63db188ca7ee9dbd733530e25b
SSDEEP

12288:GSiVGakgqJu7G78+O+2fO4Rs79Y4twan4fjL0op0chQGQFlyXE/gl6Us2:rdgqJu7aElO42q4twrMciTyXE/glBs2

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://93.123.85.21:7117/gate/

rc4.plain

Extracted

Family

octo

https://93.123.85.21:7117/gate/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 2 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_octo
behavioral1/memory/4370-1.dex	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4370	com.adaxffsfzfada.zbsvxgsvbxhdgs

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.adaxffsfzfada.zbsvxgsvbxhdgs/files/arm/classes.dex	4370	com.adaxffsfzfada.zbsvxgsvbxhdgs
/data/user/0/com.adaxffsfzfada.zbsvxgsvbxhdgs/files/arm/classes.dex	4396	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.adaxffsfzfada.zbsvxgsvbxhdgs/files/arm/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.adaxffsfzfada.zbsvxgsvbxhdgs/files/arm/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.adaxffsfzfada.zbsvxgsvbxhdgs/files/arm/classes.dex	4370	com.adaxffsfzfada.zbsvxgsvbxhdgs

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.adaxffsfzfada.zbsvxgsvbxhdgs
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.adaxffsfzfada.zbsvxgsvbxhdgs

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.adaxffsfzfada.zbsvxgsvbxhdgs

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.adaxffsfzfada.zbsvxgsvbxhdgs

Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.adaxffsfzfada.zbsvxgsvbxhdgs

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.adaxffsfzfada.zbsvxgsvbxhdgs

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.adaxffsfzfada.zbsvxgsvbxhdgs

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.adaxffsfzfada.zbsvxgsvbxhdgs

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.adaxffsfzfada.zbsvxgsvbxhdgs

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.adaxffsfzfada.zbsvxgsvbxhdgs

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.adaxffsfzfada.zbsvxgsvbxhdgs

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.adaxffsfzfada.zbsvxgsvbxhdgs

com.adaxffsfzfada.zbsvxgsvbxhdgs
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4370
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.adaxffsfzfada.zbsvxgsvbxhdgs/files/arm/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.adaxffsfzfada.zbsvxgsvbxhdgs/files/arm/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4396

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.adaxffsfzfada.zbsvxgsvbxhdgs/files/arm/classes.dex

Filesize
448KB

MD5
f75c8735be3c4a009fa0719d595b3fb1

SHA1
64f22a19331d99c8e2b8c13cda290e3af934b570

SHA256
72dc7fd81b66c21dd5df21452cccf0a28a391c5c0ba1225ebc67223856996f0e

SHA512
bca74d55d9ad49fa533382457c069442955750ae4c8c36efaa9b21f1a7cf5e9dc8f30287877470cd8b4d9ae74d4af4cfcddc26715c7be47f816f403f1022b735

Download Submit
/data/data/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt

Filesize
419B

MD5
53f2def94e6218482ae9149c7078982d

SHA1
3250e2232e4a13056d8a265c6bfc5a06a19d3f37

SHA256
9e702e12a5ecd3ed9ac9ef85fb171b4d0a7677e4634d14686a3229a193266573

SHA512
3057d6325545c5b4c724094ddec7090eff8df164ecfd25697a38b7468a51f138467851f8cf8cd3fe98c0ce6c6eb59082832837d07a437bcd8bfe35ed63503df1

Download Submit
/data/data/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt

Filesize
228B

MD5
ec489aff523797818dcc0a4294e118a8

SHA1
b1652728283dc5ce83a2e42304c3890e860d5878

SHA256
b90cf133f5f1d82648e0f3ecbc51b1a0007dcf2f6761f625aa06eede3ec7c353

SHA512
12c6589ed1b85179b6b71c77be47e033d4ef9237d44f570195d7d312d524a5a6b1203c68507e92ed01e0af7500cdcc2893934c1b1bca7fa2de8276ce65f20fae

Download Submit
/data/data/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt

Filesize
54B

MD5
87272ac9babb3deed9d3adb4836f3ede

SHA1
78378a31bd8f719a544de2acc9993be4cbb10846

SHA256
3219e53a90d15a237a0cc122f157c896043805ec66a862de0a0843d57a5d61b1

SHA512
cf1b7ff63ca34c10b75db5fda94d90a2c791f5799ce3c81220d300afbc1f71881c448f65c3dc0db8b349458d18699b9fc497524f1ea8e047e51a48fda590b2c9

Download Submit
/data/data/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt

Filesize
63B

MD5
6dfc386bb1e237c2b71aa97f520b95f2

SHA1
c4a01809111b253318af9bc76e6ae4a6732fa34f

SHA256
d151d834c67849f417b90f535c93574b3da1c60563b7f18dbe56c781861728b0

SHA512
bfe42da2aa2befd17fdefcdb79a624a54d7c99a675517384e4ca4ba97633eb031bd0b5daf6e558119ea68da2b4df842b17ac8eaf76c6ba6e52c052ba12fb8b07

Download Submit
/data/user/0/com.adaxffsfzfada.zbsvxgsvbxhdgs/files/arm/classes.dex

Filesize
448KB

MD5
3a7a1c0565afa7525d603f46664b8739

SHA1
3fe3f97c7957c3a1806a27391732fb49bd36f01b

SHA256
880c06cbcac9ed0c2eb306527b2028954136c3e3a88a2286b1458a2360247b9f

SHA512
db6d415d2889572fd9a3ee9450fffe0cf4b451bd32f0253d0e3fd6edd4734a2879c04a597ed4218f1a4bed7d3efd87da5a38fb42bf19fc0b23535e48666e1425

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads