octo | 0a946a666299265c035361d331f918a1a8afdd86f901a9739ffebb33f246d155

Analysis

max time kernel
17s
max time network
139s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
11/01/2025, 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a946a666299265c035361d331f918a1a8afdd86f901a9739ffebb33f246d155.apk
Size

7.6MB
MD5

10e4cd93b43a3375de5ad0fe3014d3f6
SHA1

74dc556115efe540513d41ede5d9b94d6010a871
SHA256

0a946a666299265c035361d331f918a1a8afdd86f901a9739ffebb33f246d155
SHA512

b2ed872eced6f3254d5f9a06629cbf96b821595e8c1a9daf98b0419d35f3f9770df15fbfb83aefa498aae489850718a6f623fe5a2327034971d4a7349283e4fa
SSDEEP

98304:sPlyV5iSRGQiVKxrQtbmB1w+6/ZCj7MRsFEKZN0RbBRcb:sPl2rkUxQ4B2Mj7MR09Nr

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://d5abaaa83590ecf7b2432196e08081a8.biz

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/memory/4940-1.dex	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.explorerproduct_framework2/app_truck/XxqHGDm.json	4940	com.explorerproduct_framework2
/data/user/0/com.explorerproduct_framework2/[email protected]	4940	com.explorerproduct_framework2

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.explorerproduct_framework2
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.explorerproduct_framework2

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.explorerproduct_framework2

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.explorerproduct_framework2

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.explorerproduct_framework2

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.explorerproduct_framework2

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.explorerproduct_framework2

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.explorerproduct_framework2

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.explorerproduct_framework2

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.explorerproduct_framework2

com.explorerproduct_framework2
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4940

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.explorerproduct_framework2/.global.com.explorerproduct_framework2

Filesize
48B

MD5
046a414913add6f5bb60072c7db819b6

SHA1
451ee4f6809260aec622d772fd329c7d0297a842

SHA256
b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

SHA512
4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Download Submit
/data/data/com.explorerproduct_framework2/app_truck/XxqHGDm.json

Filesize
1023B

MD5
17753daff4350f2e396ca31aa9bddfd2

SHA1
7f9b03b8e2c42ee07186ef3b2af7c349fde06df8

SHA256
66f475f2861e9b4124e4f312502932af3c8118ac017ddbdc2812a1151e358ad6

SHA512
488a837ecdb7088a9ce36c4de6f6f6bc234b4c24d8cfda2b6e782bedacb22c4430384350dbd4f2b5dc711022563e89c3f5eb4ab897c635744c412880c5bd7352

Download Submit
/data/data/com.explorerproduct_framework2/app_truck/XxqHGDm.json

Filesize
1023B

MD5
5745975bb637c212e9a1c40e21924be5

SHA1
260c6057a164ebfd0bf1de31c42a56d236067201

SHA256
ee2178700a24530514e9903c69d55949453270497aef78f9006c09698405f927

SHA512
fdbe3159ac777903e050d18026160a780be723931e9891ecb18f016a0471c887e7a96cb1e957880f0ce53bc6897f8c3e9649a22213f0774dc43fb4d3199f0ec4

Download Submit
/data/data/com.explorerproduct_framework2/files/.x

Filesize
322KB

MD5
77dc50489b9323274732d27dc8a4e803

SHA1
0e02a3595b62489d0739d771881da8604d117c65

SHA256
c5684e792d1ebefea6aac09fed45911703fd58c899f8a08133d49dd91429a820

SHA512
0684a92f3e9c525384cfa53f531afba61e5930e1c27032a7e27e3315f72761b62e122dc34768d8162ba08f9bed53d148aa8dc034b46456bdd211f230637eba58

Download Submit
/data/data/com.explorerproduct_framework2/oat/x86_64/[email protected]

Filesize
312B

MD5
62147a90aad26369665b0d6f9582e71c

SHA1
b83b4c4cbfeb3b211f72fefa8bb3d3ff02506c8f

SHA256
ad2ae666afac03dcaadd18709da36709d720fdfd1d3d8de10349941573faffb2

SHA512
d6ca9f757bf1adea2b6104389bc45fa80bafd11dfcf695f2bb0b6e31409e0b82d444b9ea18ab8f691709ea2ebf8ab2ddcb2af84deaee954abe7120f55523bb55

Download Submit
/data/user/0/com.explorerproduct_framework2/[email protected]

Filesize
526KB

MD5
21affa17c6220c92c00cf92cbdaade9e

SHA1
f78fb957ac3fa4a7c1194f8ed7a9622b34e81cdb

SHA256
d537f9bfaa8719595e418d697f19cec6c2b8b2c83db1c4800bcd5292f61be5a7

SHA512
fa6c996d6a0211b459561da4fbcd332f254abc49d122a5b56e9e10e68add2035b2bb70fd404db7a82c5cd0877fbeb29d008f4c1366beebee34854a1caffff59a

Download Submit
/data/user/0/com.explorerproduct_framework2/app_truck/XxqHGDm.json

Filesize
1KB

MD5
b182252d60b6a13b8219bf5360865a61

SHA1
2fa2d8223cd7ca55886441f678d2d0a1d7270f88

SHA256
2591f5fa6365d05cc09abce72ff55697be7f95ea7b84c26f5cbddc5dd4c61dde

SHA512
8f9997af5c53b7206edc27092be2f672545431d1626d3c224b00abe5388a5059cffa41379d6704b629d58f6d5acbdf364464cc04530e21f8a8c453d5df5db1b2

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads