octo | 65f8c9bb3f72662cf1b58c853d05a522a0c547133d74f00eafc5810d1c00d054

Analysis

max time kernel
149s
max time network
158s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
submitted
11-01-2025 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65f8c9bb3f72662cf1b58c853d05a522a0c547133d74f00eafc5810d1c00d054.apk
Size

8.9MB
MD5

6dcc6f70622aa603fffa7b5c781645d2
SHA1

6700f83ae240b39a7d7438c0e24a9b084dbb58f2
SHA256

65f8c9bb3f72662cf1b58c853d05a522a0c547133d74f00eafc5810d1c00d054
SHA512

7b79c0256de410b9b014e7a76f7f6ea3d942aa56ab6c0dc2171704ba6483bd7595e850bf0480708e3b099c36b2c66dc6284d633230eaee7bf1e2d53d51c082cc
SSDEEP

98304:vjZbaTMImrVKC2abj7j5iSRGcuRstRuRxwMN/0wtsGRJ1xEjK9aZwuN8/AIIP:wwUpGj7jrMRSWi8/0KHyFp

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://2124edca28e866d7953fe775a71a44e6.biz

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/memory/4314-1.dex	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.volume_virtualwv56/app_trophy/dEtLkC.json	4314	com.volume_virtualwv56
/data/user/0/com.volume_virtualwv56/[email protected]	4314	com.volume_virtualwv56

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.volume_virtualwv56
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.volume_virtualwv56

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.volume_virtualwv56

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.volume_virtualwv56

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.volume_virtualwv56

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.volume_virtualwv56

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.volume_virtualwv56

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.volume_virtualwv56

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.volume_virtualwv56

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.volume_virtualwv56

com.volume_virtualwv56
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4314

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.volume_virtualwv56/.global.com.volume_virtualwv56

Filesize
48B

MD5
046a414913add6f5bb60072c7db819b6

SHA1
451ee4f6809260aec622d772fd329c7d0297a842

SHA256
b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

SHA512
4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Download Submit
/data/data/com.volume_virtualwv56/app_trophy/dEtLkC.json

Filesize
1020B

MD5
8f307acfb70b2b7b37c7ee5432df0d14

SHA1
a9adfff2819ecfc819baecfaf1871a4977807818

SHA256
f0794e3453791579155d5667be6aa47936c4ec91cc1921f8a9a40ade4506b48b

SHA512
49959d8c220873c185260b2545ea05db50d588b1d42196a0defe8f53d62b761862244fd1837b3cea9f6fc8e152ac494ea966311feda5d858ed5471f4ccdb2dbf

Download Submit
/data/data/com.volume_virtualwv56/app_trophy/dEtLkC.json

Filesize
1020B

MD5
5b006aad7a4d0d6aa60b530b1dae2e9f

SHA1
90d1e015adc5a6b013b658842ec2b4c6de457269

SHA256
e76f880e0bfb468249a08625810d85981abae2b425cb98d99a81cddb3c64e6d1

SHA512
0ed8214a0e34d6ec3870b122e1c09a4f5acc7714235e9ebf44589caf334e3da4e1e3bd9cd331ad10b61cb2672d16cd9c54ff818f54a029164bfff79fe6a83ff5

Download Submit
/data/data/com.volume_virtualwv56/files/.n

Filesize
322KB

MD5
77dc50489b9323274732d27dc8a4e803

SHA1
0e02a3595b62489d0739d771881da8604d117c65

SHA256
c5684e792d1ebefea6aac09fed45911703fd58c899f8a08133d49dd91429a820

SHA512
0684a92f3e9c525384cfa53f531afba61e5930e1c27032a7e27e3315f72761b62e122dc34768d8162ba08f9bed53d148aa8dc034b46456bdd211f230637eba58

Download Submit
/data/data/com.volume_virtualwv56/oat/x86_64/[email protected]

Filesize
13KB

MD5
1eddcce76dc30cf34831028376067bd1

SHA1
4755b67809ea931870a6b4422b20bfeb794d0b80

SHA256
b3d1d27d598e86fa3019c89b94aa1afb5fb992f2b04a341edda9e6149a26dbf9

SHA512
66c0a39d50b65501a98d0d6a7139eb261ce88670b41ce7e65f9bb095ab5f93a4a46771ef92f92c23cb803dec216e190bef1ad35b77aa2b33bbc287aaa3e0cee9

Download Submit
/data/user/0/com.volume_virtualwv56/[email protected]

Filesize
526KB

MD5
883f2e03d3a1ddf284076163f260cef9

SHA1
dc72c8faa9287f9d017055df37286028aaaeebb0

SHA256
023b016dd834983efa539ebb822bb85b6ed88849c093f94a36b8588c2dad5817

SHA512
e03d9ca69f4bc92438e78d98e139a48bc032533c9be6e7d2c0de481605f4378986197ee0be6516a97e0d196f1928b07afc21000c7cc1b038c6de3eb8a3fc4293

Download Submit
/data/user/0/com.volume_virtualwv56/app_trophy/dEtLkC.json

Filesize
1KB

MD5
22981af3dd22a182ad6710e6e1d643c7

SHA1
2a48fc66ba6c3bfde14762f9e376cfc849fde6f2

SHA256
300e3d656634de5a00cf029e98fa1838647a405ffdf94662b9d820fe77bb20ba

SHA512
6abd302c32a0f6b192d19ddb4f4aa1afba0d9db11feb9a18b88cdfd8a07fdf342cf80f65685dde81f40b4f948742fd24f2504ac8927b3ba9ad2d96a1d93899c5

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads