octo | d9da6bafd74fd93b1a1e5544e5d5c6b7292f7c1ace2ea1df4646f38387d1ea1e

Analysis

max time kernel
149s
max time network
150s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
13-01-2025 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9da6bafd74fd93b1a1e5544e5d5c6b7292f7c1ace2ea1df4646f38387d1ea1e.apk
Size

541KB
MD5

75cbab34293d4a1ee987ffeb7b9fa25f
SHA1

afc694b030e37b9699bc40aebc7b13a820731133
SHA256

d9da6bafd74fd93b1a1e5544e5d5c6b7292f7c1ace2ea1df4646f38387d1ea1e
SHA512

ca7072e1bd9e89acfe84fc93a6d237caf543ffa1bf2dc14b8810e70f2b8c304ddf23eb9deb5711a45b307e3bf529fc506f0676f4410e8f6b57b3744260565b56
SSDEEP

12288:kUSUvdxzjJKYaDljt2q6pGZmsG81G1IIDeUHM2Q:HPVx3JKYAljt4gG/1ZD6

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://79.110.62.118/YTFlMzViNjNiNWM3/

https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam7acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://6ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://7ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://8ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://9ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://15yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

rc4.plain

Extracted

Family

octo

https://79.110.62.118/YTFlMzViNjNiNWM3/

https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam7acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://6ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://7ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://8ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://9ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://15yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-1.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4314	com.markearlyjc

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.markearlyjc/cache/vvobcfzwqawz	4314	com.markearlyjc
/data/user/0/com.markearlyjc/cache/vvobcfzwqawz	4314	com.markearlyjc

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.markearlyjc
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.markearlyjc

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.markearlyjc

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.markearlyjc

Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.markearlyjc

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.markearlyjc

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.markearlyjc

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.markearlyjc

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.markearlyjc

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.markearlyjc

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.markearlyjc

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.markearlyjc

com.markearlyjc
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4314

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.markearlyjc/cache/oat/vvobcfzwqawz.cur.prof

Filesize
447B

MD5
3f65d35692a851e34a6ce54b46f8fa66

SHA1
ced56c889dd9b7cf836f2e7f327ede3a0f51817a

SHA256
882e47329f6dfc6826eb09432ea4554d67305e1ceabebc3e64648468fe4d955d

SHA512
8910fdae04f5be60cbdee82de25c8380ae25ebe6abbfc4a21b89434fe4ecabeecd7586debcaf0af62295e30d9aa47387ed3a53414af69ff49c62f6a777c4da3b

Download Submit
/data/data/com.markearlyjc/cache/vvobcfzwqawz

Filesize
450KB

MD5
366b4c37a32cd351ed5a0d5cc54974e9

SHA1
74d96443ababaf2ad3c69c363486f9ea40a3aca1

SHA256
70efc20abc738e6b2db512238552574ddafd5dea37708c1cfe1ae38d4ca95a12

SHA512
9b0ea80dd60aacb24f72686b914a78657a6ac89637af2dc0c427602001b6087d46ccb77e9e69e291a7f5d8bc2a16f44cd50c38670bafde1df5d7d8608ffc08eb

Download Submit
/data/data/com.markearlyjc/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.markearlyjc/kl.txt

Filesize
234B

MD5
3403c0d0f28abbc7c5a09d30bb532fc9

SHA1
e7721cda0ec14ac86d49bd89e39091a4f9fd3601

SHA256
32c69d374159cdf764819f9bfeeb2d296cb3c073b3050ce83c9eb200e999b8e3

SHA512
874916e4b54d338ebcae8b5d1e1602b34778f0fd132b93f6e41917d99b4e32520579658cdcc6506502a24ceb4114d9cf53030a57556f2ebb61b170a4c8fc90e7

Download Submit
/data/data/com.markearlyjc/kl.txt

Filesize
54B

MD5
db8b93384f7badac53510afe5f9a3543

SHA1
f44448045efd3dc0d757a420fe4d7be782abb4bc

SHA256
7c097f04ac12457a26c776db146b807e2ee7c48ead70918d3bf6d54798c3ebb2

SHA512
3613a240c7bfa8fe0c39775a56ee70ac0157c840c62656a5a81c2f52f618902b1014c84400dae2ea4af720ed78a4cd7442d73aa73c22463fc437a33a6965bc92

Download Submit
/data/data/com.markearlyjc/kl.txt

Filesize
63B

MD5
dafafca6b8c533ca70870f59727d7f65

SHA1
effec0b637414a1bd9f7d74b0b2527e59fdeefcd

SHA256
33b0fc57a38caa5521be418736a2a6bc5cbd43b36e6e30cd2b0f78ed344077d8

SHA512
dfaaaa8aefabcc834af12322a4203b9bf0587129ffe1bf2e69adfdb62099650ef8ba2be2eac20ebba64924a91451943676668787b4988607fc22ff750674e263

Download Submit
/data/data/com.markearlyjc/kl.txt

Filesize
431B

MD5
30757d40b80a0a1d079ae747073a6646

SHA1
acc1c4d8be1fbf571a985d5a3215dfdaf194ad41

SHA256
807167b6d8f3d80ffd7054dab347449ba9cae8ebab74a0066b02c65b1f09d0ad

SHA512
ffbf028072c95658eb9e8b8ef7e5a2e7362ac28de54a7033cdd0bd4e68e283f178dd97da071ac06ab08e39e9ff7c4ef86abb7d54fe4978c9bf4769fd7ccf04f6

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads