octo | d9da6bafd74fd93b1a1e5544e5d5c6b7292f7c1ace2ea1df4646f38387d1ea1e

Analysis

max time kernel
149s
max time network
159s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
13-01-2025 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9da6bafd74fd93b1a1e5544e5d5c6b7292f7c1ace2ea1df4646f38387d1ea1e.apk
Size

541KB
MD5

75cbab34293d4a1ee987ffeb7b9fa25f
SHA1

afc694b030e37b9699bc40aebc7b13a820731133
SHA256

d9da6bafd74fd93b1a1e5544e5d5c6b7292f7c1ace2ea1df4646f38387d1ea1e
SHA512

ca7072e1bd9e89acfe84fc93a6d237caf543ffa1bf2dc14b8810e70f2b8c304ddf23eb9deb5711a45b307e3bf529fc506f0676f4410e8f6b57b3744260565b56
SSDEEP

12288:kUSUvdxzjJKYaDljt2q6pGZmsG81G1IIDeUHM2Q:HPVx3JKYAljt4gG/1ZD6

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://79.110.62.118/YTFlMzViNjNiNWM3/

https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam7acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://6ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://7ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://8ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://9ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://15yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

rc4.plain

Extracted

Family

octo

https://79.110.62.118/YTFlMzViNjNiNWM3/

https://3yamacfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam7acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5yam8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://5y3am4acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://6ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://7ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://8ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://9ya5m8acfirarda22.xyz/YTFlMzViNjNiNWM3/

https://15yam4acfirarda22.xyz/YTFlMzViNjNiNWM3/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-1.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.markearlyjc/cache/vvobcfzwqawz	4477	com.markearlyjc

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.markearlyjc
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.markearlyjc

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.markearlyjc

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.markearlyjc

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.markearlyjc

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.markearlyjc

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.markearlyjc

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.markearlyjc

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.markearlyjc

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.markearlyjc

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.markearlyjc

com.markearlyjc
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4477

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.markearlyjc/cache/oat/vvobcfzwqawz.cur.prof

Filesize
398B

MD5
0f48dec09bcadb7ac6193bbd43ced9d5

SHA1
042f5120fdeda48809bb0dccf8b601b6b59f680f

SHA256
4593d2b85c2625d0e6542da53386be0d6455766cd87e2fc975a1daa84e87e930

SHA512
e7f8d9c6bd5c249d1efb99c3580661d09dcd3c4852886d395f4b7e82ad91b26a4c36bad0bf788d3c6d7082f4407b92c95818fde5f77211507d1784c89ea4d90f

Download Submit
/data/user/0/com.markearlyjc/cache/oat/vvobcfzwqawz.cur.prof

Filesize
413B

MD5
213d4c803f80602af4fda473c5dc1ebf

SHA1
243d7341dd3b5cc5fb8a34ca3180dc1daeaff0be

SHA256
49be466320a3bd95f13854321b830d38bb39b07c93d7ea626948fe9d3f86d751

SHA512
ac4ba624e6941a6ac44b39134c3f362e9b4ffbc86f7503d6500bf9dbe0e8090404e20885465a99da2ae5c9798c2f54e2f0e69f9ba0d82181d0eb260729ae9753

Download Submit
/data/user/0/com.markearlyjc/cache/vvobcfzwqawz

Filesize
450KB

MD5
366b4c37a32cd351ed5a0d5cc54974e9

SHA1
74d96443ababaf2ad3c69c363486f9ea40a3aca1

SHA256
70efc20abc738e6b2db512238552574ddafd5dea37708c1cfe1ae38d4ca95a12

SHA512
9b0ea80dd60aacb24f72686b914a78657a6ac89637af2dc0c427602001b6087d46ccb77e9e69e291a7f5d8bc2a16f44cd50c38670bafde1df5d7d8608ffc08eb

Download Submit
/data/user/0/com.markearlyjc/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/user/0/com.markearlyjc/kl.txt

Filesize
64B

MD5
3b813294119120dc1787f5834658a2ed

SHA1
7117f3cf3a4d2485cde9b2e952500f7073e51775

SHA256
eaca2023022c405e00f570c6bf0e85e4739a99e05b3b6d8251010bfc8e2511e0

SHA512
9953368cc6e5e2c22fd68c02aba16966f0716548a5ca1579a0996f6d73d427bbacdb2edd87d8767c1fa89f0707831064c872524b7855449e2a69123e03f680ee

Download Submit
/data/user/0/com.markearlyjc/kl.txt

Filesize
218B

MD5
2bf1bb5c2be1b92d57355b43a72eddbb

SHA1
0e0287d52916b5e7e3ce3204da30dfe809915bac

SHA256
de1a8e33532d28c03f2801d93a94c8d38fce92646a31f0103d4238a229cd42a8

SHA512
90d0c0d45d7933dc30a5be96cdaf8559688cb58e65485c8f1de56044743779a80fa0d0ab4449a165feaf3d0ba14bb46dd23f2ff1c0bccc6ec2c0dee2a63444bd

Download Submit
/data/user/0/com.markearlyjc/kl.txt

Filesize
72B

MD5
cc2fe9919d12894d63af3ef9122c0037

SHA1
773880f124ca54a01067a1e5d13457f0ffc90f1f

SHA256
de14a35807579ab22e7dbdbe70ea8c22d3f50e9902e2172271d00638f96fe3b1

SHA512
c41f770eb86492679034c22272923137e9b0c312291c696694bbf514208f2cf9c5ba265190e58c92b977f2f3f07ecb99bb1c91816df7bfd0ca72e181ff73d907

Download Submit
/data/user/0/com.markearlyjc/kl.txt

Filesize
76B

MD5
a03aa497e0b1f989e5e9dd511255c767

SHA1
3d12845f175a6e0453de9f1ae183482f0431be88

SHA256
03af760a7bb4840691d669e997bc5537c43753e4ffdfc31bb17e577170f10d48

SHA512
dfd4f5a2b5604761ef9f97dc1593f0de334c73042f892f1c04da5c3ee4ccc347e9a9af071f1b466fc1a0118a0df0ba5191638d9506499bbe9a3483d93499ff1f

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads