octo | 419ba1b722591094e91165a148242d513b84f05ac7c5a97601c91e9aff3552df

Analysis

max time kernel
149s
max time network
158s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
submitted
15-01-2025 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

419ba1b722591094e91165a148242d513b84f05ac7c5a97601c91e9aff3552df.apk
Size

6.9MB
MD5

9a2688036c2c4e2128317fb2b559309d
SHA1

89a47f11bcfbd3c2a0263f718c3b51d3e88c85a8
SHA256

419ba1b722591094e91165a148242d513b84f05ac7c5a97601c91e9aff3552df
SHA512

11b6e17c32367e56973adc38168cf7de5190dc39286bf06479882f5bf41f8ab250488f2cbfa75bf0b4827b3a16fe1e23cebaeb5e28c408f5026ed5a332e56c73
SSDEEP

98304:cm5iSRGmhnG3XeRs1VKzraWoWbR2DQie4ffMqgMC+ZZGOj:cmrlG3XeRAUPEDP38MX1j

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://888a831585a02cde4aa0a9bbac3ff360.shop

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/memory/4343-1.dex	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.printcontroller_decrease1/app_hotel/ybk.json	4343	com.printcontroller_decrease1
/data/user/0/com.printcontroller_decrease1/[email protected]	4343	com.printcontroller_decrease1

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.printcontroller_decrease1

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.printcontroller_decrease1

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.printcontroller_decrease1

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.printcontroller_decrease1

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.printcontroller_decrease1

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.printcontroller_decrease1

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.printcontroller_decrease1

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.printcontroller_decrease1

com.printcontroller_decrease1
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4343

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.printcontroller_decrease1/.global.com.printcontroller_decrease1

Filesize
48B

MD5
046a414913add6f5bb60072c7db819b6

SHA1
451ee4f6809260aec622d772fd329c7d0297a842

SHA256
b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

SHA512
4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Download Submit
/data/data/com.printcontroller_decrease1/app_hotel/ybk.json

Filesize
1013B

MD5
65c5d2166b1f0b8b0288eabe84103d99

SHA1
32934fd2eb27d346fa49ff81d29dcff31a5f18ba

SHA256
8ff51989ca1774cd6386a55b10750e89cc31812841367d1efdafeb62ea5b6a1b

SHA512
8b292cd3b7d95378cba75d03db2e0f3754dcd680fa67eb82e24664bbdf0b2fd341b2adb3e0a49b471513ca425f314ceb1dcb83c39458a9e1c1d2c08f4c0c8e0e

Download Submit
/data/data/com.printcontroller_decrease1/app_hotel/ybk.json

Filesize
1013B

MD5
fd7052826a846545cf70d63117f87b6e

SHA1
8ae8d2fc778be1b3c42059eefaa30eb860bbf185

SHA256
6ce29e53827c57b4b98ffbc068c144aa6c12a8bec3e96553b79a949d72178c21

SHA512
8f7731fbc14a06234777c64f0a68e803e0d747516c9ac70d08a9c1d1237ad4bd8cf63a6d387a21abc2bb19e614eacf7845fd31d745348a04b7e4c30d4afdc3b5

Download Submit
/data/data/com.printcontroller_decrease1/files/.x

Filesize
322KB

MD5
77dc50489b9323274732d27dc8a4e803

SHA1
0e02a3595b62489d0739d771881da8604d117c65

SHA256
c5684e792d1ebefea6aac09fed45911703fd58c899f8a08133d49dd91429a820

SHA512
0684a92f3e9c525384cfa53f531afba61e5930e1c27032a7e27e3315f72761b62e122dc34768d8162ba08f9bed53d148aa8dc034b46456bdd211f230637eba58

Download Submit
/data/data/com.printcontroller_decrease1/oat/x86_64/[email protected]

Filesize
13KB

MD5
6581b6bf94afde688ea926a00bd27764

SHA1
d1ad0212bc5a7b29c6ec98a8e493220296203a9d

SHA256
55a206fcf28232dd194c096d92fbd28f60611394a3809a73501aed07a6ceefd4

SHA512
cdd621f1506f06ed51833184d33aa04c16bab7ff120eaf7f02c648b6bba3ea439151247862e8d42184ecc2199a6d7b1114aaf59cc53fc970c98c49dc2bb295aa

Download Submit
/data/user/0/com.printcontroller_decrease1/[email protected]

Filesize
526KB

MD5
73268f1b3734d38ed4ef1d4a6d5e333b

SHA1
644c5e236d4e2564adc6b7b7c5e361f36fdc051d

SHA256
a5c34ae8d562a75ee8ba1f88a0b90e450d5c075ac1e71a532c56b07efc0eb9eb

SHA512
54b1047af4e68a6811639834da8325556927dbd61736e5915214d36bc607c3b3033997fdd57918995f59f8be7a5988a8f1f51c98b15813f0a5a20fe402e95db5

Download Submit
/data/user/0/com.printcontroller_decrease1/app_hotel/ybk.json

Filesize
1KB

MD5
8f3f006b24ba65b11eae0eae35511c3d

SHA1
1ebc4f14b1526849023bb86fec017c69dee5e368

SHA256
eb4b779e33d31acd545f1da62ddda214d3c568d63f680f3c0797c26a98aab4d0

SHA512
9c5eb55d36461bf8076ec4cc34658abec82f9dd1eee78aee9f420ede844b1e009d7bb4e3d8e6323806faec2af4c2a25cd38a099ca2cc3c4a5a13526d831ade11

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads