octo | bc89767303cb2da71a31efc14f0e668570f44df0c180a6763238c1d209a7d024

Analysis

max time kernel
4s
max time network
146s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
20-01-2025 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.apk
Size

4.9MB
MD5

71d040aa50a12f4334c2ecea47a06352
SHA1

0d717ebc596e20cc7619e53ef038f677d042f325
SHA256

bc89767303cb2da71a31efc14f0e668570f44df0c180a6763238c1d209a7d024
SHA512

60fa1104fece994e8d4b122caaf4ab74fc2ae1448b6a8a306c8643230a0efe87934b73b89323afd1292ef3ab5b0cf4da787532c913d073f0cf848eaee9ae6395
SSDEEP

49152:ARsEXuRNKlh3XKu45iS7xrGprYuU7cmjVKScoqMHqaX12/DhgQvbzfZR8:ARs7NIh3X65iSRGCVVKCTGDhgmvY

Score

10^/10

octo banker discovery evasion infostealer rat trojan

Malware Config

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/memory/4921-0.dex	family_octo

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.xbookmarks_user98/[email protected]	4921	com.xbookmarks_user98

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.xbookmarks_user98

com.xbookmarks_user98
1⤵
- Loads dropped Dex/Jar
- Queries the mobile country code (MCC)
PID:4921

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Credential Access

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.xbookmarks_user98/.global.com.xbookmarks_user98

Filesize
48B

MD5
046a414913add6f5bb60072c7db819b6

SHA1
451ee4f6809260aec622d772fd329c7d0297a842

SHA256
b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

SHA512
4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Download Submit
/data/data/com.xbookmarks_user98/files/.k

Filesize
322KB

MD5
77dc50489b9323274732d27dc8a4e803

SHA1
0e02a3595b62489d0739d771881da8604d117c65

SHA256
c5684e792d1ebefea6aac09fed45911703fd58c899f8a08133d49dd91429a820

SHA512
0684a92f3e9c525384cfa53f531afba61e5930e1c27032a7e27e3315f72761b62e122dc34768d8162ba08f9bed53d148aa8dc034b46456bdd211f230637eba58

Download Submit
/data/data/com.xbookmarks_user98/oat/x86_64/[email protected]

Filesize
163B

MD5
7d128ec62d093d6262c8d79651c1d1a6

SHA1
f8dcef3ddd9b2daa1f77b66f28c6af8ba4067079

SHA256
8fcca4dd9c15da0ef4aec2be7c2127f791ff1229a5c334592cbaeaf3d15e76eb

SHA512
63aecf0210a53a1cad1b7205a9f072c6f0525cfd810eb06210d84906639869e56edf6a725f9351b971dcfc87c2dc32c99b79655d862d2e15ce9cd2083038b721

Download Submit
/data/user/0/com.xbookmarks_user98/[email protected]

Filesize
526KB

MD5
ed2e769e8125f281ca59345964a9c375

SHA1
e3f11f5902f641bb89e58de73b1ab42574cd79cf

SHA256
3408aed638a9ed597a6412cc003e232fd9d88810e4c80d779f784266e26ca7fe

SHA512
0b108bcbfdc40773d8fb9dbb49d2da507cae82f6a53d3fb1ef418ed907accb108ce7ef8c5232f73a69bf46c710d21db574c5042dc312d2c4bac21c9ae61e2bc9

Download Submit