octo | f67c3e06092b4dca2e2fabc84c4a232b88c4ab3301c4d100535c328060f5490d

Analysis

max time kernel
149s
max time network
152s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
20-01-2025 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.apk
Size

11.4MB
MD5

ea68510bbcea63c46ab792b22ed65bcb
SHA1

938dceb0712405aadf6a9db6442629e50ef19445
SHA256

f67c3e06092b4dca2e2fabc84c4a232b88c4ab3301c4d100535c328060f5490d
SHA512

b46885d20f4e099200a39b1375ff3987af8a9b0a59741dd02712ada31115dca4fb16ed6e80f4de1b03d8d0ebe2776a7a7ae8acf08ac769ecbcae529ca9861bae
SSDEEP

196608:/8Rsc7kG7jRlpWs31R+1bMBlIncrcUsBzZj7WSDKZwZ+mz:0Rsc7k2oslRkilrc3DKZU7z

Score

10^/10

octo banker collection credential_access defense_evasion discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://e9d2795b711001bc93cc734b0413f675.shop

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/memory/4455-1.dex	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.sqtest8_wallpaper/app_caution/mN.json	4455	com.sqtest8_wallpaper
/data/user/0/com.sqtest8_wallpaper/[email protected]	4455	com.sqtest8_wallpaper

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.sqtest8_wallpaper

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.sqtest8_wallpaper

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.sqtest8_wallpaper

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.sqtest8_wallpaper

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.sqtest8_wallpaper

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.sqtest8_wallpaper

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.sqtest8_wallpaper

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.sqtest8_wallpaper

com.sqtest8_wallpaper
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4455

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.sqtest8_wallpaper/.global.com.sqtest8_wallpaper

Filesize
48B

MD5
046a414913add6f5bb60072c7db819b6

SHA1
451ee4f6809260aec622d772fd329c7d0297a842

SHA256
b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

SHA512
4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Download Submit
/data/data/com.sqtest8_wallpaper/app_caution/mN.json

Filesize
1009B

MD5
73593a934df7a35912123f1e2b664b7c

SHA1
31fc7e9d7f89a9d7fa69098416dd3bb2adb81ffa

SHA256
436d7a4429aacb7eeb045f16720eeb13a300943e8b73c1ddf377c7a2b904e28f

SHA512
1512a9c3a3f7882d93984273f96975d3e915525742d34ddff531902362256b1953f1673d3cbec2b5dfe81ec2dbb712e1d0623795896a135f684d3048b5d2e814

Download Submit
/data/data/com.sqtest8_wallpaper/app_caution/mN.json

Filesize
1009B

MD5
4ab5b47edf73207222a9ca1f0ebb3122

SHA1
a73b9f0d5a7e00954d381732e0e5bfaa215ae160

SHA256
57da38698dd174644f5651866e89b0f6c9bba3f5be596f654d4501c4c0774122

SHA512
80952f0776cdbc89f8a44aa769defa95d3dec7021b37bfbd5c32be5441319bdc8e43509753dd171a0f4966a54d3763d4123b31cf3b15fec7c2f7d24cc66fd95c

Download Submit
/data/data/com.sqtest8_wallpaper/files/.u

Filesize
322KB

MD5
77dc50489b9323274732d27dc8a4e803

SHA1
0e02a3595b62489d0739d771881da8604d117c65

SHA256
c5684e792d1ebefea6aac09fed45911703fd58c899f8a08133d49dd91429a820

SHA512
0684a92f3e9c525384cfa53f531afba61e5930e1c27032a7e27e3315f72761b62e122dc34768d8162ba08f9bed53d148aa8dc034b46456bdd211f230637eba58

Download Submit
/data/data/com.sqtest8_wallpaper/oat/x86_64/[email protected]

Filesize
13KB

MD5
5ee4776322ba7a53e280a473e9bddb8b

SHA1
0f3bea44caf17da4dd78a264ffc1d5811beb9c22

SHA256
fb661196eaa047d71137c3688602489e27983897c08076ab83b21810d30d463b

SHA512
18fe4901ff2a8a7efcf4b6c4f3ff6da19539b8a53c4287ee17f4942ac283fc54c3a86cb35f6d57d612b2e2b186d24300c635b955d79fc3eb883d857110c26e1a

Download Submit
/data/user/0/com.sqtest8_wallpaper/[email protected]

Filesize
525KB

MD5
a4d6dc5010445f1355eef366b3a8805f

SHA1
957803cb4f6ca0dfe66e1116d86735e4833883f4

SHA256
b111996ddc4a7676aa842524c5f8c5eadd7c1b3a2d844b8b12daeeccc8a13d3b

SHA512
924cae39d7a8391db07e46a33c0c13c09ea050ad47b7bddcfa220329d12e50a8ad5c8fd7d14d285e79af52527d92d2d5744979d0f0b1cb906a5d045278474278

Download Submit
/data/user/0/com.sqtest8_wallpaper/app_caution/mN.json

Filesize
1KB

MD5
75a6cbcc3dc6df986d34c7ea3200c485

SHA1
c49bdfe5121309c5daba99567a8f3180a43a8599

SHA256
16850a0c3191cd3c0b823c9e76e783006cfeb533cfd9a8d94e873cf3ecc69c4c

SHA512
5f4f90137d7652ec8a28204a7f3293f03dd17a13c0fe57ecbfe37ece179d57d741652bd5b14913eba196c7193efe8fe10a5edd5fac4385c500cf67b0ed99486b

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads