octo | 3fdc9f96c04e96dfff54a9fe0e779a9a1a47fdd007f31578287e6ae501303bc2

Analysis

max time kernel
10s
max time network
158s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
22-01-2025 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fdc9f96c04e96dfff54a9fe0e779a9a1a47fdd007f31578287e6ae501303bc2.apk
Size

3.8MB
MD5

40839b6cd23085850afeda5af95e49a6
SHA1

8527e908d1510e628783f2e8943af6c043a24344
SHA256

3fdc9f96c04e96dfff54a9fe0e779a9a1a47fdd007f31578287e6ae501303bc2
SHA512

4795aac41b59c58b9be5dc10ba4e049b04952dfa8b17da329956c5b6fa0c30e2dab6842b37f310be573525239a06a7e30d6f454caca04a93fab742435798c363
SSDEEP

98304:OcB8SknyObDCaUYB6ILZuWNebpP9eporMsPrjLjNyZk4vu8b15ysPmKgAeM91frO:fKjbKMfHa

Score

10^/10

octo banker discovery evasion infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://karakterolipsbilgilendirme.xyz/hxDNtg7DB3tk/

https://karakterolipsdostlukhik.xyz/hxDNtg7DB3tk/

https://karakterolipssinemaevreni.xyz/hxDNtg7DB3tk/

https://karakterolipssanatvesahne.xyz/hxDNtg7DB3tk/

https://karakterolipskulturkonusu.xyz/hxDNtg7DB3tk/

https://karakterolipstarihiyolu.xyz/hxDNtg7DB3tk/

https://karakterolipsmasallar.xyz/hxDNtg7DB3tk/

https://karakterolipskonferansi.xyz/hxDNtg7DB3tk/

https://karakterolipsgezegenhik.xyz/hxDNtg7DB3tk/

https://karakterolipsdunyasi.xyz/hxDNtg7DB3tk/

https://karakterolipsshowsanat.xyz/hxDNtg7DB3tk/

https://karakterolipsicimsessiz.xyz/hxDNtg7DB3tk/

https://karakterolipsfelsefesi.xyz/hxDNtg7DB3tk/

https://karakterolipsyolculugu.xyz/hxDNtg7DB3tk/

https://karakterolipsrenkleri.xyz/hxDNtg7DB3tk/

https://karakterolipssunumlar.xyz/hxDNtg7DB3tk/

https://karakterolipsduygular.xyz/hxDNtg7DB3tk/

https://karakterolipsgizemleri.xyz/hxDNtg7DB3tk/

https://karakterolipskaynak.xyz/hxDNtg7DB3tk/

https://karakterolipsseruven.xyz/hxDNtg7DB3tk/

rc4.plain

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/memory/4956-0.dex	family_octo

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.van.couch/app_sight/XymsXFF.json	4956	com.van.couch

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.van.couch

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.van.couch

com.van.couch
1⤵
- Loads dropped Dex/Jar
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4956

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Credential Access

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.van.couch/app_sight/XymsXFF.json

Filesize
153KB

MD5
2c1035f680f7af01f03eb12e0e00d229

SHA1
36e38c1bb8b14c1eb97cb9719bcd21053e508a41

SHA256
7457a648aee9174e1964ef86d16e953d3d30c0213b39dca2ec10732dbc1a47fc

SHA512
f60d8d71b36b1b5e154bf1fbf6dea84bccfd317d4d0b9d4605b6a783dfb0e1007e9b4fe25285d092c2eb2b63e53523ef77d02e54d13e42c4839e5b8b23a98e1f

Download Submit
/data/data/com.van.couch/app_sight/XymsXFF.json

Filesize
153KB

MD5
3f9fc6b76541c49ce55a90136fba4cb8

SHA1
6da3c04053bf5054a15dc1bf065e0318e017be2d

SHA256
ffcc8f50e5ae788a621457b7e13b6c0a2138c595ca3b1d00f7d1b82249785d7d

SHA512
e0e308d8598c7093c98138567042f88e5e993ee9abe97b044ce3b6afa0471e5e5cdeb69a6b27f53cb5b7de1dc74344cd22719b789b93143930bb6673da637a9b

Download Submit
/data/user/0/com.van.couch/app_sight/XymsXFF.json

Filesize
450KB

MD5
8e79c31d8ccdef5abb8c54c2c5965c64

SHA1
712f6d3a9fac9e00672e7cea29669f273de0a4d0

SHA256
5606fd1273943bfce6e29d2018e035d39ea10e5cee80d3d9273ec15d79effdf1

SHA512
c72ab9991d3ee2892ec562320a86d0a6afb56552c1251cbd704f6e392bb562a9371644bff426f7e9b2f591ebf29f66b5fef0ca2264bf3d88409ec7edc5e7a5a6

Download Submit