octo | 604391ff58b0f9cad6b29d38706b2412f5f631e8ffba665bb47428a9ab56a72b

Analysis

max time kernel
149s
max time network
152s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
24-01-2025 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

604391ff58b0f9cad6b29d38706b2412f5f631e8ffba665bb47428a9ab56a72b.apk
Size

1.6MB
MD5

b887df17db43049e7fa515dac4a5ca71
SHA1

742b67c2828e7b6725a19c6c9a326bdc0d548ec7
SHA256

604391ff58b0f9cad6b29d38706b2412f5f631e8ffba665bb47428a9ab56a72b
SHA512

a1b9eb2d5e716ea0c7ff0b288d6718808a1bf81e8939f9a20ac78ef082867d9564a853dbe36655261b91f11b100141e054f7da7211110f6611411e89310e3ddb
SSDEEP

24576:xFGDpXCeYDczWruYkNMt5MXBitWu4ylHDRAqcaOfKazt9pMGnzZ17YZHBjQGrtD2:xFGoczWoDBitWClHD4jp37YZxeghWXj

Score

10^/10

octo banker collection credential_access defense_evasion discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://scanipworldbest.xyz/NmE0N2YwOWEzMTM3/

https://scanworldbestip.xyz/NmE0N2YwOWEzMTM3/

https://ipscanbestworld.xyz/NmE0N2YwOWEzMTM3/

https://ipscanworldbest.xyz/NmE0N2YwOWEzMTM3/

https://ipworldscanbest.xyz/NmE0N2YwOWEzMTM3/

https://ipworldbestscan.xyz/NmE0N2YwOWEzMTM3/

https://worldbestscanip.xyz/NmE0N2YwOWEzMTM3/

https://worldbestipscan.xyz/NmE0N2YwOWEzMTM3/

https://worldscanbestip.xyz/NmE0N2YwOWEzMTM3/

https://worldscanipbest.xyz/NmE0N2YwOWEzMTM3/

rc4.plain

Extracted

Family

octo

https://scanipworldbest.xyz/NmE0N2YwOWEzMTM3/

https://scanworldbestip.xyz/NmE0N2YwOWEzMTM3/

https://ipscanbestworld.xyz/NmE0N2YwOWEzMTM3/

https://ipscanworldbest.xyz/NmE0N2YwOWEzMTM3/

https://ipworldscanbest.xyz/NmE0N2YwOWEzMTM3/

https://ipworldbestscan.xyz/NmE0N2YwOWEzMTM3/

https://worldbestscanip.xyz/NmE0N2YwOWEzMTM3/

https://worldbestipscan.xyz/NmE0N2YwOWEzMTM3/

https://worldscanbestip.xyz/NmE0N2YwOWEzMTM3/

https://worldscanipbest.xyz/NmE0N2YwOWEzMTM3/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-3.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.areshouldpdj/app_DynamicOptDex/Psb.json	4784	com.areshouldpdj
/data/user/0/com.areshouldpdj/cache/qbdzkvee	4784	com.areshouldpdj
/data/user/0/com.areshouldpdj/cache/qbdzkvee	4784	com.areshouldpdj

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.areshouldpdj

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.areshouldpdj

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.areshouldpdj

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.areshouldpdj

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.areshouldpdj
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.areshouldpdj
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.areshouldpdj

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.areshouldpdj

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.areshouldpdj

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.areshouldpdj

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.areshouldpdj

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.areshouldpdj

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.areshouldpdj

com.areshouldpdj
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4784

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.areshouldpdj/app_DynamicOptDex/Psb.json

Filesize
2KB

MD5
6e1ee0cd7755c684bb838c6d339a0a6f

SHA1
01337dfc2dc3c3bd8799e6d8d20940e204b52e44

SHA256
20281c243e3e091eb520a266ae92be285edb6191e29417122ec8f64d6f546657

SHA512
d9e6ff1b4ee4f7dd3646dfbdb9cd6fadf4ae1129beeaaf0da35c87c488c35ac47f1f2d90930cabd446becc83785c77f14a58f347ece676036b1e547709753fa6

Download Submit
/data/user/0/com.areshouldpdj/app_DynamicOptDex/Psb.json

Filesize
2KB

MD5
0665c3369dcb9e6c5ffe7dc26e9501db

SHA1
1035defbb32694497f73f40a74eff38a53fbf4f2

SHA256
5f76fcfeca95a346155c3118d901c14c9c475862b795405432be994cb0892fe5

SHA512
3c0d2f7e6dca1b71e511a8d383beb76c2020c4590a6497bd7f50d338a168de91add7913d83903e6b59e0c38ddf335b3a8473b37b2f1af7226d3e6b65f43551aa

Download Submit
/data/user/0/com.areshouldpdj/app_DynamicOptDex/Psb.json

Filesize
5KB

MD5
f21846a2dc20bb1f9eec7b8dc529105e

SHA1
36eb3932d355d2543540983ccbd75dd661a4bf70

SHA256
ab1986c6b6be4a55797b0cad5443ae0f6cf77f9fa54b49974256ebd4b2a6fa4d

SHA512
e057a9cda74f157c92d9df061c42c338ca76b8c11a49c1d3719893e5c76560bd1b90bcbff434072460961c89388229f698e302f9c16518b4a8e7130f3652bf6f

Download Submit
/data/user/0/com.areshouldpdj/cache/oat/qbdzkvee.cur.prof

Filesize
347B

MD5
5a8078dab9f795a9e694d0ade427fc62

SHA1
aa898d74d0bb6d64273c50aa29e5b8fe571ad767

SHA256
403354a69cb4b8583c48b2f45e382c1b8e5af1817e8d6092d33b1b70c74116c6

SHA512
5fd30a525d1dc5339dcedddade01f468969f499599f4faa6180118fe9455e31c632df4ed22b0ca2985f857d3204763120657316d03f0cfd7d12f05e2cd15385e

Download Submit
/data/user/0/com.areshouldpdj/cache/qbdzkvee

Filesize
447KB

MD5
e8ca9ee157a5682ac69e752e2c5696cc

SHA1
37d5d00c21d07e21f3a3ecde68f01c0f5e01d09f

SHA256
ecd61a9ccb39c00d09136bcf757c5c80d479af00395119a466d326551ab0a7dc

SHA512
91e976181d8ea345a16db2e03d1dc6a219b7b1d22c0411e57aa4df02ff85bdf148c5a4038248528e58961cfe9474804d547fef44176fbbdf5ae19f59caa2d711

Download Submit
/data/user/0/com.areshouldpdj/kl.txt

Filesize
466B

MD5
4b5e224ac03020c362a3c9195ca9be71

SHA1
845a11ebd930c1eaf906d4f3b27052edaa129be1

SHA256
574927b3b7e72bcbb0faab484c171f8a5fc9589eca81f8edd9bf55659cd8bc9d

SHA512
f1c2f66bd3af01dd25479e4b8d849afc6ac039e44004816a19e4acfa42358677c39798275d66c285e92f14b5b7f6446167eb39afbb2e52b135eac825aa2e3be1

Download Submit
/data/user/0/com.areshouldpdj/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/user/0/com.areshouldpdj/kl.txt

Filesize
59B

MD5
670dfb2842d3fc1474f4bea93e13b5f0

SHA1
21d3573d540457bee1eaeaf76864b7235e6497de

SHA256
f44f594b2a93ed9c53cbab049e3a167926fb7bfde18a78ccdd83bb3fa10cb2d9

SHA512
66f36aec6a069e65247de5c907a026c990405a21ac5ff9a517223a76424a367c8bc59b3de093313b79b9f47ae544a35f8eae2dd38d292afe82e9b38f349ea106

Download Submit
/data/user/0/com.areshouldpdj/kl.txt

Filesize
69B

MD5
5dc0c5058c3f45ecbd315f2bdbf2aafe

SHA1
cfd422ee78dfdd7ced60ad181fc1d97372e22008

SHA256
d44b4cc2c6aa51284d8337729268f56198b59b7ee0c350c0bfa0e85ea7d91850

SHA512
787224d69ceb49a3c70e159254a696dfae248b753e8f49cb453a1b0d557e65473c10dda3e199644ebc13ee84617d82891d7237aeddfec66872933b96a603f440

Download Submit
/data/user/0/com.areshouldpdj/kl.txt

Filesize
63B

MD5
6611166a794cba6dfb86ca9e9990b764

SHA1
3b9990081dc69448f86837f6ec18cefd346aa132

SHA256
e9965b1eacee7601ea5bf4df4968591a41fc3dc19ef29bcef93bd03c3396fe6c

SHA512
0dfc56ea3a159df93d117c1aa47a500e8f6a4707277bc4eec2900050bbe664823071512acedb9c18909758e88ff5a6fbe4813b590d247e2b1f828602bf842098

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads