octo | 4e0a711d56bcbd362cb44b302e9554d4d2b9b914b9d5a79d725cad4ff6e9762b

Analysis

max time kernel
149s
max time network
156s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
25-01-2025 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e0a711d56bcbd362cb44b302e9554d4d2b9b914b9d5a79d725cad4ff6e9762b.apk
Size

1.6MB
MD5

7d6283b8d7d1324a8529dcbca63e779a
SHA1

44c42cef03de2e5dd1b39ee88aac5c2e2cbb2103
SHA256

4e0a711d56bcbd362cb44b302e9554d4d2b9b914b9d5a79d725cad4ff6e9762b
SHA512

cf01bf1a61c9bc55ba052b6d6f78e296dd151ef043e6ed47b9a4beebe5bcc4a9c9b27df7f60619796e8d51934fa14e986cfc3b851fa8478ea93649851128a3b4
SSDEEP

49152:0+V9WbLFFacTC5+tpYL2X1oTeQQ5LIWUxrDd:0I9WbLSD4kU2aQDdr5

Score

10^/10

octo banker collection credential_access defense_evasion discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

https://kamevitrec.com/YWFiM2VkMmFmNWFh/

https://opemenary.net/YWFiM2VkMmFmNWFh/

https://tomenadertr.com/YWFiM2VkMmFmNWFh/

https://sukemanetoref.net/YWFiM2VkMmFmNWFh/

rc4.plain

Extracted

Family

octo

https://kamevitrec.com/YWFiM2VkMmFmNWFh/

https://opemenary.net/YWFiM2VkMmFmNWFh/

https://tomenadertr.com/YWFiM2VkMmFmNWFh/

https://sukemanetoref.net/YWFiM2VkMmFmNWFh/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral1/files/fstream-6.dat	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4338	com.alwayskind3

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.alwayskind3/app_DynamicOptDex/EXTrBF.json	4363	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.alwayskind3/app_DynamicOptDex/EXTrBF.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.alwayskind3/app_DynamicOptDex/oat/x86/EXTrBF.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.alwayskind3/app_DynamicOptDex/EXTrBF.json	4338	com.alwayskind3
/data/user/0/com.alwayskind3/cache/shhvozexakttch	4338	com.alwayskind3
/data/user/0/com.alwayskind3/cache/shhvozexakttch	4338	com.alwayskind3

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.alwayskind3
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.alwayskind3

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.alwayskind3

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.alwayskind3

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.alwayskind3
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.alwayskind3
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.alwayskind3
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.alwayskind3

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.alwayskind3

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs

collection credential_access

Access Notifications

T1517

description	ioc	Process
Intent action	android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS	com.alwayskind3

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.alwayskind3

Requests modifying system settings. 1 IoCs

defense_evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.alwayskind3

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.alwayskind3

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.alwayskind3

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.alwayskind3

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.alwayskind3

com.alwayskind3
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4338
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.alwayskind3/app_DynamicOptDex/EXTrBF.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.alwayskind3/app_DynamicOptDex/oat/x86/EXTrBF.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4363

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Access Notifications

T1517

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.alwayskind3/app_DynamicOptDex/EXTrBF.json

Filesize
1KB

MD5
35b3de1a2fd0c28b198cdcb3ebdb914e

SHA1
1d0a62376c6da8478d8dee0f1581fb6b7a626ba4

SHA256
bbbde7536b7702b62a73981997dbb9d0c0245bdf96d9ecb4fea33998f54e54d1

SHA512
72aed5a16ba95967daa34ac4d501fe9a510179bd3f5f8fb49882d621d3092c4d121ca26c54da1f200430cab5ce616e2d376ddc9f7af6425fd1521c8354ab2a80

Download Submit
/data/data/com.alwayskind3/app_DynamicOptDex/EXTrBF.json

Filesize
1KB

MD5
c1c2b0406d24fe058ff6c4fe811ff0e9

SHA1
8414f38c9241fcf8f43946c18094dd40a3212bce

SHA256
8aa201e6a8cd78637c0c72f1bba8cfb5205462c3d636c4a0c98c1de9da459acb

SHA512
777c629ea411afb68d0fa3f7bb1f202f0176f2a231da6dd06e6661f77b2783d27f870837a0e3c017f4e321286299503b68f729c093e28d9469ae83813310e219

Download Submit
/data/data/com.alwayskind3/cache/oat/shhvozexakttch.cur.prof

Filesize
486B

MD5
5b86004ae5bc93a1c1c4e89fadf3b714

SHA1
2e312f454b5a9e013f69370c06a5f08ea7f9d01c

SHA256
ce9afdc6901fbd9207a593a27d555aae8a1a94fc7fe0fe0cc88cff8297c053aa

SHA512
6c98a2c9b3e78189ad1d15c06e13d687541f843674a32564187a0477597152b0e4d0fdacfc29136a5d9320741f60d0f0b9517b5653c847961bbd6c814f7b6c69

Download Submit
/data/data/com.alwayskind3/cache/shhvozexakttch

Filesize
448KB

MD5
085dbcd9481b488e79b2123e6282a55e

SHA1
f9ebe2d6bd8955ca6c82455c721596b10c91f48d

SHA256
0c127f7ca3b3dcccca57b70d25f639ba07246110914da7482145935c6254bada

SHA512
d0986500d267ddc68bc9cc1be7cee2c8b5aa28b92799ace92f7fa608f8ed61c7907a8c74c74cc43fcb7c04059ee987218ece067043d334bdc8308cbcd3fa65c7

Download Submit
/data/data/com.alwayskind3/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.alwayskind3/kl.txt

Filesize
230B

MD5
20b3ab210efba57b9cabdae58365bd1f

SHA1
cfa6d4f0ed1fa710d0c539417e0affa2b43c7103

SHA256
8b4c078241c3e5f3c0d94e15d258e620cccbe44b5e17949a7d9d46e8f75f57b3

SHA512
c1fd184f0bf7931655ec08b8a58e88284be09cb893be94d3af8a22e8d19c258deba51d19af95db1cc1c4916d0a723a1d62b433be7886546bc7302e2622662310

Download Submit
/data/data/com.alwayskind3/kl.txt

Filesize
54B

MD5
754f3e6831e1aed0e02f2ba09c024374

SHA1
f51edb47356ef98c9f05d3e29e01033bf9c68080

SHA256
93364907888e6e5372d461415fc27d82cebac0300bda317bbc4dd4df7e16ba17

SHA512
d94e1736ef83f97b0a6db9bc48dbce56a0f5ec97b8a86ad15022592a25d97cb412766ce6a6e08b24e70372e99e64b601301e474bc8e396d9f08830c4372f290c

Download Submit
/data/data/com.alwayskind3/kl.txt

Filesize
63B

MD5
abc3fb4945d5cf96cb792c73a94a5350

SHA1
d20d4abad51980c30fc4862499970bd3cccead17

SHA256
97f07d986036a6117df965c72e04fff80a7d7be77e9e70b200994ba19f936111

SHA512
5623ac436631ad178413186a57e7731ae9831028bbafa3658548ae7befe71af121d23b930c59812f56433c87ac0a819740922a4ece802bf472537cb5954c38f7

Download Submit
/data/data/com.alwayskind3/kl.txt

Filesize
423B

MD5
a2cb7cc9a6a50c26b31b2a231ab97e83

SHA1
314c696100df457a208cb32c77dfc8cd03406e95

SHA256
415594ad3c721aa776e18d0855e57477e6020b4e1a0caccf2a3c6ddda9bf2b3a

SHA512
eca753b5e8b75b052577413d6d77c1907b9a67787864c425b4020872da56dacd7cfadf1c827bc1c7f4489a11649681acb0b78750ad2ed7ab691521d2fd3dc3ac

Download Submit
/data/user/0/com.alwayskind3/app_DynamicOptDex/EXTrBF.json

Filesize
2KB

MD5
ae103efd222fdedef82edb2da8748db9

SHA1
14fcab496d2ca7813490f8c857edf18a51f44f58

SHA256
1b6a365268c2ee02596984272fa58114699bddb4dda38564ebe597fd0006d2b4

SHA512
ee109d4367d7f683fabbac4618575b5498d2a6dac0de1de53fc2f88e25d9d4eefb08af8b005627cb4698578c877bb12fe43763ccc4db8df321e025fea8629ffd

Download Submit
/data/user/0/com.alwayskind3/app_DynamicOptDex/EXTrBF.json

Filesize
2KB

MD5
3acc7041f315d7254941bb6b8097ae24

SHA1
34b0b7e600b38cd61197b8126dd9d0c80a7bf824

SHA256
3dbb74bc5da5d097018e93edce15b11df2f1a0a5de7b59c688ece134b287f7e2

SHA512
0ea4545bae8afcf8c74e7b64a4127426ed9934580b6105e958b905f11ad925590fc49a953c1c87b67f265988a2548e2d8b8a6dde0fa2f24c64ea6b54a3de025c

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads