octo | 4e0a711d56bcbd362cb44b302e9554d4d2b9b914b9d5a79d725cad4ff6e9762b

Analysis

max time kernel
149s
max time network
154s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
25-01-2025 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e0a711d56bcbd362cb44b302e9554d4d2b9b914b9d5a79d725cad4ff6e9762b.apk
Size

1.6MB
MD5

7d6283b8d7d1324a8529dcbca63e779a
SHA1

44c42cef03de2e5dd1b39ee88aac5c2e2cbb2103
SHA256

4e0a711d56bcbd362cb44b302e9554d4d2b9b914b9d5a79d725cad4ff6e9762b
SHA512

cf01bf1a61c9bc55ba052b6d6f78e296dd151ef043e6ed47b9a4beebe5bcc4a9c9b27df7f60619796e8d51934fa14e986cfc3b851fa8478ea93649851128a3b4
SSDEEP

49152:0+V9WbLFFacTC5+tpYL2X1oTeQQ5LIWUxrDd:0I9WbLSD4kU2aQDdr5

Score

10^/10

octo banker collection credential_access defense_evasion discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://kamevitrec.com/YWFiM2VkMmFmNWFh/

https://opemenary.net/YWFiM2VkMmFmNWFh/

https://tomenadertr.com/YWFiM2VkMmFmNWFh/

https://sukemanetoref.net/YWFiM2VkMmFmNWFh/

rc4.plain

Extracted

Family

octo

https://kamevitrec.com/YWFiM2VkMmFmNWFh/

https://opemenary.net/YWFiM2VkMmFmNWFh/

https://tomenadertr.com/YWFiM2VkMmFmNWFh/

https://sukemanetoref.net/YWFiM2VkMmFmNWFh/

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/files/fstream-3.dat	family_octo

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.alwayskind3/app_DynamicOptDex/EXTrBF.json	5112	com.alwayskind3
/data/user/0/com.alwayskind3/cache/shhvozexakttch	5112	com.alwayskind3
/data/user/0/com.alwayskind3/cache/shhvozexakttch	5112	com.alwayskind3

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.alwayskind3
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.alwayskind3

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.alwayskind3

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.alwayskind3

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.alwayskind3

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.alwayskind3
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.alwayskind3
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.alwayskind3
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.alwayskind3

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.alwayskind3

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.alwayskind3

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.alwayskind3

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.alwayskind3

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.alwayskind3

com.alwayskind3
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:5112

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.alwayskind3/app_DynamicOptDex/EXTrBF.json

Filesize
1KB

MD5
35b3de1a2fd0c28b198cdcb3ebdb914e

SHA1
1d0a62376c6da8478d8dee0f1581fb6b7a626ba4

SHA256
bbbde7536b7702b62a73981997dbb9d0c0245bdf96d9ecb4fea33998f54e54d1

SHA512
72aed5a16ba95967daa34ac4d501fe9a510179bd3f5f8fb49882d621d3092c4d121ca26c54da1f200430cab5ce616e2d376ddc9f7af6425fd1521c8354ab2a80

Download Submit
/data/data/com.alwayskind3/app_DynamicOptDex/EXTrBF.json

Filesize
1KB

MD5
c1c2b0406d24fe058ff6c4fe811ff0e9

SHA1
8414f38c9241fcf8f43946c18094dd40a3212bce

SHA256
8aa201e6a8cd78637c0c72f1bba8cfb5205462c3d636c4a0c98c1de9da459acb

SHA512
777c629ea411afb68d0fa3f7bb1f202f0176f2a231da6dd06e6661f77b2783d27f870837a0e3c017f4e321286299503b68f729c093e28d9469ae83813310e219

Download Submit
/data/data/com.alwayskind3/cache/oat/shhvozexakttch.cur.prof

Filesize
487B

MD5
24c4a594b0d6240aac8d61fd0540cbca

SHA1
b273eb81d9c5e1046b6923fe2828a4181ad90221

SHA256
f3acb0c2f3824891a6c5c25b8ff0ec2819123ac3e5d8f1c4b00a88d57b23904e

SHA512
a36bfc52a50ea0b7db2f53ab7f8171863a0615db347d7179ef13cbe1290b1ed3560fa3b2e8f26035338c3ffbb33b477da8bc7fcd0d2bd237ac1f97d86efb6ac8

Download Submit
/data/data/com.alwayskind3/cache/shhvozexakttch

Filesize
448KB

MD5
085dbcd9481b488e79b2123e6282a55e

SHA1
f9ebe2d6bd8955ca6c82455c721596b10c91f48d

SHA256
0c127f7ca3b3dcccca57b70d25f639ba07246110914da7482145935c6254bada

SHA512
d0986500d267ddc68bc9cc1be7cee2c8b5aa28b92799ace92f7fa608f8ed61c7907a8c74c74cc43fcb7c04059ee987218ece067043d334bdc8308cbcd3fa65c7

Download Submit
/data/data/com.alwayskind3/kl.txt

Filesize
423B

MD5
48e64ad19199538cd6060a967b668d92

SHA1
176c0acbb1f424a9d85cdcfa8b82c8d6d197bfd0

SHA256
7333027c331dcbcb4cda5b201c466d022b222317c883179a6f547087ef588bd5

SHA512
0a51d1397cf8d2222b7b35d13a538867fb10a5eb36572eaa77ecf935d616a7ecb8ac113838d59e669eed09764fdf2aa9d3dfb5041c931703e6009a2cbf4e4a22

Download Submit
/data/data/com.alwayskind3/kl.txt

Filesize
28B

MD5
6311c3fd15588bb5c126e6c28ff5fffe

SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57

SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

Download Submit
/data/data/com.alwayskind3/kl.txt

Filesize
230B

MD5
bf22a8ddb5a93c391dbd8f25ca7e6997

SHA1
2eadd9677fcea0c2fac0ae8f7817ca9e3742970a

SHA256
a934c09619b2928cf6a644cf1714765efb66386c578033315d9b274bdc6cb201

SHA512
3c66e91975012f76720fa2ef71a1212339def0a55fa0808f60c4ccf23ec9872a71416dc1dc4831497fe7421d14656da19d673a2761500f7a1eb7708b85f30011

Download Submit
/data/data/com.alwayskind3/kl.txt

Filesize
63B

MD5
cd1ef4544f1b44599bacc86d4c6526eb

SHA1
ea458679d39a3e8ee68a3e8292b1ac2ecce427e3

SHA256
2a1eedec91ee0a65cd9960b40344455136bafd5525c6d4cde49bfd125ddcb404

SHA512
13cb5114fb77423056a4a6cb610eb13e6962b8b29f68f3f1b70a8a1b2b82dd3baf682ef6e1f7c15e632ae59099e1838a7ea7c4f610d22eac74c9361896614098

Download Submit
/data/data/com.alwayskind3/kl.txt

Filesize
45B

MD5
b6295675dd624ee362be56165a9bf251

SHA1
572fd2d01ca7177a192b404abcb10bdbea704fa7

SHA256
0a45fdf5f7f2dba8b1b9a7dbee7bbf1132167bec5e015198b5c8961b051b82c7

SHA512
2a1f8397f05e8f9ac8ff0590c6d79257a7deb4136e67e1b136a51680a21051492905587fc560ccb5324212e3f3082ce52c50ae590da5d4b9160e4801b68c3517

Download Submit
/data/user/0/com.alwayskind3/app_DynamicOptDex/EXTrBF.json

Filesize
2KB

MD5
3acc7041f315d7254941bb6b8097ae24

SHA1
34b0b7e600b38cd61197b8126dd9d0c80a7bf824

SHA256
3dbb74bc5da5d097018e93edce15b11df2f1a0a5de7b59c688ece134b287f7e2

SHA512
0ea4545bae8afcf8c74e7b64a4127426ed9934580b6105e958b905f11ad925590fc49a953c1c87b67f265988a2548e2d8b8a6dde0fa2f24c64ea6b54a3de025c

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads