octo | 9ddccad77e4a2349dd1fcc787e35fd3ea523984dc7b1ddbe4ffb7420d7f1dad7

Analysis

max time kernel
24s
max time network
30s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
21/03/2025, 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

base.apk
Size

9.0MB
MD5

bdd117a48d51d7356cd5d91b768472cf
SHA1

1d4dc8529f7044157239c0b5949101a18a8d61a8
SHA256

89f0d93978492d024f2cff9df586f5c045500e38c817de5c8aec7e4d1d91bc34
SHA512

23de39d2295c873fcc68fad150d7edf92bdb7fc1b2f50b62603f2734783a0669c0aff56e4981ebf0d1c8a0becb1c4a0f060f65d39400fc3b946c074dc4c0b5b1
SSDEEP

98304:9d/eDaoqGDHSVKsvRLe3XRRsJm5iSRGEUUH9eTvJByT6FEn6wEa50CxPfz9QskEP:0yUSRy3XRRXrEyAEn6wdKgP

Score

10^/10

octo banker collection credential_access defense_evasion discovery evasion impact infostealer persistence rat stealth trojan

Malware Config

Extracted

Family

octo

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral4/memory/4213-1.dex	family_octo

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4213	com.safetylabs_overlay52

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.safetylabs_overlay52/app_obscure/xBKHdAj.json	4239	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.safetylabs_overlay52/app_obscure/xBKHdAj.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.safetylabs_overlay52/app_obscure/oat/x86/xBKHdAj.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.safetylabs_overlay52/app_obscure/xBKHdAj.json	4213	com.safetylabs_overlay52
Anonymous-DexFile@0xc7576000-0xc75fa3e8	4213	com.safetylabs_overlay52

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.safetylabs_overlay52
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.safetylabs_overlay52

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.safetylabs_overlay52

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.safetylabs_overlay52

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.safetylabs_overlay52

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.safetylabs_overlay52

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.safetylabs_overlay52

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.safetylabs_overlay52

com.safetylabs_overlay52
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Requests enabling of the accessibility settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4213
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.safetylabs_overlay52/app_obscure/xBKHdAj.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.safetylabs_overlay52/app_obscure/oat/x86/xBKHdAj.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4239

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.safetylabs_overlay52/.global.com.safetylabs_overlay52

Filesize
48B

MD5
046a414913add6f5bb60072c7db819b6

SHA1
451ee4f6809260aec622d772fd329c7d0297a842

SHA256
b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

SHA512
4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Download Submit
/data/data/com.safetylabs_overlay52/app_obscure/xBKHdAj.json

Filesize
1012B

MD5
d0534e0cd9b2bb4abe52052a71442d37

SHA1
8f3f76f18627f3cb630f5c640b735e82f99762c9

SHA256
d62ff1314fbca88157d1cd32e6fab7147de6b80e3d8854724fcddf86702ac1af

SHA512
8ef9356a926d38118fbc89b76c3209dde81b29e8b25238fd5a65cac8226cef151ee4673bdb35cd38e11b8d43358849b7ba391f82702956971e43a2214a7cc4bd

Download Submit
/data/data/com.safetylabs_overlay52/app_obscure/xBKHdAj.json

Filesize
1012B

MD5
925b0c70024c3dba2daa66eec198b318

SHA1
647755a42057332daf6933561818b948e740f2c3

SHA256
d4a594ddb02ef198771d6c9390fa2321076c8d0dbfc049332ebc4acc4b0e7bfa

SHA512
429ee78211bd5297aa76643046fe9796a3054b34cb9eb6cad5b51449947c40e2398a7bf1378b271905dd08d1427e1cd6b80f0e2e2e7242e631daf259931fd037

Download Submit
/data/data/com.safetylabs_overlay52/files/.l

Filesize
307KB

MD5
4e73947cabb5db3f92ca85004981b754

SHA1
6d9667fdb0280ed2dcb782b4683e422a51bdc601

SHA256
6db94232e756b90ed437f1bc87dc38cf20fb2e7c7a19a5e40c6c17254b7e234c

SHA512
be8b500a7070af1dfb53b0cf1a7b327dadc4e163a6dad905496ac228c58cd1ed87b054533917924455d35e9b300683ae33e1bcdd91935a5dbae1d693c3e13d69

Download Submit
/data/user/0/com.safetylabs_overlay52/app_obscure/xBKHdAj.json

Filesize
1KB

MD5
e19b764aceab629cf981ac8c22e21b8f

SHA1
c2884e03def4f73aa09b0f9a4cdca381339bfb5a

SHA256
17d8e4ddfc16eb787591aeb7950c7e301dfa9fd84ce40778b4ff19d3b6cf1bd3

SHA512
b5a7a8cadd8f32254230a9466f2aa550d26d8f45dc3636dabf1f4fb4d12a6d141b31ceeddd4af64076a84283356fabfcfc5931ba28858c4936197309c210dd66

Download Submit
/data/user/0/com.safetylabs_overlay52/app_obscure/xBKHdAj.json

Filesize
1KB

MD5
1f30e2d62d4e7c1761199dd7492c22fa

SHA1
cc208e8ffdb904957fb81a2e8f4b9f01870da7cf

SHA256
128dd66ec1b7c7aa7d995a1617df6255738d6b3e0104643ac221e6eb744c8dc2

SHA512
b7d27bf04767c0fcfcf7784cbba3c4d94d8a83da713cc72b19a250465bf3d4e0b3e7e10efc7a242eab879ef70b037387bd7b51ff760d3e769282dd9129976b70

Download Submit
Anonymous-DexFile@0xc7576000-0xc75fa3e8

Filesize
528KB

MD5
4c3980885a7c62661a40becf5fee8748

SHA1
78ab48da96c11be73bc98b9da0b50bc1a5192a1b

SHA256
79865324b9bec945654e77931332c2038e316f229d02e7827073a46ff7cad0ef

SHA512
fa388f8c587c99860fe314d18494c8bc7ad7cbd8febb869179f1a79c051a677312c84df9b837de4ff11f28db1302a7b5deb9f3182b0908ab4816843c3641dd7a

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads