octo | e48d8b5e607bcd5b9b85d3be271e96e7e088b551f03aae04f4129a1c1f0dba38

Analysis

max time kernel
23s
max time network
25s
platform
android-13_x64
resource
android-33-x64-arm64-20240910-en
resource tags

arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
submitted
21/03/2025, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

base.apk
Size

9.9MB
MD5

c63a7341b83657975615109f144e926a
SHA1

c486503ec21bf61620fd5749b9b9456e13e4b53d
SHA256

d838927c91197c21b1ecd43ef97590d63ad2351e23f90fd96483aa10eba93f1c
SHA512

9ee55b5c21e91f1e773c08b81e665691ced17c17bf879d53f6962cc9fce13fe7a3f8aa7c6b57aad39a9a3521b0d60596e8ea7c724431f765950d00698fbb4c50
SSDEEP

98304:TwdpTASe2WrSj7kVKdn5iSRG5CPVql6jgYt6+U93sx1DUUXTEPQRXG7zRsUq:cdidOj7kUNrTPVAVeDUAAoRXG7zRY

Score

10^/10

octo banker collection credential_access defense_evasion discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo
Octo family
octo

Octo payload 1 IoCs

resource	yara_rule
behavioral3/memory/4471-1.dex	family_octo

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.uunfw31secgestural/app_rival/YSIecoy.json	4471	com.uunfw31secgestural
/data/user/0/com.uunfw31secgestural/[email protected]	4471	com.uunfw31secgestural

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.uunfw31secgestural

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.uunfw31secgestural

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.uunfw31secgestural

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.uunfw31secgestural

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.uunfw31secgestural

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.uunfw31secgestural

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.uunfw31secgestural

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.uunfw31secgestural

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.uunfw31secgestural

com.uunfw31secgestural
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4471

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.uunfw31secgestural/.global.com.uunfw31secgestural

Filesize
48B

MD5
046a414913add6f5bb60072c7db819b6

SHA1
451ee4f6809260aec622d772fd329c7d0297a842

SHA256
b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

SHA512
4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Download Submit
/data/data/com.uunfw31secgestural/app_rival/YSIecoy.json

Filesize
1019B

MD5
2de53243f527a9ab45530b5dc31e0264

SHA1
82c32c6abc3950c0af67cd695c14973c45b5e1f1

SHA256
0cdacbb4ecf4657acde53193871c69be8fcf70642ce4507e5605988d74646406

SHA512
085958566b86b700c95efc17bcf928103f53393711f940ba1261b25bf7c1d05e134de0073a0ea3970aaaff967111dc93d63022cddaac15382bb072ee2fcba3b4

Download Submit
/data/data/com.uunfw31secgestural/app_rival/YSIecoy.json

Filesize
1019B

MD5
448e8a9f3ea84e5f357e307affe868d2

SHA1
aeeea7258d1dd9fe346543a9858fb026a6168f00

SHA256
48308b01f7f400bbed758fc544921b0f21f1033d9434db73e8dd9b4fe2ab434b

SHA512
7dab66a6b306d3ce1d3969d43016995b540e4d307c879b027c30db480451ab6ac63390f684f7fdc158589b97118b564a5c280e4df0631f443dc8e1b4ec70b238

Download Submit
/data/data/com.uunfw31secgestural/files/.t

Filesize
322KB

MD5
77dc50489b9323274732d27dc8a4e803

SHA1
0e02a3595b62489d0739d771881da8604d117c65

SHA256
c5684e792d1ebefea6aac09fed45911703fd58c899f8a08133d49dd91429a820

SHA512
0684a92f3e9c525384cfa53f531afba61e5930e1c27032a7e27e3315f72761b62e122dc34768d8162ba08f9bed53d148aa8dc034b46456bdd211f230637eba58

Download Submit
/data/data/com.uunfw31secgestural/oat/x86_64/[email protected]

Filesize
13KB

MD5
f2f9ca3881376066d41bd8ea366b266b

SHA1
df150021c3090ece8801b1bb543015aaa311008c

SHA256
653a1df73396b8ba6cd4467f0c68ec4a928df3582bcf50d2862447fc586fc044

SHA512
b5b8e00011fcadf45347147a4631582fce3dfe0099c7e3c6bcb7551f6a22587a75e67f8b2d6d9cf3c5ffde6e413a5de27aac30670006cf04cf403776e5ca3846

Download Submit
/data/user/0/com.uunfw31secgestural/[email protected]

Filesize
528KB

MD5
dc054dcc95b3efb2d2d4f043167ba712

SHA1
fd0b011a4091a79a8d2f27fd46ee1d0f1ef0547f

SHA256
4199ceaefeb3865fcee456010f01afd1f3e253318b840a19ff2add09f5c8e0b0

SHA512
2dd7a629c5185a9325f075281bcc598e16e50137a3a1b847693cc60913b08abadce93f7faaf20e10dd10a7cd38f66fe7e02b518947886a058001da5a4e63dbc3

Download Submit
/data/user/0/com.uunfw31secgestural/app_rival/YSIecoy.json

Filesize
1KB

MD5
484ef4858067e65ddc78d790da8c0e38

SHA1
5ddc1e95483a76a1d9fc1eae0996a24749302d19

SHA256
3cef5587d1d1ec586f369abde3c5e00a3c07107095b50b98d2b2af8b08c4afed

SHA512
0038fcc42615cc2214bffba571a9f5026bdbf123f8bf5c568bd67fb6419455114a29cf881d0eefda4a4de5eabe27682d8a85d0a9cb556da511ac02158d8d159b

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads