Overview

overview

10

Static

static

6

5e48e3c055...b6.apk

android-9-x86

10

5e48e3c055...b6.apk

android-13-x64

10

Analysis

  • max time kernel
    179s
  • max time network
    170s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240514-en
  • resource tags

    androidarch:arm64arch:x64image:android-33-x64-arm64-20240514-enlocale:en-usos:android-13-x64system
  • submitted
    21-05-2024 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5e48e3c0554053eb58550d1bbaf1bf4d50d6ea75c4440502e40301c76b800db6.apk

  • Size

    2.0MB

  • MD5

    dd17e98acba1f2c1b085cac8729444af

  • SHA1

    5a3947a59d7fb677313d767db07a8e7ceced669a

  • SHA256

    5e48e3c0554053eb58550d1bbaf1bf4d50d6ea75c4440502e40301c76b800db6

  • SHA512

    2f7891d20a824f817caa8a5bbf6ca08b15724aff83424505919b2ff462d59fdb6424db4fa9e6dda16b76396429190132a94501a6f5671d9276bbbc5775ebf491

  • SSDEEP

    49152:RgGs2iqOl8aKAA440r+UnxDgjTwlGNppgFz:O2BRA94E+Unxlwo

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://nisiqnisiq.com/M2EyOTM2M2FlY2My/

https://siqnisiq.com/M2EyOTM2M2FlY2My/

https://xijunggao.com/M2EyOTM2M2FlY2My/

https://fujetgue.shop/M2EyOTM2M2FlY2My/

https://junggvbvb.com/M2EyOTM2M2FlY2My/

https://junggvbv.com/M2EyOTM2M2FlY2My/

https://sabgggsabggg.com/M2EyOTM2M2FlY2My/

https://sabgggsabggg.top/M2EyOTM2M2FlY2My/

https://sabgggsabgggsabggg.top/M2EyOTM2M2FlY2My/

https://nisiqnisiq.top/M2EyOTM2M2FlY2My/

https://abgggpoh.top/M2EyOTM2M2FlY2My/
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.keepnoticenfyr
    1⤵
    • Makes use of the framework's Accessibility service
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4267

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.keepnoticenfyr/app_DynamicOptDex/eZm.json
    Filesize

    2KB

    MD5

    70f87cb9046a4af7afac6b6eaa9798ef

    SHA1

    ad47f5f18283496315f12cc30a0fdbd6cc04779f

    SHA256

    fe50d45f6f1254f9129cb1dd3cb54fec528496367b19cc45802d5da1f24eed96

    SHA512

    59fbd3d9536fade07323650f4b30e1b2c6a05e1b629966efeb8b8ad80b2954178b0b9a111dea70b5d325cb6bd72de169e8fcb2d394c83e9b5c02a311163e563e

    Download Submit

  • /data/user/0/com.keepnoticenfyr/app_DynamicOptDex/eZm.json
    Filesize

    2KB

    MD5

    3cff1e220aa74b10c5c1406f60a255ba

    SHA1

    b50e865bf6a59920f83fd314aa323e770fef5ae3

    SHA256

    d87291ca3570327a328b421d75adb30092fd547ff799f5bca8abc97748e22604

    SHA512

    046abb34f677d5d9954b4da2ee598f8d2ade9d76fae1da6fcd01043830c677c398520b600af4d534238cd5a3da8d264c034b094dacbb08e381292fe574d89a09

    Download Submit

  • /data/user/0/com.keepnoticenfyr/app_DynamicOptDex/eZm.json
    Filesize

    5KB

    MD5

    c343d8b2c6aac8ffbb98f86aa4f88fe5

    SHA1

    a913ea15a22323f74f1bf7ec22535dc2ec87164c

    SHA256

    d8564ff2a8ed704dbf46f0977f60be515400a25b5d9f6c8a383df6a3d84845c1

    SHA512

    840793e45f76f4cfb318f8985eabf2cbf0eaf7da3305dc001fa01317767bafabd3e19b6944d0f575229917835e460f58c571e502e186267d9c1261451d99b114

    Download Submit

  • /data/user/0/com.keepnoticenfyr/cache/arckled
    Filesize

    448KB

    MD5

    4fd57678b96e666a1a4854f9957b05ac

    SHA1

    9b37747060e9ecb11ed979cfc555f8555760030c

    SHA256

    eefa7eac85c72fde00d88404730247aa95f6714b33fcea821b8b7c0c848e3fc7

    SHA512

    0ca5a4636b7d15a247251f65acba83d50f31263bb0569f4293db2ff7ef013a36dbfe298ceb2dbd8456dd6b7bd878be3f3a39304dbc90131f6f10b6bbce4fe61a

    Download Submit

  • /data/user/0/com.keepnoticenfyr/cache/oat/arckled.cur.prof
    Filesize

    258B

    MD5

    01b58b4c2d4d0ad333d55fdd9eb79369

    SHA1

    b794f075154e33e45fed854d4e82f924d536832e

    SHA256

    ac3b5d88814e6c9ce5ff892fa04e7f73e76996abfa0d0f0b4a9539289190279c

    SHA512

    5ac546cc8a515956a5ddec87bd421a100837f5c1d2753377fabe9fd0954e5200e13e4e551c04fec1e8ab5eb8f02c9b27092798a8b240e742b064032415c82699

    Download Submit