Overview

overview

10

Static

static

6

f698fbb2bd...a5.apk

android-9-x86

10

f698fbb2bd...a5.apk

android-10-x64

10

Analysis

  • max time kernel
    179s
  • max time network
    155s
  • platform
    android_x86
  • resource
    android-x86-arm-20240514-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
  • submitted
    29-05-2024 22:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f698fbb2bd46a4b6a9c8da3d74658772b47b3e43dafc494d55b4f54916db2ba5.apk

  • Size

    509KB

  • MD5

    95d94be9f18f9c1311f50810a495679a

  • SHA1

    fa5752f396e19f085dd56c673073112d5d3aa135

  • SHA256

    f698fbb2bd46a4b6a9c8da3d74658772b47b3e43dafc494d55b4f54916db2ba5

  • SHA512

    c28ca69d77ba37cdfe84fbb787f6bd7ff3877af1218f528202a02e21aebc82e02255cf55731cfe15692524880065224c4a60e3fe95cbfc19d59a5ffc5adccbb3

  • SSDEEP

    12288:aSBzSFlIIhwPpqgFKDS30JGyMXpeX2/7XoU:R0FGp3FKDA4MXgXSR

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

octo

C2

https://moneycsffhgm7.shop/MmExODA3MDAzZjA5/

https://moneycsasfasfh.com/MmExODA3MDAzZjA5/

https://moneycsasfasfh.net/MmExODA3MDAzZjA5/

https://2moneycsasfasfh.net/MmExODA3MDAzZjA5/

https://2moneycsasfasfh.com/MmExODA3MDAzZjA5/

https://3moneycsasfasfh.com/MmExODA3MDAzZjA5/
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Prevents application removal 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to prevent removal.

    evasion
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests modifying system settings. 1 IoCs
    evasion
  • Checks CPU information 2 TTPs 1 IoCs

    Checks CPU information which indicate if the system is an emulator.

    evasiondiscovery
  • Checks memory information 2 TTPs 1 IoCs

    Checks memory information which indicate if the system is an emulator.

    evasiondiscovery
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Acquires the wake lock 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.snowcompletefyq
    1⤵
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Removes its main activity from the application launcher
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests modifying system settings.
    • Checks CPU information
    • Checks memory information
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4271

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

4
T1422

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.snowcompletefyq/cache/lletscw
    Filesize

    449KB

    MD5

    2eb5d79a2030280606286bfdcb0c6e8f

    SHA1

    43da73a57e47b70678bfb652602af4c2ec65cad8

    SHA256

    5d5a7dbe2e41740bf7397f905762d4f6f461f546c58f6877abf179d9eddcb7b9

    SHA512

    8bb734e791dacb406d8ce5cacd58f22aa695608691a590f14f060bdfe8d08c4e37d0cd4ad71a0b8b5edaa769c0b5cb9ce64e7f344e7a79eb03690dbf29d29529

    Download Submit

  • /data/data/com.snowcompletefyq/cache/oat/lletscw.cur.prof
    Filesize

    499B

    MD5

    27cc2ad111462c6318b04d68132e1a17

    SHA1

    87aa1c7919774ef8f30062a093787aff59db14c7

    SHA256

    d9803a8334b416896cf71b6ff4e7e9f1537be7b15727630628a40e0b8d79dced

    SHA512

    5ea908d259bbefffb4c381b03660f2d4f3e030058e96b1cecfddc384fd5b6eabe3be29c7c93b6460fa5c447b7d829620b955042c32299eb5ab13c67af1f4a512

    Download Submit

  • /data/data/com.snowcompletefyq/kl.txt
    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

    Download Submit

  • /data/data/com.snowcompletefyq/kl.txt
    Filesize

    235B

    MD5

    322bb91ab14beba8f3b9dda0caa2da5d

    SHA1

    db7e216e23074ca234ff80d578f39bceb8cccad6

    SHA256

    97b76c2a5445e6c757e21ddc5725705786846562ed05aae07a6f55a921ce8805

    SHA512

    64bccb50bdeb469f677db81cd57f4a8efdb695ea06096301a31db1440830509870c4f169bb87557e5cd9eda961f3873f9d2672498aa0f30d41372d1d08368e23

    Download Submit

  • /data/data/com.snowcompletefyq/kl.txt
    Filesize

    54B

    MD5

    77c941f801f7876b00d60725702cd4d6

    SHA1

    b66df67a1b410d85f6dcf991af42270dfc6aae76

    SHA256

    576b1cf15547c272b96d2b8f720bfcc7fab93883dc77a8072122bde444fba6ee

    SHA512

    dc9171d7de34247c73816c424789e2b2da754edc22f7f220437e07fc084ac1d84ff5b7fbd54ae39b8a643e07a4f675e4106d2ac1bf361c26ba85c0754fdcc280

    Download Submit

  • /data/data/com.snowcompletefyq/kl.txt
    Filesize

    153B

    MD5

    582a30fcd024361de12caffe6fdedab7

    SHA1

    158ca2b9f6a25b71c3e5155b9729ed1690174404

    SHA256

    46e3188c1532e162853fb3ddc75109de428f5ba27f3f47ac32caecdc307ec52e

    SHA512

    f5c4308a9401197fccb35f74af9c3591b0cfcdb2e89d68d506ff3a96fe690448f4ae75939747bf0f7cdb331f1ba2232a5ba0a371a98d61934c5533710ab7d094

    Download Submit

  • /data/data/com.snowcompletefyq/kl.txt
    Filesize

    433B

    MD5

    11f3b3e384378fcb21adb021a49cd9aa

    SHA1

    9f188166b39eeb9a8f7dd50d0b39489463d0d244

    SHA256

    3baa2b88e18c20652c4221e8534547a2bab9173bc8baf1805fdf30a262aa6d57

    SHA512

    0523f0094cf657dda40cd4c4e7adb19ea436b244da140dd9fd2213b61b2283f647c3874f374d59f64b23ac1b4d1e4af56d66f7854c018f3cac545f221f9e45bb

    Download Submit