Overview

overview

10

Static

static

6

dd2a5a043f...5f.apk

android-9-x86

10

dd2a5a043f...5f.apk

android-11-x64

10

Analysis

  • max time kernel
    179s
  • max time network
    132s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240514-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240514-enlocale:en-usos:android-11-x64system
  • submitted
    29-05-2024 21:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dd2a5a043f234d30b485fdc6d4a297d07c640f4f7e2bd6b31707b7cee1f3825f.apk

  • Size

    541KB

  • MD5

    69bbaa343457f36b54e0381ad1cec22f

  • SHA1

    f2cd9031baf7f18db90ef2415f433dc4ed833bac

  • SHA256

    dd2a5a043f234d30b485fdc6d4a297d07c640f4f7e2bd6b31707b7cee1f3825f

  • SHA512

    1f8f360c37e2d1302f1df134427f052f4e7007ac4f8e88235176d3b738c2ca5c3da9a8bc70edfaf928f040c4b30f9313425c91e78be940d908086467d3a96cb3

  • SSDEEP

    12288:7vCNEGRqYMECw5ha5H+HyYUFoUhCrlJNbf6gby16B1M:G7LMECUhpHDUCDJN7TQ6s

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://adile56tasarim.com/ZDQ5M2JhM2ZkZTkx/

https://6adiletasarim.com/ZDQ5M2JhM2ZkZTkx/

https://7adiletasarim.com/ZDQ5M2JhM2ZkZTkx/

https://8adiletasarim.com/ZDQ5M2JhM2ZkZTkx/

https://9adiletasarim.com/ZDQ5M2JhM2ZkZTkx/
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Prevents application removal 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to prevent removal.

    evasion
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests modifying system settings. 1 IoCs
    evasion
  • Checks CPU information 2 TTPs 1 IoCs

    Checks CPU information which indicate if the system is an emulator.

    evasiondiscovery
  • Checks memory information 2 TTPs 1 IoCs

    Checks memory information which indicate if the system is an emulator.

    evasiondiscovery
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.hadrightbqaj
    1⤵
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests modifying system settings.
    • Checks CPU information
    • Checks memory information
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Obtains sensitive information copied to the device clipboard
    • Queries the mobile country code (MCC)
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4619

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

1
T1628

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Access Notifications

1
T1517

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

Lateral Movement

Collection

Access Notifications

1
T1517

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.hadrightbqaj/cache/jpwuwyc
    Filesize

    449KB

    MD5

    afe4ad1d723273c6a55d7357c7862184

    SHA1

    53636753c24d0e8a7553897b28dcbd1a766e6fac

    SHA256

    4be693241f3d19603717f391f36861abe86e0e4cca87aed74a9983a6048b8d75

    SHA512

    62a0b83b1d4da77991a3b9a4e1e43800629574f674f336b292e45e4cf42e3c97120ad6cbe16b75a5b26ab0d26d0fcb23e89e61ac137075edd9000d86581fd30f

    Download Submit

  • /data/user/0/com.hadrightbqaj/cache/oat/jpwuwyc.cur.prof
    Filesize

    316B

    MD5

    c891a9863a0304894da8fc3398bffd6f

    SHA1

    ca25ed6c1213ffe5a6854a9fefc07a6d194541ca

    SHA256

    fa02dde732102a491a27f388364a5c614a289f86418b2eca3aa1b298548e78dc

    SHA512

    689c53b755150b9b8ea9ea36ad5f664cfa49b70dff546a536a46dce96c03074809fd33f292349c76a12bc6859b256160e8195a420b927c327051f0da9cd26b91

    Download Submit

  • /data/user/0/com.hadrightbqaj/kl.txt
    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

    Download Submit

  • /data/user/0/com.hadrightbqaj/kl.txt
    Filesize

    235B

    MD5

    10b0340a899d38c085b3e1a0aa12f9e7

    SHA1

    4d05a78581884b35a1696d77bbdc72a885135383

    SHA256

    d10abe72e0dbe64065bb5d17fe6b7da9c0b063b6acda9657cabf9dc57772b73f

    SHA512

    2780a31584fb2ed6f1798346ba87d18f828bfc250d2445f1a7132ef08da66a3b62cf68bfb2cdc4fd9d109a8f98ecb4dc350ea744c0250d376d2d63d07038fa45

    Download Submit

  • /data/user/0/com.hadrightbqaj/kl.txt
    Filesize

    70B

    MD5

    bd531b22885c1da31422ee480108528c

    SHA1

    7be340c338df17c56be53b4fa4eb718e8e3921bc

    SHA256

    3a67cc9282d2dfa36d3a4aa43c54c4f3fa6b8400278dc0bec456a52cefa73cba

    SHA512

    5002c1ae075b1502d8fe21797fb77a7e7c6062ceb64d34bb546926c07ea7d4efeeb4bcd5a7ce1d39c8f7e6ec9f0814986003867c2fb1fb30927c6df83ee7a2f2

    Download Submit

  • /data/user/0/com.hadrightbqaj/kl.txt
    Filesize

    45B

    MD5

    1b6d7415cc11f54c81e0497b2bceaaa2

    SHA1

    7ceb15e40b69a5e0e7306c28f3790d0ca3ca7224

    SHA256

    613357785f5e5ecf3e03e4ceb8da523fe8ca159cb3f1431514142864e44154a1

    SHA512

    3afb97dae06871e43c5d01ee7c8fca046ce028359d8fd4dc6cbbb57056fd33ca7c3b215928c39eb32056d59f102cf7de58707555db10a1a4f6d66b8082fc373a

    Download Submit

  • /data/user/0/com.hadrightbqaj/kl.txt
    Filesize

    84B

    MD5

    fdc67fd98356765833c4869cf568bf13

    SHA1

    dbd9ac2430097ba262dc0aa134848ad593b8ba8f

    SHA256

    e62bc698dc909430caa06292f018c661c13aa2c4818d1ede3cd20b26dc605350

    SHA512

    42e2e314d7a14e12a6f754a4ff66c598d7a7c7717eb5929a1b368d4adcb71a56ca237c6bebac40ea54325e611e22c27db4bf62eb15263ed2f2b7eff735162ee1

    Download Submit