octo | 9ede872e3b967b2956afa53ba25d2cca8c331765ef946a956b2cf6beb12b7025

Analysis

max time kernel
34s
max time network
159s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
submitted
11-10-2024 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ede872e3b967b2956afa53ba25d2cca8c331765ef946a956b2cf6beb12b7025.apk
Size

4.8MB
MD5

bf3d9d722156753ba40be9d883698538
SHA1

c5d8facb127a045798fd7e407901cac875aa0ca5
SHA256

9ede872e3b967b2956afa53ba25d2cca8c331765ef946a956b2cf6beb12b7025
SHA512

053401cb2af51b36d491521e569b0c49c4fe46df9802f2200032d7a36456b56c5f3c1c98bc5275815f811c73519b50731f5109ffe36d9170b205c58fa05fe586
SSDEEP

49152:yRsEXJ0FCK5nj7845iS7xrG7/VwlhQjVKScsHDYAHcyFaDFbhtn:yRsRFC0nj7V5iSRGSOVKwSyFapd1

Score

10^/10

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan

Malware Config

Extracted

Family

octo

https://4dad07b9ff8f38e33e31fb9414f6f67b.xyz

Attributes

target_apps
at.spardat.bcrmobile

at.spardat.netbanking

com.bankaustria.android.olb

com.bmo.mobile

com.cibc.android.mobi

com.rbc.mobile.android

com.scotiabank.mobile

com.td

cz.airbank.android

eu.inmite.prj.kb.mobilbank

com.bankinter.launcher

com.kutxabank.android

com.rsi

com.tecnocom.cajalaboral

es.bancopopular.nbmpopular

es.evobanco.bancamovil

es.lacaixa.mobile.android.newwapicon

com.dbs.hk.dbsmbanking

com.FubonMobileClient

com.hangseng.rbmobile

com.MobileTreeApp

com.mtel.androidbea

com.scb.breezebanking.hk

hk.com.hsbc.hsbchkmobilebanking

com.aff.otpdirekt

com.ideomobile.hapoalim

com.infrasofttech.indianBank

com.mobikwik_new

com.oxigen.oxigenwallet

jp.co.aeonbank.android.passbook

jp.co.netbk

jp.co.rakuten_bank.rakutenbank

jp.co.sevenbank.AppPassbook

jp.co.smbc.direct

jp.mufg.bk.applisp.app

com.barclays.ke.mobile.android.ui

nz.co.anz.android.mobilebanking

nz.co.asb.asbmobile

nz.co.bnz.droidbanking

nz.co.kiwibank.mobile

com.getingroup.mobilebanking

eu.eleader.mobilebanking.pekao.firm

eu.eleader.mobilebanking.pekao

eu.eleader.mobilebanking.raiffeisen

pl.bzwbk.bzwbk24

pl.ipko.mobile

pl.mbank

alior.bankingapp.android

com.comarch.mobile.banking.bgzbnpparibas.biznes

com.comarch.security.mobilebanking

com.empik.empikapp

com.empik.empikfoto

com.finanteq.finance.ca

com.orangefinansek

eu.eleader.mobilebanking.invest

pl.aliorbank.aib

pl.allegro

pl.bosbank.mobile

pl.bph

pl.bps.bankowoscmobilna

pl.bzwbk.ibiznes24

pl.bzwbk.mobile.tab.bzwbk24

pl.ceneo

pl.com.rossmann.centauros

pl.fmbank.smart

pl.ideabank.mobilebanking

pl.ing.mojeing

pl.millennium.corpApp

pl.orange.mojeorange

pl.pkobp.iko

pl.pkobp.ipkobiznes

com.kuveytturk.mobil

com.magiclick.odeabank

com.mobillium.papara

com.pozitron.albarakaturk

com.teb

ccom.tmob.denizbank

com.tmob.tabletdeniz

com.vakifbank.mobilel

tr.com.sekerbilisim.mbank

wit.android.bcpBankingApp.millenniumPL

com.idamobile.android.hcb

logo.com.mbanking

com.openbank

com.samsung.android.spay

com.cardsapp.android

cz.bsc.rc

cb.ibank

com.bifit.mobile.ubrr

com.bssys.mbcphone.ubrir

net.bl

com.bifit.mobile.bin

com.webmoney.my

com.polehin.android

com.bitcoin.mwallet

io.totalcoin.wallet

com.quppy

com.sharpdev.fxcoin

com.advantage.RaiffeisenBank

hr.asseco.android.jimba.mUCI.ro

may.maybank.android

ro.btrl.mobile

com.amazon.windowshop

com.ebay.mobile

com.idamob.tinkoff.android

com.akbank.android.apps.akbank_direkt

com.akbank.android.apps.akbank_direkt_tablet

com.akbank.softotp

com.akbank.android.apps.akbank_direkt_tablet_20

com.fragment.akbank

com.ykb.android

com.ykb.android.mobilonay

com.ykb.avm

com.ykb.androidtablet

com.veripark.ykbaz

com.softtech.iscek

com.yurtdisi.iscep

com.softtech.isbankasi

com.monitise.isbankmoscow

com.finansbank.mobile.cepsube

finansbank.enpara

com.magiclick.FinansPOS

com.matriksdata.finansyatirim

finansbank.enpara.sirketim

com.vipera.ts.starter.QNB

com.redrockdigimark

com.garanti.cepsubesi

com.garanti.cepbank

com.garantibank.cepsubesiro

biz.mobinex.android.apps.cep_sifrematik

com.garantiyatirim.fx

com.tmobtech.halkbank

com.SifrebazCep

eu.newfrontier.iBanking.mobile.Halk.Retail

tr.com.tradesoft.tradingsystem.gtpmobile.halk

com.DijitalSahne.EnYakinHalkbank

com.ziraat.ziraatmobil

com.ziraat.ziraattablet

com.matriksmobile.android.ziraatTrader

com.matriksdata.ziraatyatirim.pad

de.ingdiba.bankingapp

de.comdirect.android

de.commerzbanking.mobil

de.consorsbank

com.db.mm.deutschebank

de.dkb.portalapp

com.de.dkb.portalapp

com.ing.diba.mbbr2

de.postbank.finanzassistent

mobile.santander.de

de.fiducia.smartphone.android.banking.vr

fr.creditagricole.androidapp

fr.axa.monaxa

fr.banquepopulaire.cyberplus

net.bnpparibas.mescomptes

com.boursorama.android.clients

com.caisseepargne.android.mobilebanking

fr.lcl.android.customerarea

com.paypal.android.p2pmobile

com.wf.wellsfargomobile

com.wf.wellsfargomobile.tablet

com.wellsFargo.ceomobile

com.usbank.mobilebanking

com.usaa.mobile.android.usaa

com.suntrust.mobilebanking

com.moneybookers.skrillpayments.neteller

com.moneybookers.skrillpayments

com.clairmail.fth

com.konylabs.capitalone

com.yinzcam.facilities.verizon

com.chase.sig.android

com.infonow.bofa

com.bankofamerica.cashpromobile

uk.co.bankofscotland.businessbank

com.grppl.android.shell.BOS

com.rbs.mobile.android.natwestoffshore

com.rbs.mobile.android.natwest

com.rbs.mobile.android.natwestbandc

com.rbs.mobile.investisir

com.phyder.engage

com.rbs.mobile.android.rbs

com.rbs.mobile.android.rbsbandc

uk.co.santander.santanderUK

uk.co.santander.businessUK.bb

com.sovereign.santander

com.ifs.banking.fiid4202

com.fi6122.godough

com.rbs.mobile.android.ubr

com.htsu.hsbcpersonalbanking

com.grppl.android.shell.halifax

com.grppl.android.shell.CMBlloydsTSB73

com.barclays.android.barclaysmobilebanking

com.unionbank.ecommerce.mobile.android

com.unionbank.ecommerce.mobile.commercial.legacy

com.snapwork.IDBI

com.idbibank.abhay_card

src.com.idbi

com.idbi.mpassbook

com.ing.mobile

com.snapwork.hdfc

com.sbi.SBIFreedomPlus

hdfcbank.hdfcquickbank

com.csam.icici.bank.imobile

in.co.bankofbaroda.mpassbook

com.axis.mobile

cz.csob.smartbanking

sk.sporoapps.accounts

sk.sporoapps.skener

com.cleverlance.csas.servis24

org.westpac.bank

nz.co.westpac

au.com.suncorp.SuncorpBank

org.stgeorge.bank

org.banksa.bank

au.com.newcastlepermanent

au.com.nab.mobile

au.com.mebank.banking

au.com.ingdirect.android

MyING.be

com.imb.banking2

com.fusion.ATMLocator

au.com.cua.mb

com.commbank.netbank

com.citibank.mobile.au

com.citibank.mobile.uk

com.citi.citimobile

org.bom.bank

com.bendigobank.mobile

me.doubledutch.hvdnz.cbnationalconference2016

au.com.bankwest.mobile

com.bankofqueensland.boq

com.anz.android.gomoney

com.anz.android

com.anz.SingaporeDigitalBanking

com.anzspot.mobile

com.crowdcompass.appSQ0QACAcYJ

com.arubanetworks.atmanz

com.quickmobile.anzirevents15

at.volksbank.volksbankmobile

it.volksbank.android

it.secservizi.mobile.atime.bpaa

de.fiducia.smartphone.android.securego.vr

com.isis_papyrus.raiffeisen_pay_eyewdg

at.easybank.mbanking

at.easybank.tablet

at.easybank.securityapp

at.bawag.mbanking

com.bawagpsk.securityapp

at.psa.app.bawag

com.pozitron.iscep

com.vakifbank.mobile

com.pozitron.vakifbank

com.starfinanz.smob.android.sfinanzstatus

com.starfinanz.mobile.android.pushtan

com.entersekt.authapp.sparkasse

com.starfinanz.smob.android.sfinanzstatus.tablet

com.starfinanz.smob.android.sbanking

com.palatine.android.mobilebanking.prod

fr.laposte.lapostemobile

com.cm_prod.bad

com.cm_prod.epasal

com.cm_prod_tablet.bad

com.cm_prod.nosactus

mobi.societegenerale.mobile.lappli

com.bbva.netcash

com.bbva.bbvacontigo

com.bbva.bbvawallet

es.bancosantander.apps

com.santander.app

es.cm.android

es.cm.android.tablet

com.bankia.wallet

com.bestbuy.android

com.jiffyondemand.user

com.latuabancaperandroid

com.latuabanca_tabperandroid

com.lynxspa.bancopopolare

com.unicredit

it.bnl.apps.banking

it.bnl.apps.enterprise.bnlpay

it.bpc.proconl.mbplus

it.copergmps.rt.pf.android.sp.bmps

it.gruppocariparma.nowbanking

it.ingdirect.app

it.nogood.container

it.popso.SCRIGNOapp

posteitaliane.posteapp.apppostepay

com.abnamro.nl.mobile.payments

com.triodos.bankingnl

nl.asnbank.asnbankieren

nl.snsbank.mobielbetalen

com.btcturk

com.ingbanktr.ingmobil

com.tmob.denizbank

tr.com.hsbc.hsbcturkey

com.att.myWireless

com.vzw.hss.myverizon

aib.ibank.android

com.bbnt

com.csg.cs.dnmbs

com.discoverfinancial.mobile

com.eastwest.mobile

com.fi6256.godough

com.fi6543.godough

com.fi6665.godough

com.fi9228.godough

com.fi9908.godough

com.ifs.banking.fiid1369

com.ifs.mobilebanking.fiid3919

com.jackhenry.rockvillebankct

com.jackhenry.washingtontrustbankwa

com.jpm.sig.android

com.sterling.onepay

com.svb.mobilebanking

org.usemployees.mobile

pinacleMobileiPhoneApp.android

com.fuib.android.spot.online

com.ukrsibbank.client.android

com.Plus500

eu.unicreditgroup.hvbapptan

com.targo_prod.bad

com.db.pwcc.dbmobile

com.db.mm.norisbank

com.bitmarket.trader

com.plunien.poloniex

com.mycelium.wallet

com.bitfinex.bfxapp

com.binance.dev

com.binance.odapplications

com.blockfolio.blockfolio

com.crypter.cryptocyrrency

io.getdelta.android

com.edsoftapps.mycoinsvalue

com.coin.profit

com.mal.saul.coinmarketcap

com.tnx.apps.coinportfolio

com.coinbase.android

com.portfolio.coinbase_tracker

com.bitpay.wallet

com.bitcoin.wallet.btc

com.blocktrail.mywallet

org.electrum.electrum

com.paxful.wallet

com.bitcoin.pocketbook.btc

net.bitstamp.app

de.schildbach.wallet

piuk.blockchain.android

info.blockchain.merchant

com.jackpf.blockchainsearch

com.unocoin.unocoinwallet

com.unocoin.unocoinmerchantPoS

com.thunkable.android.santoshmehta364.UNOCOIN_LIVE

wos.com.zebpay

com.localbitcoinsmbapp

com.thunkable.android.manirana54.LocalBitCoins

com.thunkable.android.manirana54.LocalBitCoins_unblock

com.localbitcoins.exchange

com.coins.bit.local

com.coins.ful.bit

com.jamalabbasii1998.localbitcoin

zebpay.Application

xmr.org.freewallet.app

com.bitcoin.ss.zebpayindia

com.kryptokit.jaxx

com.cajasur.android

app.wizink.es

com.grupocajamar.wefferent

caixagalicia.activamovil

com.abanca.bancaempresas

net.inverline.bancosabadell.officelocator.android

es.caixageral.caixageralapp

com.bankinter.bkwallet

com.db.pbc.mibanco

com.indra.itecban.mobile.novobanco

es.openbank.mobile

es.pibank.customers

es.bancosantander.empresas

com.indra.itecban.triodosbank.mobile.banking

es.univia.unicajamovil

com.westernunion.moneytransferr3app.es

com.denizbank.mobildeniz

www.ingdirect.nativeframe

AES_key

Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
banker trojan infostealer rat octo

Octo payload 1 IoCs

resource	yara_rule
behavioral2/memory/4344-0.dex	family_octo

Loads dropped Dex/Jar 1 TTPs 26 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.visualizationbutton_scribe82/[email protected]	4344	com.visualizationbutton_scribe82
/apex/com.android.wifi/javalib/framework-wifi.jar	4344	com.visualizationbutton_scribe82
/apex/com.android.uwb/javalib/framework-uwb.jar	4344	com.visualizationbutton_scribe82
/apex/com.android.tethering/javalib/framework-tethering.jar	4344	com.visualizationbutton_scribe82
/apex/com.android.tethering/javalib/framework-connectivity-t.jar	4344	com.visualizationbutton_scribe82
/apex/com.android.tethering/javalib/framework-connectivity.jar	4344	com.visualizationbutton_scribe82
/apex/com.android.sdkext/javalib/framework-sdkextensions.jar	4344	com.visualizationbutton_scribe82
/apex/com.android.scheduling/javalib/framework-scheduling.jar	4344	com.visualizationbutton_scribe82
/apex/com.android.permission/javalib/framework-permission-s.jar	4344	com.visualizationbutton_scribe82
/apex/com.android.permission/javalib/framework-permission.jar	4344	com.visualizationbutton_scribe82
/apex/com.android.os.statsd/javalib/framework-statsd.jar	4344	com.visualizationbutton_scribe82
/apex/com.android.ondevicepersonalization/javalib/framework-ondevicepersonalization.jar	4344	com.visualizationbutton_scribe82
/apex/com.android.mediaprovider/javalib/framework-mediaprovider.jar	4344	com.visualizationbutton_scribe82
/apex/com.android.media/javalib/updatable-media.jar	4344	com.visualizationbutton_scribe82
/apex/com.android.ipsec/javalib/android.net.ipsec.ike.jar	4344	com.visualizationbutton_scribe82
/apex/com.android.conscrypt/javalib/conscrypt.jar	4344	com.visualizationbutton_scribe82
/apex/com.android.btservices/javalib/framework-bluetooth.jar	4344	com.visualizationbutton_scribe82
/apex/com.android.appsearch/javalib/framework-appsearch.jar	4344	com.visualizationbutton_scribe82
/apex/com.android.adservices/javalib/framework-sdksandbox.jar	4344	com.visualizationbutton_scribe82
/apex/com.android.adservices/javalib/framework-adservices.jar	4344	com.visualizationbutton_scribe82
/apex/com.android.i18n/javalib/core-icu4j.jar	4344	com.visualizationbutton_scribe82
/apex/com.android.art/javalib/apache-xml.jar	4344	com.visualizationbutton_scribe82
/apex/com.android.art/javalib/bouncycastle.jar	4344	com.visualizationbutton_scribe82
/apex/com.android.art/javalib/okhttp.jar	4344	com.visualizationbutton_scribe82
/apex/com.android.art/javalib/core-libart.jar	4344	com.visualizationbutton_scribe82
/apex/com.android.art/javalib/core-oj.jar	4344	com.visualizationbutton_scribe82

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.visualizationbutton_scribe82
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.visualizationbutton_scribe82

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.visualizationbutton_scribe82

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.visualizationbutton_scribe82

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.visualizationbutton_scribe82

Performs UI accessibility actions on behalf of the user 1 TTPs 43 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.visualizationbutton_scribe82

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.visualizationbutton_scribe82

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.visualizationbutton_scribe82

Requests modifying system settings. 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.action.MANAGE_WRITE_SETTINGS	com.visualizationbutton_scribe82

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.visualizationbutton_scribe82

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.visualizationbutton_scribe82

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.visualizationbutton_scribe82

com.visualizationbutton_scribe82
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4344

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/apex/com.android.adservices/javalib/framework-adservices.jar

Filesize
25KB

MD5
b7378810aaedc21703a206caa03483f6

SHA1
c7f25825108746487b3845bf92a050cd58d8696f

SHA256
ebf554eca9585be7cc99314e35c844d481ab811456055a1127b3df4641cf2ffb

SHA512
29dc68938e9ed5cf0ce51ed35ba10496ce703a9099a4a2dc4849470aa8f567b3052e08515dfee102f22c5b5bb6f2a4d21daf03b97a61e3d1d2964bc450956d37

Download Submit
/apex/com.android.adservices/javalib/framework-sdksandbox.jar

Filesize
11KB

MD5
898c6c1597e17488fff3ad1f075b126d

SHA1
ded41197706768e8fb5a27211091710de74f87cf

SHA256
e71199d47af29d61859792529bfee051ebb23b92747d57e402d6af30c8d2a9c2

SHA512
34126bb4f7e75a9386c5960685c2d6107b547ca545643a4158f09876d62e4a04e48961e01664ef9bebf2faa165952adb29d447281178fbdc4f157a079a2159dd

Download Submit
/apex/com.android.appsearch/javalib/framework-appsearch.jar

Filesize
145KB

MD5
45f2b5cef7279c9e721764da4618a83d

SHA1
c3b16d4e71bb29955481eba3d2e7bac78292d1ac

SHA256
a77cfbc9d66d3fde22540b2e6a5bee8ce21dbeb3f66c0d9121764513188252f7

SHA512
fbbdefd3117f8af38dc60676b85a86e7d38009bf839aca2d1d7f38960e05942befa7d5645f218cdbdba56aef6d7d1f5794ed3fb53c0f2134ec782323b03d7c9e

Download Submit
/apex/com.android.art/javalib/apache-xml.jar

Filesize
1.2MB

MD5
5c1dc5d635f8e0de770c930b244d72ab

SHA1
1cfab9c114f0e14bef8f58bbb5c46ea5c7f45581

SHA256
a592316ce171525b731179a84d91a1f7824d5e7c2c6f713d038163a95f7f3626

SHA512
fbe9dead311f0279587006fd60f13759635ae39f81f3eaaac71db264e2ef773788162fccaf6537f87e7b7b9d5a7e8cf0ff31561774686e1bc3fed0ec9bdbd363

Download Submit
/apex/com.android.art/javalib/bouncycastle.jar

Filesize
1.4MB

MD5
610cf8fc8e3b9316656d5d8562edf98f

SHA1
6c628e96dcc908ef390c46a67de435b06607a2fb

SHA256
b12a49fda7dec105cac09b6d77b083d37b1be5d52f4f265790f2e348e5783f06

SHA512
3adc4a3bea3ce819f1b5eeff0988d5cb131d850f2a3ac6c484e4b7f4ced566dbd081d0cc6042ab3caa344098650c0b1a4c5f691f7921d2cf1ca395e08e3222b7

Download Submit
/apex/com.android.art/javalib/core-libart.jar

Filesize
549KB

MD5
9dfc76933503bef1af365e42ed68879c

SHA1
65c92169881f1a10fb26a407494f9c4b383ef84d

SHA256
eb3b040c7700fccdc6a637ff9628c0867b6f48ebac4b09c2b5bb4dd77baf3d38

SHA512
f8ffef274eae3e01003cc8643de1eade69a5747978f3ec60d910a02d18445d776d997024130dc42dd92287900c6ba57463bbddedf045064bc2374669f00a792d

Download Submit
/apex/com.android.art/javalib/core-oj.jar

Filesize
5.0MB

MD5
f1a98ecb23b9134c358015fcab1f0215

SHA1
e71c1849677f17d5aa83a20853f3483136d449e4

SHA256
d9d541d074d858571d60e2964fd39fb74130217fa7c92d74ed1695b0962837cf

SHA512
8e2a6dd96a89d2195ac770320933a1938977dd55ac98bc822bf33646fec208a2354f1e2dee14463eb776da13b737517affe9bc336093fec1fa9bbc6c7b67f1d2

Download Submit
/apex/com.android.art/javalib/okhttp.jar

Filesize
397KB

MD5
a4b2495e244595af5f3e3ef446f3fb05

SHA1
5a19ef43d0ffe4cb740cefd5bef48da5bf60e774

SHA256
14d759d0257e1be79263f4ff0bd41548af7f83f7d5f8f5029dae5e58a4687ada

SHA512
5fe72bbed317af46c385cde578bbb9d47e429ff192f96799ce81e891098ee45ce5d6287373cc78ae07b664af168e0ed7e516184883442132664e659ae5d0aba8

Download Submit
/apex/com.android.btservices/javalib/framework-bluetooth.jar

Filesize
937KB

MD5
dfeab0380131c54e132e010995886029

SHA1
8d99f8257731637cace5f413916741a94fe5e460

SHA256
9f51175dca7d241cff99acba4f8e29a1b781f3d16a72baebc8ab7434ded1869c

SHA512
2f101e3e655e0d6ce4952ba462692d706752491d5ff3b8528d0331f1523ac227c0830a26c74bc850117f7bf028d1547cf190bdac02f647ca245e83d60f9715d9

Download Submit
/apex/com.android.conscrypt/javalib/conscrypt.jar

Filesize
453KB

MD5
7ce91e3f14e20db318e38b3fb497984f

SHA1
068ebff84b6fcb998fa518e39b78b4d52707edae

SHA256
787aa8fdbb20b5a4df8a61213c8df30de929dc610967f32712611b323d89d32d

SHA512
54ffec1ac57503575b6a2f471f8eb895b1042b2592b5febe63377e11522103dee0f70f01ae52cb2081b06dfd16ef79723cdc1b40680a6d2622fa0a5067b5267d

Download Submit
/apex/com.android.i18n/javalib/core-icu4j.jar

Filesize
2.7MB

MD5
baf8aae4583bf6989f30a3512d36cdf4

SHA1
b8623c5c6be23f8201cc1b826f83eaa6ac8f7b46

SHA256
baa7c3b0f8df0cb4e6b925b44ccf99dbe35dbf4be00a0ae33c5e4eeb173ce7f5

SHA512
420c583336e62cd5137809fc6d2267344d1d52fe5edd3e0ed8385207f6731d17a6370b61b6418260039266c2ae2c5e814c5eb9b16b4e672a6b0e3b1e5714f11f

Download Submit
/apex/com.android.ipsec/javalib/android.net.ipsec.ike.jar

Filesize
670KB

MD5
5041171aeeffa6ae45eef650b594445b

SHA1
cc2a8d2577fedf8cf3f5c146a7874a3420a9015e

SHA256
dbf99fd2ecc3f0a085855d9a53881b91132da8f0e85dd11d92ee46db01d6ab83

SHA512
79201fe62462460065e376879ff014232394dc608e838fee0e2391b4f01fa1e8c76866398894b8195e23d45e2ae56ce348930d9abbb14e622a0874df0f4f66d7

Download Submit
/apex/com.android.media/javalib/updatable-media.jar

Filesize
482KB

MD5
5b75de85d1963c518cc39440e203e80a

SHA1
cd199428ef27a5e6c42462a600fe572a0c8cdfd3

SHA256
19eb02aed8c826a9a4b74d11a345e8ecbe1fe5562c5b9d13ac1286efaa4771e9

SHA512
de7ac7c3d55f36d9efe66d7fce049543fcf2e37c24e50f8e593c50b71e3d77271f50723a223e5b6877248ae0c53f9dcfd450dfe428e2b4e6ea5e5c8195ef0ea1

Download Submit
/apex/com.android.mediaprovider/javalib/framework-mediaprovider.jar

Filesize
73KB

MD5
5f147ff03fa6df46871cc7988719efff

SHA1
1bcc3c94c4edaec0c4b71d619ad6e93834c98420

SHA256
6ae5b642fe117238ea95d6f39931c86cc3e784115a0874e8b742dab88ef9629b

SHA512
d6d6e022fe31d6aed2663ffcd7c909aa22d93e4389f8c4930c32bf4b49062e57c4481f9c551cb2963457a0418cdef8acb24c123204127b0873e8b18e89a591d2

Download Submit
/apex/com.android.ondevicepersonalization/javalib/framework-ondevicepersonalization.jar

Filesize
8KB

MD5
a226d2dab862fc8e24ab338ca5eefd26

SHA1
d424730e7a0ab29a2ef906b7e71e50f857d24856

SHA256
f2d356c75b62b631972f29ed268497b3088e80676f34c4f8ea779d30be959b4f

SHA512
df211db5e4b6dfaeb74f5cdbe9d776486753dec9d527364ffe3d38a1ccdc5718f8edf1d59a4a9bc1d0fe6cc568de9a43a46510a7cf2ea5c93cd3fd0cdf9adc17

Download Submit
/apex/com.android.os.statsd/javalib/framework-statsd.jar

Filesize
73KB

MD5
c62549e4c3dc3dc6828b5930a696d82e

SHA1
a19f79ea7a2fb4a730e20817b52a51625ab23dcf

SHA256
22481f2149c6f9b6e8873c4419c8fd33fd72c7dd1ef8e968c63ba3a1c8eab914

SHA512
cef48a5871c75d214a74fdc2907bcb6052b7a6fee03c7463ee0922fb1158d08e770a0a6fa5412fc69bd5704b65800c9cf875a563a560a864778e873772747d9a

Download Submit
/apex/com.android.permission/javalib/framework-permission-s.jar

Filesize
173KB

MD5
dddbffa4fb9866e65e46ddedbfc917eb

SHA1
d1b1e3f5e3596544a4259a019607d93b31d2a271

SHA256
25c24c41332b5886427c5864067ac491e163a6c729bc219b31183b229e5d3219

SHA512
6a55f0c915ebfcff4fcd928dc67a0126ae7a0467c8ba39028996c219d089312872f8a2f672ba9b3886d003726961da10d66a8459bee91934fcde28ec8ea110d1

Download Submit
/apex/com.android.permission/javalib/framework-permission.jar

Filesize
612B

MD5
11055bb5f97d6dac0aa37bfeca7051e8

SHA1
b71d72d66800f512b9ccdbe3e3b1028f8e1090a2

SHA256
e62333a706d04ca49f917826f49770ad089d134580f050567de912ecac31302c

SHA512
787b6f40c233eae5c0e5d84c178f02f755cb0c8ba9ad3991e145841fcc05da69573d489f3331f46a778c365e25d3cfd20a1388d2cd6ee4dd99a0381feb90b2d9

Download Submit
/apex/com.android.scheduling/javalib/framework-scheduling.jar

Filesize
11KB

MD5
9667a58cf7cbf24089068395a663542d

SHA1
233b15ea03809e8d55249ecc2a386ed8d6f1b05c

SHA256
a80d2a1dd96cbfd38ed68d8934611f2294ff8f85fce7378500570814d571ce7e

SHA512
21b7e60d5e299fae15d61212f657504aa429120ed90f0facae98b5e04b16f35fd79b63a6668c9a1bfa799e47f42f42ce9495e475b86e01837cfcab88111f92be

Download Submit
/apex/com.android.sdkext/javalib/framework-sdkextensions.jar

Filesize
5KB

MD5
dde2bd24649e82bea6ea5d8bcf7c0589

SHA1
ad1b2b9ffeb9e87ce85db2d47a896c551990a985

SHA256
835e58ff912600ddef1b3fa9adaff5d7e2c4b379fbe8adaac065122777b204a5

SHA512
2b9b75466911a0e7f75b02d7132a497017873752a4310a2c79251b546e0c5e426f90ac460fed1e932e6119738cada32cc6df041d4b9c49200675dac9d470abe1

Download Submit
/apex/com.android.tethering/javalib/framework-connectivity-t.jar

Filesize
374KB

MD5
6af554dbf0735cde24b20ffcbc996fc7

SHA1
2f8e3e13b167f5a619b4a4aba6e735516a04f68c

SHA256
595956d19b204fce5ae88e02999467cd6bee084158ef209fce06958d76806608

SHA512
b450779b88d6e07537e6cb39e413ae69c8b60e4e18786d9654f5d610abbe404f83c9ed9036977051766a1b414d7434383c6dfab7edda3d854b0a16562d41f6ab

Download Submit
/apex/com.android.tethering/javalib/framework-connectivity.jar

Filesize
490KB

MD5
4f7a254ff28a65ea2a4cffe24b1339ce

SHA1
5c2861faf85e3086eb0144bb6006099503b5e283

SHA256
13f8f21e0f6c093ce54e81bbd0e169f605060d68a60070bffb0e1ba2e54a40c0

SHA512
53357cfbdaf076104dc6d6feeeabe1235d8e4214bc4b5b3a70eab2107799be19efc0b970add2eb65e8c099b4f0dfce72a309842a5d0bf6c266e3707b73311a2d

Download Submit
/apex/com.android.tethering/javalib/framework-tethering.jar

Filesize
63KB

MD5
d81b5e468aa772e188d4d826bea7022b

SHA1
a95510ede5c549b29c6778b235863a6c817d982e

SHA256
fdabd2584172b86fb29014cb70f61e5995c229db5fe098a80244809bb7bca7cc

SHA512
bcec5c487477d83cc8aa43c75bc1eec9d3e50cf34960c302ace30d8a91a1ed298b5314dcf83845dd142be202cf960a4514eeb8dd376fb7947c7728349d940ae3

Download Submit
/apex/com.android.uwb/javalib/framework-uwb.jar

Filesize
102KB

MD5
7f8f7e544abbf10bf9d0623e09aabe34

SHA1
ee06d0f1adc3ce304d2b4dde0bc043b37a0e32fb

SHA256
31ec5ef294c561e6ead889767bd0656714f42998717a947427150d51dbc3b367

SHA512
8c49570f530b73c9edeb948ff89f1d4491273e4c5ae7a79156d38f12d5cc93076f325913107848cf91f566ee7b59c30b86db213c078fd0a635e9aa6eb9a99ddb

Download Submit
/apex/com.android.wifi/javalib/framework-wifi.jar

Filesize
985KB

MD5
38bb2ecc2647701304bb9980e35480fd

SHA1
1bfc5c534617cbd176268d6a267abd59959f3184

SHA256
79bb444346e1086292f96dfd8f859fe6e72fb439c1426db6915aaddb5bd30a65

SHA512
02fc2026b43e02c25cb370606ff2adfc3c9b66b393250ca92b2d5eabbfbd2568c391d8932ba774bd5c5661c850bd71157a0ce454b195658066b65b7363a1f551

Download Submit
/data/data/com.visualizationbutton_scribe82/.global.com.visualizationbutton_scribe82

Filesize
267B

MD5
ed218c7eada576933046ba7377881355

SHA1
bb8ad7df872741d3d8b42c07e4dff70bf0f6b74b

SHA256
a93beb94e972bd31110daa49f897ecb77362e7e9fa16124e6a22e79f70b2fe36

SHA512
51808cb77c0c80e34ed1e7b7c5761d3f2273bcd918744642ccd6dd29dcabb117f3a1a1e4b3be3f0c2ae01c6cf7dd2f23d516d60e6529a238fdf2ba8aeb8cbb00

Download Submit
/data/data/com.visualizationbutton_scribe82/.global.com.visualizationbutton_scribe82

Filesize
48B

MD5
046a414913add6f5bb60072c7db819b6

SHA1
451ee4f6809260aec622d772fd329c7d0297a842

SHA256
b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

SHA512
4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Download Submit
/data/data/com.visualizationbutton_scribe82/files/.i

Filesize
322KB

MD5
77dc50489b9323274732d27dc8a4e803

SHA1
0e02a3595b62489d0739d771881da8604d117c65

SHA256
c5684e792d1ebefea6aac09fed45911703fd58c899f8a08133d49dd91429a820

SHA512
0684a92f3e9c525384cfa53f531afba61e5930e1c27032a7e27e3315f72761b62e122dc34768d8162ba08f9bed53d148aa8dc034b46456bdd211f230637eba58

Download Submit
/data/data/com.visualizationbutton_scribe82/oat/x86_64/[email protected]

Filesize
13KB

MD5
bcf322e6b20e2c3e784c8146936ff6ac

SHA1
01a4d249a2e19f73fefae62c2b48f8122ae7ba3d

SHA256
8211429335ffc67924946eb2ef997470b96051d29ce76fd2c6c5f14d3b7037be

SHA512
00ee4cb65f9aaef8cbc2c314be3e6ab1c7a45a58634c8ebdc61086e6d5e620e3c25735375029d6a0ce424a936c18d5e22a784175c5b10b42a347aba135fbcfc9

Download Submit
/data/user/0/com.visualizationbutton_scribe82/[email protected]

Filesize
527KB

MD5
3c4fde23e27fc9e2edf41d46be611ada

SHA1
b239a38930772724aaec58ae28e7f7398f3ec8a0

SHA256
ecb6d4ec7ca3a08fea015ba3da5d0f829b7f0878a99e024c6698d5da1a537989

SHA512
0c7b5779649218cb1226362fc35e3f6f9466caf147d875b9a5f9c6cf53b80e739c4a4ac05359a512b337d58013bd4bc23e3b1c39ea3825b1fa736dbda32f49fb

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads