Overview

overview

10

Static

static

6

c0b43974e7...e4.apk

android-9-x86

10

c0b43974e7...e4.apk

android-10-x64

10

Analysis

  • max time kernel
    27s
  • max time network
    147s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    02-11-2024 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c0b43974e7c5dff72fc566de627dbcb9cdd7691d22f8a00036f60f47f1e0d2e4.apk

  • Size

    1.3MB

  • MD5

    8d80881e9d68e2c6332073906f11801d

  • SHA1

    423e4f9b389cd88f0ad5c2d1cc51cbdf76cf4439

  • SHA256

    c0b43974e7c5dff72fc566de627dbcb9cdd7691d22f8a00036f60f47f1e0d2e4

  • SHA512

    9132205dfa420109661da932e60a05c2eac1fc9bdf4e31f6a8a3a7c6b2433aa3a30522178f3d6094d2dba388f40fe3803fa95ce3103ee1cbcad386e513b2ebdd

  • SSDEEP

    24576:p9L+INfAHMhj1WwUm/JuSESbQiShBf/GSpWwyHTTZfLFZZMlp7sF5mi2Wi:p9LBnhj0a/3QiA5/GSpWbTTZDF4p7Yg

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

octo

C2

https://3bb139030bc7238b33981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://6bb1390306788b33981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://4bb139030b74564533981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://4bb1332453233981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://4bb13903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://4b6432453233981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://43313903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/
rc4.plain

Extracted

Family

octo

C2

https://3bb139030bc7238b33981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://6bb1390306788b33981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://4bb139030b74564533981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://4bb1332453233981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://4bb13903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://4b6432453233981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://43313903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://9bb1332453233981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://5bb1332453233981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://7bb13903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://4b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/
DES_key
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.piececover6
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4214
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.piececover6/code_cache/secondary-dexes/base.apk.classes2.zip --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.piececover6/code_cache/secondary-dexes/oat/x86/base.apk.classes2.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4242

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Input Injection

1
T1516

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Network Configuration Discovery

3
T1422

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.piececover6/cache/dexDir4967289678319578219classes.dex
    Filesize

    1KB

    MD5

    4e61c08811afeb9494278f1a7d47f738

    SHA1

    5b2a983ae31618ed7f9a4bbbd5822aa97ca756d9

    SHA256

    3e6a57ba3a7efa0887a27b60ba09df2a0bfc892b1741baeb41c832f9113d0256

    SHA512

    8fe9363a05b119854504f6eb8a184a34111eb19eb6dc57846da6c02dc6cc56ff9aa60b443b9321f237404455813dc8a2f9401b9d6b7954b745669990d0a4b042

    Download Submit

  • /data/data/com.piececover6/cache/file6471772862761586825ext
    Filesize

    1KB

    MD5

    c7b5eada3dc95bb00d702d4dc3650e8f

    SHA1

    44040978491dd8614755c95677b23f16526d72bb

    SHA256

    cf3620fca474b5e8073608f3c75824ba0c60bf419b716f943fcf58b2247be25d

    SHA512

    4c4ac0db8075b91736b301dcfacc334abcb449a0e3178d5203e4f434518a5ade405a5faa79bd5ff537e0c350d82ac449be5e273ea63aa4b03e45efdb7a16186f

    Download Submit

  • /data/data/com.piececover6/cache/wbkluozhdyk
    Filesize

    449KB

    MD5

    6815620d7515427c5fa4735f11281c2b

    SHA1

    089b66fb5ac0ecfeb34384e6c1a793cdef843df3

    SHA256

    3cbfba98f094f17175803e9874a7c5170c4c58b7cf75e6f858a1a31548b2a309

    SHA512

    06927ffd3e726819a21a2258977eaff3f198327634882eb2a99d114d878e1f68d82ab1e695a81d09ea78ed62880a1fa4098dd141dd93a6637117aa9ff279718b

    Download Submit

  • /data/data/com.piececover6/code_cache/secondary-dexes/1730584907063
    Filesize

    2KB

    MD5

    b073f960fbda11986db8fee0815fb86b

    SHA1

    5be979257ba8d218d2851571efe0121c81b98a62

    SHA256

    016737518c8f4d1a5f90cc61945b21b499b4086dc9ae616502dbfc918a6fa636

    SHA512

    eb09d0084d56d68fcc5c147816c618959a3ea278ef477f9c5a8777f86cfd7381928206394042d3edaa5753f9c513bf106d29b77eba809eb570b7cfe230b4645c

    Download Submit

  • /data/data/com.piececover6/code_cache/secondary-dexes/base.apk.classes2.zip
    Filesize

    1KB

    MD5

    a7d1a53be7de6ee121bf298f40d2c1b9

    SHA1

    806580d2cb6baa022e7bf65ab5cb233fa0809c9e

    SHA256

    174afa2d05482af1f86ff87a7c398c814e16f9310325feb046ff51fbd69e6bbf

    SHA512

    f15cd3a05d2b364dd8d7e70f0d9c429fdb7eb4ca8129f06f90d71c86791392e553c66d0bbee9e96187d56637e6e5c636cb3e7d5cf538bf624e9c0ed1841a11ae

    Download Submit

  • /data/user/0/com.piececover6/code_cache/secondary-dexes/base.apk.classes2.zip
    Filesize

    2KB

    MD5

    eca456d2b1a0447b182203f4fea2a362

    SHA1

    16e1eb29da13b8f3fbd45bfe04eada3e23287d8a

    SHA256

    7c2b035f5ebeee4a73a7f7a5f27bdc854b2454221ddb507cea6a5e23eda5da8b

    SHA512

    d73aac55bf2d266d990fb0427cd477c38dddfe14c74e0a183404fe5823c3dcb73b5c72c922692791f834051bb9758c4377d39aaa639d7a1790c4d099f8e15d2e

    Download Submit