Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags
    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    10-11-2024 22:00

General

  • Target

    0ef52e47637939880aa85c0d1d824b15449bbae70b65d17be6897a259010b71e.apk

  • Size

    637KB

  • MD5

    f9801769c22d77741480e6e4f46d1ba3

  • SHA1

    0d0ef7e1ba141d0b351ae21a68ebc80a59779be3

  • SHA256

    0ef52e47637939880aa85c0d1d824b15449bbae70b65d17be6897a259010b71e

  • SHA512

    71d138f6d9f2143a54d127b2826e3822d1b25ec928885ec34fce2a478c0b1e610e3cfd5a914a953a911b431c0b1a7b5f52a53d107929ef659b4051b3462d36eb

  • SSDEEP

    12288:TSiVGakgqqu7G78+O+2fO4RRoGvB9Y4twan46ecKSHai0xcpwpVjL0op0KsFjipN:Gdgqqu7aElO44Gs4twDcFHtPpOlMbef

Malware Config

Extracted

Family

octo

C2


rc4.plain


Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 6 IoCs

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.sgakagak.agakagabs
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4338
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sgakagak.agakagabs/files/arm/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.sgakagak.agakagabs/files/arm/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4364
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sgakagak.agakagabs/app_mph_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.sgakagak.agakagabs/app_mph_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4387

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.sgakagak.agakagabs/.qcom.sgakagak.agakagabs

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.sgakagak.agakagabs/app_mph_dex/classes.dex

    Filesize

    450KB

    MD5

    96de19022452856853c365e26583ad59

    SHA1

    a47e679075ddc612b4ea2b80edf54abdb169caaf

    SHA256

    31cc0b964c631b816d0fecd21e09ab8be6655b61df751a40b7f376dae7280446

    SHA512

    595248ca615e2eac908e988a00812e5c4df990df6c79d602cfe3fb98ea56269ea848ff534d200ac643e04ce9c5d5ed7935b5eeda00886cb539f7b937750478b9

  • /data/data/com.sgakagak.agakagabs/app_mph_dex/oat/classes.dex.cur.prof

    Filesize

    460B

    MD5

    7cfbc1387767cce780685389359dd5d4

    SHA1

    35bb445ee778f2031c9e1c0bf535c494342c06f3

    SHA256

    e7c053a3d38e6696f8e2a313aa68f4dfe7500e9751a667e39b5f02359024d57d

    SHA512

    233ee4cd3e2f088fb99f7b4e50da1c884e8c8cab13a3f0578f3ba1a1cf87db7bb85922cd68e1960733f96974b0cdd0323590d9d87fcff39074cdb80d255d2ab4

  • /data/data/com.sgakagak.agakagabs/files/arm/classes.dex

    Filesize

    100KB

    MD5

    d90e84492d628958f60f85c42b42d36a

    SHA1

    9a40bde00b906f276b7f37a233f3418869bc1199

    SHA256

    61a95b5c5e05322f45130fe7389ed0d3ee905d4c1136499b90b855b9b4216b13

    SHA512

    d54abb185cdb614a1f5c5ee668b9fdf6c8aa95da07e9276cbf6ec02219a1fbff9f5fab1b69f8713c53611ae3c022643c2af6644e205615527a8d3a3bd539e7db

  • /data/data/com.sgakagak.agakagabs/kl.txt

    Filesize

    230B

    MD5

    871d841a5e9d809f3c9f69efe2980b1e

    SHA1

    6f862cca8253041266841533e3d0fe35b9341b7a

    SHA256

    792ff8395e7fc270c2589c002366a273fc48c5c461726402432e6e00b16d4fa6

    SHA512

    c9162ad42476888925ab4c7e244034868867a46051de6ffafa081b9916648fa5b2c8e09d04b36e9a72065b70b904ac4b14ce040052181d2f1b8a6a33d74ec1be

  • /data/data/com.sgakagak.agakagabs/kl.txt

    Filesize

    54B

    MD5

    cab46e3c125ef72f8d5c1f79b151062f

    SHA1

    0343dc6686ebbe1f1fb32ab2b8ad3d4e37ef246e

    SHA256

    bdf759d244f81bca795010b01e4195e693613262a1f8a3e00f474f2dfc5a1ce7

    SHA512

    b6a49a31b7c8675c67abb642da8698a6e232207b1866435abc02fa1d4609e7735c9d9aa1267b7fc9bef415532b395586deb25f7b03edb1eafd2814e53a9fcefb

  • /data/data/com.sgakagak.agakagabs/kl.txt

    Filesize

    63B

    MD5

    959a9b24b3095162e0e07e1ac4f16874

    SHA1

    a5f4977d84365277879a5a80f59bfae64ec4679c

    SHA256

    70230087ac11032b8796aa0cbb56b38e7cb0b3641444da848ba12b85130b4dd0

    SHA512

    521977341dba6dfb2e630af01469603c07d4472f515a78c27e37adf6c78ff859d50d6c1c65491f3e069af48e29501dbab820efe5a505aa128da1454252dbbb05

  • /data/data/com.sgakagak.agakagabs/kl.txt

    Filesize

    45B

    MD5

    e9d77e1e5607e47aef30e5ed361c09ae

    SHA1

    efabef87651b50dc9c9d256abbe0752a5372b0e7

    SHA256

    310beee10bd9aee4f42df50c28054f5f37e85aaf5c4b2030f09fb0c0e8184332

    SHA512

    abbd3a868f40775e17fac6bdfae52f544a4f0d21a4b02370f78fcaf155a046e7c5f3e1621f0593c83dd53dc893683936bfeeddbd8123026f767d0131b488a0fa

  • /data/data/com.sgakagak.agakagabs/kl.txt

    Filesize

    423B

    MD5

    49ec6be223e4b946518192451be35d57

    SHA1

    21fe7671e9b53fe270b3841996dd4ec460571e1a

    SHA256

    98571fbc8a359ccfb46f09e6d230a68640990a5b99b6c352aee2cb9940e45526

    SHA512

    0ce111c13bacf61deb72a4de5a7bc10ead96d74f2375bc694ed1e00f9421f6c91de97a0c1f002149a25ee332c2ec58899aad20b06ef41aef3fffab4e3c57530f

  • /data/user/0/com.sgakagak.agakagabs/app_mph_dex/classes.dex

    Filesize

    450KB

    MD5

    2abb97e1b8b8944235e50cfeebbd142a

    SHA1

    b357a16570c3ff4a4c8970db1be406ef11ce79e5

    SHA256

    a3c49064f5d825868ac1f37657fc66d01adaa26e36e60c91b249f5e6d4fabb05

    SHA512

    ebd636c44163881f9999a72ad466afbd70211c38a510a7eb188a339714ee7d05f3248032a9d01a3f86f00e3395f3aa2619efa1af95b1e8c356d4860bf965c718

  • /data/user/0/com.sgakagak.agakagabs/files/arm/classes.dex

    Filesize

    100KB

    MD5

    fc41cee2fe29a00586b1e6e3436d65d1

    SHA1

    5f61b1a0f842d28dbe8340baa8c2f09a72c9e84e

    SHA256

    bd064d7110032cc1c57eacb570b3da7bcb8109d1b91e2ec16e9e9e95c9db0093

    SHA512

    0a1ca3ae10e7652fb182210150bfb1c0ea6ec17df61e185d00179941edf41eb182a32ebde5e559d79ca8ce246e463605ed6c0bb1a879b5b6605037b012906ca2