Overview

overview

10

Static

static

6

.pending-1...16.apk

android-9-x86

10

.pending-1...16.apk

android-13-x64

10

Resubmissions

12-11-2024 07:36

241112-jfc3sswrhw 10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    12-11-2024 07:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    .pending-1690617237-chrome-update01216.apk

  • Size

    1.3MB

  • MD5

    f1a8bde16690e181588a6e2609b20c96

  • SHA1

    5cd203c9a378e389714320c66530010036f2fb6e

  • SHA256

    fcb5665e81ddec0bbe57bdc2acf443ea5f5a521e50d085f978f2dc4e5ce01d0a

  • SHA512

    9536f6be977f8d2e12e55205fe4818d2cbaefe6e1035e9151c0080052030ab5b6e5fee831cc879ca084b33dfeb932e76bf4a9bd017827cb1b98c4513a4151caf

  • SSDEEP

    24576:WHyV2tCKvYy/Xm+B2akhR6Qf9cGEGXN8ZODZH7mqzCeJClAE4KvAS3u:WS1sYyP/2akhRFCGX+ZGZbmqmyClAE4D

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

octo

C2

https://29p0jb1nyxmt.biz/MTU2OWE0NzJjNGY5/

https://fmri3i4567ng.biz/MTU2OWE0NzJjNGY5/

https://ahs8a4mz8ehq.online/MTU2OWE0NzJjNGY5/

https://518tudu7579h.xyz/MTU2OWE0NzJjNGY5/

https://4jsi8qj3203u.org/MTU2OWE0NzJjNGY5/

https://4n51yg9firr3.site/MTU2OWE0NzJjNGY5/

https://0eto0mhk6g7b.top/MTU2OWE0NzJjNGY5/

https://icbm5s5oj028.xyz/MTU2OWE0NzJjNGY5/

https://yjf241z0uu75.info/MTU2OWE0NzJjNGY5/

https://wanrflitrnvn.asia/MTU2OWE0NzJjNGY5/
rc4.plain

Extracted

Family

octo

C2

https://29p0jb1nyxmt.biz/MTU2OWE0NzJjNGY5/

https://fmri3i4567ng.biz/MTU2OWE0NzJjNGY5/

https://ahs8a4mz8ehq.online/MTU2OWE0NzJjNGY5/

https://518tudu7579h.xyz/MTU2OWE0NzJjNGY5/

https://4jsi8qj3203u.org/MTU2OWE0NzJjNGY5/

https://4n51yg9firr3.site/MTU2OWE0NzJjNGY5/

https://0eto0mhk6g7b.top/MTU2OWE0NzJjNGY5/

https://icbm5s5oj028.xyz/MTU2OWE0NzJjNGY5/

https://yjf241z0uu75.info/MTU2OWE0NzJjNGY5/

https://wanrflitrnvn.asia/MTU2OWE0NzJjNGY5/
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Checks Android system properties for emulator presence. 1 TTPs 1 IoCs
    evasion
  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.nextobjectygy
    1⤵
    • Removes its main activity from the application launcher
    • Checks Android system properties for emulator presence.
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4243
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.nextobjectygy/app_DynamicOptDex/TGl.json --output-vdex-fd=41 --oat-fd=43 --oat-location=/data/user/0/com.nextobjectygy/app_DynamicOptDex/oat/x86/TGl.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4269

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

3
T1633

System Checks

3
T1633.001

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.nextobjectygy/app_DynamicOptDex/TGl.json
    Filesize

    2KB

    MD5

    fc718b98b64fe2ed82e1e2c0d9967266

    SHA1

    cc7975eca0b8f2780d99f32ebb6e5ec8226fe078

    SHA256

    4b91d174ff6bbc4d85830d59f99135780a4e10c0cd869723bcb1a5dd99d1a0ff

    SHA512

    fe8df4b8730c8d2c6beebdaa01c7e79a761d7a75ee13705c2dcc5a82a0f3f5d7c1bd83a64e37f5ecec6950b53f2f7e8b0d587654c7301bb2a55f7541a94b9e90

    Download Submit

  • /data/data/com.nextobjectygy/app_DynamicOptDex/TGl.json
    Filesize

    2KB

    MD5

    b50a3902d820db59c863242b523ea612

    SHA1

    2f7522c043c173916095aa45be39ffdebc49828e

    SHA256

    631a6fe0c17c52ccc4ceb67e7296b575857b36fb7dd1965a71fa5abb45f01036

    SHA512

    ebaec637417f0f5e750ab0a3b35945bf17ea729de91d4253b1206986c38e6908f6e2433ef4f599a444c635d11a9826761fbfd33c68d980418058f1903b99e076

    Download Submit

  • /data/data/com.nextobjectygy/cache/mylywfwk
    Filesize

    271KB

    MD5

    4889f001450b34d1d50b0a8d1341a5e0

    SHA1

    0d015e40994ee61bd4582b34c18db5e762418a77

    SHA256

    eeeb9de74c2137c1d79a72da567e6610ce974d2d2a2f7ab38472dbb76dac0674

    SHA512

    0fabb069e66fd7b32cd03f6bec0228d2a74649ff35ef446943f0f92fe9d08dbecc23189a36f2c18265d2f89b217ea604897125419c3aa841b8a4a8a032c85e3d

    Download Submit

  • /data/data/com.nextobjectygy/cache/oat/mylywfwk.cur.prof
    Filesize

    440B

    MD5

    030ca0af933090d9d70823bea9e81607

    SHA1

    a4e0fa7cd51312166086a250907ed171791492ef

    SHA256

    3f03a209f911a1b10791079e179ff47e5509d0079d3b241664fbf3c8e61c9bc3

    SHA512

    38cb4c6c701e291ebac24c3a47a70c17ff8bbef8fedab31cf80cd58af8e63f5b95c0f60258ec1fbb07ba99163a2917ea53f59d22a29cdd43f88afd3e13a5bf48

    Download Submit

  • /data/data/com.nextobjectygy/kl.txt
    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

    Download Submit

  • /data/data/com.nextobjectygy/kl.txt
    Filesize

    230B

    MD5

    82c65b65a2bad346fa4a629b1f779002

    SHA1

    78211bf725dbf61a9d67b993729c3127b13d6809

    SHA256

    4919c0e27749d1262dcb90dedb42c2b6f84689938b601b3689c8be6b05bc842d

    SHA512

    949374597925c8e05fac9fb6a214da97c58ecc2a5ad6f4ff1cdf7572af20ef9f3a8c9bb8414222e77cb37b2493725a4c49df065061217a6134144a1a8f89add8

    Download Submit

  • /data/data/com.nextobjectygy/kl.txt
    Filesize

    54B

    MD5

    e27a8bdde37897f779d324effeeb688f

    SHA1

    63754ca122d6965a7202f76bafa70fa786409db3

    SHA256

    90410cbe4a9783512a18cdee7c17618f2c3a055e137b21a51cff70a0cd132237

    SHA512

    70698159e5198fda331179143502ba0499a7d8a0255bbf2a5bec2f36d10e376122c950258e24af7fe5b3bbbe685bec37dd205e78f34fafa4976ce9b566de342c

    Download Submit

  • /data/data/com.nextobjectygy/kl.txt
    Filesize

    63B

    MD5

    c45ba7384830ddf6da0e39e8c069c51b

    SHA1

    5ba74849a9907108776414029e83c6f90935ceaa

    SHA256

    1c9899faa752cac95d3611e114d50a854275ad07e07720a312c0c98288547767

    SHA512

    d61942ff84d9e1980796d2c25ae9059d36f4ea335ed60f1c7256f009219fa161b931d4ca43688da742bc348500bac55850a9e49cffafea76dee2dcc780147b2c

    Download Submit

  • /data/data/com.nextobjectygy/kl.txt
    Filesize

    423B

    MD5

    3238dad0c9582c82eb889074c1024cda

    SHA1

    561e989be3a348847a5d0cd63e871ed8b3b235f9

    SHA256

    63426bc655493636287e607aa0245e0de1cd9251515c13a1e44208a4331b572f

    SHA512

    c1174f415c985ee0e6822cae28d80fa3a835b070099010cfc773c7e8c669b8f33698465ab7dcd427f1bc35cb1d81998d88f831e8e38563fc32c207596d560acd

    Download Submit

  • /data/user/0/com.nextobjectygy/app_DynamicOptDex/TGl.json
    Filesize

    6KB

    MD5

    603abf42f0ef8bf8780c6d483d8e40ac

    SHA1

    b04671e952552c8949b6d08974575561fa2857a0

    SHA256

    462984ea3c11fcc928436ed34fd0920453ba0518f02946df13eb189a8890976b

    SHA512

    c359ee524194294bdd8b04cebc751ba1db5a7653a2be86c6310c665ac1ef39ce0fe4873cd3e05197c83e20b1cbfc511f8bcf986abe5792f1094c166df9640b2f

    Download Submit

  • /data/user/0/com.nextobjectygy/app_DynamicOptDex/TGl.json
    Filesize

    6KB

    MD5

    58e846b1e78a29b77a81113a915ed6cc

    SHA1

    e929dd35bc6cd2dc4417df46dcadc7a32b50875d

    SHA256

    1aa5a09744c24bd1b999846cd4f742b179fe3beb27f5467c161796c6357ba807

    SHA512

    5988e11a5b46ed74fabe6b4c72d7fff207e036bbd637e945c7657eaad078af1bcf1e6d4b2255213a0b86ac6fd4145a7bcbd7a1c08296c9f50e34ea0ae9c3857d

    Download Submit