Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags
    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    16-11-2024 22:06

General

  • Target

    e603c5cc6349913bc866f9fdef16fe0144b2daf81505a1ef9efa23c4bd44085c.apk

  • Size

    2.0MB

  • MD5

    e1869f35d0d95cb1ec9236b32be35da5

  • SHA1

    c165cec4a14f8e310c9827a792301dbcce96e746

  • SHA256

    e603c5cc6349913bc866f9fdef16fe0144b2daf81505a1ef9efa23c4bd44085c

  • SHA512

    8ed2b9d6a8e6c8b47f543ef3e6f7163d920669949c9ff12a9c8fbd30cd0813149de26082bd6e809e12e4467bcdc91b39df73543a683917628843404800df356a

  • SSDEEP

    49152:XqX15ZKEo3Hh88waxJyKXNI17q3VlJaXBpKQigAAg:XqXZ1o3Hh81axJyhq3V+X79igg

Malware Config

Extracted

Family

octo

C2

rc4.plain

Extracted

Family

octo

C2

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload (1 IoCs)
  • Removes its main activity from the application launcher (1 TTPs, 1 IoCs)
  • Loads dropped Dex/Jar (1 TTPs, 4 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
  • Queries the phone number (MSISDN for GSM devices) (1 TTPs)
  • Acquires the wake lock (1 IoCs)
  • Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)

    The application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTPs, 2 IoCs)

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  • Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)
  • Reads information about the phone network operator (1 TTPs)
  • Requests access to notifications (often used to intercept notifications before users become aware) (1 TTPs, 1 IoCs)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  • Checks CPU information (2 TTPs, 1 IoCs)
  • Checks memory information (2 TTPs, 1 IoCs)

Processes

  • com.findsoon0 (PID: 4337)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests access to notifications (often used to intercept notifications before users become aware)
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.findsoon0/app_DynamicOptDex/sEAu.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.findsoon0/app_DynamicOptDex/oat/x86/sEAu.odex --compiler-filter=quicken --class-loader-context=& (PID: 4362, child of 4337)
      • Loads dropped Dex/Jar

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.findsoon0/app_DynamicOptDex/sEAu.json

    Filesize

    2KB

    MD5

    787e5d6042741cbc1e038ebd72fdc962

    SHA1

    e49d24dd0925f88fd06842d738cc9ebcf9df4220

    SHA256

    782ad05078b6a8985666cd99589d136288627d5c1b519a23aa78a874d81c17d7

    SHA512

    e33e1d9db6c7786049c244e0038df4293a80a89dbc7584841e49bb588133c70d69d03988c42ed04fba300b7991d061984e12389d72d60bd7420c6f184a1a2a9c

  • /data/data/com.findsoon0/app_DynamicOptDex/sEAu.json

    Filesize

    2KB

    MD5

    b9d18d15cd4d6ea499f01abb931e17f0

    SHA1

    199292ece639194fbac670f4bcc156d6e001db2f

    SHA256

    f55cdcf9600c7feb41d90aeac607466e73de776fa855dc1db30f4165100a586c

    SHA512

    da17da2c31b562e705dbf78ac66372b2aae5ac1f14e758a78cc2f97dee558b66687271d517fa5925afc99dfdb2cde592c12f41cb1b419aa80765aff8cc1d3f45

  • /data/data/com.findsoon0/cache/mjkmfsjufedbme

    Filesize

    457KB

    MD5

    54a1be9c2d8d116bddb449d803699376

    SHA1

    93f16f54cfc855d52b4dd72f785ebacf8cfa65a6

    SHA256

    42268e8d1a19caa5bd7e074f37fd5adaccb9bfe379c49e1b80b3caa02fce875e

    SHA512

    30081fdd9ef5e7c593bc97cc80287ee8a1e956d53d66a8aac39a75cd7edf822c36be3c75903e532c78584a57a0de9deaee102f87434c7dc60a5abf068ddc5cae

  • /data/data/com.findsoon0/cache/oat/mjkmfsjufedbme.cur.prof

    Filesize

    495B

    MD5

    82d59e7fa055c994e78107ad7abba0aa

    SHA1

    94a165e155e49a144813a7c308d0a93dbdb2778b

    SHA256

    7a9dfafddaf3b02ccaa2e5db198805014dc245f9a2b4d0662f22ea61d1f1b098

    SHA512

    519ce6b41d10f00a9bf88c026830c99d4b97faafce94a655530dcb41aed14a4003b0f44db749900685ef43c4181e92625db05912be251f16f7f77f2aa4276f71

  • /data/data/com.findsoon0/kl.txt

    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/data/com.findsoon0/kl.txt

    Filesize

    232B

    MD5

    5ac1ab93f28e801bac69994b89960d69

    SHA1

    0e0505ba3f1956cc3b256a8c4adb275bd46f012e

    SHA256

    c36d172bdf4a4fc01bbab4e70e3d47fd9aedb82963e5548f2e3f49c33dfc6c0e

    SHA512

    2586c0eca386a15480eabc5ed5d553687fe1ee9763e5d8f3f63b7dc25f84afe53c55a6433073b22609c300299e12cc5423a953d30db4b3e6417048b0f4a50da1

  • /data/data/com.findsoon0/kl.txt

    Filesize

    63B

    MD5

    856cd75ee0b2cef5d588e6f39a3511fd

    SHA1

    25bbee97c6dd8e3f7a138e4ffd20da747868f0e8

    SHA256

    2d2c8583e8af0b4951a1e209d11da12871b9438acb6be10d31cb97b3c425b299

    SHA512

    6653ddccb7314606e6f367be78b8bc4d35ce380d09f3d9eca33df0221afae277cdc221356d28b1e072790e22280ee3a5cbfcb2533f77bcb9862b538effa4d23c

  • /data/data/com.findsoon0/kl.txt

    Filesize

    54B

    MD5

    c673f443ecc3afc57731500166c3832b

    SHA1

    f3376fba7dfd3e24458d9598e507b907b0107f62

    SHA256

    383d3923078a0f29048f8549505ed8d0d51253171a35f8f0c701949293113fad

    SHA512

    1dc05870d91ee4efe40d8b351b8fbdc2beee0ee640258eae73f1be7262047e9c733a572f9046c820d405e4d5bbd478831dd8dff58c96b7c4e0acb649af520d5a

  • /data/data/com.findsoon0/kl.txt

    Filesize

    427B

    MD5

    de3d6f301a56f74d5d4ae1dbcbe4e73f

    SHA1

    7e5bc4072eb9cc6526d1a5581bbfac71d711b67b

    SHA256

    fd2c41947dd386400f62e266c16fdd191ace2455a03b9f148f18609ba2d71839

    SHA512

    44ac36d29291eebae6c339f873217e1a3c328f97c33b9678c9169b06c6c66132e36654c2f3cdface3857d895ca66c88fd22a63ece8a8bab6782a652b5181a021

  • /data/user/0/com.findsoon0/app_DynamicOptDex/sEAu.json

    Filesize

    6KB

    MD5

    844700d5b81831ad2bceab3df89879b6

    SHA1

    d72f2c6e4a8fd98f44b2b5e957222967119787b2

    SHA256

    5940421e6e6ea1c835006f45cfc84e3cca96c3039c4dcdfa463fc020c91e8958

    SHA512

    b16002de71d04db19b42515dfe4be8d6a05971d50b51d63698630849771d269ea7bd0b16dd7090fb68a8f63761af9de722c945eb8fea03a16225e1088a5b694d

  • /data/user/0/com.findsoon0/app_DynamicOptDex/sEAu.json

    Filesize

    6KB

    MD5

    971f7dc04310049f3b571bc5fb540834

    SHA1

    af8df12c444656cddddffe6eae3acd560ff174bb

    SHA256

    fc9be0d765d2f491ce6a3f73f1baa123e4ddb25eb32af8e9b3c53ef5103aba16

    SHA512

    8bfb71576308d9bb7c33b010bdac84b1e91c9a2267e3db7f4ddbd09806e5b95dd616e7f3dc705e473165ff7423fba966cd4d83792840ec595d4edc6f8db5494f