Overview

overview

10

Static

static

6

770994c9d5...dd.apk

android-9-x86

10

770994c9d5...dd.apk

android-10-x64

10

770994c9d5...dd.apk

android-11-x64

10

Analysis

  • max time kernel
    42s
  • max time network
    148s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    16-11-2024 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    770994c9d5bb8554afabb675989bc843e0c7da0769eddb92476c57d50d56d4dd.apk

  • Size

    605KB

  • MD5

    3e9bc28c092d03381ed0ff2e5d45d989

  • SHA1

    f33d1b2a130fd8e7986ef577e93f78d14b4ca760

  • SHA256

    770994c9d5bb8554afabb675989bc843e0c7da0769eddb92476c57d50d56d4dd

  • SHA512

    5b6e303d202a9f2f0f62a13fc52b0639b068e96e46f8adbaa93772f092427c2191e453c67803098c0e0ec050ad975cc862d75d292e444354efbfcce1ecffc750

  • SSDEEP

    12288:V+ppcVe4/g7id0c+dwKLcdgJ7XGM2ymmsZfizHs4hDLrMhdJCF:UppcI4HudLNJ7XGM5sZqzHsIzgdJCF

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

octo

C2

https://34b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://64b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://74b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://894b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139030754567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139033074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b641553903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/
DES_key
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.stillshow51
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4262
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.stillshow51/code_cache/secondary-dexes/1731794430679_classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.stillshow51/code_cache/secondary-dexes/oat/x86/1731794430679_classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4288

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Network Configuration Discovery

2
T1422

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.stillshow51/cache/classes.dex
    Filesize

    446KB

    MD5

    3b4319eaf6dc1eada8a52f193873c416

    SHA1

    96f831cc3f22e28635868f635b0958fe8af32f7f

    SHA256

    c75389a6c582cde210357389b4dca5c339374447a6e24abe38584f27f2937d24

    SHA512

    0b9607419e925b7692633468d914591e79a46d3b04fb475be05dffa45d3e063a3294f2b02b50998c8878ea29e5210f2bdd539b07ef3ecd2fdadbde6e3d366879

    Download Submit

  • /data/data/com.stillshow51/code_cache/secondary-dexes/1731794430679_classes.dex
    Filesize

    1.1MB

    MD5

    5580eede36d9e0606b7c761a8cbc1f78

    SHA1

    38064c6fdddce2453f21a0ec3faa50e5f6e48172

    SHA256

    0c23e37d0b81250fe0212c9d9eda7e25859f84c78b5cdd48f166c028c03fb101

    SHA512

    26efff0ddf5611b424e686e1146634f42bac708c4573761f93c155d8964037ad3413d1a0f4e1119d14e6c1c2435c39413bdc443ff0c58b320fc1260d39cb0d8e

    Download Submit

  • /data/data/com.stillshow51/files/profileInstalled
    Filesize

    24B

    MD5

    09338caeb28bb6fca2ca1d3c8b3191c8

    SHA1

    1dbce4c4ee99e22fe698681134554fe25a2a5757

    SHA256

    44ffe79b2ce213be92e99321c7494775183f7d42ad8c9580380bb20477fa5ef6

    SHA512

    a506c0c2d014611f45c3992a6d6bc41c81bb63cdc7ee079c9efb7667138cc04e6c23f12f8dfdf84c8280794fc2ef36713a1bcb9862b93af265780d5f7d19467f

    Download Submit

  • /data/data/com.stillshow51/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
    Filesize

    8B

    MD5

    60d700c0b2461e4793176836b13e9784

    SHA1

    6014891acb728fff5d39a9fa53491273e8a34ddd

    SHA256

    95660ed9bd6b9f283c1b68405247a5aa9784b39b1df3c28a619fcea4f00b3a4f

    SHA512

    fbe7f0609936554c5719935578da0053cb50018f314da2457e506d28112b30ed35381d5dcf2defbc357dab55ad0b04051c2a778cf2089092b9455191b667f598

    Download Submit

  • /data/data/com.stillshow51/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.stillshow51/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    5437843740e76cc0416af48ec831f7d6

    SHA1

    2ebe20f489f9e75b2d31d69733f19d683d9213a7

    SHA256

    7a203d337f0d095dd9e4657b01c629e4bf7335add8b7678a20fa3d6f3966e891

    SHA512

    90646b50d79752f9c9057b4d90be9295259a528535763def7b01248cf79f50dba9890fc90642c2ff97989d62489e31396a2529dc5e2bda8dcc7010977b8881c0

    Download Submit

  • /data/data/com.stillshow51/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.stillshow51/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    c1838a7107ac1bb9996986679c1d2e8f

    SHA1

    ac76555f7191c0e29f109c1694abfc75e6f6d1b0

    SHA256

    a944ae9ea1046c51d4b0ca6122168f7ce67f89370efac2ecedf66288e8833313

    SHA512

    c662c3f19c71704400b6e0c534183676d2f5099ec820c96dc7eebc72758b951480e9ffd1e8ba755e9e6925db6a0fef59e723a38275de57f38f85ea8cb44d9897

    Download Submit

  • /data/data/com.stillshow51/no_backup/androidx.work.workdb-wal
    Filesize

    116KB

    MD5

    5cba02154cabd5d8ef1b32728a15f44a

    SHA1

    d06142ced6f2f62fe51a928385b6c73a3812f041

    SHA256

    e78d809c8f75315f6aae14834d661ffb65c5710c5aab183ffe2f34817e5acbde

    SHA512

    b37d7828b0f6089efa29505c1d4745ef856e29b1d4becc13e1e885f99573d352f3b1bfd24a1614af89d17aea437d848ff027c3f281a1ca8c311f9e2e43cb3937

    Download Submit

  • /data/data/com.stillshow51/no_backup/androidx.work.workdb-wal
    Filesize

    124KB

    MD5

    4734e1d8ae4f4d40f65a12fc5ef41cc6

    SHA1

    e4b474492c395d5252e551818d19f5b0374ea450

    SHA256

    232c18961015cea24ed41ad5a1b3fbba6d86e61b3d940b707fa77606fd142948

    SHA512

    216b445b0db5c96a179d5b09fda6a3400d49c820249cbaef93bb537d0fddba5011b229e55a50376785493b5297c1a7f4f9429a1d4a11921c313e4f0e934a373f

    Download Submit

  • /data/data/com.stillshow51/no_backup/androidx.work.workdb-wal
    Filesize

    177KB

    MD5

    97f4544e389382c60b6a4a4a71762685

    SHA1

    0435565dbc7ae0cce12252417e75ce7a8a5d1a7d

    SHA256

    c7f3aeb8e6c74fa96a8cc195ff8eed24435426ae1ddea553b9115be431ae24b5

    SHA512

    fb8fd3cb452a4efc81c3a2cc6abb5a5b5d23e83f31a6cef5b1cb3914e0d647b3c46b5534a6db4f5c2973e8db14765e6675c8d30e57c528ce4d7775308953edb5

    Download Submit

  • /data/misc/profiles/cur/0/com.stillshow51/primary.prof
    Filesize

    108B

    MD5

    ebaaaf65d8be3832e6776826051713cf

    SHA1

    f9f4e3f409a0cc80f6ac6784a1cc60af9994b8d2

    SHA256

    82734afb342b0c87d81bb8483524b1c8c79e939798edadb7ee7f0df7095ea536

    SHA512

    82b60f3c0d53d46c65a7ec1b3d7dbc9839e48c84ad48c3aab4f735a5b89c75365c56217d6811f0aa71a092402ef7c6be7366688786454992863d606533d33bff

    Download Submit

  • /data/user/0/com.stillshow51/code_cache/secondary-dexes/1731794430679_classes.dex
    Filesize

    1.1MB

    MD5

    7f13d9edaad4c9722ded20a4011d4814

    SHA1

    a3bc3ece90b4c8db36492b8bef1f924763809fec

    SHA256

    11d53bef73fffc2f8a89c107d3e1466af176e9c75918d761ae790a6d529e1f63

    SHA512

    65ab8ae30ae5c720597611588a471d97bc989e0c69dcd0885ef5a54e9f9bcf1079e25e7e1defde4a603f8d79ebdb9f86660fe5b27ce0692610b25cbae3249fb0

    Download Submit