Overview

overview

10

Static

static

6

69004f172d...7b.apk

android-9-x86

10

69004f172d...7b.apk

android-10-x64

10

69004f172d...7b.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
  • submitted
    16-11-2024 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    69004f172da0121ae1313812e97dfc67ecc2f3c6b75231ff52565b534fb8bd7b.apk

  • Size

    605KB

  • MD5

    6a5b6a3038012f9953b13a708f8b7265

  • SHA1

    4429f716eed529788601c14552aa48a7ca634a2c

  • SHA256

    69004f172da0121ae1313812e97dfc67ecc2f3c6b75231ff52565b534fb8bd7b

  • SHA512

    e8ef81e3d48fe123ab99b6a1e623b311ea5871e8115b84530f346e58f70978c561c3c7b0f0648f155b1d3504ad5c72bd18913eb3c6d08fb4bdacf1b9b25e07ab

  • SSDEEP

    12288:wv2Hpn70EYGXC95tSmRYcdREahbmraMVfVjURfVsyXVy4IqnvRms4hDLrMhdCi:NHFlZyFSmicdea4uMVfVoRfSyfIqnvRv

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://34b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://64b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://74b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://894b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139030754567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139033074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b641553903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/
DES_key
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.marklargel
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:5246

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Network Configuration Discovery

3
T1422

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.marklargel/cache/classes.dex
    Filesize

    447KB

    MD5

    fb7a7e53367ceee6bac148fc05f7fb92

    SHA1

    3c1659aaff3eba6cf751bc654737856f2618d3d6

    SHA256

    4c6dcc8089fe262438b61e0b7debad4b6506689485489f74dfedcb8992972d0a

    SHA512

    0b4a0c169f87a71860c8c41840e2eac3acca7ef82c8e15ac7705be82d4b873600aa0b3ea73f4ed27283f1896acfdaf7ec190de623349e38ddb64f856c58d21f3

    Download Submit

  • /data/data/com.marklargel/code_cache/secondary-dexes/1731794429155_classes.dex
    Filesize

    1.1MB

    MD5

    9aa8d5d67565669133c579ae21386638

    SHA1

    4e15670cabd3a4420f1251ee6b59c28685da284b

    SHA256

    d52cab89c8f4269e0fe2f4050b42b0842984f402bd766613b34b8f83d0c7d62a

    SHA512

    a12281391f2e69e1aab5c1a28007499b09bc53a2e4dba8537d243ea8720643e85d882a3703b53479eb020ad621bb1fffde983fbb1eb5ac7f0948cb51c4bbe202

    Download Submit

  • /data/data/com.marklargel/files/profileInstalled
    Filesize

    24B

    MD5

    81410ddee4a8ade37f9671e0307132ce

    SHA1

    79e454f5cd7b44673ebcab497187a546febdd2d5

    SHA256

    8f3804266854159da1479a219ca2c0de770c667e1d95d33aa71ee5a6d34524dd

    SHA512

    6dc38ae18d0849a73288652326de0f65c3061e7425fe51268e6752587112c2b11c3d6d7b592ef2925ae6445057bc0a62775826933c9ab032bf63272a1af3cdad

    Download Submit

  • /data/data/com.marklargel/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
    Filesize

    8B

    MD5

    08c21295dc9804a768691fc0c07253e8

    SHA1

    8a50af283fd54ef9b609730597197c0c8144e290

    SHA256

    8a03895bb13febcbe3b760cef14288b31a45f9357cb2111aefa48b71474d31be

    SHA512

    dd050941584e6a0258ecf9d89f4884755f85fdc49d0031882279f39ac2448078530a3c87d6195e0858bf266486a61b621637901523cc910381d403e17cf5c74a

    Download Submit

  • /data/data/com.marklargel/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.marklargel/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    2869598898e4cf898e784f4669c5208b

    SHA1

    388cce44dd2958a7003bf6fb503e288f6a47090e

    SHA256

    9a0453f5bfe28f6693610c2da296d167584ec3a892e6fab9c9425c2fb26758d5

    SHA512

    ffdae3c36c7954efb225a9dd2f21f49f9cf0cb9419753b8cd93c512e3c17210ce43adc96fb8e6505fe6b7d7ede81a0cbb1466c46178fb315cf8fe84bbb69728a

    Download Submit

  • /data/data/com.marklargel/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.marklargel/no_backup/androidx.work.workdb-wal
    Filesize

    177KB

    MD5

    052b2cd3670545fab8a3d242a4ebe669

    SHA1

    601772cd1cdb282348e6f974787f8c6f1b8cc74b

    SHA256

    bc9b1ebc7e0db5fe659ca85fef2ca3bb96685aba16f277014fc606a2f85cae41

    SHA512

    3bd57b6045ae52a965c64379641a0ecb6609ffbe0074a7a938c3282646bda2aa9ad471ddca4482b928f2b32fb0ff88963e739e3497e44d26d11dc688ba50ee31

    Download Submit

  • /data/data/com.marklargel/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    d266d307eb8f7906481c56783ec287d1

    SHA1

    f9b0bd46dbbd5f7bd03b1f5ce8ea4f35520d615e

    SHA256

    fe3c3847c169d3b1d57295992526d7a828b75270eef76c9e47edc2a9f02b57f6

    SHA512

    09318c6ef71f4aca2040fbdd8ddc3a544a3c112294cf9a16f9ce238ae12e4788954fb5412931af2628646530e7a50be1dfa3b64d043e30ce262b7028287cca88

    Download Submit

  • /data/data/com.marklargel/no_backup/androidx.work.workdb-wal
    Filesize

    116KB

    MD5

    ab55186439a82cf1f5cce230acfa582c

    SHA1

    5369217fc65a77a02ae3ead7218078640d72c7c7

    SHA256

    524d78b22666dcbfe61fa5b7d59afa21905719bcbb15dabac7709c46dd6acb8b

    SHA512

    56b3a21bff539cf5e99d38e96e20c6a3dcf67d14a2eeb03a96ce08fb0b68744a4840eb753ec86cf161f8e7f01541ff2279ecae60673ee611507a459edc818d12

    Download Submit

  • /data/misc/profiles/cur/0/com.marklargel/primary.prof
    Filesize

    112B

    MD5

    56c8e82adad0d7ce546d7b1ef2d8f07b

    SHA1

    78dbc8d0a2e54aa79052a00541f2ce8bcd33640a

    SHA256

    99685baaffdb6dbe0954b71f34c4f7cc306acb30aa19e40535a390b0e74f27a8

    SHA512

    8e32239ecf25098997805eeb37b28fafcc928e4944b191c830b03d7109e3ba2a3271697a5905de37d9979d0199ba808900cd361530d0edbbd47c85377ace0bfd

    Download Submit

  • /data/misc/profiles/cur/0/com.marklargel/primary.prof
    Filesize

    25B

    MD5

    b9d9e0f8902d129e1aeebff0ae7b725b

    SHA1

    cb0d2b4c9dd60a5c1fc6261fb581bcd3416fe781

    SHA256

    25a822139d06016af8be1296c0242b60e35074f94c713e03323636be1162ce91

    SHA512

    f158a9dc753e0cb41f71a98714ff02198c576bacdd792a6153fdaf6f9a7b52d8cfb6d09099a269d0c1b0d31e2ea5a307ea1db85115bdc6797887a6de36d597f6

    Download Submit