Overview

overview

10

Static

static

6

3797a11be0...5c.apk

android-9-x86

10

3797a11be0...5c.apk

android-11-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    17-11-2024 22:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3797a11be0590ab2a5420501672263d784f7019bd9aae7d3c15931e21af0225c.apk

  • Size

    1.7MB

  • MD5

    9a3b89f2fa21e9e581bbc49b8766e7c4

  • SHA1

    1e8bd4848aa90a780371f35fb4c01d1a290310b6

  • SHA256

    3797a11be0590ab2a5420501672263d784f7019bd9aae7d3c15931e21af0225c

  • SHA512

    a01846e7089dd8d08714d04a5a176af171617dd8456c52327743def9ba6649de2241f63ba93547231190fc9c2a86af84508a436ed6c1698933063de8dd23414b

  • SSDEEP

    49152:U50wLqOv/TkCmkAIwfQAatbQ0DXs93gwbd:45L9ZmXH8DX6d

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://barabara2e1.me/ZWU1ZTRhMzU1Zjdi/

rc4.plain

Extracted

Family

octo

C2

https://barabara2e1.me/ZWU1ZTRhMzU1Zjdi/

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.mandirect9
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4777

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

1
T1628

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Access Notifications

1
T1517

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

Lateral Movement

Collection

Access Notifications

1
T1517

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.mandirect9/cache/luzqxznfsghfql
    Filesize

    461KB

    MD5

    1ea273a651ffc79827c35ee2387b55d4

    SHA1

    41ef6c8c89d8579199d8013e51426a79c98a2c1d

    SHA256

    44d58061eb00b2f08cd8b5484f9a0417b68b9c1b5b7af094ca4f3a76fe24f51e

    SHA512

    afa8e0ee596e81722be821dd1de35a9963be201a7c84736b7a21fe12466b4d96bced23d4d6e0bab259ad8bba33b3c6e59ee7cb24e3c843e68fd1b6bb0903282c

    Download Submit

  • /data/user/0/com.mandirect9/cache/oat/luzqxznfsghfql.cur.prof
    Filesize

    351B

    MD5

    5c909bbaf3bbc8c2065ffb56313d4292

    SHA1

    cd98687cc01d19e3ecd333e538a426294273e33c

    SHA256

    42e76dbe0ad569df28a8b3f6dc267ee96b5d3b550bc16fb3cf0b876ba28570d0

    SHA512

    7fa4671a4cfec90f745c380999742954e89e1b270dfb57e970d8edb6511c130d693e04d91a5f7c004e556758212aad78fdc6c6a1b7c53a4a1df9203ee95c2e46

    Download Submit

  • /data/user/0/com.mandirect9/kl.txt
    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

    Download Submit

  • /data/user/0/com.mandirect9/kl.txt
    Filesize

    73B

    MD5

    8035ef02d4fdd0ffc59fa24ba9bbc6fd

    SHA1

    b0a7467748023366e205496223f3199d528bc11c

    SHA256

    d98c91da2492b84cc25384d6b1afe99ea2b5df7b839ad6dbed599e01af8ac6d2

    SHA512

    4f8479821c499585528ad1fe7e8f573754210fe7a4f05db8c02d6f7d75db2cc33fa00b1e41793099fbc1c9d3c63719eb1126dfe637ad32b370c20dc6eeaa9615

    Download Submit

  • /data/user/0/com.mandirect9/kl.txt
    Filesize

    237B

    MD5

    328d45d4d06d085f90534acd9e6577d7

    SHA1

    0680d949d13d236135b08140000934f191974255

    SHA256

    974cb0839be239a8fd77e175f1052760b92598a2d0822720079bbf07713ec9f2

    SHA512

    c90734395a007fee740a4f61731778fe514cb3c6ef8204af4305db102f85d21ad89e1099335c935324fae49e2a81adf7909cbd36b0ba50f082e887fab32c84c9

    Download Submit

  • /data/user/0/com.mandirect9/kl.txt
    Filesize

    45B

    MD5

    74e6cd3f25bf28b45a5128427faad739

    SHA1

    cc0254e3f1dffce58e4b6f6d4f10e0ca8d75d69a

    SHA256

    1cce430f660940d180007681b178a76df90aa77991363863846bf5690c820a2e

    SHA512

    325cad73b7eaa19fa82c2decbe670b3e936d988128632f8bea07a854dfca9df7eeb7f1eebe49a411bfc97020670e2358341a4b9c3fad61f5b85f69538263ad27

    Download Submit

  • /data/user/0/com.mandirect9/kl.txt
    Filesize

    75B

    MD5

    f44baf1e05b5624c90ed34cedbfefdb0

    SHA1

    0752aa7b76297c12e0870bda848f6409b708633a

    SHA256

    a5a7f5665d824356eae504323e528a2ce97d1c3b55f4dce8ffe648e7b7096e5b

    SHA512

    29cfb33e1cf1897d5645e36c80c271fe0fb9544bc758262e72309ae0534c01c8d29d04ea1b20aa61daf84ef183a87255a1bd2fe6c54b14fa62021ab0864a1c35

    Download Submit