Overview

overview

10

Static

static

6

028436b9c1...13.apk

android-9-x86

10

028436b9c1...13.apk

android-10-x64

10

028436b9c1...13.apk

android-11-x64

10

Analysis

  • max time kernel
    79s
  • max time network
    143s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    17-11-2024 22:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    028436b9c18135ed661d90cc817f821c4d8ad6d43f85ece17de6ac03dae07113.apk

  • Size

    605KB

  • MD5

    844e1a7088f531d429f244032cca79eb

  • SHA1

    435c71c133b5e161c701c874a7fe981fef0b753f

  • SHA256

    028436b9c18135ed661d90cc817f821c4d8ad6d43f85ece17de6ac03dae07113

  • SHA512

    590fcce88c91cda765b80b29264de7c760a7b24f15f9b4037616c3f6753b716c60e3a5a0ffc86eff972068171e60b741ad6d49c293eeeb39f9063bd797fd82d4

  • SSDEEP

    12288:mlA+SE2uziR2FPwmfr7my8fvRcLqqejcakBbnpn6bCIvXhbqKMUs4hDLrMhdxty:mlA+SEtziR2FTfHmy8fe+qejBk5p6bCo

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

octo

C2

https://34b6413595033c23.biz/YmZiMzU0OTU5NGIz/

https://34b6413595033c23.xyz/YmZiMzU0OTU5NGIz/

https://64b6413903074567453981d0595033c23.biz/YmZiMzU0OTU5NGIz/

https://64b6413903074567453981d0595033c23.xyz/YmZiMzU0OTU5NGIz/

https://34b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://64b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://74b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://894b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139030754567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139033074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b641553903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/
DES_key
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.enoughnumbergbrr
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4311
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.enoughnumbergbrr/code_cache/secondary-dexes/1731881393753_classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.enoughnumbergbrr/code_cache/secondary-dexes/oat/x86/1731881393753_classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4336

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Network Configuration Discovery

4
T1422

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.enoughnumbergbrr/.qcom.enoughnumbergbrr
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/data/com.enoughnumbergbrr/cache/classes.dex
    Filesize

    447KB

    MD5

    6cd0261692704e68c5d1e9f3399afcdd

    SHA1

    e56a48a839cc9a1828667b237e2183a8053ec99f

    SHA256

    6c6c6a5e1a6c028e64ca4d5b15fbd33cce490cebe4bd0a1cf70f7978c7d85c11

    SHA512

    d6cdc1a317138df030f91103614fbdda73edf8804cfdf46896a82ef23679e7ffd222156941b6c3c6c5b96349783e69e4312416ed1545866291368ce205443159

    Download Submit

  • /data/data/com.enoughnumbergbrr/code_cache/secondary-dexes/1731881393753_classes.dex
    Filesize

    1.1MB

    MD5

    4c78a54b925d3eb24deb8221dad06426

    SHA1

    dc2c3283777c64828406ba02c23a28964a5e2985

    SHA256

    37c01970ed67e71d4271c408e2c3081f59c95de9c19cde1174f382c7ca1b112e

    SHA512

    8ce31c6acaf40cfc77e02a8bc399ddc542d25d2be17f6cc8dd3ade92399db8d543cfc412b2efaa09ab421e78a2d5c726aba5d7e086cedcfcf58a2df66408a13a

    Download Submit

  • /data/data/com.enoughnumbergbrr/files/profileInstalled
    Filesize

    24B

    MD5

    97bbf17e9d9669e7f43ad3e6bd1d61a9

    SHA1

    a3d8b1eca6bd9a4f2591220d72ca682fddf58bef

    SHA256

    f11ce3aa401cf5b38f413ecd411b2147a0903bb015dcca6ddb25d5a09c8c0d94

    SHA512

    8511fbb0652924fb499da7e5f387e1f14d00594362281870c16ed265223653781640c9edf99fb3320087be233f520456f695297f0594e7c93ceedca49beaf13e

    Download Submit

  • /data/data/com.enoughnumbergbrr/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
    Filesize

    8B

    MD5

    e6b6c19eb64e94ca2abd47c0c96922a2

    SHA1

    a8c32a5bb709bf9cfe5d84fad1fc36a429f87d4a

    SHA256

    510b2dff8f045503c8b03cc45345705342a25c0dc711db231217e6ee2dd4344d

    SHA512

    bbe28c7b600ea0342861184a64cb4d459188258847dd1ec4f3738071c8d37ab68e52774fe1b9ef7be95d73e0217a115db226dc315e01b50f69561173a57952a1

    Download Submit

  • /data/data/com.enoughnumbergbrr/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.enoughnumbergbrr/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    98efa7d8bbee5b2e979e770ba35f683f

    SHA1

    a4e92dfbf8b0c86e7b3d710ff3780f9d9be0ded4

    SHA256

    30cf74fda7d36948b9c2c98b87ceb2ab0c4ab13acc568647a1573ead132679d8

    SHA512

    55d8ab07835dd97f1d7f37ff6670b84492af5a942d1cfe3bdec07b17d529c4110f05f6f800ec69ae9fda9f35a0fe5e7e3b4372e7c0bd24728630bf0669eef39f

    Download Submit

  • /data/data/com.enoughnumbergbrr/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.enoughnumbergbrr/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    c7dea525e36cc93e4f59d726b7f490d7

    SHA1

    df6ca44c620473c4a7c21b3c0bb641a0e0fa57ca

    SHA256

    043e3ad1036dd90fe82cc6f2305bb41d1f4eda9e3198f3ead5cd863722fb1157

    SHA512

    8c6a42e6331c5f1dbdc8ea857ebe206fbcad170252d6dd7cea25229c09d20365d11498b9a17f7c4d1f25a45514a1432017c1b2daeb677cb1526f3777420c0379

    Download Submit

  • /data/data/com.enoughnumbergbrr/no_backup/androidx.work.workdb-wal
    Filesize

    116KB

    MD5

    191cab4ecfdc6778570d9db3dad9247b

    SHA1

    e209c657ae49dbe1bca79501e1962f3b2f474d66

    SHA256

    7de430fa897d2f7431e208e3d804491db621cd325722843113f3c09bc4e6260c

    SHA512

    18fd6c130a974cf0d043b6ba1551b67ca97c2de5606c99c85430ab41bb464b27028fa6409e7fd73b9d86318d0799a329c7327aced5ae2ffe2db10e9f60b39c3c

    Download Submit

  • /data/data/com.enoughnumbergbrr/no_backup/androidx.work.workdb-wal
    Filesize

    124KB

    MD5

    fc19ade9a59ad76030927dac83c6b78a

    SHA1

    dc6c5830aaf3c6475344fcd3aa8b4caf12787c21

    SHA256

    91f45529cf8431d66b88dd19a31366b863142139e6f4e982854a3d049104fcce

    SHA512

    ab2a6ad46a6854b34949bc7b6901c3c570eb82531db46156efc14f45f4480d0df401c0c3a4ab8f6498037791b939e7a24b202024ba7f038d1c5f5e8200bbe52e

    Download Submit

  • /data/data/com.enoughnumbergbrr/no_backup/androidx.work.workdb-wal
    Filesize

    177KB

    MD5

    f20c975d02b9534c4a58f149bb6e1381

    SHA1

    9c543a3a090be37eac3078d341be7eee3d5b8d81

    SHA256

    4ddb589018e1d7682924b8f89eb9bb9b84cf31048f203c5845c0d9a0c9d25eb6

    SHA512

    0014e5fee566bb1c98a3aa881efee59d1ec2cda3b5d46f9c4e28d4e4d788d0c7f481ea3671e9866654b98d4057c93e52ea88252a4fd319ffc343549238a50d14

    Download Submit

  • /data/misc/profiles/cur/0/com.enoughnumbergbrr/primary.prof
    Filesize

    112B

    MD5

    13b5598a52096d695818849c5cfec363

    SHA1

    778152a877723b09293ec12e39bb637c3394f03a

    SHA256

    18137ea04b76cb8a8135ad69e5f310c1811d620c0ea2b3a6712af1f6000372e2

    SHA512

    74945f333c2ab899ec4f2c07a4f97e1c496356a2834f33a816a54cf6ab91be470e90893e4a51f54366a3bcc8dd41f61d60caf7886f8d71f36b2578ae658f986c

    Download Submit

  • /data/misc/profiles/cur/0/com.enoughnumbergbrr/primary.prof
    Filesize

    121B

    MD5

    8933688a0e2f36e81e6f0cf649e3752d

    SHA1

    344bf2f40569e751802cc7fcde32ddb2cddca71f

    SHA256

    f6c4867ddab75ff474dbe0ced42ad4b07465ce6bf482a62a54df3ed92baa6010

    SHA512

    ebba2171e6142a4cc64e6ea971e1f1f981992877ff406caf639f169591496f35ec59541e95cbca8aa66c2360b0ca791e23634131a5ffa15270a629f655bc1fdf

    Download Submit

  • /data/user/0/com.enoughnumbergbrr/code_cache/secondary-dexes/1731881393753_classes.dex
    Filesize

    1.1MB

    MD5

    271a870e81f4d6d436fe2076e80ec7a8

    SHA1

    98f6ba6714d9770488ed4dd6505b767b2662fd3e

    SHA256

    d42db6da9bc2988802321356f2081bf4c39be395385c46ca7c760007a909d110

    SHA512

    ebf9ee37e6a83f02d2ce52c73b1859dafbaa96eeb9c61702359227f1d84073440f68d27a3cc0c309255a75d2cf54a01496969efd8103f4dbb821ba51e6912732

    Download Submit