Overview

overview

10

Static

static

6

e6569b723a...d3.apk

android-9-x86

10

e6569b723a...d3.apk

android-10-x64

10

e6569b723a...d3.apk

android-11-x64

10

Resubmissions

18-11-2024 10:55

241118-m1bx1svlds 10

17-11-2024 22:00

241117-1wttxsyncy 10

Analysis

  • max time kernel
    39s
  • max time network
    139s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    17-11-2024 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e6569b723ab84a98c9f8d43b03f0aad49efcf2c314efbc7ae6f99d2f462febd3.apk

  • Size

    605KB

  • MD5

    e109abe047081e2850c113f051fa2399

  • SHA1

    013a453d3cf1a897a8055c4dcd0ee974b7fbe15d

  • SHA256

    e6569b723ab84a98c9f8d43b03f0aad49efcf2c314efbc7ae6f99d2f462febd3

  • SHA512

    a084442a82f83ab83db09bbbfaa0d4218e0c7d246544ac978fdd261d7ef7c32e802b202ebee558eb2916af35a1ad499bb9f9e431aa42a40cd1b30e06d7933cf4

  • SSDEEP

    12288:4TK+XfiFh6KipZ8hlrOKMWLfkf8+U01PxKeyis4hDLrMhdy4:4ThOfiZI8tt1P7yisIzgdy4

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionexecutionimpactinfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

octo

C2

https://34b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://64b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://74b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://894b6413903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139030754567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b64139033074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/

https://94b641553903074567453981d0595033c23.com/YmZiMzU0OTU5NGIz/
DES_key
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.eachdidrtz
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4262
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.eachdidrtz/code_cache/secondary-dexes/1731880834132_classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.eachdidrtz/code_cache/secondary-dexes/oat/x86/1731880834132_classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4291

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Network Configuration Discovery

2
T1422

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.eachdidrtz/cache/classes.dex
    Filesize

    447KB

    MD5

    8262b6e449a9c36b0b04da4f0ba66faf

    SHA1

    9048317b5eb21106a26043dccc50bf88e01c01ff

    SHA256

    219ed6c3f2a607bf79d237ec79da71c60f5dded5628755ac1c6a49f4da0192ab

    SHA512

    d8c8c934f4f4e24820e4cfa22049eb1107bd97a38250574f47e80513a07598d60c900c8fb13ca668e55462112b926ced3e3e8490cbc16baeac7c39cd37b893be

    Download Submit

  • /data/data/com.eachdidrtz/code_cache/secondary-dexes/1731880834132_classes.dex
    Filesize

    1.1MB

    MD5

    466d8d46387ad88b170b1c35085e9e08

    SHA1

    64279445185cc85ecca8e67aa626ba2dd3a4b6e2

    SHA256

    54a4e0e614f4e25153271efc05103aaf57ee70abeac84a921f48e5701159bbdf

    SHA512

    2e8f0ee18b75921bcffc151df7cefad1b4c5ec5b8ab1df79c8808222be5524d107438458f5d64d24ff6a1ca61491895cf3a458a95ea6a456cf82c1189901573d

    Download Submit

  • /data/data/com.eachdidrtz/files/profileInstalled
    Filesize

    24B

    MD5

    200af7da8a84e26d4430690937a2e0f7

    SHA1

    17288bd801fadb6a69428ae1f3567314742ed05c

    SHA256

    a48b5ad6dc5c48b7db270b861fdec68a6431c4f85d479cd4fc38b431c8f121d6

    SHA512

    12167e3edda9ab72e4fd6a7dd7f811f67f9f2c66df8890cd2e93a631919f1c64d91bcb46aee4148677bad18824eea2c6ef8ef67677fe0b06b4184ffb181a624b

    Download Submit

  • /data/data/com.eachdidrtz/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
    Filesize

    8B

    MD5

    ddae9a91dfb7bb4fb868e648ca3e5cba

    SHA1

    56d613a019c16697f91cf7f18825befe6e4ff57c

    SHA256

    b9b4d778f1235149e2e0d244ae8942ad6d20747f756f5278f83647b54173b95a

    SHA512

    15ebfe12a7055d46512f9aa5ae4b814b5ee62db3e564e616517d34dbe4f50a41d74127e7e01ac9b774376edfc276b7f0d66a82d6b725ea231569a8d3ac6be8a7

    Download Submit

  • /data/data/com.eachdidrtz/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.eachdidrtz/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    fc1da48fe5287d776502cfce4890b46a

    SHA1

    c3fdb722f5e60e87da4f1d464e7fcf25cb535be6

    SHA256

    a5d20f9168f7cec14d635fff0c7c4744217dc34412b4c788dbf72b3190910c0d

    SHA512

    24a0dcfd55dee961977f2e1331ccf684e59ac6879605db62ef2747d0c6d91ec892edd6a841ef5454d13a8059248bdba96233df65be6f50710b533981ffadb1df

    Download Submit

  • /data/data/com.eachdidrtz/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.eachdidrtz/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    810a619c506769b64b263ffab5d35c92

    SHA1

    735e1745c88244deec65f24fa3d73fdc2965f768

    SHA256

    a8ee22ecc9713ad8dd88c8cec063b0fe1bf50cebbeb12a5f3b1fb3f3a0a96779

    SHA512

    365e11fe33c8a1ee9c9b2cd64810fa1ce0e969f44de0f481a5db5854d80a3aaf4f31dc2dbe334539acb5aac9611d98bc6f6dbb6c236a4441fc5ccd35a48f9ef7

    Download Submit

  • /data/data/com.eachdidrtz/no_backup/androidx.work.workdb-wal
    Filesize

    116KB

    MD5

    fcac1c37048671f7aa56de982b7562bc

    SHA1

    19c3e0b63c13cb1db3104ff801aa50b89b5dd727

    SHA256

    586c9ada40c80b09ca218387a9d985ab4e6059dde447e98694794250f08bd4a1

    SHA512

    93b1ec5d770d7ad92f3eb39be306c948dcbdabde26ed611f781722ed2b43732be9a59f302da7f6b222d7fec5eb567ca1de2e39d847d56cb54f94deb9e29aacc9

    Download Submit

  • /data/data/com.eachdidrtz/no_backup/androidx.work.workdb-wal
    Filesize

    177KB

    MD5

    800e13a9547072fc4ce0a8471d993bdb

    SHA1

    230f0879a9d0a6e2b43487def80f3e0940f4647b

    SHA256

    0a0b784568fe09864c9a041b4039e0d9332fb71703415ca88cda5f143bde65ec

    SHA512

    860029fb3ec0a3e922e40e2c92c733993353544ee30bf1386923068d0ecd1e4c6b1be367aaf5825e421b1418a5031e580607e1d18ff3b638188bd1be32846585

    Download Submit

  • /data/misc/profiles/cur/0/com.eachdidrtz/primary.prof
    Filesize

    111B

    MD5

    24e462e1c546783ab5e1d547d9543d01

    SHA1

    d392b1840dc25a33f3bfd33e04d0d632a75e388c

    SHA256

    afa1f9ac2fcf9afdef3e071bead9665edeb290cbcb1b453beb0c4dad73312d91

    SHA512

    797cd3a91c3a9c2174639d3885c0b33a9fab425e6215b0c2d303a4e2bdcc10931d7fac740cd1427e3e60b22c593f6e01cea57d48368c0947fdd0c080f3fb354d

    Download Submit

  • /data/user/0/com.eachdidrtz/code_cache/secondary-dexes/1731880834132_classes.dex
    Filesize

    1.1MB

    MD5

    15db515fb3a5c702d961dfa12aa4d5c4

    SHA1

    fdf54d3510097e12284efb0719630511c66f5920

    SHA256

    d79d84c0232515075da62fcc775975bee916ae2716fcd27a97a64bd4a59d986e

    SHA512

    5bbfd1a5950507226b8e5130f1eaa365560d4cfa6dea10f575e8833377bf6dfe2e53daa83e5957b906542256ce306115c34a5d97c71e401718e7527f71c6840b

    Download Submit