Analysis

  • max time kernel: 149s
  • max time network: 131s
  • platform: android_x86
  • resource: android-x86-arm-20240624-en
  • resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted: 20-11-2024 22:00

General

  • Target: 64b535ae0e7d0f9edfcec31945310ea1c710f1aee18c52ac45c579b5a1ea3dfc.apk
  • Size: 1.2MB
  • MD5: 57ea80a371feab800709e5b125e93a06
  • SHA1: f94f3f868141393ec9df11307eb7eddc6d9b734a
  • SHA256: 64b535ae0e7d0f9edfcec31945310ea1c710f1aee18c52ac45c579b5a1ea3dfc
  • SHA512: aab66aa2e80a4289aa0fdd1964c60a3649fdf732384f1b888dcb10a6c4d49855f2d087e3f2cad245a7c5686cd6e6135ffc746a8d32613a8f8575b637dde8c1b0
  • SSDEEP: 24576:IaibmdwiITEEFMqBAH98uswqtfncy82BOOHoOVepxTfzJwldqNfUQNtd:VS6IoE+qBAH9qwq/7XPyxT9EdkfUQNtd

Malware Config

Extracted

Family

octo

C2


rc4.plain

Extracted

Family

octo

C2


AES_key

Signatures

  • Octo: Octo is a banking malware with remote access capabilities first seen in April 2022.
  • Octo family
  • Octo payload (1 IoCs)
  • Removes its main activity from the application launcher (1 TTPs, 1 IoCs)
  • Loads dropped Dex/Jar (1 TTPs, 4 IoCs): runs an executable file dropped to the device during analysis.
  • Makes use of the framework's Accessibility service (4 TTPs, 1 IoCs): retrieves information displayed on the phone screen using AccessibilityService.
  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
  • Queries the phone number (MSISDN for GSM devices) (1 TTPs)
  • Acquires the wake lock (1 IoCs)
  • Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs): the application may abuse the framework's foreground service to continue running in the foreground.
  • Performs UI accessibility actions on behalf of the user (1 TTPs, 2 IoCs): the application may abuse the accessibility service to prevent its own removal.
  • Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  • Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)
  • Requests access to notifications (often used to intercept notifications before users become aware) (1 TTPs, 1 IoCs)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)

Processes

  • com.colddoosuj (PID 4264)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests access to notifications (often used to intercept notifications before users become aware)
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (might try to encrypt user data)
    • Child process (PID 4290): /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.colddoosuj/app_DynamicOptDex/UWgpuwY.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.colddoosuj/app_DynamicOptDex/oat/x86/UWgpuwY.odex --compiler-filter=quicken --class-loader-context=&
      • Loads dropped Dex/Jar

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.colddoosuj/app_DynamicOptDex/UWgpuwY.json
    Filesize: 2KB
    MD5: 37fc167b6ec22e7a7ebd17e4bc9dc52e
    SHA1: 7df1ad43a39d1c22e48a24359e8ccbbdb1cd2533
    SHA256: 805695ae70904a474cfbd18c62bfd7c036bd2f7f8d1d74e412f06b8173e5dcf5
    SHA512: 1d9a129255b1cefc2aba214955874feae81d4e2c0c112090613e781ce50d1095e765d73b5d29563029a50f1a2e40bcd442e02e4b6f36b99d65fcf07f9156cc98

  • /data/data/com.colddoosuj/app_DynamicOptDex/UWgpuwY.json
    Filesize: 2KB
    MD5: ea56c3bc743790e0c100c242b1bafb34
    SHA1: 14b19ea384f7e8d9bcd464a8d2bb52425b1a0b10
    SHA256: 9cd8e9c12b8d5391cf59738230fa198cad24f7f442537cff438e076d6b52393d
    SHA512: 271d22873ff693afb0b98b78a90ac5e06a2eb0b351008c1fad1770eb7c00b9304341efcfe92f67f0f8c42ded9f96c6e8d0665dcfa5a2477f1ce3362f1c06f38c

  • /data/data/com.colddoosuj/cache/bbttmxgc
    Filesize: 448KB
    MD5: 8087d117f28be45559cb45b4bcd7c89c
    SHA1: ee2547667760be13c071da4a8f01258dce6ce557
    SHA256: 275c8d5c41275965a97764cc51b39fd344d803b8f7a3b686a303eda2382266a1
    SHA512: 328973fa9321c2ec2ec663dd8fd46d8753d7d6480d20d3f4a43b33da508d3231c650b7a062a586ae584b0a78339819d8de6a25ab0dabf88eed82c853eb9df6c3

  • /data/data/com.colddoosuj/cache/oat/bbttmxgc.cur.prof
    Filesize: 545B
    MD5: 66e1b98c1396f3169521bc88af73b415
    SHA1: 6f243b319857c1d00eb1b3a759df7e37e99e6371
    SHA256: 41cf568d2404762f010d9739c64b84d543f79bc959d6b2dedb231a7a5b7665cf
    SHA512: 0147be0d67b9dc4b7f79b481a1c88217040dd1f9d49291ba6b0c8f0a8e9b3f788df7b19e55f5b592ab11fe795db4f6ead3b042e8177d6f5c549384fa19b48a2d

  • /data/user/0/com.colddoosuj/app_DynamicOptDex/UWgpuwY.json
    Filesize: 5KB
    MD5: 44363f45289e96fd82cae0533ae4f95d
    SHA1: d89b72ff6dc328f73b87b9b80ef7f999aff374a6
    SHA256: 146a0e8b791bb1cd40ee74951eff05ee205fc438799333727ccc42cc91816d2f
    SHA512: b42f03ee5be7140f64dba9f7f02e7579037b0b352e0aabc68a321f5a597edf0f1d0321a681febc0bb61af9738bb8126cf3b4ac9d5d420d507108b0865342b317

  • /data/user/0/com.colddoosuj/app_DynamicOptDex/UWgpuwY.json
    Filesize: 5KB
    MD5: 0868097b61441c163c964fdb3610e34e
    SHA1: cc8a27912a5083e4fe998bd0fd2567019e739f7c
    SHA256: 913842b54d425628cef2516b1537cbeb0b9eae5c71df5d652fa27f13585ef005
    SHA512: 6ab9660fe5136be6596e4865be86d823ad1c44ba94df0f89589dbce352b39cf01014c94a4ba8fa883723b2d21f1948ff4d46315431788c9b66fe82b04d75382b