Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted
    20-11-2024 22:03

General

  • Target

    dc69c74be98939f4940807d2268b5b32ed2f2729b2ba068591caf0254160a6d6.apk

  • Size

    2.0MB

  • MD5

    40265050e0136239ffc1ac9d782e31ae

  • SHA1

    753c262257602605e79946ed42fa855da101761d

  • SHA256

    dc69c74be98939f4940807d2268b5b32ed2f2729b2ba068591caf0254160a6d6

  • SHA512

    03512268e0a9440c5f35a5c3b08f97a0c60b4bc5c11fa3cfd843089ad83d049cfb5ee525f00adf0b8334b5b413e23fae0287899f737cc1f9f4473155c85a654b

  • SSDEEP

    49152:BTT+7AgEUy1I8ehFC1l8+E5RMoznNlJnFm:dT+dEUy1I3FCzE5R/z5c

Malware Config

Extracted

Family

octo

C2

https://jtfersion.com/YWFiM2VkMmFmNWFh/

https://kineomager.net/YWFiM2VkMmFmNWFh/

https://aberinogerd.com/YWFiM2VkMmFmNWFh/

https://nolevibanget.net/YWFiM2VkMmFmNWFh/

rc4.plain

Extracted

Family

octo

C2

https://jtfersion.com/YWFiM2VkMmFmNWFh/

https://kineomager.net/YWFiM2VkMmFmNWFh/

https://aberinogerd.com/YWFiM2VkMmFmNWFh/

https://nolevibanget.net/YWFiM2VkMmFmNWFh/

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 7 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.carrybuild4
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4723

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/com.carrybuild4/app_DynamicOptDex/UtCj.json

    Filesize

    2KB

    MD5

    099566ba3010bf29dd0b74d16dfd2c81

    SHA1

    c81c115b5d9fdcb9ad2d3bfa2dbf894797d89d1b

    SHA256

    190e41c7cfd4487f40877e4f69c24415c787fb3224ad13500ab97f74a2f4a526

    SHA512

    265a474e2ef6261a27be1e1dca73ce8806f66fe103365208a40f64de238d7d510dd9cb7b3522ce0483e56cbbac25a363ff4458589b6fdd54583ea9572d7e4863

  • /data/user/0/com.carrybuild4/app_DynamicOptDex/UtCj.json

    Filesize

    2KB

    MD5

    50aaaee161ff33560781ae6474091699

    SHA1

    7312861b1c038912c23d0cdbff2876a4456cddfe

    SHA256

    c3705004cfb2a4a8a39511c8940fd2a8d0fd4220fbd3c10a32f75c03ed0f55ab

    SHA512

    01a0b15b71572836b4d1940ed7efe8bb0d03e11bc11b772710b1cf794e9d4293d24813bfe910fc3d834162b916079eac4c6a5d818f7e9b469f56c2ee740c482b

  • /data/user/0/com.carrybuild4/app_DynamicOptDex/UtCj.json

    Filesize

    5KB

    MD5

    11a3b3fc2b85c30bdeb8ce89f5b2d568

    SHA1

    1fc9f3d1ae372011bcc2303d2de88630965b1535

    SHA256

    0811480d39d338a846fee5db302b07d598edec4ea9ef4c2a361d181299172649

    SHA512

    53490fd84c941e88c140cf0baf146322b943e8aff003e389840938c4146cabb06061daa3c9aa5687418bc52dea0ed2453d746069363f90f1947ac04dd836b3c4

  • /data/user/0/com.carrybuild4/cache/oat/txwpunphgcavnew.cur.prof

    Filesize

    348B

    MD5

    982d0547f565a2a69c904fd88ed58b11

    SHA1

    06c59117c317ba42885d5812fe1f632573cb4305

    SHA256

    8a6d08ae6946fd8e95e38189c29e70f075f88032fb02b242bec730dc6a2e2884

    SHA512

    00dc09f67b1a2dafc8bce79660ca6cc75288d6e2268a6be45b256c9948663f9126925d2f62379afb4f1393998f4141c89e11767700fb839a164bbbe72c423d56

  • /data/user/0/com.carrybuild4/cache/txwpunphgcavnew

    Filesize

    448KB

    MD5

    251f5be95aad11c7a231d88b37b0154d

    SHA1

    6e694c35ff718a617e9999aae12a63711c8e7c1c

    SHA256

    09272d112558b22a70359becd2a292cb110b9e2f33202cb5cb491bd08c8bd6c2

    SHA512

    2f63110429eff2ac05d18f40d80ce26909f1071fc1bff75a1d1b2603b0b61a37794b7f2ba1da6d37000c1b20dd7c22881ac1c7adf201ce7523c6e6d37822558f

  • /data/user/0/com.carrybuild4/kl.txt

    Filesize

    480B

    MD5

    912dfadbffb15e32a7496e9c37d3ffee

    SHA1

    4677ec083f1d95d91c674a165fd68eca7835e9f5

    SHA256

    3d334bcdaf2ee891f9a3408786c3f02d6eb5ed1f815194f3ef2207b928d44ad6

    SHA512

    55a30e2ddee80c93cd4257a51e7fc2ba50332398a21e13969ad20fdc215f7f141d389a12bfb6734475b469cbb837aaf8dd60100a79a5a18db5193d4b83145325

  • /data/user/0/com.carrybuild4/kl.txt

    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/user/0/com.carrybuild4/kl.txt

    Filesize

    237B

    MD5

    3b82b1bfe3aad7b2b57f1f00938e0c68

    SHA1

    4429e2f52788e6c3610e23fe54f530d9f8a9a632

    SHA256

    16e18a2f301368ab91c3c940bf2c49ad6480aeeeafb143c17ad867a762f03538

    SHA512

    e4c2708257fc2427cd194c7cad7a15d30fd28b4da72a80c0137904401071acb74b86ec5d0656b7dab25334ed2deff67634d1214c440340baffdc293be17d3f49

  • /data/user/0/com.carrybuild4/kl.txt

    Filesize

    63B

    MD5

    36961b51e83ee9ac7dbc904804922663

    SHA1

    79c7c13d188aeaf0d1cd5d716221c5bdf3efd568

    SHA256

    acecd1fc25bf331552eef24fc4241d828bb5ea7110dbeb0e5f42f32a92d20b39

    SHA512

    1657c5e153c18fea25248e0a84b8b38173652e4a7a63b54ebcb2f9b37774cff4f3f30092348449a5d01627ef616e584f62ab1d07ef1003aced78382cd070727d

  • /data/user/0/com.carrybuild4/kl.txt

    Filesize

    45B

    MD5

    8e689a5683cb5b1572a5ff67d66f4e98

    SHA1

    f24249389a91879e7fd43b9d5849edff2a568116

    SHA256

    0bca4821ddc38635b1ba56224fa5569e34b5e016ff695e69cb0c16a17625b652

    SHA512

    ee86b52d02ed90b19f5d7387d222a84db68498148701b855a309a827df4fbb213e364c54fa63baf516d90e3df2153969a4d4b81175f3f25204841775c83d3431