Overview

overview

10

Static

static

6

01e6cb93ee...9e.apk

android-9-x86

10

01e6cb93ee...9e.apk

android-10-x64

10

01e6cb93ee...9e.apk

android-11-x64

10

197359a4d8...d7.apk

android-9-x86

10

197359a4d8...d7.apk

android-11-x64

10

2427241add...70.apk

android-9-x86

10

2427241add...70.apk

android-10-x64

10

282a7cfccb...bd.apk

android-9-x86

10

282a7cfccb...bd.apk

android-10-x64

10

284d74a6fb...fa.apk

android-9-x86

10

284d74a6fb...fa.apk

android-13-x64

10

3221126c35...63.apk

android-9-x86

10

3221126c35...63.apk

android-10-x64

10

3f3ab2cd7e...bf.apk

android-9-x86

10

3f3ab2cd7e...bf.apk

android-10-x64

10

43e48ed5f6...fc.apk

android-9-x86

10

43e48ed5f6...fc.apk

android-11-x64

10

616c4ad548...8a.apk

android-9-x86

10

616c4ad548...8a.apk

android-13-x64

10

74aca9fcfb...e6.apk

android-9-x86

10

74aca9fcfb...e6.apk

android-13-x64

10

753c262257...1d.apk

android-9-x86

10

753c262257...1d.apk

android-13-x64

10

83684d8fa6...97.apk

android-9-x86

10

83684d8fa6...97.apk

android-13-x64

10

84b4b256e4...0f.apk

android-9-x86

10

84b4b256e4...0f.apk

android-13-x64

10

865e193b3c...3d.apk

android-9-x86

10

865e193b3c...3d.apk

android-11-x64

10

8734504205...3f.apk

android-9-x86

10

8734504205...3f.apk

android-11-x64

10

950867a96c...32.apk

android-9-x86

10

Analysis

  • max time kernel
    149s
  • max time network
    163s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    23-11-2024 11:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    753c262257602605e79946ed42fa855da101761d.apk

  • Size

    2.0MB

  • MD5

    40265050e0136239ffc1ac9d782e31ae

  • SHA1

    753c262257602605e79946ed42fa855da101761d

  • SHA256

    dc69c74be98939f4940807d2268b5b32ed2f2729b2ba068591caf0254160a6d6

  • SHA512

    03512268e0a9440c5f35a5c3b08f97a0c60b4bc5c11fa3cfd843089ad83d049cfb5ee525f00adf0b8334b5b413e23fae0287899f737cc1f9f4473155c85a654b

  • SSDEEP

    49152:BTT+7AgEUy1I8ehFC1l8+E5RMoznNlJnFm:dT+dEUy1I3FCzE5R/z5c

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

octo

C2

https://jtfersion.com/YWFiM2VkMmFmNWFh/

https://kineomager.net/YWFiM2VkMmFmNWFh/

https://aberinogerd.com/YWFiM2VkMmFmNWFh/

https://nolevibanget.net/YWFiM2VkMmFmNWFh/
rc4.plain

Extracted

Family

octo

C2

https://jtfersion.com/YWFiM2VkMmFmNWFh/

https://kineomager.net/YWFiM2VkMmFmNWFh/

https://aberinogerd.com/YWFiM2VkMmFmNWFh/

https://nolevibanget.net/YWFiM2VkMmFmNWFh/
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.carrybuild4
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4384
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.carrybuild4/app_DynamicOptDex/UtCj.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.carrybuild4/app_DynamicOptDex/oat/x86/UtCj.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4408

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.carrybuild4/app_DynamicOptDex/UtCj.json
    Filesize

    2KB

    MD5

    099566ba3010bf29dd0b74d16dfd2c81

    SHA1

    c81c115b5d9fdcb9ad2d3bfa2dbf894797d89d1b

    SHA256

    190e41c7cfd4487f40877e4f69c24415c787fb3224ad13500ab97f74a2f4a526

    SHA512

    265a474e2ef6261a27be1e1dca73ce8806f66fe103365208a40f64de238d7d510dd9cb7b3522ce0483e56cbbac25a363ff4458589b6fdd54583ea9572d7e4863

    Download Submit

  • /data/data/com.carrybuild4/app_DynamicOptDex/UtCj.json
    Filesize

    2KB

    MD5

    50aaaee161ff33560781ae6474091699

    SHA1

    7312861b1c038912c23d0cdbff2876a4456cddfe

    SHA256

    c3705004cfb2a4a8a39511c8940fd2a8d0fd4220fbd3c10a32f75c03ed0f55ab

    SHA512

    01a0b15b71572836b4d1940ed7efe8bb0d03e11bc11b772710b1cf794e9d4293d24813bfe910fc3d834162b916079eac4c6a5d818f7e9b469f56c2ee740c482b

    Download Submit

  • /data/data/com.carrybuild4/cache/oat/txwpunphgcavnew.cur.prof
    Filesize

    487B

    MD5

    2febd010c86372ab5e473b897c68fde6

    SHA1

    641a04e0a5076028885be57f0352abdc220689ac

    SHA256

    0edfb05cc7dbdad9411363eefe013b9533994a5842802cd5453e3224276dc6ae

    SHA512

    add13f9cf2aef2644c7777c8d621f94cf8e14a82047874bf93719e01581b436e4f2cdd2e94df1a3f14659d72a1ba0b4bc902e458ec1debce2afec92a1cb7f81e

    Download Submit

  • /data/data/com.carrybuild4/cache/txwpunphgcavnew
    Filesize

    448KB

    MD5

    251f5be95aad11c7a231d88b37b0154d

    SHA1

    6e694c35ff718a617e9999aae12a63711c8e7c1c

    SHA256

    09272d112558b22a70359becd2a292cb110b9e2f33202cb5cb491bd08c8bd6c2

    SHA512

    2f63110429eff2ac05d18f40d80ce26909f1071fc1bff75a1d1b2603b0b61a37794b7f2ba1da6d37000c1b20dd7c22881ac1c7adf201ce7523c6e6d37822558f

    Download Submit

  • /data/data/com.carrybuild4/kl.txt
    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

    Download Submit

  • /data/data/com.carrybuild4/kl.txt
    Filesize

    237B

    MD5

    fee067b1c1aec0d97fb44a785683b5f3

    SHA1

    ca2d7e5eab00107a29f2f221dd8276df350e39f6

    SHA256

    4240386cc03594b7cc631c33f5fe2a7e9c1e342dd4b0fa39d22ffbc57cda9482

    SHA512

    6f2e753807b9947216905af722f55c47f314e9477f9eabed31994af146b5d4e479b195cc7b2af24ac0607c8cf4bf2a0014b403f4f92de3d6b78e680e8760e894

    Download Submit

  • /data/data/com.carrybuild4/kl.txt
    Filesize

    54B

    MD5

    631856e78e90087d2aa3821bd56a66d3

    SHA1

    1104596960bfbcdd2cf5bdb5e7e4110e742732fd

    SHA256

    8050780fce25d109e63281eabf2b2355a2ab40cbaeb70a28ad14722febc2ef21

    SHA512

    7e03485cf90e7c2a6b5be605f96850a477a5a1f5735f304574dbfffe8bdc3822117d00b8b68ead99e21f0aa47d61e31261086f4d2202f1ace15375ccbdf9d905

    Download Submit

  • /data/data/com.carrybuild4/kl.txt
    Filesize

    63B

    MD5

    fffa5d25c7619dc1a863d66bfd3eba13

    SHA1

    603eaa27ee62a4046de3d14d6992bb5bc7c985e0

    SHA256

    af34ee19e83a05220c13715ee1841047884fe5d7f5e1197d88f03a6bd289abb0

    SHA512

    f14739a089c27249941e96d4dfcd5b61dd6b2806fe54cffc7f2c6d1b3d4f56f60827db837d73ba3189adbf8a2c5d1b01237da3df123d16bd3fe0648cbe85835a

    Download Submit

  • /data/data/com.carrybuild4/kl.txt
    Filesize

    437B

    MD5

    3f57f04e269561b76c3d54d98cfbe729

    SHA1

    871e75d3b5a259147fff4151c5214f1bb1eed4a6

    SHA256

    20c5edd0712517ea513562394e8b3276a141f4f1aa278e502a1ffac59064d693

    SHA512

    a4863a75a2c93f98aa2a8e593c5e9b14a72ba17ccfb0e1ba09f4efadee5dd17c9c1af09db4c162e7350f008a7952e4ca2418ca9224b088a0b0764f5a14925139

    Download Submit

  • /data/user/0/com.carrybuild4/app_DynamicOptDex/UtCj.json
    Filesize

    5KB

    MD5

    8f1f2f6b45f9369e93ac5b44769ee061

    SHA1

    0f743529c007b0539a85e3fbba737f28a960d9b1

    SHA256

    fb06246892d73af62075cf4fbc461af5e77970398b885f3a7af0e71c714460e9

    SHA512

    3d5ba9626c7884e18e4c900b0d40f9ce23312d569b900068de205e684d3839b121c23f6b45796995b81900bd4f3658f8021867f35c4f2e85a6ed6cbe32b1302b

    Download Submit

  • /data/user/0/com.carrybuild4/app_DynamicOptDex/UtCj.json
    Filesize

    5KB

    MD5

    11a3b3fc2b85c30bdeb8ce89f5b2d568

    SHA1

    1fc9f3d1ae372011bcc2303d2de88630965b1535

    SHA256

    0811480d39d338a846fee5db302b07d598edec4ea9ef4c2a361d181299172649

    SHA512

    53490fd84c941e88c140cf0baf146322b943e8aff003e389840938c4146cabb06061daa3c9aa5687418bc52dea0ed2453d746069363f90f1947ac04dd836b3c4

    Download Submit