Analysis

  • max time kernel
    149s
  • max time network
    134s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    23-11-2024 11:00

General

  • Target

    8734504205b5cdf1ea4c0e2d62a0dcf8500dc73f.apk

  • Size

    1.8MB

  • MD5

    f8f55308787894637f25d60b36f9cd85

  • SHA1

    8734504205b5cdf1ea4c0e2d62a0dcf8500dc73f

  • SHA256

    a740e47017159d8907da0d9752479ee28e7246104e6332a6f654ccaf846366d9

  • SHA512

    051d35251a63e0d11b84f45da8fb41e2a7f6c28564ff8b1401d4615bc6976d8694db6ebdcae7c665eb2dd4ad6acc2b6cdb7fe6073d5cde62e883cb3401a0e7a8

  • SSDEEP

    49152:7Nq2/4HF0X8HT5P4wOamxUGpeatOlvGkJ6g6ZX7Xq:BqHF0X81PPOnOGptkM0

Malware Config

Extracted

Family

octo

C2


rc4.plain

Extracted

Family

octo

C2


AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.underonlyipt (PID: 4435)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/com.underonlyipt/app_DynamicOptDex/DQg.json

    Filesize

    2KB

    MD5

    7e81aa11ee3a4bd55e349c456dbcf945

    SHA1

    e5c839c470dcbf216a6f0a724e0790b37cd7c9eb

    SHA256

    f29d4025ec6b0fcc27108a4ea2f2ce2042dad83ff86951fc95cfc27990517e8e

    SHA512

    2c6b668d54b387f3bcf6116eed93c64821366fd505975061fb096e4c97cf66d9f965fced7175a16835b60e6dca318f5e8ffb37c6b9e069c8052d686dadb5a38c

  • /data/user/0/com.underonlyipt/app_DynamicOptDex/DQg.json

    Filesize

    2KB

    MD5

    9b5465d55f1f563fb8da0a3788bd372e

    SHA1

    b8e4735c9a13194f0f79b161cb69a2433f0a7b06

    SHA256

    cd9ec8232db8bae9d7730dde4615997b6d062846e0461cb19f6a35c17e1b0d40

    SHA512

    30337a04d7489b5c849bf6e826f037a997d4596a8a892df2795bc5d8bd186beb441d7c770f08263ca07fde3bcc9157f8264ac2cccfb3d9c51ae8e8be8c752c47

  • /data/user/0/com.underonlyipt/app_DynamicOptDex/DQg.json

    Filesize

    6KB

    MD5

    392d3a7dd4bdabc1d11a5d1706682c0c

    SHA1

    d4f1145c05f25f820fe577418eb1c6e77f70b50a

    SHA256

    f24e8e583bc29586541200403227961fe218bf7b3a992049ee254e9553d74b89

    SHA512

    616c0efc733c0d47ef63429f2e95db605da70ec49d96204df4196a52931a1ed707ec77fd22e77cde8a55b2cb877b7bb671bd59804adfa258a421f477ab10aaeb

  • /data/user/0/com.underonlyipt/cache/adebqcl

    Filesize

    449KB

    MD5

    5b9369862cb950593943886e0cafb9d9

    SHA1

    cc5f9e9d48656aab49b7798ad69777893ed4ba1c

    SHA256

    6dfe0b14edd51eed690a582599e93393962d1b9a365510c823e875d9ba117eb9

    SHA512

    e641849f91e125187584205e7e30fbfc4153762693ad2ae810d6bbc563ff2e0e960b4b04f35a51e4f058a480b66d82a0e39ae8af97c200a829582784a3263479

  • /data/user/0/com.underonlyipt/cache/oat/adebqcl.cur.prof

    Filesize

    309B

    MD5

    46ee3383a45b8dce39054fc020da6397

    SHA1

    684bc47a62bad1004dc2bc7678927426b4fe3749

    SHA256

    bf8846bf85a00130e7760807c944dbc9b5b676fe7d569521484361afd009ab9c

    SHA512

    6c376477de5521ccc8a68e8ecb61f4ecec9ee6f2b61c9268cf15cab0eae9eea9f6d378d3aaf88c6f66cc9a93ff8f58c9a98603ae3dcdcf252edebc8d8e9d6c3a