Overview

overview

10

Static

static

6

212491ce40...22.apk

android-9-x86

10

212491ce40...22.apk

android-10-x64

7

Analysis

  • max time kernel
    140s
  • max time network
    137s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    24-11-2024 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    212491ce406b81c68c0c4e18e093205313d8a43491d1303933833f386e969422.apk

  • Size

    4.7MB

  • MD5

    9c911b5309414db759543c9b0fdf8699

  • SHA1

    f2e32f4596aa8f2675c6283be1dd3f6397dbedc5

  • SHA256

    212491ce406b81c68c0c4e18e093205313d8a43491d1303933833f386e969422

  • SHA512

    99c4de7a4f8892f3f53a97ff44f7abe52befb3876f62d1bd18339661e71943b97a905684af641709244527b347773eb85f6bdbb30a60047fa0bbd4d17d420e8f

  • SSDEEP

    98304:Y2gFU1HCjKJiCaByHYFMtVS8knFlGxQq/6kINw09N8/fGC5QXsDK9McjM5xLBtcW:Y2gFU8FqWEVS8kneDyrNCfngDjMfc1bc

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

octo

C2

https://94b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b641390330721556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92146d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92156d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://994b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/
rc4.plain

Extracted

Family

octo

C2

https://94b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b641390330721556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92146d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92156d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://994b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://74b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/
DES_key
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 5 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.stoodmight8
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4396
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.stoodmight8/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.stoodmight8/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4421

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Network Configuration Discovery

4
T1422

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.stoodmight8/app_dex/classes.dex
    Filesize

    3KB

    MD5

    fae425dc7aaede6ad37c847598df21aa

    SHA1

    0a0a7bb0be6a4e9961d71b26ccc58b260c99efa3

    SHA256

    86c334c10d0e0fa9431b60c2b827973cc48d82646e9c852dba8a45fec675df0c

    SHA512

    e195d5c92acd2a9ac92507b50fd4c92cec93ba9458933752178455ae7dfa1aa9a1e24e455edc70d2294ff62f9b3a94a3eee7169a283344d318c60029cffc6844

    Download Submit

  • /data/data/com.stoodmight8/cache/classes.dex
    Filesize

    1KB

    MD5

    0a178c2f4bd0d111ccc489673a274286

    SHA1

    7d27fc5792c304b070bdfd04debc09f9f24f3bb4

    SHA256

    645754fc0a1c9cd9372ae54309a0534dda552e66fc3afe355bd52e2293f95f68

    SHA512

    cf6338b6238bc0780fefbd0bf995b18c02e8e21e7223692a3609bcb8e7b10e3afa2685fa5990e1e8e2f216db108d474c6498560a387dd79d8bdcf9bd4744142c

    Download Submit

  • /data/data/com.stoodmight8/cache/classes.zip
    Filesize

    1KB

    MD5

    ba79e3badcddb01637d082250a7dc74e

    SHA1

    d511cfaa770371591bad09bde0cc8fb6b1aa29de

    SHA256

    4645a761db0771e0d0d769ca75f84cfd1423431f594cece3889a4ba864cafa5a

    SHA512

    ab3a350f7c66ca9bf135f445e3e9deec4fc471da00a23962e519e45c0e452fec28db523f402af6a2d163dbcfd5c5fe736234bf9186b5f011303b52ecb3e55396

    Download Submit

  • /data/data/com.stoodmight8/cache/etyyuklvhaisv
    Filesize

    1.4MB

    MD5

    104fc8b80e243fdc97eb07583eab2943

    SHA1

    c4b1f8c4047e80bc3cf416c0bd6c70b6efa302d3

    SHA256

    aaddb753f6272588f3deafaf996c990965994ca37590b4fab30149e11031b467

    SHA512

    32269dfedcffe19f331da2f804dd6d76a601e803dd4272677afa33a34707e775b0ed127fac3523f39144750f54c9e5a1b68d10eab1b2d0025f6f845859f97c94

    Download Submit

  • /data/data/com.stoodmight8/cache/oat/etyyuklvhaisv.cur.prof
    Filesize

    509B

    MD5

    98f671be4a9ea0299829cd6b39df2fce

    SHA1

    f6c77ef552d5d39ff5465e4477f3c260137c6c40

    SHA256

    3c2fc554716ad02b8a02106b827905b72f837a76b326ee8959884cdc20d029c2

    SHA512

    918a2049f3c354da8db18a8010874c5a965e394afc91c8460f9b13ce919a9a33221c9e01cd2401c2aed7ba8b71ed902cfe84f288f4a78d25cfc8e2e1b97b46cf

    Download Submit

  • /data/user/0/com.stoodmight8/app_dex/classes.dex
    Filesize

    3KB

    MD5

    b6e9ec14cc9125004f88d7dfad8a3aa7

    SHA1

    4beaff00f9d6c83a98d19afc563862c7ad0d9ff1

    SHA256

    61266402eb57f0efd99a2794630fbc812f88c59a8ce84951abadc0a3b361ec71

    SHA512

    f17067e56d71560d952a87319ba831c51cdef003ba6bf6ac9a1408eb176926bfcb32c6eaa28ee5db805f590ef63786c41a8fbad043f318df82c298e332f12185

    Download Submit