Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    24-11-2024 22:01

General

  • Target

    98f3784104fe89747c4a37f68abbe9f1c0c27736307c0715b45354e652b0c3c9.apk

  • Size

    2.4MB

  • MD5

    c9800089692a8241a6bf867c9208dc29

  • SHA1

    2ce522e48a6e77f3c0829e8ee35518b08649ba5a

  • SHA256

    98f3784104fe89747c4a37f68abbe9f1c0c27736307c0715b45354e652b0c3c9

  • SHA512

    5c57d481724e8f6cc208c59fca50640adcba8090f7dd0d59e53af1ca8fe6ed7c1424c2b42a37c509a3ac74fb9e878824f45bd083175955e74ac660b99bbcb875

  • SSDEEP

    49152:35vvgEJQoEWgVl+u0PycdVTE7crFYC6RjUnx0OGDwcKLU04/PymZ:3xC1rUu0Py+TEYraCcM1Gs4/V

Malware Config

Extracted

Family

octo

C2

https://sunshinexy.top/YTZhZjliODdlYTI4/

https://rainbowpz.top/YTZhZjliODdlYTI4/

https://dreamerql.top/YTZhZjliODdlYTI4/

https://butterflyjw.top/YTZhZjliODdlYTI4/

https://fireworksmn.top/YTZhZjliODdlYTI4/

https://starlightfb.top/YTZhZjliODdlYTI4/

https://oceanicrl.top/YTZhZjliODdlYTI4/

https://freedomgz.top/YTZhZjliODdlYTI4/

https://harmonytk.top/YTZhZjliODdlYTI4/

https://mountainwb.top/YTZhZjliODdlYTI4/

https://whisperjq.top/YTZhZjliODdlYTI4/

https://velocitypw.top/YTZhZjliODdlYTI4/

https://twilightxz.top/YTZhZjliODdlYTI4/

https://adventureht.top/YTZhZjliODdlYTI4/

https://serenityzc.top/YTZhZjliODdlYTI4/

https://mysticgk.top/YTZhZjliODdlYTI4/

https://galaxyud.top/YTZhZjliODdlYTI4/

https://sapphireqv.top/YTZhZjliODdlYTI4/

https://crystalhr.top/YTZhZjliODdlYTI4/

https://twinklels.top/YTZhZjliODdlYTI4/

rc4.plain

Extracted

Family

octo

C2

https://sunshinexy.top/YTZhZjliODdlYTI4/

https://rainbowpz.top/YTZhZjliODdlYTI4/

https://dreamerql.top/YTZhZjliODdlYTI4/

https://butterflyjw.top/YTZhZjliODdlYTI4/

https://fireworksmn.top/YTZhZjliODdlYTI4/

https://starlightfb.top/YTZhZjliODdlYTI4/

https://oceanicrl.top/YTZhZjliODdlYTI4/

https://freedomgz.top/YTZhZjliODdlYTI4/

https://harmonytk.top/YTZhZjliODdlYTI4/

https://mountainwb.top/YTZhZjliODdlYTI4/

https://whisperjq.top/YTZhZjliODdlYTI4/

https://velocitypw.top/YTZhZjliODdlYTI4/

https://twilightxz.top/YTZhZjliODdlYTI4/

https://adventureht.top/YTZhZjliODdlYTI4/

https://serenityzc.top/YTZhZjliODdlYTI4/

https://mysticgk.top/YTZhZjliODdlYTI4/

https://galaxyud.top/YTZhZjliODdlYTI4/

https://sapphireqv.top/YTZhZjliODdlYTI4/

https://crystalhr.top/YTZhZjliODdlYTI4/

https://twinklels.top/YTZhZjliODdlYTI4/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.sgakagak.agakagabs
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4256
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sgakagak.agakagabs/app_begin/kNU.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.sgakagak.agakagabs/app_begin/oat/x86/kNU.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4280

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.sgakagak.agakagabs/.qcom.sgakagak.agakagabs

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.sgakagak.agakagabs/app_begin/kNU.json

    Filesize

    152KB

    MD5

    ffab2a4eee9c1591f7a6ad00810fef9d

    SHA1

    acdb7a68792216bc654cb66f0c79668a1dfe4ede

    SHA256

    bc17c3e5d1890f7316e4e2bb18b1932ed7e76778edb3e20e4b0f8bd0237310ef

    SHA512

    010179537009c492c8c1e8a360fd0e8ad8d52fe476b3f11e463934ae638339d9d071d7a8c78902d2836e58bdda6f82a32fb814e7e5becf2107972b86b3965074

  • /data/data/com.sgakagak.agakagabs/app_begin/kNU.json

    Filesize

    152KB

    MD5

    54ed30f28c7e436d61ee7b3d7d92ccd4

    SHA1

    636533dd58d37b9671bc0c5776902c6780ec7837

    SHA256

    afcd72cc8160657a0f587a378d4ff165a37b1580c44056d2c77f6a88fe877857

    SHA512

    0e739b0d49d68ac5c4ded1e2f79cc91b5a4df115e2474a00d5f2c95bb61a71a9f65b057266b999aad2b8cd4c01ae16758d218ecf287814bc46d21dc107d1b586

  • /data/data/com.sgakagak.agakagabs/kl.txt

    Filesize

    63B

    MD5

    b56f01e7cbb7cd4a9117347dd8f694ae

    SHA1

    15cbb7e6e50256bedca335c674a0fc63f4a36b26

    SHA256

    81b383e2c87a1bb171cd038e63dfceff7ff0c26ceb7aa3c077b797674b5223fb

    SHA512

    22a5f173fafccda9b94444e85cc8f32d3deb3567ebc018b21112b2b8b3740a4860b1ee7620c40b9b949fa675ca88a2b57145e56bea72777399aa0d26adddf432

  • /data/data/com.sgakagak.agakagabs/kl.txt

    Filesize

    423B

    MD5

    d259eae09ccc965f39a1041d2f7b2c32

    SHA1

    565d8b7472941b04064cf55452c44a1254435a9d

    SHA256

    4fa202c439fa80842b876b39cece283e8d84e5ac1b21387a26639d9743120ebf

    SHA512

    4ed6c9040aeb2b325cb53ce045f68862d10c90be72708ab0a31dfe9a456dbe6f57fa4d643f20c08f5bdb323001223878d7b4e6a877fec4d0df0c2580da71af97

  • /data/data/com.sgakagak.agakagabs/kl.txt

    Filesize

    230B

    MD5

    e59b145e54fae3e873b3f281dfe1f5dd

    SHA1

    cb0e4bd46fc7f43fd7591f3dedd11123a5b40d58

    SHA256

    cd3ee0618d499399d53672ed28f96db89e2dc83635060e60cfa77b6b4ef6155f

    SHA512

    357b3aab5f5acbbe195a17f79e715d6c3c817ee9b737377c98e6d6aaf8f8f60dcb3e30285a68cd3a858c987b79a207d8cd35daa81fdc2b5491eed2aa9f582001

  • /data/data/com.sgakagak.agakagabs/kl.txt

    Filesize

    63B

    MD5

    0ece26832342c35ecc92c50843a9d877

    SHA1

    5cf4e923b8785c9e53a74411e4e0dd0bff847511

    SHA256

    4755d15ab26b875c5bcd7571e5a30c045e64932702537a2dd0c469f45b52c1ab

    SHA512

    5e67faaf6e5d5c3798a73124b83f6912f93e29104a8ec27084160fff01772120e679086560a3ad5b5458d2201adb2ce4f2eaa517510823337010c3e5163ea0fe

  • /data/data/com.sgakagak.agakagabs/kl.txt

    Filesize

    45B

    MD5

    8a2d3b4e2a256d65c7058e9cd6d68746

    SHA1

    37e9e3c494cd2d8f7a5b32757f51bac449292409

    SHA256

    24685ed737764adac7c2cc5e08c6f444ceaec7068c2245299cd9ba1081661acf

    SHA512

    d8cd91e8aa8a8c0a14daa15c512819e2ff5edfcb75c2dfabb5ceb48a358f8365918afbe548fdf5a1aee5de34c1a06e538fc90501068cb87e7aa5edacd3bc78b7

  • /data/user/0/com.sgakagak.agakagabs/app_begin/kNU.json

    Filesize

    450KB

    MD5

    448a8e166a33a6788af73e97563863c2

    SHA1

    9b229571c7eb3dd5f0d5c23347b2b0f9fdb593bf

    SHA256

    d6b1f349a78604f830bcb914c1b89f106a86fcf75360263e8df3b0f64ae31b06

    SHA512

    cc7f93ad1d3ed45cb06bab8117cdbcca9d7b717c2eda74e4e215817b34e8f0796d152b71177f8e2c93da07725dd1523c2438aefd89de98954ab9689cf17c94d2

  • /data/user/0/com.sgakagak.agakagabs/app_begin/kNU.json

    Filesize

    450KB

    MD5

    7134c26c8a18b484fb00e41293537369

    SHA1

    e4d41638dacf8167e2e6def1fbf760565149b6e8

    SHA256

    0ca3354ad7a7dc960353c41e1e335b902a063446b1bb532109794faaa66bd83e

    SHA512

    1a89ec54a98b786e9bf4e27882e670dcc2771180bf5696c59cb929933b3f19979ab003097491caaafbf439ba14f1601decdd0d415ca9121b09e1fea9486ca76a