Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64, arch:x64, arch:x86, image:android-33-x64-arm64-20240910-en, locale:en-us, os:android-13-x64, system
  • submitted
    25-11-2024 22:07

General

  • Target

    67395066972d0da17cedb8e587edd1acf45086ecad97c493ff3a6083e825cab4.apk

  • Size

    2.0MB

  • MD5

    4671deaf5b498168ed7a1d9a38a48870

  • SHA1

    4dec1f00d4cbb93ac4ca20d9988e07a95c72c40c

  • SHA256

    67395066972d0da17cedb8e587edd1acf45086ecad97c493ff3a6083e825cab4

  • SHA512

    ffad9211fd403f960753fedd256c455e76ba41e0306375dac6b75983ae9b691e6ff7be804599f25b972b79b45ddd6af04d849ae482b09d77e95da148a86989fa

  • SSDEEP

    49152:gTGnYpWKtoc/uid0YqpSXfhj34/Q+mEOsEv62LE3Mj0/oyLCyYnRJmXR2r1vQRm/:znYp1Oau60YqpAoIEgNLWoyGyYnGh2Zn

Malware Config

Extracted

Family

octo

C2

https://bunaseiranahui.top/ZmU2YzQ2NjZlNjc2/

https://lauytropopo.net/ZmU2YzQ2NjZlNjc2/

https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/

rc4.plain

Extracted

Family

octo

C2

https://bunaseiranahui.top/ZmU2YzQ2NjZlNjc2/

https://lauytropopo.net/ZmU2YzQ2NjZlNjc2/

https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload (1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 5 IoCs)

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Reads information about the phone network operator (1 TTP)
  • Requests access to notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  • Checks CPU information (2 TTPs, 1 IoC)
  • Checks memory information (2 TTPs, 1 IoC)

Processes

  • com.decidehundred2 (PID 4517)
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests access to notifications (often used to intercept notifications before users become aware)
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Uses Crypto APIs (might try to encrypt user data)
    • Checks CPU information
    • Checks memory information

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/com.decidehundred2/app_DynamicOptDex/FPJ.json

    Filesize

    1KB

    MD5

    03e35597d5813ca929d5da337c930173

    SHA1

    d2ec456ea556d80a59a9d0ba3879c6857fa4a5c3

    SHA256

    f86b9b496e719df5c5bbeb9141aad8d628c6f9cb8bb1f721c635bfaedd13ba2b

    SHA512

    7fe355a7915325b45c851e82ba7c82fa364d04e73815184d10ddc70f16ccdc5e4b930137e1d839aed6b8e4661cc01455e17ddf347b8a65a0461adf51c8e1aef6

  • /data/user/0/com.decidehundred2/app_DynamicOptDex/FPJ.json

    Filesize

    1KB

    MD5

    5332b91e7346cd1c6636ad10e2641000

    SHA1

    e58a68e63832609b86d0a3802880625ce341e24f

    SHA256

    75d9165625912005d0efc0c624c32a8c10e9ceef27fba4e275c2be136baa8fc4

    SHA512

    b8cedcc0748b7dd17c4b775141c3aa79571af6220846ebc5b73006b4416793b46a569e39cd91e4503a788ed613cb19b17f562949196f08576deb403ee35d725c

  • /data/user/0/com.decidehundred2/app_DynamicOptDex/FPJ.json

    Filesize

    2KB

    MD5

    6b57f0c1dc2f26587de7a5c86abc0f5c

    SHA1

    013181a0a8b3bf638e89d19c8e5841319de177e6

    SHA256

    ed17830e8fc9b4f65379a534733f947862ce110a7609c813c82d56f6f696d01d

    SHA512

    c5b91013b3ff2d8bd0b764ca10308252e8e907eaa2e16f65a8d5e0a65cafbe139c826b5883dc8b172ae43f64dcf24805b3de59239137308a4b262f4515f9fbd8

  • /data/user/0/com.decidehundred2/cache/oat/zhxkcsiqkhfvf.cur.prof

    Filesize

    404B

    MD5

    ebd0cb66e4caaceeb9e769f4cf220e5a

    SHA1

    6081ff6718c1e7270f6395248fbf0da327bf53fd

    SHA256

    4c6d22efc6f3b814bd3a92589d5d464f8a6f8bbc86f0e501ea67a94b1dac33b6

    SHA512

    39a5b0caccf489d153af5e82c059cd9bdb9fffe94646dff58925d15d2464f23a5258f80a5ba4e07b48a3cdc67bc9fc4d4365666112567f95b6b2aa740d046556

  • /data/user/0/com.decidehundred2/cache/zhxkcsiqkhfvf

    Filesize

    449KB

    MD5

    8ce2b5ea03883011ffdd8ef53fb4ab20

    SHA1

    d0ea0488924eed67cda20a0d275c44b9d054f99e

    SHA256

    b4276c301751e1a398c5f64fe1f48401c0e7f483e0cc99a6752fcd1c6d26f681

    SHA512

    c1229d099d0101e9519eb1f2ea17f5687b866a59f99c60cb282ca84c01be4e70d8f29090d1446c72d2b4a0c484125050d9afdd60fcbc5b10e2b4d7c703586f08

  • /data/user/0/com.decidehundred2/kl.txt

    Filesize

    54B

    MD5

    c7d2cff4f4aa625782ccd1ec720ff5c0

    SHA1

    1b6794407b89b0bf98f25d1e2e48185ad3fb4bcc

    SHA256

    5a7771fed93fc682b5e9f551fa1f3f717bef202331c6112e57ace4567bfff969

    SHA512

    ab211cb094b995f08edb962e6cf441a14d9368d6eea418c5c9b7b08d35b567b8b70ea5363a61e5e0897eef781747fe3bbce0f97c50044b1c1cb1544b8ff31280

  • /data/user/0/com.decidehundred2/kl.txt

    Filesize

    76B

    MD5

    945a2c4f08ac6168112f5c8756fd5334

    SHA1

    d8fa8c97391da7fa6f1e22b90132839234eb0403

    SHA256

    fa86c909622bb4328ee933e843b812941e07632d13fde1bac93a4d90f8f1fc50

    SHA512

    cfa7ef9a9d33c4bc8e5bbdccc24b81b0c5f565c5181e828f5c57ea8d230d6b3bdc61f679b6f105f18175bf3e40635b7bf2dd9f9b2718d97b58f4722863073f53

  • /data/user/0/com.decidehundred2/kl.txt

    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/user/0/com.decidehundred2/kl.txt

    Filesize

    221B

    MD5

    f32bac3c8532f4b731b731ad6edacc6e

    SHA1

    257db05c447bc52985b8c529c4fe22661f8d6bc1

    SHA256

    eec9928982887581dd8f87de626310c8d5d7b43e817bba4d122b4f6a120d8628

    SHA512

    917b1da7bfc7ce6f730cd3ee2789b8af138e0210d3516db851c28d7351af6a9a95447122992fe099e8e4e1f2e497707266f129998d8ec748bd0c668bce56f15d

  • /data/user/0/com.decidehundred2/kl.txt

    Filesize

    64B

    MD5

    fb672e9ee0ab4d470463799cba6aa4b9

    SHA1

    0bc62e6f3f1161d17aeb1e379a1f3404ae1a9693

    SHA256

    67fde0ece7db3bb39bdebada14d5256a4f3863a7417d841d30ae6d60467dfad2

    SHA512

    c2621d111f13caf821df764a534c388cb3c386000c87f0a4110e5a425e66b6d3bed7f4ed5727db621660017aee7fdb8c3bc5ca89b1fa21a624f4615b7266fb48