Overview

overview

10

Static

static

6

66b9c7721f...e4.apk

android-9-x86

10

66b9c7721f...e4.apk

android-11-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    162s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    25-11-2024 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    66b9c7721f219ec48312d8b02db8b68c4d4129f5724a93d27d73bf0c7cf34be4.apk

  • Size

    4.7MB

  • MD5

    04a296d15ee7d9434fbcb2df8a910dad

  • SHA1

    b3efab1601128434efd1f5800aa0e967c64ae7df

  • SHA256

    66b9c7721f219ec48312d8b02db8b68c4d4129f5724a93d27d73bf0c7cf34be4

  • SHA512

    6ce3b1c5f7273c75e547e60c06cfe5631a93ae9fc74df27258a5405c1633f5e5c18a27e99b974edbb1f4d33c3a46eec3176007f9c67cefbed485600ac500e76a

  • SSDEEP

    98304:GW7XALqwKZH2vCHMCh+2TfJmGRgxBDkS/gGxA/FRJd7OPL3Nb8I8y:RcxKZH2vCHMCM4gbDkVP/FHtOj3R8I7

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

octo

C2

https://94b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b641390330721556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92146d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92156d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://994b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/
rc4.plain

Extracted

Family

octo

C2

https://94b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b641390330721556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92146d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92156d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://994b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://74b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/
DES_key
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 5 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.bookjust7
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4272
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bookjust7/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.bookjust7/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4298

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Network Configuration Discovery

3
T1422

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.bookjust7/app_dex/classes.dex
    Filesize

    3KB

    MD5

    69192bf18834f87f0e2cf876a7422357

    SHA1

    4551783d3b735c138ad67cb040b34ea38d3721ad

    SHA256

    da8c08ef5847e9597904af73e61472781f5d92e0866abfe1d89342a58e98c1ac

    SHA512

    157ae1ce6ca44db2e4cf1386d7716baba60d8ad566e32bf48370057eeaa29e14384ad38331334b624d08a7643393f868eacb545f0130f2f5d527ef3ccaae5db7

    Download Submit

  • /data/data/com.bookjust7/cache/classes.dex
    Filesize

    1KB

    MD5

    37b331af9f0b7823c157a8c62da1995c

    SHA1

    38aee8856b2287ca261830e0a92243b5d7b68f8c

    SHA256

    feee67d2f3a59a6e7c8516c3ec81d424ca0fc1af15c0d8f5595a6645c6d65fff

    SHA512

    2a8ea26b6c4f6df557021c5270c0eef6dac647e285e38f03ac2c834e95a1020fefb2b9f852f9c8a5a30d241b670438442440ca68fd2f700962bdb207687daec1

    Download Submit

  • /data/data/com.bookjust7/cache/classes.zip
    Filesize

    1KB

    MD5

    71479d237b1ca017d27c7c72eea49119

    SHA1

    9ea740364667ec726f9abec628fca66a8bdd593a

    SHA256

    636a6a48f5c4e2fee45b945f49096a336fdd0f207b623d301af3544f84d45d07

    SHA512

    a2db0620f40ba9d75dd2faa00210a32de51640b500dca7ef41d30f14e96348d62d571f9b148946724f9ff300ead7ecaa05a5d2477ba991f6f826ff81499fa5f3

    Download Submit

  • /data/data/com.bookjust7/cache/oat/srbjrxznjcjv.cur.prof
    Filesize

    422B

    MD5

    75816f5a79bb01a154dd5afb71a6e64d

    SHA1

    b3d4c67f545cf306441610eb89a64c16ddcfb019

    SHA256

    004b7810c03877c71c9e02596e93c4596077bca0279b8babbba9b8704bd5470e

    SHA512

    6974cfad51da8c55954ab88f67527433a2986d755cddb3f649037fedd97db0c2aa94205dd58c1cac5bc838a0c844ba8d98802d30eeb2e73c858649b0ed831b6d

    Download Submit

  • /data/data/com.bookjust7/cache/srbjrxznjcjv
    Filesize

    1.4MB

    MD5

    012e4e7b2c7cfbc183c648f3c2fbbae2

    SHA1

    6d7cb419e18fe321b67c3a9cdef67f885421e50d

    SHA256

    45439725b62c64ee4b312ab5c4b062ba7a2882d4d9be7a44a1dfd1f63465d04f

    SHA512

    cdc7e4877917748281a17abaafe8dd2f5585e3a0ffcaa65e3f22d91f777227b34e5399e75cee2226736a0b56ca52b2deb1248b7177d645d96b4b9e137a6b7e30

    Download Submit

  • /data/user/0/com.bookjust7/app_dex/classes.dex
    Filesize

    3KB

    MD5

    bd5e894ed3712a5e41839d9deb9ec5e5

    SHA1

    354fbf2e35c8c586dd8d316fb1e36c02ab11a194

    SHA256

    5c1661ca8b843012db8cf5f2adbd5c6f97c8eff28a67885301d3e314ae31d857

    SHA512

    896070bfd7796a52e5ac3e7abbf29779cc9142463a60fc12243ef3dcd114eebab4657722d96b743c8c094ac84e0b8ef3c5d7164704989a531c58f20e4935a15d

    Download Submit