Overview

overview

10

Static

static

6

117101d135...76.apk

android-9-x86

10

117101d135...76.apk

android-10-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    25-11-2024 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    117101d135b6c86d733d07b3c7f7acf11ab4048e6c1d9437777301f85e29bd76.apk

  • Size

    4.7MB

  • MD5

    99968e13662d3b71e2100be41ba12e51

  • SHA1

    d949eceb7d63169dbeccb0f50a2fdda2dfc671f9

  • SHA256

    117101d135b6c86d733d07b3c7f7acf11ab4048e6c1d9437777301f85e29bd76

  • SHA512

    e2ebc209e8d22cce33736877b0687764e0f2feade2c2eb8021b747b5f8670330cbba228fc14ee0c90f71bcdaaaef2ab427accf53999d3725962b330bb02f2b25

  • SSDEEP

    98304:lQmC7E8S3X7EFZyCoeHXU51YQTm77BGTN8QRAdJEaqK0vowqYJxIkWVnyU9PnqZs:mmC7nS3X7EFb7uCE+YTN3AmNvowTJx8J

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

octo

C2

https://94b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b641390330721556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92146d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92156d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://994b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/
rc4.plain

Extracted

Family

octo

C2

https://94b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b641390330721556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://94b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92146d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://694b64c9b41c17a229d92156d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://994b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://4394b64c9b41c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/

https://74b6c9bebf541c17a229d921556d14a4ffd4.com/MWZjODg0YjhhMWVi/
DES_key
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 5 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.inoftenljby
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4275
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.inoftenljby/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.inoftenljby/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4299

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Network Configuration Discovery

4
T1422

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.inoftenljby/app_dex/classes.dex
    Filesize

    3KB

    MD5

    097714133606e1cd6e6db1c1e4eab4b8

    SHA1

    9878f217f67952220fa609c03276f4cfbc21cc14

    SHA256

    c945a16d2b001fdd92573a377769305f2390ffa112685406ccdce23eac3d79d4

    SHA512

    970d1605329cedb3de6fb72a7e1751168ffe3bbce82fc299a49e3662f9e0cc340eb4f9131c5a2ddd7cce31cff528c3a8a104885c540612269b0a76cb22aaad5f

    Download Submit

  • /data/data/com.inoftenljby/cache/classes.dex
    Filesize

    1KB

    MD5

    04d8a756d9fd61cc96043208d34c6593

    SHA1

    903a3b5060ee94f7d72b263733875586b2380ea9

    SHA256

    3ac6b1972819ec4659327bda88b5c48376cfdb8e15b11f1768f2f8f4af47dd58

    SHA512

    46c1d7ab6e81fe56f7e7d7edd8017b8cbacd008655e0642a0ad663150b2e445505821f010b0c74a02bd2e027e4af17c3389af3ed0c114c611d8b904750d1bf20

    Download Submit

  • /data/data/com.inoftenljby/cache/classes.zip
    Filesize

    1KB

    MD5

    39c72b44174a40e93ae19b627d0ef90e

    SHA1

    40e9c2416672574cc072916636fda3ec04f33a6d

    SHA256

    87bb8884c2b94d726a0ae4e4ef3721d8d47685d731ae13f4fcaa263e35d35eed

    SHA512

    84b64b18cba0b37c341a8eb2a6a314a64bbeb3b789f6dcdae308e14fb6e089bbf57e7f5245e41c416feaac3a5a5dd5f2c97091ff0a351b49e429eaa319cfee78

    Download Submit

  • /data/data/com.inoftenljby/cache/oat/vskqmoh.cur.prof
    Filesize

    495B

    MD5

    39735c7134e3fc4a0026c45cc55699a0

    SHA1

    879c72aeb649c11a53e5dc4ffd47e2a151079a87

    SHA256

    0fecdcef468d87248249105cbf0dcd066aa4147ef70f9883b9656fc71172f020

    SHA512

    907cd51c400561002a2ebc0180c747df26d4360f3fefe9791700c19858bf8ad6fde2fe6a6d4fff6eb25fbb5afe4a2e80695db890727b7ed249bf61e901685d37

    Download Submit

  • /data/data/com.inoftenljby/cache/vskqmoh
    Filesize

    1.4MB

    MD5

    543f4af73d7ffe245a153604ae9b7698

    SHA1

    378b24a54ae8e6c0045c3730d984139146763c2b

    SHA256

    0fd48d8cfd99e8f2e9d5ff00922ec2705db9c267e539fa1095382b714cf724bc

    SHA512

    2d4e90ee060222030217bdd0bdde0c3c57675c8a9388c74c2033dbb2f318c3d7450083217cb8ae44c14582abc60e58302509b79c24d1436af7f70c9f3e2470de

    Download Submit

  • /data/user/0/com.inoftenljby/app_dex/classes.dex
    Filesize

    3KB

    MD5

    d518c92e50e6177dc7f388f6b4f18cc8

    SHA1

    fc087d45ad375a8c5025d566d1a190c958f2b9ec

    SHA256

    4960fb8944be2e0b555fd7d78a589fdc87570b9dafaa653882bddc0d2c77b4aa

    SHA512

    569f430401aa356b5514d77c4ac51ae7b279737b162b2527fd8967e3a4eacce0069c9450f0a456ad9426ee977bdf5510358356df852d97281a7fff2c70a90b1f

    Download Submit