Analysis

  • max time kernel
    29s
  • max time network
    35s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    25-11-2024 12:26

General

  • Target

    4d3c48d83b2a979a01385238c10c0fbce4b876aed0069f4d7ac89f5ae4b5e066.apk

  • Size

    4.5MB

  • MD5

    1d8378b553666920dec9c42d1d57ff91

  • SHA1

    a51ed9f8ad05054e638bf3dc9413cbef8f2097d5

  • SHA256

    4d3c48d83b2a979a01385238c10c0fbce4b876aed0069f4d7ac89f5ae4b5e066

  • SHA512

    e4e4abf4828ec44e3de9ba94c1befe9a13bd170e3db192ad6c789c3ef2c5e2039419ff5bf83df11caf976f6b894c985ea51df08e26e8770416854983f37ad200

  • SSDEEP

    98304:V30nCLLStMhOCIzWmNPKERulxpKAM8jSzs8yqtEQOr5YW/fzQcVI:V3WCqtMhOkmlK0urpV8yYOyArQf

Malware Config

Extracted

Family

octo

C2

https://equisdeperson.space/MDI0ODlhNzAxYzg2/

https://rigorichbroker.com/MDI0ODlhNzAxYzg2/

https://personification.top/MDI0ODlhNzAxYzg2/

rc4.plain

Extracted

Family

octo

C2

https://equisdeperson.space/MDI0ODlhNzAxYzg2/

https://rigorichbroker.com/MDI0ODlhNzAxYzg2/

https://personification.top/MDI0ODlhNzAxYzg2/

AES_key
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 7 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.landeasttu
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4250
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.landeasttu/IewdUUjUff/ukfgGh69fGG6fTh/base.apk.ifuyFHt1.IIU --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.landeasttu/IewdUUjUff/ukfgGh69fGG6fTh/oat/x86/base.apk.ifuyFHt1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4280
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.landeasttu/app_ded/XZonAUbNkwdQKubjq8BaH9IRAXmyD20y.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.landeasttu/app_ded/oat/x86/XZonAUbNkwdQKubjq8BaH9IRAXmyD20y.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4306
    • rm -r/data/user/0/com.landeasttu/app_ded/oat/x86/XZonAUbNkwdQKubjq8BaH9IRAXmyD20y.odex
      2⤵
      PID:4332
    • rm -r/data/user/0/com.landeasttu/app_ded/oat/x86/XZonAUbNkwdQKubjq8BaH9IRAXmyD20y.vdex
      2⤵
      PID:4345
    • rm -r/data/user/0/com.landeasttu/app_ded/XZonAUbNkwdQKubjq8BaH9IRAXmyD20y.dex
      2⤵
      PID:4363

Network

MITRE ATT&CK Mobile v15


Downloads

        • /data/data/com.landeasttu/IewdUUjUff/ukfgGh69fGG6fTh/tmp-base.apk.ifuyFHt8398081816682622906.IIU

          Filesize

          19KB

          MD5

          664602ddb544a7f9eae76eb6964e564b

          SHA1

          ea53c29657bf27e3124550725a5b7d8ea8ca578e

          SHA256

          ea8976350c82e6fad26b1a632dd0823efc0cd80e690615704af3d03f24b135fc

          SHA512

          9da16baa77ac49c80ed3f57701a1433dd5d252c4eaf532386b74011d3b9e96b3a94c2a1d3a92cd650d396bfeb34d4c419b82bbda506016dc8756e9d3cd05135a

        • /data/data/com.landeasttu/app_ded/XZonAUbNkwdQKubjq8BaH9IRAXmyD20y.dex

          Filesize

          2.3MB

          MD5

          6ac1e13c5738020692736ad688868dce

          SHA1

          f65549a550aecd7a1e170554d3df069057424075

          SHA256

          858be8616df9509c6bb1ac31c566f9e7dafaf9b5c12b09266b25438be13e6e02

          SHA512

          17853e981dfa523e047b88eade9e7450c60ca14873ec525726373bc4e4e0730ce481a5731f40dd1ffe96acaea193da5ddbd928ed424431ca20b1767d133391ce

        • /data/data/com.landeasttu/cache/ocbwxepcprwgduo

          Filesize

          159KB

          MD5

          9234712ecad25ab33376a9ab88cc7ccb

          SHA1

          c8be44c43d00b31ffcc3a519b5c8c3cc03fa6c1b

          SHA256

          61e9f4a66c2e3c5a736712e266898c1c7791bb464aefceac23822fc379c83c0b

          SHA512

          10efd5363d039c12e46dd87cb98fae05c4dfeecd0fe8211755a969e08b06fbd82020f6890518b7f88ef541700205220e66a5122640b7e1f9d5a6c4f5ee51b232

        • /data/user/0/com.landeasttu/IewdUUjUff/ukfgGh69fGG6fTh/base.apk.ifuyFHt1.IIU

          Filesize

          41KB

          MD5

          52f068630ab5af3833f2c2b2cbe51f17

          SHA1

          caf7b65a9f2cce6539dfd09b6714853b9bce0266

          SHA256

          7039b02e2e075a98101dbe21c8d76b063a8e146eaf99f6f0aa105ad88f321c05

          SHA512

          276eb020721d0d733c33f3c3bac0a861b10d4c18fb37c4ed249b24e25f2824de6287101945127f0b49b201a0f912e4e95b75038b0e32f1ec12dfb276b4bf3450

        • /data/user/0/com.landeasttu/IewdUUjUff/ukfgGh69fGG6fTh/base.apk.ifuyFHt1.IIU

          Filesize

          41KB

          MD5

          18330ebede6ca6ab1f4102ee1b513708

          SHA1

          a63794a12eef0028b1c7ca345c6c6b8b4fae14f0

          SHA256

          427412e846613907fbb2aa46e2752e68f167d1d786a04a1a6e4337658831d4c1

          SHA512

          4fe699bf04169708a567cf30c0a45612c7220b29b5133bb2241bde8de7d9661577507eb2b8bfc9ec0c27ab9310ed2c5fd61734251a9766df659c3aa2b533cf04

        • /data/user/0/com.landeasttu/app_ded/XZonAUbNkwdQKubjq8BaH9IRAXmyD20y.dex

          Filesize

          2.3MB

          MD5

          cd888c0f056a494fbbb51fbcd504097e

          SHA1

          60e32013572ceccb882c017d503e98d4a269143e

          SHA256

          68194c32dd0ce6a6e180f29045a9e4432b51fd9c45a4b82d5228eee679cd6776

          SHA512

          44808e0ec5feb31d076c8cd962d21b93e1e769e987b106824088af02080ffe7f905bfa5839e349bdbf0d657f340afdb1d17f2985bc504cbe67771ebe627672f1