Analysis

  • max time kernel: 149s
  • max time network: 137s
  • platform: android_x64
  • resource: android-x64-arm64-20240624-en
  • resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted: 25-11-2024 12:27

General

  • Target: 4d3c48d83b2a979a01385238c10c0fbce4b876aed0069f4d7ac89f5ae4b5e066.apk
  • Size: 4.5MB
  • MD5: 1d8378b553666920dec9c42d1d57ff91
  • SHA1: a51ed9f8ad05054e638bf3dc9413cbef8f2097d5
  • SHA256: 4d3c48d83b2a979a01385238c10c0fbce4b876aed0069f4d7ac89f5ae4b5e066
  • SHA512: e4e4abf4828ec44e3de9ba94c1befe9a13bd170e3db192ad6c789c3ef2c5e2039419ff5bf83df11caf976f6b894c985ea51df08e26e8770416854983f37ad200
  • SSDEEP: 98304:V30nCLLStMhOCIzWmNPKERulxpKAM8jSzs8yqtEQOr5YW/fzQcVI:V3WCqtMhOkmlK0urpV8yYOyArQf

Malware Config

Extracted

  • Family: octo
  • C2:
    https://equisdeperson.space/MDI0ODlhNzAxYzg2/
    https://rigorichbroker.com/MDI0ODlhNzAxYzg2/
    https://personification.top/MDI0ODlhNzAxYzg2/
  • rc4.plain

Extracted

  • Family: octo
  • C2:
    https://equisdeperson.space/MDI0ODlhNzAxYzg2/
    https://rigorichbroker.com/MDI0ODlhNzAxYzg2/
    https://personification.top/MDI0ODlhNzAxYzg2/
  • AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 5 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.landeasttu
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID: 4456

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/com.landeasttu/IewdUUjUff/ukfgGh69fGG6fTh/base.apk.ifuyFHt1.IIU
    Filesize: 41KB
    MD5: 18330ebede6ca6ab1f4102ee1b513708
    SHA1: a63794a12eef0028b1c7ca345c6c6b8b4fae14f0
    SHA256: 427412e846613907fbb2aa46e2752e68f167d1d786a04a1a6e4337658831d4c1
    SHA512: 4fe699bf04169708a567cf30c0a45612c7220b29b5133bb2241bde8de7d9661577507eb2b8bfc9ec0c27ab9310ed2c5fd61734251a9766df659c3aa2b533cf04

  • /data/user/0/com.landeasttu/IewdUUjUff/ukfgGh69fGG6fTh/tmp-base.apk.ifuyFHt6227975497895370377.IIU
    Filesize: 19KB
    MD5: 664602ddb544a7f9eae76eb6964e564b
    SHA1: ea53c29657bf27e3124550725a5b7d8ea8ca578e
    SHA256: ea8976350c82e6fad26b1a632dd0823efc0cd80e690615704af3d03f24b135fc
    SHA512: 9da16baa77ac49c80ed3f57701a1433dd5d252c4eaf532386b74011d3b9e96b3a94c2a1d3a92cd650d396bfeb34d4c419b82bbda506016dc8756e9d3cd05135a

  • /data/user/0/com.landeasttu/app_ded/nKUGm6Qn1tLorUwfN39pJeolaBookirc.dex
    Filesize: 2.3MB
    MD5: 6ac1e13c5738020692736ad688868dce
    SHA1: f65549a550aecd7a1e170554d3df069057424075
    SHA256: 858be8616df9509c6bb1ac31c566f9e7dafaf9b5c12b09266b25438be13e6e02
    SHA512: 17853e981dfa523e047b88eade9e7450c60ca14873ec525726373bc4e4e0730ce481a5731f40dd1ffe96acaea193da5ddbd928ed424431ca20b1767d133391ce

  • /data/user/0/com.landeasttu/cache/oat/ocbwxepcprwgduo.cur.prof
    Filesize: 300B
    MD5: 36de839c7267206d64fa93b73a376e7a
    SHA1: a49ec63c47b4574776f0e99ba2bd6afdfdb201ff
    SHA256: 4b67ce72acc253ecc84f2d8c65e51cb0be2235dea167e1f8f82bb22762961bbd
    SHA512: 6a9788e962a2ee505a4e1dbf7aeaba82c5cb5310b7a072fd7bf767fc58ac9f31b7b50ce101f16de1945ed8613b2472abe33902ffdc2978d9d8ddf58045b3393a

  • /data/user/0/com.landeasttu/cache/ocbwxepcprwgduo
    Filesize: 159KB
    MD5: 9234712ecad25ab33376a9ab88cc7ccb
    SHA1: c8be44c43d00b31ffcc3a519b5c8c3cc03fa6c1b
    SHA256: 61e9f4a66c2e3c5a736712e266898c1c7791bb464aefceac23822fc379c83c0b
    SHA512: 10efd5363d039c12e46dd87cb98fae05c4dfeecd0fe8211755a969e08b06fbd82020f6890518b7f88ef541700205220e66a5122640b7e1f9d5a6c4f5ee51b232