Overview

overview

10

Static

static

6

17bbcb24ce...8e.apk

android-9-x86

10

17bbcb24ce...8e.apk

android-10-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    28-11-2024 22:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    17bbcb24cee94d468bd9728ec6d21d5f3ed04f4fe4b3773c84a9b759b891488e.apk

  • Size

    2.4MB

  • MD5

    23f76042625cad2043639116f62fdfb7

  • SHA1

    e39c42e019dd6500dcce835f59abcf8110e099d4

  • SHA256

    17bbcb24cee94d468bd9728ec6d21d5f3ed04f4fe4b3773c84a9b759b891488e

  • SHA512

    95fa7d76cf7e0f02e8ee59c086c7ed075d919c66f01e48f85f3634f34012a36bebf050d93692c4e3b31154a05a3ce31fff6a3e8c64efc3946844d62bd52c2379

  • SSDEEP

    49152:06fkLgCnb489OrF2NsbzDwKuDrZKKGWZjF0Ng1lB5jSuzANffr:0+kLgCnpOJ2NnKQrZKKD5F0a1lBKNr

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

octo

C2

https://lauytropopo.net/ZmU2YzQ2NjZlNjc2/

https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvq.top/ZmU2YzQ2NjZlNjc2/

https://junggvbvq5656.top/ZmU2YzQ2NjZlNjc2/

https://jungjunjunggvbvq.top/ZmU2YzQ2NjZlNjc2/
rc4.plain

Extracted

Family

octo

C2

https://lauytropopo.net/ZmU2YzQ2NjZlNjc2/

https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvq.top/ZmU2YzQ2NjZlNjc2/

https://junggvbvq5656.top/ZmU2YzQ2NjZlNjc2/

https://jungjunjunggvbvq.top/ZmU2YzQ2NjZlNjc2/
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.feetthink1
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4256
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.feetthink1/app_DynamicOptDex/Ed.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.feetthink1/app_DynamicOptDex/oat/x86/Ed.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4282

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

4
T1422

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.feetthink1/app_DynamicOptDex/Ed.json
    Filesize

    1KB

    MD5

    9ea74bee2f57d39ad34acdfb62fe9868

    SHA1

    16e89b1bd0ee6523aafc1174e7d3ff9603c3b391

    SHA256

    21e5ac5b7d8645a5a6b7978a3a54c0e91cb9ab2b26090025abcb824e787eed50

    SHA512

    3cdad66e72db0779e1bc05f6719929a33377ee395b0648f0e792dccf04980c1b44a91a4ff7456b908e3df7de3a4770f8ae1fb5f048b053a4e4ba41552ef3bab6

    Download Submit

  • /data/data/com.feetthink1/app_DynamicOptDex/Ed.json
    Filesize

    1KB

    MD5

    307fc588f6589ee5922360200fffe89c

    SHA1

    a654fd912eded5d4a04cec322873bdaf7083ce87

    SHA256

    efcb71f29ef1a21bcfb73a44f0628d3a62561cffaaf3691e7ce9adf4dbfa7fda

    SHA512

    6ed769869b1f1b6a1fdabfa6ea43155851f940d0819b7cc3f08548d6ba55263c920f4e0a52e20e2d0eddc039bd779e192bf4738a67e792ca0eabd9d69bc35454

    Download Submit

  • /data/data/com.feetthink1/cache/oat/yoqgm.cur.prof
    Filesize

    447B

    MD5

    9b4bf510687268a41dbd5b03c71f00fb

    SHA1

    ff84ddf562b78ab985377622b4090d287a045e72

    SHA256

    3b74a666294d2061fef34bd79816313effd05050a4801581d0cd6939df633294

    SHA512

    1b84439485cf4b54ae60afa8bb1e44faa62538d26d70c6413029506b18835a37b444ba0a221c942e9d83e803a84f94dc52d3fa20a5171c8e8e5157807e44a96a

    Download Submit

  • /data/data/com.feetthink1/cache/yoqgm
    Filesize

    448KB

    MD5

    9e2844fade7cfb86f017a9ecfc7ed075

    SHA1

    df2fb9ef780d333bf69d7042abe22b10037902f6

    SHA256

    10d41a7e4946971e583c131686249872c45cd8968c7647641dabfc0a360daff5

    SHA512

    97a77a5afe53d8733fab2bf6989e83d27959b9fcae6b8c22114c0fe41984c94054ee9de3c29492f9ed5dbe5110d55dafafeae84d5654e879f8c964c46fe69de1

    Download Submit

  • /data/data/com.feetthink1/kl.txt
    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

    Download Submit

  • /data/data/com.feetthink1/kl.txt
    Filesize

    63B

    MD5

    d09c5e960ff8720303fbe54a55668b98

    SHA1

    5a478d61665f24f9c74630e9f786ec657dcfe866

    SHA256

    c2e5721541a7837faf4f5b44ce857f66c03cb5a5d3efdee0c3de6fcb7d4fb81f

    SHA512

    bded705ef39f0e7ab1b6170966f3d8c06386c7aeb3f78bb2b0b42b7501ce481a1252921aca9c14fe19cc8c134208c9a4c2874baf3487a07b3051111760005d25

    Download Submit

  • /data/data/com.feetthink1/kl.txt
    Filesize

    237B

    MD5

    5e4589562883eb5c21f5c0d267bf5c16

    SHA1

    a122bb72fae1f742bb027059a497449822fde8b3

    SHA256

    3966cb59c633b3ce91a3e32e36401cdd62a4c7339a5a83dd84a772dce87ba97d

    SHA512

    dadd6131c3900f5ac2d646b84599a4912be055f0c2f088b876ad62edc24b274b99c49adfb2163cb08a2f208654c3118bd6b35950908befaac9eaf0e5d2d56494

    Download Submit

  • /data/data/com.feetthink1/kl.txt
    Filesize

    54B

    MD5

    d8278991847351e3cf6654a9b6e683e6

    SHA1

    7d9ab4e837a53b96c078478745de6d725c5f283b

    SHA256

    e212544cf2d1e435306af767f10ff0a2b339f7d741fddb1fe42ad6eb0957f11c

    SHA512

    0f2593ab1159a24aac9ba30de76bc8af8ba96d13353ce41daa15e31415d3f9cde6dc6177678ff7c0a23362d6a7eb6b6c1cc00f44915bef83fc5d3f30e0defd23

    Download Submit

  • /data/data/com.feetthink1/kl.txt
    Filesize

    437B

    MD5

    0c99c67936a72150140f09ef03c18b80

    SHA1

    b1b473bbe68d153f92d378a5987648b1b18c5d2b

    SHA256

    69ccd24ca3da031fdce7a1f8efe26f7af62d8e5822d124f300a279df02c30df2

    SHA512

    a8072a40c455bed81670098b1594ed402952857b04838dc617b20c584c76ed69a7203c485f9585c0f4120b6a7cd6856c22751d77063e6aba851e3a3f28e34b48

    Download Submit

  • /data/user/0/com.feetthink1/app_DynamicOptDex/Ed.json
    Filesize

    2KB

    MD5

    142728ca9a10d06c0300bff54973df86

    SHA1

    4c95164e9470e28040e0d3779a15e4e2f6d0d166

    SHA256

    61cd9f3cc445ca6f4b8bad5adce3b381759b9ecd5cab69e8cdbfad644e97021f

    SHA512

    eb9e30c92d5285bbfd5535aadda123014bc96746c893b5cc6ff946412b70309404dca4e6dcefb0be104b5a7fc42551f931515c7f5c4c1c1d6bbf2299144356b4

    Download Submit

  • /data/user/0/com.feetthink1/app_DynamicOptDex/Ed.json
    Filesize

    2KB

    MD5

    42d4291d06bbf8570bb262b5dae88afa

    SHA1

    7aef566efaad4da6168cf7fef9809b420de44f0a

    SHA256

    19479a793d5ccff0da6a43824bf239ca90ffbd561209d546a2cd7c32706f1521

    SHA512

    98a9dc8658b4c88a59d9018e957aca86579feb539df13213eb5bf781a4243c7a0a4bdebcae19a9cb4bfc829529aa676f514b8eb3ad3306acd6d84efa2972242c

    Download Submit