Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android
    arch:arm
    arch:x86
    image:android-x86-arm-20240624-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    28-11-2024 22:01

General

  • Target

    d3dd9d9aa509a0987c99af209726290f64c39a2b593baa84320285d917068d6e.apk

  • Size

    1.4MB

  • MD5

    b5b145480f3e0820d263fe7a5ace02d8

  • SHA1

    891b7efad97fae170f387f887887bcb0c973c8a3

  • SHA256

    d3dd9d9aa509a0987c99af209726290f64c39a2b593baa84320285d917068d6e

  • SHA512

    064e166ac43094eb0c803700623be1ccf957122343d72fe1ef81095d0eec62aa434fdefd1a5e7f9d2ac9c65adc0714aa1bcfae026f461787c4fbe97721e27ddd

  • SSDEEP

    24576:isFmKxhBL/OtrIRQuZ6X1MhpCRXxx92nxu7rTSgs5DwQV0ac9x47JnFU:HFjhV/1imVoRfsMrzs5EQV0Z8Ja

Malware Config

Extracted

Family

octo

C2

https://skylinejr.top/YTZhZjliODdlYTI4/

https://forestnx.top/YTZhZjliODdlYTI4/

https://moonlightvg.top/YTZhZjliODdlYTI4/

https://seabreezehf.top/YTZhZjliODdlYTI4/

https://riverflowbd.top/YTZhZjliODdlYTI4/

https://starbursttc.top/YTZhZjliODdlYTI4/

https://wildspiritzm.top/YTZhZjliODdlYTI4/

https://dreamcatcherly.top/YTZhZjliODdlYTI4/

https://goldenpathrw.top/YTZhZjliODdlYTI4/

https://sunbeamfc.top/YTZhZjliODdlYTI4/

https://stormchaserqt.top/YTZhZjliODdlYTI4/

https://cloudburstkp.top/YTZhZjliODdlYTI4/

https://nightshadewm.top/YTZhZjliODdlYTI4/

https://earthboundxl.top/YTZhZjliODdlYTI4/

https://fireblazeqh.top/YTZhZjliODdlYTI4/

https://oceanviewjk.top/YTZhZjliODdlYTI4/

https://silverstreamph.top/YTZhZjliODdlYTI4/

https://mountainpeakyd.top/YTZhZjliODdlYTI4/

https://blueskytm.top/YTZhZjliODdlYTI4/

https://greenfieldzc.top/YTZhZjliODdlYTI4/

rc4.plain

Extracted

Family

octo

C2

https://skylinejr.top/YTZhZjliODdlYTI4/

https://forestnx.top/YTZhZjliODdlYTI4/

https://moonlightvg.top/YTZhZjliODdlYTI4/

https://seabreezehf.top/YTZhZjliODdlYTI4/

https://riverflowbd.top/YTZhZjliODdlYTI4/

https://starbursttc.top/YTZhZjliODdlYTI4/

https://wildspiritzm.top/YTZhZjliODdlYTI4/

https://dreamcatcherly.top/YTZhZjliODdlYTI4/

https://goldenpathrw.top/YTZhZjliODdlYTI4/

https://sunbeamfc.top/YTZhZjliODdlYTI4/

https://stormchaserqt.top/YTZhZjliODdlYTI4/

https://cloudburstkp.top/YTZhZjliODdlYTI4/

https://nightshadewm.top/YTZhZjliODdlYTI4/

https://earthboundxl.top/YTZhZjliODdlYTI4/

https://fireblazeqh.top/YTZhZjliODdlYTI4/

https://oceanviewjk.top/YTZhZjliODdlYTI4/

https://silverstreamph.top/YTZhZjliODdlYTI4/

https://mountainpeakyd.top/YTZhZjliODdlYTI4/

https://blueskytm.top/YTZhZjliODdlYTI4/

https://greenfieldzc.top/YTZhZjliODdlYTI4/

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.sgakagak.agakagabs
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4253
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sgakagak.agakagabs/app_dune/qMQwDnf.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.sgakagak.agakagabs/app_dune/oat/x86/qMQwDnf.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4277

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.sgakagak.agakagabs/.qcom.sgakagak.agakagabs

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.sgakagak.agakagabs/app_dune/qMQwDnf.json

    Filesize

    152KB

    MD5

    01869e66bd90971c40a7095cf595861c

    SHA1

    0844754b303cfa8eeb368ba23f385748288ddd00

    SHA256

    97de788b84c01e7725c72060a9b34deb75dc91a858ab885460c39887046dab51

    SHA512

    09ac5ec43ecdbc96f9b9c2024406eb5fceeaaeaa5e75090978d0bfb186616740ee9828b6ac33309007ec77ac0d79229bb83b638947e96b4c4f532974e2048250

  • /data/data/com.sgakagak.agakagabs/app_dune/qMQwDnf.json

    Filesize

    152KB

    MD5

    9cf153b2afdc09fbf62778716ded32f9

    SHA1

    41987157cf1da6b06a67e013125c63882f9ab013

    SHA256

    12c86a876ce11aa28dd956d0911a05179f03bc6ddd4a4addc2928d296d54e4bf

    SHA512

    c8a0243a8b047e090cc7ca2afa12d369925f84b05646e9b1aa8b77334f22cc0e6ed33d9ede827742ca4f35749c390594f13e19d7017cf03ec3565dafd0b22160

  • /data/data/com.sgakagak.agakagabs/kl.txt

    Filesize

    63B

    MD5

    424eee42a4fa54dd3ea56f343fbef8b6

    SHA1

    5abf56c58ab469bd1c9d20da479edea1a9272822

    SHA256

    d787fb1c459fa37810128739e3acc3843bc7baa2e0937f46a6efedf7b97ba56e

    SHA512

    6b574c767172956499a8990ce1dda7a944f2c310de8ad9d3b7e168db321a1ae6fa8e75b1272fddb9a5eb0c8c38fbec8a8b2004dac2d3c5a4cddc7a2d46ca58bb

  • /data/data/com.sgakagak.agakagabs/kl.txt

    Filesize

    423B

    MD5

    48a303137509b3a4715c512efdedff02

    SHA1

    e1fc4dc47fcb736e470595cc5e439439ddf84933

    SHA256

    cdd5758ef3c4e9df103273755b0cfa24402e78cd3a4d42150fd30d18700c8807

    SHA512

    5ef99a103f6eb9c7dc7598a622d8974aa74709135e0b7945ae083a2299d6d29c4c6f4ae3f728572833cf37d6cbf71bfaae2954c061ba421a92967b6344f17f56

  • /data/data/com.sgakagak.agakagabs/kl.txt

    Filesize

    230B

    MD5

    4dabe08b21e0cba8dee5f5c451681ca7

    SHA1

    2b59ff83980c6c0f9d55dabea034fbc6ea3e0d48

    SHA256

    d9340128e068dfee72014ac90c1372dd83308abdcad14530e2478e6f4ff7899f

    SHA512

    aa96ce2dd9812071d447290a8ad12dab09188efa39f49d2be02b8e77b6cc8b483cb6e8ecda6e01b1446ed47a3445e0304bf45e7a1bbea7b67f323dc570076d66

  • /data/data/com.sgakagak.agakagabs/kl.txt

    Filesize

    54B

    MD5

    4ff8846efb8a8fb0b06c9b839dde22ec

    SHA1

    c35d645c39834a14dacee3158868859b87faf457

    SHA256

    c5a9077fa1e3a142f194f0ac98d3ff735d414da41aa90f652ced03358bbbcc4e

    SHA512

    4f612325f8a625ada1eb1b2440fba6c0c74cf07de130f8af6e5ae0c32cc0d640a9ebfd2849b38be7531649b886af8fd42dff6509d7e7d33e33e7a5733642a658

  • /data/data/com.sgakagak.agakagabs/kl.txt

    Filesize

    68B

    MD5

    623e3310ee82edef60da0157807f8ccb

    SHA1

    7c5327cefd6374c1fc40b9a98526581d74487a6c

    SHA256

    e67b3df3a49325555857d1268981555df8589166df2966138616d1d0ee8c1dcb

    SHA512

    52651f447c60bc17d8b227fcdbf1ac60ed622c1c6f3e5ff903a75984adf731a61ee8fcc3a15cfa68a84f203a9f840ef89e1c05a0b88f1532930e8e20b93d15b9

  • /data/user/0/com.sgakagak.agakagabs/app_dune/qMQwDnf.json

    Filesize

    450KB

    MD5

    c2744e5d3cd3cff4bcb885eb911de4af

    SHA1

    e5cc3d04aaabd77e28c7c2e317232fff21741ecf

    SHA256

    ba6a90cb7b7f028754502c79cb9e4229896aebe09b1e411818990a51c16c21b9

    SHA512

    b1c5b552ac4024a39b7c2eb1ad3ea21f46e01d5a421adb0b912bfa799803ea22ba027e26bfb1520bbd9618aca849b540926ff2d9014dc8cf3570745d6a39c4b7

  • /data/user/0/com.sgakagak.agakagabs/app_dune/qMQwDnf.json

    Filesize

    450KB

    MD5

    bc90db222486493acb28d4e520345e1f

    SHA1

    8c073d5dcc7599fad248877aa339b65e0744906a

    SHA256

    3d2b417ff612b2affd728a69ae62135adb592e38a33184bff9870bef7dbb3d49

    SHA512

    6df389d8a347d34d6593fb13b84a4a428d9cefbe129aac628d32d86a2a3663b197a618b80281d6beb4e48376eb0723829c44546c4864627b9cb50d1b60979835