Overview

overview

10

Static

static

6

d76308ed2d...d0.apk

android-9-x86

10

Analysis

  • max time kernel
    18s
  • max time network
    30s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    01-12-2024 22:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d76308ed2df89318eafa1e7aaa0512331b6e174ea2f5d0a93b149f0f0cf11ad0.apk

  • Size

    8.7MB

  • MD5

    0a065474e3a518bdca7f103606e94d84

  • SHA1

    64d7e18ad5ee88609993630603370498eb587182

  • SHA256

    d76308ed2df89318eafa1e7aaa0512331b6e174ea2f5d0a93b149f0f0cf11ad0

  • SHA512

    a61c80cedf70111510148764a870ba3d74dccbae2f4410f5882ee6d0695a57fedc52e003e04a3201388ec1c905b0dfa7d627d26695a2f8cbcbb45f342401cd77

  • SSDEEP

    98304:TiYMPmISrQZbMhbULwKbYCHXqwc5iSRG+jVK90IKjXTesoN1Yso+3X6Rsds/0Mcd:XVOX2rXUqXT/sp3X6R0s8P

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

AES_key
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.naccess_mobilex
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4218
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.naccess_mobilex/app_mind/ikNDBY.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.naccess_mobilex/app_mind/oat/x86/ikNDBY.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4244

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

1
T1628

User Evasion

1
T1628.002

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

4
T1422

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.naccess_mobilex/.global.com.naccess_mobilex
    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

    Download Submit

  • /data/data/com.naccess_mobilex/app_mind/ikNDBY.json
    Filesize

    1009B

    MD5

    654f78145130d2e4489a18b5b46acd3e

    SHA1

    a878fb27303605d6b3075b4246ec81aa3df57791

    SHA256

    b395dc29ecf0e3043e2245e2e1cf65fe3dd3bf8b7e2399abc40bcba37cbffa32

    SHA512

    c1de9430410a5ca50a80d1a58a095cdb3f67c232b1dc8e8885955d709dc2ccea0c685fb5cf4d0df4dd14dac02a2df3457db2b73f04a288aa3141f6975bddcfc0

    Download Submit

  • /data/data/com.naccess_mobilex/app_mind/ikNDBY.json
    Filesize

    1009B

    MD5

    c8c8196c57e61ecf22312141b703ebc1

    SHA1

    ba61184fc66563a36c333196007fcacc993a88d8

    SHA256

    2620d0569d3e2488ef651b77358071bd619096a4efa33ea2a90287472e5b2a64

    SHA512

    8db818ab8611df1eba0e4c65bb12a2ca3b9afdded906f8bb3c7012daf6ea322cbd66963dcbc47c928f3607499ec71d4f425b15a7f2c53366fdf03ba4663b81cf

    Download Submit

  • /data/data/com.naccess_mobilex/files/.u
    Filesize

    307KB

    MD5

    4e73947cabb5db3f92ca85004981b754

    SHA1

    6d9667fdb0280ed2dcb782b4683e422a51bdc601

    SHA256

    6db94232e756b90ed437f1bc87dc38cf20fb2e7c7a19a5e40c6c17254b7e234c

    SHA512

    be8b500a7070af1dfb53b0cf1a7b327dadc4e163a6dad905496ac228c58cd1ed87b054533917924455d35e9b300683ae33e1bcdd91935a5dbae1d693c3e13d69

    Download Submit

  • /data/user/0/com.naccess_mobilex/app_mind/ikNDBY.json
    Filesize

    1KB

    MD5

    844b31d2ffef9072c3a7fdad136eba20

    SHA1

    2174f28eae825a138f6916208dbb7973ef9220a5

    SHA256

    70d7561ee6a19cdd4c74f3858af31193841813e903ce239857e31548058929e5

    SHA512

    eebb6fc101999c801c18deeaeb2c532b8ff4508a2365933d9096b30d6be988eef4ed8ed410f30c958b23cfe3e7ceb0ddf2dd3c6efe83be3aa00de18f5753b0ce

    Download Submit

  • /data/user/0/com.naccess_mobilex/app_mind/ikNDBY.json
    Filesize

    1KB

    MD5

    615927411c0856c9fc37f9785436cb64

    SHA1

    529b38f5af96d8a92d3981c72980761c4840c5dd

    SHA256

    efd631fe2480beef992c338850ac5e7670bc0f7dc5d924f2695cafb8806a184b

    SHA512

    8b5c7c0c0e5dd9b0542e78599d8a172f48b877f37023ffb15e7e020299e1b7b92cba3eb7cbd1b35348653633bb03841c2d93cfd4a1701acd5c77c77432487b0d

    Download Submit

  • Anonymous-DexFile@0xd23f8000-0xd247b700
    Filesize

    525KB

    MD5

    0a1cdbb538a2e95429511d4ff96fcf03

    SHA1

    3642c505b9ca2caeb83c85a68462cd74b051116a

    SHA256

    9c21607184313ddbdd0ebfa86b0df47fd3f2e39074e2ae9870a1064087ff53ea

    SHA512

    e2bdee1ff6e4cc0450fe44d86277dc2b5f2e75814068be875f65d0ef857a260053492b5b27581c1f475073def4930bc4cfbe206660157608634b2e0eb522b2e3

    Download Submit