Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    05-12-2024 22:05

General

  • Target
    8d47670f9ff63c59c9b419e3ee8b7aaa03acb8b78084bcce4d574deb9bdaa9e0.apk
  • Size
    224KB
  • MD5
    d5bfb98d212223d1a2a59441ccca542d
  • SHA1
    afcb10b32e8c821b962af2ff225dcbd20f4fb34b
  • SHA256
    8d47670f9ff63c59c9b419e3ee8b7aaa03acb8b78084bcce4d574deb9bdaa9e0
  • SHA512
    52b0babe6549c728484fe41e470e9306ca633df3ea9ec3ad813e5dda04a8a1a8a72500ce40f9c0f4408f1c07ddf5aef215b57feef59e787fb201f1239ece0564
  • SSDEEP
    3072:zNUZ0F0980sGvq9HW6lvgWDoW6kiMgDOFVcn/NBgfyaedZyll3cchpvpR:zU0F0FjOplvglf2V4/NiySl19lH

Malware Config

Extracted

  • Family
    octo
  • C2
    https://154.216.17.178:7117/gate/
  • rc4.plain

Extracted

  • Family
    octo
  • C2
    https://154.216.17.178:7117/gate/
  • AES_key

Signatures

  • Octo

    Octo is banking malware with remote access capabilities, first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone network operator 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.adaxffsfzfada.zbsvxgsvbxhdgs
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4657

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/user/0/com.adaxffsfzfada.zbsvxgsvbxhdgs/app_apkprotector_dex/classes-v1.bin
    Filesize: 451KB
    MD5: cb004b201c567db64910e65b984c9447
    SHA1: c64724627f791c91ef1fc11e0504106f843da186
    SHA256: 8aba800e4caf3ea5442f0fee7a584361129518d04c465fc52b9e96954dd9c757
    SHA512: ab53cc64802d9dde3f3221621467d8f7200aea6e76a3e8fdbeac531c207dca1098bc5e47a1e7d8f02fd9e12a9f3252acbe6c6d253a337dfb365ff917b5425ffa

  • /data/user/0/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt
    Filesize: 28B
    MD5: 6311c3fd15588bb5c126e6c28ff5fffe
    SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
    SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
    SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/user/0/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt
    Filesize: 64B
    MD5: 38df28264b530cd50111db7dd2126514
    SHA1: 37c474250d1a72bcb721ab96b97a9240be3f6dd5
    SHA256: 2b04587d1d045d02dc6fa089e1bac9e5033ee76e88caaee37e2f671165fe1fb3
    SHA512: ae6c0fac29dd8f4d9444524da25c2d95e7e5b828c9313319354d5e0d9da3836949d2069758b1d6f6e66d13f5364a96175f340d960a56f9b54cdd606918acc54b

  • /data/user/0/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt
    Filesize: 45B
    MD5: 22e2ee880ef5d1067cf9501804873d74
    SHA1: fe9774bf58f179efbd9e33c06f0b0747240a5938
    SHA256: 0d8ab2995e97e22d4f65cd686ea4714237f58dcfdee1a50dfb300f4440b4d4b1
    SHA512: 85fe046a96671990df7512ce3247d483a1e6c008d2cf2060b1c75423e1db6016d40aad2843ec5d58c057154c649f138a2c1fe3699e0c437f3991cb13e4bc73e6

  • /data/user/0/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt
    Filesize: 63B
    MD5: 351895c18763fcabeeb20b82e250bc6c
    SHA1: 93feef0102efdd3c32a925654919ea9342243e6a
    SHA256: 06c478e4853bcc55298a0588a20cc6519b9ac145b9dc4bc483bd6fcbdf5a1c79
    SHA512: 54ea0c2cc35e88aade035ba6836cab98f7e5dd21a376d899330e5258a2430fd8b4043f6e084c51d49e6e2b1d006516160adcd2c2690ed7c204982e7acc13958f

  • /data/user/0/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt
    Filesize: 470B
    MD5: b584d45ff941983d614ce62c62de0e98
    SHA1: 7ac27b0e311fdf2a7a75935350f45816149117a9
    SHA256: b2b45610096dc0ba96c111015a52f91d176e77e36e81cba684853264a3ef3c62
    SHA512: c54dde825b277e537b988a6e81d43175d10dca80cd1d6629793507b54214cfe3e3323f8160929a225508ac7beab3d99f3ca830bfda3ef9bce90c126c66fc4603