Analysis

  • max time kernel
    149s
  • max time network
    130s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    07-12-2024 22:02

General

  • Target

    2bb42c2da58ea8b9e65176371ab1db520b174c413a95b41abda3b1d049c081c6.apk

  • Size

    2.2MB

  • MD5

    34e7db88d47a03d6078bda36e8c5668c

  • SHA1

    fc057d0ac8347d3310faca54708fcd482600c335

  • SHA256

    2bb42c2da58ea8b9e65176371ab1db520b174c413a95b41abda3b1d049c081c6

  • SHA512

    948f3c818e157c53125f2dc14cf3f84fbb3a50555ddb8eab01fe03d47f5692ba152c98dcf24eeef7d029996c667174034d2ef4f6fdfce253909f22727bf76c77

  • SSDEEP

    49152:coMwE08Fw9oryftpAHXb/BucBB9aw5+k50GRLUCw:1E0RGsT2kuew5+QUZ

Malware Config

Extracted

Family

octo

C2

  • https://topflowow.top/ZmU2YzQ2NjZlNjc2/
  • https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/
  • https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/
  • https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/
  • https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/
  • https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/
  • https://junggvbvq.top/ZmU2YzQ2NjZlNjc2/
  • https://junggvbvq5656.top/ZmU2YzQ2NjZlNjc2/
  • https://jungjunjunggvbvq.top/ZmU2YzQ2NjZlNjc2/

rc4.plain

Extracted

Family

octo

C2

  • https://topflowow.top/ZmU2YzQ2NjZlNjc2/
  • https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/
  • https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/
  • https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/
  • https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/
  • https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/
  • https://junggvbvq.top/ZmU2YzQ2NjZlNjc2/
  • https://junggvbvq5656.top/ZmU2YzQ2NjZlNjc2/
  • https://jungjunjunggvbvq.top/ZmU2YzQ2NjZlNjc2/

AES_key

Signatures

  • Octo

    Octo is a banking malware family with remote access capabilities, first seen in April 2022.

  • Octo family
  • Octo payload (1 IoC)
  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 4 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse the framework's foreground service to keep running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 3 IoCs)

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
  • Requests access to notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  • Checks CPU information (2 TTPs, 1 IoC)
  • Checks memory information (2 TTPs, 1 IoC)

Processes

  • com.groupsureepdu
    PID: 4255
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests access to notifications (often used to intercept notifications before users become aware)
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.groupsureepdu/app_DynamicOptDex/yxwb.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.groupsureepdu/app_DynamicOptDex/oat/x86/yxwb.odex --compiler-filter=quicken --class-loader-context=&
      PID: 4280
      • Loads dropped Dex/Jar

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.groupsureepdu/app_DynamicOptDex/yxwb.json

    Filesize

    1KB

    MD5

    322db753cad51ad26413900bcdb67ac6

    SHA1

    979e87ed78f19f7c6c05bfa3b6062a62d585b269

    SHA256

    a3170e050ae4668d5ddd0e0e8441848bc1cc4dd4fb6c63fb09035f0c8052c875

    SHA512

    d2b4e0a4223246559ab98c3f0ee6bc51774bf3475ef6ea44237b00e4b5261857a2fd433ae52c86f68b1ae3fecd06f71f9330cbcaa9c7652d5aa2b70b9db06175

  • /data/data/com.groupsureepdu/app_DynamicOptDex/yxwb.json

    Filesize

    1KB

    MD5

    9cb326d028a7037b8572a50176a3f1b5

    SHA1

    0dbb28afb007ffaf89eaedd116a0043680760e47

    SHA256

    e08ac6d3517585d2a725a78da5166a80329ebe90e5bcdab78d487e714d2bd43a

    SHA512

    2f80eef13eca1edcfc6c367e14a82f2e011e6139060249994705425114ed3ad0b94f79a6b987d3ab87afb50335e6ceef84bcc343517d5a46305643bea7b027aa

  • /data/data/com.groupsureepdu/cache/cjgxpplvxddsq

    Filesize

    448KB

    MD5

    5e0372635b0359dff49538a00dee37d1

    SHA1

    13231cb16f0aa2d185988270c05264d8e4d9984f

    SHA256

    13439e04255290c46cb3eb6f2e0f93b997c485a94b021d492e3937373350e643

    SHA512

    dacb8a65fd82e812f4db59909658c3fb1b74f58933a6a7af1da8340496b1fd80bb56d1c2c58a932dc072730c2d530b0264c2b02ab74888cf02fb76b63c1f1ced

  • /data/data/com.groupsureepdu/cache/oat/cjgxpplvxddsq.cur.prof

    Filesize

    476B

    MD5

    cc5d1a78e410cc5d3bb858f945926b48

    SHA1

    80c55c15d52875bd82b8516c645745871f39ee2f

    SHA256

    c905e34a12f2ae6eb68ec653b588741e8f8b68caf65fc5eaf8042f25bd6db8a5

    SHA512

    80fcc8a47603598ecaa1a3f682e46368c15a2ba847d404d9e8e4ce1d043d6350ab7e7dd192c773576435681c4e5f8a717cc492e2e6eb8836c86bfa1e387874a4

  • /data/data/com.groupsureepdu/kl.txt

    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/data/com.groupsureepdu/kl.txt

    Filesize

    237B

    MD5

    48ba242f0b6127762ceef7940b69db49

    SHA1

    cb1218926c5996cc1dbde4bab8095f2fbc6010a7

    SHA256

    f03f66c20e396baf3093241017033f16116d3f80f1b886d5694c1ebb2ce17bad

    SHA512

    cc4b48d1b2957d138a40513e43cf528f9c286a061838944f2ac8b2ffae4da1e82041f5797ca2a408458149763451c1c38b085ce614af3f51c9f17cb4cbc09dbd

  • /data/data/com.groupsureepdu/kl.txt

    Filesize

    54B

    MD5

    90a74fb2fe111a7830aad31229430c15

    SHA1

    579e9ecedac97390ae7f17c21459a699677e2c50

    SHA256

    1b58bea3e662349bfb8ec6158bfa10a92849c83d163b36104c7016838b734934

    SHA512

    9a4dff13d43befb5bb9921090e2bcaba3eefbf693b659395d69cc564f4174555e21b0f66bbba6d524ef8633dc2af280508391b40ad420ab07688e62fcedbe57e

  • /data/data/com.groupsureepdu/kl.txt

    Filesize

    63B

    MD5

    d165205f94e3c032b3196253456add34

    SHA1

    e351999ea51f46da84a0b7134ddba23b6f3f3565

    SHA256

    b84a723772ea0722f6a22eebcdecfa67d78fbe31824ffadda58c44896c509701

    SHA512

    3026ea3332b1aa607486967c913bdf76e743db776e6a112e5fe2cdfb069ea92aa960611c731d290b2a8f9087d660b71619efbed568007ff0ff01a5f068219034

  • /data/data/com.groupsureepdu/kl.txt

    Filesize

    437B

    MD5

    70b9924bb1ba2bf6c3b73719d421b198

    SHA1

    91e09975431de2ae1711cb1cc5a180707a03b93f

    SHA256

    4d53056041feeb714cd088f664a340d278f28485b4cdbc7b8e9579b00438321c

    SHA512

    3bd617e08f3e71a53861448ab90fb8875d6d504734db65038f45e10a2cc46a15cc5b14ecc35a03caeac741487f3609a2a2307be0ce4c11432ad2b84317cd34ba

  • /data/user/0/com.groupsureepdu/app_DynamicOptDex/yxwb.json

    Filesize

    2KB

    MD5

    7cc2bd05badc7a2c16689a9a13ee7788

    SHA1

    890492dd4bc2943a8db0195cd14badee3d30df61

    SHA256

    7808892e72c2e4d091a6e061ff4358e8daf4d02861474945a6d18716a88418ce

    SHA512

    2afd64e6f1a6b78912beab057fa41b38e4441df395238e24e1db0d1ca9fbc92dcb3cb85013043d1e03ea62f5030bae108c414cc8f99bd0c2e597f4474486f73a

  • /data/user/0/com.groupsureepdu/app_DynamicOptDex/yxwb.json

    Filesize

    2KB

    MD5

    22c48fbedef405939d8b49ea6390d5af

    SHA1

    8b8929a1a2b8be40522a7df997259d83594eedd4

    SHA256

    751b07eb881e09a79f0e999e4690a3aa251ca93ba3a1387e480419b47dcdb0cc

    SHA512

    a7a0e33c89d4a40faf5f531046ab3120f2c1e16dba93b9bdf844534fd25483897fc6da4d80a000fd0d7c2a1f06ab8fe50794b16ddc965bed05503107ff0d61ff