Analysis

  • max time kernel
    149s
  • max time network
    131s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    07-12-2024 22:02

General

  • Target

    2bb42c2da58ea8b9e65176371ab1db520b174c413a95b41abda3b1d049c081c6.apk

  • Size

    2.2MB

  • MD5

    34e7db88d47a03d6078bda36e8c5668c

  • SHA1

    fc057d0ac8347d3310faca54708fcd482600c335

  • SHA256

    2bb42c2da58ea8b9e65176371ab1db520b174c413a95b41abda3b1d049c081c6

  • SHA512

    948f3c818e157c53125f2dc14cf3f84fbb3a50555ddb8eab01fe03d47f5692ba152c98dcf24eeef7d029996c667174034d2ef4f6fdfce253909f22727bf76c77

  • SSDEEP

    49152:coMwE08Fw9oryftpAHXb/BucBB9aw5+k50GRLUCw:1E0RGsT2kuew5+QUZ

Malware Config

Extracted

Family

octo

C2

https://topflowow.top/ZmU2YzQ2NjZlNjc2/

https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvq.top/ZmU2YzQ2NjZlNjc2/

https://junggvbvq5656.top/ZmU2YzQ2NjZlNjc2/

https://jungjunjunggvbvq.top/ZmU2YzQ2NjZlNjc2/

rc4.plain

Extracted

Family

octo

C2

https://topflowow.top/ZmU2YzQ2NjZlNjc2/

https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvq.top/ZmU2YzQ2NjZlNjc2/

https://junggvbvq5656.top/ZmU2YzQ2NjZlNjc2/

https://jungjunjunggvbvq.top/ZmU2YzQ2NjZlNjc2/

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.groupsureepdu
    1
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4612

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/user/0/com.groupsureepdu/app_DynamicOptDex/yxwb.json

    Filesize

    1KB

    MD5

    322db753cad51ad26413900bcdb67ac6

    SHA1

    979e87ed78f19f7c6c05bfa3b6062a62d585b269

    SHA256

    a3170e050ae4668d5ddd0e0e8441848bc1cc4dd4fb6c63fb09035f0c8052c875

    SHA512

    d2b4e0a4223246559ab98c3f0ee6bc51774bf3475ef6ea44237b00e4b5261857a2fd433ae52c86f68b1ae3fecd06f71f9330cbcaa9c7652d5aa2b70b9db06175

  • /data/user/0/com.groupsureepdu/app_DynamicOptDex/yxwb.json

    Filesize

    1KB

    MD5

    9cb326d028a7037b8572a50176a3f1b5

    SHA1

    0dbb28afb007ffaf89eaedd116a0043680760e47

    SHA256

    e08ac6d3517585d2a725a78da5166a80329ebe90e5bcdab78d487e714d2bd43a

    SHA512

    2f80eef13eca1edcfc6c367e14a82f2e011e6139060249994705425114ed3ad0b94f79a6b987d3ab87afb50335e6ceef84bcc343517d5a46305643bea7b027aa

  • /data/user/0/com.groupsureepdu/app_DynamicOptDex/yxwb.json

    Filesize

    2KB

    MD5

    22c48fbedef405939d8b49ea6390d5af

    SHA1

    8b8929a1a2b8be40522a7df997259d83594eedd4

    SHA256

    751b07eb881e09a79f0e999e4690a3aa251ca93ba3a1387e480419b47dcdb0cc

    SHA512

    a7a0e33c89d4a40faf5f531046ab3120f2c1e16dba93b9bdf844534fd25483897fc6da4d80a000fd0d7c2a1f06ab8fe50794b16ddc965bed05503107ff0d61ff

  • /data/user/0/com.groupsureepdu/cache/cjgxpplvxddsq

    Filesize

    448KB

    MD5

    5e0372635b0359dff49538a00dee37d1

    SHA1

    13231cb16f0aa2d185988270c05264d8e4d9984f

    SHA256

    13439e04255290c46cb3eb6f2e0f93b997c485a94b021d492e3937373350e643

    SHA512

    dacb8a65fd82e812f4db59909658c3fb1b74f58933a6a7af1da8340496b1fd80bb56d1c2c58a932dc072730c2d530b0264c2b02ab74888cf02fb76b63c1f1ced

  • /data/user/0/com.groupsureepdu/cache/oat/cjgxpplvxddsq.cur.prof

    Filesize

    338B

    MD5

    d44f62bd3570a7432538f2d1a785dcee

    SHA1

    a0dc00e51d35c8422041bd67b752f8b5040f8be8

    SHA256

    1ac8d8d41c6487e12f26d7a88a787b1a7489ce514eba438355fd76e5cd31a680

    SHA512

    79f75b0273f7e43e1f28b70e47e67cffd0bd27392c63747db1eedd296930e79c62743e12ebda2ef0138bc8ac0326afca338dd638355f04f203bb0ad94c9e8439

  • /data/user/0/com.groupsureepdu/kl.txt

    Filesize

    75B

    MD5

    f72db84cf1298d5b0abd6c7c46bc1e54

    SHA1

    74647271223f47ddfe2f7c84fb3c459e91313d18

    SHA256

    fd392b323ec9aa2ac5b4198ab57a4abb1a34719c9d9a1b02e02cc128eb08db59

    SHA512

    3511c8b3ba5d895d204dbec46d2e48d684253a6c867c0dead06ac4ff525438ff84138925f76133f10348bc09ce70643ff5d0512dff3272389a5d3993022d4773

  • /data/user/0/com.groupsureepdu/kl.txt

    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/user/0/com.groupsureepdu/kl.txt

    Filesize

    237B

    MD5

    8ffd4687a5caf8cde583d6dac24c850a

    SHA1

    0f94ae34464be0e07330bdc27f66fe2a17afd065

    SHA256

    7baa8f6ebc0036f3037ba66aaa94f70556352122c4b73c12c059ed2d71b74329

    SHA512

    f5f2a0777a6f84b82e01702bf0e88e7d523c979737c94721eb41b0275151a957dbb7fd071889ee0975e806bcb6e68d5c59f1008fb38dc58de249a8f361663d78

  • /data/user/0/com.groupsureepdu/kl.txt

    Filesize

    63B

    MD5

    98094fc99e6abec1bf7bdb241eab8541

    SHA1

    f39ad1b9019eed1a2e60bf725dac0fcc0825b6de

    SHA256

    3b1fd61ed0de825741845f2611f04ec0ce074cae77814d588afacfaca918651f

    SHA512

    ad9239811adcec0d7a8bb44437c2eb89b4893d54a13ca60ae5a0d9597609bd02f91f76faafc5c55a75da61fa4aa4e0c5404eb42702fffdb944e9884bef90d3ff

  • /data/user/0/com.groupsureepdu/kl.txt

    Filesize

    45B

    MD5

    1e2e3c16775a796fb0098a913cb0d532

    SHA1

    ec9505f9fb0795b1bf165ab6ff29ae11e6dc8934

    SHA256

    1c1496757705c288227df9606f40b8daae1c35a9d9757d1a8e8641a92ef31660

    SHA512

    0464465950764477820ce608577c05208f735a9df56210b34e9978a153cc125b464b10da4fcce086918c44895f57e36c4c856c4357cdc6ac56b2cec73330476c