Overview

overview

10

Static

static

6

601ddb8829...04.apk

android-9-x86

10

601ddb8829...04.apk

android-10-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    133s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    09/12/2024, 22:00

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    601ddb882988e6d19c752639e1ea31ffe2609a5ac5adb73cd7f85d5610894404.apk

  • Size

    2.4MB

  • MD5

    12c352203278ca8f3a14435fbc12435e

  • SHA1

    b62081e458a41c158314a2a7faa5df3740470566

  • SHA256

    601ddb882988e6d19c752639e1ea31ffe2609a5ac5adb73cd7f85d5610894404

  • SHA512

    7754ebbaedff1eedede9732df652820f4692e34dde0b883851db3650c022c70b1ced4dff448dff3955e1b3630d015baf9a13e02c78656129c05529e913bdb127

  • SSDEEP

    49152:8nQ8OFW5jj4W9eh5cdsPT5JVDIB5670lbfDIfzDB+estMrMAiWlqLn9/WN:R8tjj4OehKdsLp8SoFfOfYsrMAiWE9/8

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://zzd768db37e5e2f5a7fbc0fe1fee5b311.com/YzhkZjQwNDRkN2Uy/

https://22d768db37e5e2f5a7fbc0fe1fee5b311.com/YzhkZjQwNDRkN2Uy/

https://34d768db37e5e2f5a7fbc0fe1fee5b311.com/YzhkZjQwNDRkN2Uy/

https://as4d768db37e5e2f5a7fbc0fe1fee5b311.com/YzhkZjQwNDRkN2Uy/

https://4d768db37e5e2f5a7fbc0fe1fee5b311.com/YzhkZjQwNDRkN2Uy/

https://44768db37e5e2f5a7fbc0fe1fee5b311.com/YzhkZjQwNDRkN2Uy/

https://466db37e5e2f5a7fbc0fe1fee5b311.com/YzhkZjQwNDRkN2Uy/
rc4.plain

Extracted

Family

octo

C2

https://zzd768db37e5e2f5a7fbc0fe1fee5b311.com/YzhkZjQwNDRkN2Uy/

https://22d768db37e5e2f5a7fbc0fe1fee5b311.com/YzhkZjQwNDRkN2Uy/

https://34d768db37e5e2f5a7fbc0fe1fee5b311.com/YzhkZjQwNDRkN2Uy/

https://as4d768db37e5e2f5a7fbc0fe1fee5b311.com/YzhkZjQwNDRkN2Uy/

https://4d768db37e5e2f5a7fbc0fe1fee5b311.com/YzhkZjQwNDRkN2Uy/

https://44768db37e5e2f5a7fbc0fe1fee5b311.com/YzhkZjQwNDRkN2Uy/

https://466db37e5e2f5a7fbc0fe1fee5b311.com/YzhkZjQwNDRkN2Uy/
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 7 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.noteablesai
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4248

Network

        MITRE ATT&CK Mobile v15

        Initial Access

        Execution

        Persistence

        Event Triggered Execution

        1
        T1624

        Broadcast Receivers

        1
        T1624.001

        Foreground Persistence

        1
        T1541

        Privilege Escalation

        Defense Evasion

        Download New Code at Runtime

        1
        T1407

        Foreground Persistence

        1
        T1541

        Hide Artifacts

        1
        T1628

        User Evasion

        1
        T1628.002

        Impair Defenses

        1
        T1629

        Prevent Application Removal

        1
        T1629.001

        Input Injection

        1
        T1516

        Virtualization/Sandbox Evasion

        2
        T1633

        System Checks

        2
        T1633.001

        Credential Access

        Access Notifications

        1
        T1517

        Input Capture

        2
        T1417

        GUI Input Capture

        1
        T1417.002

        Keylogging

        1
        T1417.001

        Discovery

        Software Discovery

        1
        T1418

        Security Software Discovery

        1
        T1418.001

        System Information Discovery

        2
        T1426

        System Network Configuration Discovery

        4
        T1422

        Lateral Movement

        Collection

        Access Notifications

        1
        T1517

        Input Capture

        2
        T1417

        GUI Input Capture

        1
        T1417.002

        Keylogging

        1
        T1417.001

        Screen Capture

        1
        T1513

        Command and Control

        Exfiltration

        Impact

        Data Encrypted for Impact

        1
        T1471

        Input Injection

        1
        T1516

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /data/data/com.noteablesai/cache/ecycppbzgargk
          Filesize

          2.3MB

          MD5

          a9764d2fbd116bf5599f4547979f2099

          SHA1

          06ba29a83d19f141888e0e4cd74bf50373ed2bc8

          SHA256

          f355b3ab56eb0874b48b4fbc01f2284b262763297bf7f383dca64b284d058aec

          SHA512

          f53ba7588d61d2d98e4afd902f21b1bbe1e5f7af47c72b4589c1a89ec7463454857acf061a363c3784c2f6da4726845ec55d44b3b830df7b4a3c259b769cae3c

          Download Submit

        • /data/data/com.noteablesai/cache/oat/ecycppbzgargk.cur.prof
          Filesize

          535B

          MD5

          7f37f59b18c37511ed7a5a26c93c8988

          SHA1

          987bbfba4d94a038bfabb77aba977a5c6bed51ae

          SHA256

          bc66441a24a6724546629e6cc40f37a3055fed6714591121e43c19e9d84037da

          SHA512

          d0403cdf6c8f21f1e9ba8aec56cb6238ddccd00a68a43f2f562d9fdec74d06c216c87ba45d34d9b8d6e78115bb04dc2c0502392b689de17ba272c6e3948fdff0

          Download Submit

        • /data/data/com.noteablesai/kl.txt
          Filesize

          28B

          MD5

          6311c3fd15588bb5c126e6c28ff5fffe

          SHA1

          ce81d136fce31779f4dd62e20bdaf99c91e2fc57

          SHA256

          8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

          SHA512

          2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

          Download Submit

        • /data/data/com.noteablesai/kl.txt
          Filesize

          237B

          MD5

          3ceb008e45cc2ec80376e4574167ecf6

          SHA1

          4df15e747a76c2004d49e730140930182dcbbc7d

          SHA256

          cdbc05d781fb4fc355f69fe14c049f70651d771f4476dfca3d68f21de02ca34d

          SHA512

          1432f1714a4daec93d6ea2a54083865bfd9f157bf45a35081ba980519b0b9047708589ce2cd8a213b3a5a1190fe16dec89a453c6a96945103d0c0eb8f427d8b3

          Download Submit

        • /data/data/com.noteablesai/kl.txt
          Filesize

          63B

          MD5

          8eb177fabed4f8d9bab04595bce7188a

          SHA1

          3a379ad7f832e08770a4da8c1466165b80b94587

          SHA256

          20bda042c4cb71cde36e1ced9823188fcd939472c0ff98777fd767c68b0f639b

          SHA512

          51fec1cf90543e3d47629139720e18c6dcc55e82b8589aa0b68bdfb4b5c59c6de41549cf66e9c3c09ef6eacc74cd2b002f074589b63cd6c7b139f60ac8dd9e33

          Download Submit

        • /data/data/com.noteablesai/kl.txt
          Filesize

          54B

          MD5

          b5e4f5860bafd46ba72813af37a82346

          SHA1

          1be188b04a736683fab9c72e77a5f179aa0ea3f4

          SHA256

          38c4ba77248de254e855ac3775f4a3f917852c308ff8549ed3f7379279bc0a5a

          SHA512

          2ac2b90e6f4094b61d45656212d41db05d8f518f9d12c56d45aa73006f3f290afcd91d56e1ea2a10700592f5badbd5caf66cc1e3bbd58de42b70b3591e39a009

          Download Submit

        • /data/data/com.noteablesai/kl.txt
          Filesize

          437B

          MD5

          f1d0c294edcb401d76c26ce2183636af

          SHA1

          acc4ee6d993ca43daeb270db41f74cbc780e930d

          SHA256

          a38805a383e0625be74c8351e98ad53a5acb1aa72cb30001046a002538c0ea85

          SHA512

          23de8b451d1f5e1ba84c1d41af9d8164d330b70058c0310f062330d95b09e8b3592e184d6c3c95286157f9ad8b2c6b733eb463b53f596148fb39b68e4991cf99

          Download Submit