Overview

overview

10

Static

static

6

c2c5514cb9...c3.apk

android-9-x86

10

c2c5514cb9...c3.apk

android-13-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    10-12-2024 22:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c2c5514cb93f1e2818f1c7d2dc7f9668929b8524787d721f90d0d35a95fdc7c3.apk

  • Size

    4.7MB

  • MD5

    795c3e57a81a57c695f2755f579032b0

  • SHA1

    934d48f6cfb531bbe0774e1df761a8647299e01a

  • SHA256

    c2c5514cb93f1e2818f1c7d2dc7f9668929b8524787d721f90d0d35a95fdc7c3

  • SHA512

    a9a741569987f97083dfcadec93cd4a32d4aa2a0c183c3e33a8811765c5169dfe93f8e732a4a469ccd910d6572cb0ed30aa3d35e3ef902da65986053931adc5e

  • SSDEEP

    98304:9tU9Xgw+Ru1j8KwD7vzPBmvFDwpBfepzeBNEZrVAGLgi4OxNoswDSkG:9t+gw+84D77PKFDwGavEtVxLHxzoSkG

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

octo

C2

https://pildirpirpir34.com/ZTZkODUzMTBjYTA3/

https://pidlirmidlir23.com/ZTZkODUzMTBjYTA3/

https://pigav233.com/ZTZkODUzMTBjYTA3/

https://tavaekemk42com/ZTZkODUzMTBjYTA3/

https://pifvafaf42e42.site/ZTZkODUzMTBjYTA3/
rc4.plain

Extracted

Family

octo

C2

https://pildirpirpir34.com/ZTZkODUzMTBjYTA3/

https://pidlirmidlir23.com/ZTZkODUzMTBjYTA3/

https://pigav233.com/ZTZkODUzMTBjYTA3/

https://tavaekemk42com/ZTZkODUzMTBjYTA3/

https://pifvafaf42e42.site/ZTZkODUzMTBjYTA3/
DES_key
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 5 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Requests modifying system settings. 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.eatheklh
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4213
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.eatheklh/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.eatheklh/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4239

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Network Configuration Discovery

4
T1422

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.eatheklh/app_dex/classes.dex
    Filesize

    3KB

    MD5

    68ae4e00f7d247b3b3695e6ac2b5b917

    SHA1

    68111b1232d38e6d00379be1173a16dac0bb90d6

    SHA256

    4cebb7fd2e3a80e70e619fb0698aeedb277b350213cb16b3bb3a14ed1488c98a

    SHA512

    8c07c0e688fd3a211948bec28c4ef2f6b430749c39737c871b0762f22f9a396afadf9290efd42ffcbe87662b0f7e9b92c3b0be22ebffce544bf17f7440f9ba24

    Download Submit

  • /data/data/com.eatheklh/cache/classes.dex
    Filesize

    1KB

    MD5

    81a3b72beedc2debcaa853c46c677404

    SHA1

    b84c64a9dfacd7f04b8be3c42cf2b60b6789ab56

    SHA256

    f143546db91c77f2bea067eac56f4b014f3a6e87b9589071be9e0d25f420e5b4

    SHA512

    7d02c5fd28fd166addd62b3f508426de91846c73bc02a353ae63cbeeda07927aea7dbc958c1eb1459c066480382f46fa2eb62d86b4791b8e99a11267741d3a2f

    Download Submit

  • /data/data/com.eatheklh/cache/classes.zip
    Filesize

    1KB

    MD5

    5fd6dca947bbeb7775e52d3dbb36c1a7

    SHA1

    db771a3016904ce995c601fb9c10cf449c1b5b97

    SHA256

    d7c09fe671f7f73207434b57ae03ec5a89b9f0133f3fea37c8e8524adc461a35

    SHA512

    4456b061e2d4b5ff064e3db977011b0db5ceaef4f6077eb5dbefb421ed48312040fd95e3886bf7b8109de2d841ce2e3ac15ccb4b1dd44aee354ddb84daff0dbb

    Download Submit

  • /data/data/com.eatheklh/cache/oat/youtrsxzlbh.cur.prof
    Filesize

    525B

    MD5

    fcc0f28291425a8f60932f93be5bca5a

    SHA1

    46dfa0cbda116fc82bee763295be58ec458b0cc6

    SHA256

    2a201cd6b3ba662736eb7ab40071e4a0e59d77690f9f3c9fab233a9b77adbbd2

    SHA512

    24e8e0657fb9d3bd60d9dbde8f3e9250e1e852e909b582b259394709951555c84eb5249d8fe238a3080e4345f51badc13cf7cac2603a3475878cfb0592f84e1f

    Download Submit

  • /data/data/com.eatheklh/cache/youtrsxzlbh
    Filesize

    1.4MB

    MD5

    6fdbea3338e70302787d0639bab10b7b

    SHA1

    5f04cd3d00b4dc9fea87044e68901e112335a122

    SHA256

    20594ff3e2b4f2143cbdf60f534bbecfc312da8c8af1ea4c0311e81f07b58201

    SHA512

    ef5a9dde6dd53791980cc762c7d2dc9bed7daca7d997205c4436f8273ce67a030d884600359b71967bbb9141f16d328e493536e823ec736a3cfaa3641a6fddbc

    Download Submit

  • /data/user/0/com.eatheklh/app_dex/classes.dex
    Filesize

    3KB

    MD5

    4b8d451fef0103254e88c1d48d946b02

    SHA1

    af652c341443e303ea1aa4e7ed222c35d2e6dea1

    SHA256

    265cc6c9c95e9ebe368df63158b9279dabe12e319481f7f5c00661fade91bc2c

    SHA512

    39d8bb808e0f0c52b541d16eae49c08122570a87fd1368c21ddc440356b09490fbce3a646ef2e9bc475390e12d25be1f31849a5e8f8abbcf2be05dad2d9ab059

    Download Submit