Overview

overview

10

Static

static

6

87dcf8af2e...6d.apk

android-9-x86

10

87dcf8af2e...6d.apk

android-13-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    16-12-2024 22:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    87dcf8af2e6985eed966f639136c8c1c3c422c08d4dec31885b2731e518afd6d.apk

  • Size

    1.6MB

  • MD5

    1d6209f4329cabfa0466b1a01439e75b

  • SHA1

    9d37f209c76c247933822b61b2ff00f1990e3eff

  • SHA256

    87dcf8af2e6985eed966f639136c8c1c3c422c08d4dec31885b2731e518afd6d

  • SHA512

    2f90994e5f8412be3f3c71bf810f08c64a9397f6c9ca0290516b64ae577ed97c0796e3272624d684d3a440ef6628d8caeecce6ac1b6b0de7e638ce29a3840d99

  • SSDEEP

    24576:/qUUxcc8RwQ1ml8HgXZbloLBR0PzxEKtWJRHlFtizxJrSczQywuJatW5tj9dFUCy:O8RwMml8HgXboNGdoJSwMyEV998R+bg

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://r85d4kbe5729.vip/MTU2OWE0NzJjNGY5/

https://a87rvat46c50.com/MTU2OWE0NzJjNGY5/

https://juxtaglomerular.hk/MTU2OWE0NzJjNGY5/
rc4.plain

Extracted

Family

octo

C2

https://r85d4kbe5729.vip/MTU2OWE0NzJjNGY5/

https://a87rvat46c50.com/MTU2OWE0NzJjNGY5/

https://juxtaglomerular.hk/MTU2OWE0NzJjNGY5/
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.gametry45
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4508

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

1
T1628

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Access Notifications

1
T1517

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

Lateral Movement

Collection

Access Notifications

1
T1517

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.gametry45/app_DynamicOptDex/jqyPmK.json
    Filesize

    1KB

    MD5

    44608f92ba099cfdbe63b5d13e002861

    SHA1

    d641a4715f722f41dcf02b319ae657728d2ebc5d

    SHA256

    c33b58f09808b241890daf51b0e015a796e5b563702ce38709f05e51c97483d4

    SHA512

    03861932b1765dcb63a8b8c63dab78b9b3533f1bc1cfefdc5f6486579f971db1212d1531d83d5322cc684015c8f1d4f17d259ee05157007fd6ca3ba9ad0180e7

    Download Submit

  • /data/user/0/com.gametry45/app_DynamicOptDex/jqyPmK.json
    Filesize

    1KB

    MD5

    74e0f2097bb2ed3f759513f4d437bde1

    SHA1

    200c81437e0943765dfab1045b06db6a6e476530

    SHA256

    16245e4d83032dd18a67d40e87038bc6a1ab86d066fd18b3e5464585d5ed7738

    SHA512

    2d81edd7c3c699247355d3bc4ccf241a067c09403980431319eebe52e4e6123d7bff4d0ce0b052a57f86a2f6ade1cbe7cba939202d8092c03ef57a06f1fe0832

    Download Submit

  • /data/user/0/com.gametry45/app_DynamicOptDex/jqyPmK.json
    Filesize

    2KB

    MD5

    63cb50b7cb76bc35c155147c136aeb5c

    SHA1

    e07deec705b3ceaf4427832d8fb06e31d1ffb016

    SHA256

    42254032988cf3e6af83d80799133b9e4bb71692d59d04281ba8509fddfcc5a6

    SHA512

    7f359eb08ea6a17c692f47b0cde87cc0ae479987cc695b05e42208b63a0992478e3f83b7fdf7280774916fb49f3869616318a57a327d30986cbfb307e9b0c879

    Download Submit

  • /data/user/0/com.gametry45/cache/kfcrr
    Filesize

    456KB

    MD5

    377cc75d09f94255e0edbb42044d378e

    SHA1

    efa2bd009b4d0522d74eb971ea3f57adaed95852

    SHA256

    7b1e29516e1c3ad1b3f04a7c62261ad60577ae23468f926f5259a850fcfe16db

    SHA512

    618339d127754675801d08c2f9c6b5a0b3b156e5a1ec95e1329e1d75064372d37d5054e20c0b1e481df9d57a7ef70b5f112d589f8d6575eb1fd76c7dd244956a

    Download Submit

  • /data/user/0/com.gametry45/cache/oat/kfcrr.cur.prof
    Filesize

    402B

    MD5

    01995bd8c56b674e176367c805ea933c

    SHA1

    c980ff3315c88fdc636254cd5a6d1a8c729aaee5

    SHA256

    099f29e6f0c963c783cdc693850370a7118ef1419ff1c2f19e49cc1c360c1a2b

    SHA512

    5487ea3b931bcf3436354fc6f0b9b93f338c7ca2cf726d481e1615c88ed60358c536ed29cb3386875fc5040beac71079242008e96971c0f84d9d02cc6e55420d

    Download Submit

  • /data/user/0/com.gametry45/kl.txt
    Filesize

    68B

    MD5

    4ee3abd644c307ea66a4e601c2f2870a

    SHA1

    56e8a106b44c6c100f67224c852b4bc0d34596be

    SHA256

    bad0232eb468814d52e9a7d35efa6f1ad389590883bc18ab8eada8ec6381eb2f

    SHA512

    2daa20f40aecf36e72dd92b1a0a193bd161d6e3eca43c707b31eeb86e7a44fbf4263e9604ebf50cf0e6511cae5b4cdb518afd17977e9304f1938342f06ceb057

    Download Submit

  • /data/user/0/com.gametry45/kl.txt
    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

    Download Submit

  • /data/user/0/com.gametry45/kl.txt
    Filesize

    214B

    MD5

    d631680e098f836d4ada1bc7d956e6dd

    SHA1

    adad25183d16782e08e135ddb4ce0c85cb302133

    SHA256

    d9590c883aa29239c57875783a0fcc424ea9ab603817a41b6d495d2ff9e3d863

    SHA512

    b81a04d0e5e2a1ddad412f4019325c5d223238443ccb14ac109203ed765c0f796e0a894fa1a0b42212dcb6e5a1b61f982652332617d600a6b055f0868abc6d1c

    Download Submit

  • /data/user/0/com.gametry45/kl.txt
    Filesize

    64B

    MD5

    b638e2c4f804dc355e0566bb64359f32

    SHA1

    6431ec1518b9b46ae086990b685741573b1b00b0

    SHA256

    089300002a08e40a85f470c562daf8600f8fe6bbf1193c351be1a9f8341d5c38

    SHA512

    5d52ad949a8a81b4820d71109b5cf6408a7c4fb8f84a6f78bbf5e3005a6b7ee9607db82295eb12b6f8128cfebfc0bac4be5f2809012fcc5de8d567a140f0fedd

    Download Submit