Resubmissions

16-12-2024 22:36

241216-2h9hwssrgl 10

16-12-2024 22:35

241216-2hwa9ssrem 10

13-12-2024 22:04

241213-1y5n7s1ndr 10

Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    16-12-2024 22:36

General

  • Target

    0df8c6043105779bbbd483c9d07613716e509e311bbe7a2c62652390f5f00727.apk

  • Size

    1.9MB

  • MD5

    b2bed9d03f63b338427fc93bb7aafc30

  • SHA1

    5a57ca52b038ec6c6d20baf3d8003b831501cca9

  • SHA256

    0df8c6043105779bbbd483c9d07613716e509e311bbe7a2c62652390f5f00727

  • SHA512

    b9635ef374bce803eae60c5c5dd895aeeaaa2c6dec73fc1344f5d8a5afadc97cfea1fc43d72c74208e555a3ed4ec42629d1ebe52f47ee5109a95bb82efec3583

  • SSDEEP

    24576:bw6/b3VoUh3u8yzPaJB0MnWiq+6jiWVcdEQhl0cedK6EMmfR0/4NE30p7:bX5h3ubOwAqjx2OQI7KNMmZ0/4N205

Malware Config

Extracted

Family

octo

C2

https://recordsimo.top/ZmU2YzQ2NjZlNjc2/

https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvq.top/ZmU2YzQ2NjZlNjc2/

https://junggvbvq5656.top/ZmU2YzQ2NjZlNjc2/

https://jungjunjunggvbvq.top/ZmU2YzQ2NjZlNjc2/

rc4.plain

Extracted

Family

octo

C2

(identical to the nine C2 URLs listed in the first extracted config above)

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.uswholekybb
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4221
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.uswholekybb/app_DynamicOptDex/GWB.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.uswholekybb/app_DynamicOptDex/oat/x86/GWB.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4245

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.uswholekybb/app_DynamicOptDex/GWB.json

    Filesize

    1KB

    MD5

    b060e8a1ba9fdb9eb738c028afffe71f

    SHA1

    d35091bab8d0cef482315673bc2c4ad723d9c532

    SHA256

    ed71d381007be28c6af5dad9417230e2ca249dd7ce75703af62e008baa5f5829

    SHA512

    e01ae32ef74e7ceb4c907a9cd8d323ab83b8561854b4fa30a2a64703500ee22b7370584caf590a7483c52722b5cd0ce059fc73e1b2abb7c2a270c0916343d7e8

  • /data/data/com.uswholekybb/app_DynamicOptDex/GWB.json

    Filesize

    1KB

    MD5

    c64d93e354c25ac7ee8886f6c5d8103f

    SHA1

    d1a976b91e0603d289bafb9047baa318f5ba92cc

    SHA256

    052d26e009ee53b91956501a8b5e4ad40ca9c457f7b875a45ffae15f1ce09460

    SHA512

    5b36807fd72952f87c0914fb9458f746859307c0bfe76cd96823bc8d6fd2cade543f600988c5e1ff241263346bf066c952181c8e6b15fddad543338cf9cba5e9

  • /data/data/com.uswholekybb/cache/bzwdgemlg

    Filesize

    448KB

    MD5

    b609292c76c45ed701da8e4b5fd2915b

    SHA1

    a43c2c5310a7d3b0931805ab2596385739e203c2

    SHA256

    7ca55d15bc884b9f7d79aaa175f087fb0198947dc16458a6ead1194141c49d0e

    SHA512

    1132f00da5ebaeb64d731a75d3d878da0f6fc8b6e5045ca7e1fdc8ff46a4e10f5483f94d7c2010aaafac909bf0b95f603fa7d8b426fc5684b49203ad190e5ca1

  • /data/data/com.uswholekybb/cache/oat/bzwdgemlg.cur.prof

    Filesize

    489B

    MD5

    56d89b1b598b2f32ec4417ed94f47807

    SHA1

    0ac51d2c432566bdb77db857fa08ca2f1a56895a

    SHA256

    bd3e6a1d8dc4a6c5908cda6686fe89f294c29dd39e8d7651935319f8338f4be6

    SHA512

    8d6ec401bf8b62e2e78d0989a05cb775dc4e4ebc9b0687cf5a535a7e471413646d5c03948ccc083d142fbb01e487946eafea4f978eb689e9a600433653a2e770

  • /data/data/com.uswholekybb/kl.txt

    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/data/com.uswholekybb/kl.txt

    Filesize

    237B

    MD5

    de9ce9bc2504d3e88c710921aecd1a9c

    SHA1

    3ffffa0efdf313c53ece54980fab54f90feaa508

    SHA256

    bb019d8df4a8f92a09540696fe2bec73a245029e995656cb90d49b4c93f766cc

    SHA512

    8b8b84e106888afa4de9a82ea228fe3bd55ba5dfdca13265c5473421d966a0bb902db7b741cf9ca3d00b5165d6f5201e6e162dff9dd3927d1696d2d518f703ad

  • /data/data/com.uswholekybb/kl.txt

    Filesize

    54B

    MD5

    286f0111eecab84fc1c8233e538ec7bc

    SHA1

    e4b3ab323e21a3f5afd33786434c1ef28be82623

    SHA256

    b7325e4bc600d7f40ec28e94bf09ab631e27498ff074bb048e2f523b8883c595

    SHA512

    23cfcdaaa2085ff2c2ca7ed9a2c087022219aa865cb4bd2d15530e8dcd3a873fa8ccc67a9f86492fda85091994a3725ea3da1680ddbec67fe65af98222b35e25

  • /data/data/com.uswholekybb/kl.txt

    Filesize

    63B

    MD5

    928b64744387a54307a2787cc30029f9

    SHA1

    e80e2bf1622637be032f3a7d93f5769983a9f40b

    SHA256

    13bc3262cf17e5917145cc657e3e0ddcdbc0d6b6246db0484fac6361b86a4e45

    SHA512

    660a4586cf597955c181fbe8d7141aa543187d2d07bc9204fae7b5f0638a53cd63205eeae32ec999a77e45e139c079d4e660191f9761844695d4a5ad3486ef9a

  • /data/data/com.uswholekybb/kl.txt

    Filesize

    437B

    MD5

    ae79a5d1cd5a29366ae81c247fe7bba9

    SHA1

    a949166afedb2c0a2064edab3b00c8b46ff5535e

    SHA256

    0e2483a76f18a22ff5d755b7ba2c26c1179839cf3d24a9f1949811822bcff3a3

    SHA512

    4d47889767026e6e3eba01df01de16599759e0de038f63d6d1db021d5478c08291401ced971503afab2a69561553da938254c112320f8359ed5a7511519b9f41

  • /data/user/0/com.uswholekybb/app_DynamicOptDex/GWB.json

    Filesize

    2KB

    MD5

    cc2c3daf782a5f4e1b5c2aceae80b402

    SHA1

    77803e14388738bc39d0480e5d05f0d9141a977c

    SHA256

    14144fea73dd5182839f17dc28024999ac641f54adc1209ebc98a7e6e3323b31

    SHA512

    5f7b0d3167d2d4ad28b1c5eaa043d03c529cfa523f6559d19caa252ff451bcdb7c0b976a458209247bf16ad78c9d2f08b83a8a7646d825cd47b3ee4811f4ea39

  • /data/user/0/com.uswholekybb/app_DynamicOptDex/GWB.json

    Filesize

    2KB

    MD5

    ed058f5d6e67ef83cc9c3d1e907fa1cc

    SHA1

    f42b93ee85e862ff77ae823a261ecc72bb1f94c1

    SHA256

    7a334f7684668373b1404a6c801bd421c06fe051374173caaccf51eb75e4dd7b

    SHA512

    b6823b4fffb6e95ce58cf07af1bab1efb42e88cd4993fe78049428de94b50f68f6f5e4ac565d8068bd4518230f13c5568e73088659056be21424196d547f2323