Resubmissions

  • 16-12-2024 22:36  241216-2h9hwssrgl  10
  • 16-12-2024 22:35  241216-2hwa9ssrem  10
  • 13-12-2024 22:04  241213-1y5n7s1ndr  10

Analysis

  • max time kernel: 148s
  • max time network: 156s
  • platform: android-9_x86
  • resource: android-x86-arm-20240910-en
  • resource tags: arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted: 16-12-2024 22:35

General

  • Target: 0df8c6043105779bbbd483c9d07613716e509e311bbe7a2c62652390f5f00727.apk
  • Size: 1.9MB
  • MD5: b2bed9d03f63b338427fc93bb7aafc30
  • SHA1: 5a57ca52b038ec6c6d20baf3d8003b831501cca9
  • SHA256: 0df8c6043105779bbbd483c9d07613716e509e311bbe7a2c62652390f5f00727
  • SHA512: b9635ef374bce803eae60c5c5dd895aeeaaa2c6dec73fc1344f5d8a5afadc97cfea1fc43d72c74208e555a3ed4ec42629d1ebe52f47ee5109a95bb82efec3583
  • SSDEEP: 24576:bw6/b3VoUh3u8yzPaJB0MnWiq+6jiWVcdEQhl0cedK6EMmfR0/4NE30p7:bX5h3ubOwAqjx2OQI7KNMmZ0/4N205

Malware Config

Extracted

  • Family: octo
  • C2:
    • https://recordsimo.top/ZmU2YzQ2NjZlNjc2/
    • https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/
    • https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/
    • https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/
    • https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/
    • https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/
    • https://junggvbvq.top/ZmU2YzQ2NjZlNjc2/
    • https://junggvbvq5656.top/ZmU2YzQ2NjZlNjc2/
    • https://jungjunjunggvbvq.top/ZmU2YzQ2NjZlNjc2/
  • rc4.plain

Extracted

  • Family: octo
  • C2: the same nine URLs as in the first extracted configuration above
  • AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.uswholekybb
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4274
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.uswholekybb/app_DynamicOptDex/GWB.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.uswholekybb/app_DynamicOptDex/oat/x86/GWB.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4300

Downloads

  • /data/data/com.uswholekybb/app_DynamicOptDex/GWB.json
    Filesize: 1KB
    MD5: b060e8a1ba9fdb9eb738c028afffe71f
    SHA1: d35091bab8d0cef482315673bc2c4ad723d9c532
    SHA256: ed71d381007be28c6af5dad9417230e2ca249dd7ce75703af62e008baa5f5829
    SHA512: e01ae32ef74e7ceb4c907a9cd8d323ab83b8561854b4fa30a2a64703500ee22b7370584caf590a7483c52722b5cd0ce059fc73e1b2abb7c2a270c0916343d7e8

  • /data/data/com.uswholekybb/app_DynamicOptDex/GWB.json
    Filesize: 1KB
    MD5: c64d93e354c25ac7ee8886f6c5d8103f
    SHA1: d1a976b91e0603d289bafb9047baa318f5ba92cc
    SHA256: 052d26e009ee53b91956501a8b5e4ad40ca9c457f7b875a45ffae15f1ce09460
    SHA512: 5b36807fd72952f87c0914fb9458f746859307c0bfe76cd96823bc8d6fd2cade543f600988c5e1ff241263346bf066c952181c8e6b15fddad543338cf9cba5e9

  • /data/data/com.uswholekybb/cache/bzwdgemlg
    Filesize: 448KB
    MD5: b609292c76c45ed701da8e4b5fd2915b
    SHA1: a43c2c5310a7d3b0931805ab2596385739e203c2
    SHA256: 7ca55d15bc884b9f7d79aaa175f087fb0198947dc16458a6ead1194141c49d0e
    SHA512: 1132f00da5ebaeb64d731a75d3d878da0f6fc8b6e5045ca7e1fdc8ff46a4e10f5483f94d7c2010aaafac909bf0b95f603fa7d8b426fc5684b49203ad190e5ca1

  • /data/data/com.uswholekybb/cache/oat/bzwdgemlg.cur.prof
    Filesize: 487B
    MD5: 44c72a9fbc5724924bbc475137d65b83
    SHA1: 6386f557d4d35587aec5fdd0173c912b55bd5c43
    SHA256: f29573378987cc301499f51940c44be93ee013c2b032ff66f8ca400e3b769d31
    SHA512: f9105bbd159cf231786e5fbbba757ac43e6258a939352a62e43bb69f73f84238aa795b35e31b955f3078986d23efff5f0e129fc531ef89c01afa177de03af7cf

  • /data/data/com.uswholekybb/kl.txt
    Filesize: 28B
    MD5: 6311c3fd15588bb5c126e6c28ff5fffe
    SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
    SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
    SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/data/com.uswholekybb/kl.txt
    Filesize: 237B
    MD5: 638a34f14776aa12578fbb2a7aa05be0
    SHA1: 26a3a0857b5c5b45a82769309ef23507f1f568c8
    SHA256: 4b15fee1ace4410010cc840a90051d5c3bf8efee8678cbc1a2adc02a2fdc53c3
    SHA512: 2dd3f8a71f35cc4910a61bccbef975282e93cb3d8e5d44e2e0d68727f5912e1922a0384cc948d9b67673088e2444ccdbc773d6d2dbfae8a5fb2e4b565da08507

  • /data/data/com.uswholekybb/kl.txt
    Filesize: 63B
    MD5: d753c990f78621ec8e1f4ed51907588d
    SHA1: 509c141eeea153a6c6753e48629079018152020d
    SHA256: 031e47d899428ceabc13e1e876efc46c73912faa5387a28de2186e69e7097cda
    SHA512: 924c9df578cf20f6e163906dc8d0081cf8ad78e347efa755f95ebc947e8b1ffa5a601d2f321839a4fd92c43eaf08b75b72ccd703e5ebd614d8b081881185dd4c

  • /data/data/com.uswholekybb/kl.txt
    Filesize: 54B
    MD5: 22d473b1dec136554a4826f50fb11d76
    SHA1: 3262276e186cca5cb17a6ff11658adab62fc5f8f
    SHA256: 72f2592b55ac4d788854e0523f773654841e958bab26121ac6b3bc9181451b6b
    SHA512: 0600ef53b9a5e8fbdfde3e294d81ea145564065de3e068b72593c011c5bfd76800e563705397d335617d9e9e5f130ff6f3b882633e8ec437ae18533260655c91

  • /data/data/com.uswholekybb/kl.txt
    Filesize: 437B
    MD5: ddabaa681bf9186f518c1203be620f85
    SHA1: ad72ed6a28ed03fa2a868e1f263772d7eb28decf
    SHA256: 3323ac743bcc681b27a83ffda9b84d9d6879b78680c1aa391469781b56e5ca04
    SHA512: 3b355b80bcc97ebd721ea0f45f9fd06940559130db4e335da5c1f63d0f7d5a57eb35014160a5281f3cdeab4232355b40a5d248b63100c859103189ffed94e187

  • /data/user/0/com.uswholekybb/app_DynamicOptDex/GWB.json
    Filesize: 2KB
    MD5: cc2c3daf782a5f4e1b5c2aceae80b402
    SHA1: 77803e14388738bc39d0480e5d05f0d9141a977c
    SHA256: 14144fea73dd5182839f17dc28024999ac641f54adc1209ebc98a7e6e3323b31
    SHA512: 5f7b0d3167d2d4ad28b1c5eaa043d03c529cfa523f6559d19caa252ff451bcdb7c0b976a458209247bf16ad78c9d2f08b83a8a7646d825cd47b3ee4811f4ea39

  • /data/user/0/com.uswholekybb/app_DynamicOptDex/GWB.json
    Filesize: 2KB
    MD5: ed058f5d6e67ef83cc9c3d1e907fa1cc
    SHA1: f42b93ee85e862ff77ae823a261ecc72bb1f94c1
    SHA256: 7a334f7684668373b1404a6c801bd421c06fe051374173caaccf51eb75e4dd7b
    SHA512: b6823b4fffb6e95ce58cf07af1bab1efb42e88cd4993fe78049428de94b50f68f6f5e4ac565d8068bd4518230f13c5568e73088659056be21424196d547f2323