Analysis

  • max time kernel: 149s
  • max time network: 156s
  • platform: android_x86
  • resource: android-x86-arm-20240624-en
  • resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted: 18-12-2024 22:07

General

  • Target: 033b4397cc88de8ab1be120ed77f4c0d9485d11580fc06ae47125a9568527cbf.apk
  • Size: 3.6MB
  • MD5: 0117be2e1470648b40305597f94fe756
  • SHA1: 9a232364940a5c79fe6949df489b35d662421ed7
  • SHA256: 033b4397cc88de8ab1be120ed77f4c0d9485d11580fc06ae47125a9568527cbf
  • SHA512: a9596dafbb2b38b63448498632ee49b9defd57eddb72befa517e1427c26227cb7b5ebdd955951f8f6f59d045efeeedab32c7e69cc7a1fa8d27f1b5d0a492f7aa
  • SSDEEP: 98304:O0E2p7iAgJ6nG+tk8/SWHyzn64fpXU0Mn5nRI+n73:O0lliAWUhtpHyzn6KpX05ne+n73

Malware Config

Extracted

  • Family: octo
  • C2: https://154.216.18.131:7117/gate/
  • DES_key:
  • AES_key:

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Removes its main activity from the application launcher (1 TTPs, 1 IoCs)
  • Loads dropped Dex/Jar (1 TTPs, 3 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
  • Queries the phone number (MSISDN for GSM devices) (1 TTPs)
  • Acquires the wake lock (1 IoCs)
  • Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTPs, 3 IoCs)

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  • Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)
  • Requests access to notifications (often used to intercept notifications before users become aware) (1 TTPs, 1 IoCs)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)
  • Checks CPU information (2 TTPs, 1 IoCs)
  • Checks memory information (2 TTPs, 1 IoCs)

Processes

  • com.stjppafdx.uzdydpiiq
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4258
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.stjppafdx.uzdydpiiq/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.stjppafdx.uzdydpiiq/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4284

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.stjppafdx.uzdydpiiq/app_dex/classes.dex
    Filesize: 819KB
    MD5: ae599bdc42739b7bca0f546c3a5fcb97
    SHA1: b4113acbe8ccdcd7b8bc016da6f1b7f3c3f0155e
    SHA256: b35a752ec1a2f763a5211d6537f9b8d30a2f7601b54634aa713337924cc83c8f
    SHA512: 26a99a8c6e4156083673e3ab80cc06f7be688543c7849c3170b9910c093e38fcc9316ef084dd4e60c1a1bd6ff34e266d5d9ef6ace904c9dec1d7249baec7740e

  • /data/data/com.stjppafdx.uzdydpiiq/cache/classes.dex
    Filesize: 207KB
    MD5: 97378f5ed29bd1678fc57c02326810e3
    SHA1: 95cd310d834bd07d7baf98cc84cc1f71d70f967a
    SHA256: 2d03892b2ba46a4809e777f2e154f9717848200b993e67dd29d132d77ac98e59
    SHA512: b3cc70d0b1cc0a62ff864d414ca58ad07369f6a45397c795453b62d6e5b523a742c637cacee0e0be43bac21f3d1177b06f1185395a613fff0bea4eac9430e8ff

  • /data/data/com.stjppafdx.uzdydpiiq/cache/classes.zip
    Filesize: 207KB
    MD5: e8a31ba69419ba55b87b8deae4a696a0
    SHA1: e7588770b82763f4df450dce1a5b3ee22a0989cb
    SHA256: 9f37b023fba74e692df534fad8aeb9d93f4c15459d5191df369e0650016e84d5
    SHA512: d3fa44204c7dcbfae6d29b93cd534ba4366c9593f2488d54600adaa7663d54d831568b9234e7bc5f2c5fa274b459445ebf980af316c86ef06c0b7565b01f5f9e

  • /data/data/com.stjppafdx.uzdydpiiq/kl.txt
    Filesize: 63B
    MD5: f5fdf3093313fa0ce549bef297975ca4
    SHA1: 3b770f5c06ef29e8a33fd5d968375581c71fcfab
    SHA256: eb7b9ecfdf3c9aedbd9996b4b26d540e3585fef8cbb224553b121921a972d082
    SHA512: 42c728d9cf8d6eb29ba485251e2f19d2c8156cf675b2c3e0708e72147714138e2d6580f65972aa81237f456d8a45cc8ba1a77797239ac942ce029685b4116ec1

  • /data/data/com.stjppafdx.uzdydpiiq/kl.txt
    Filesize: 54B
    MD5: 23cbff5a3162f9d3e522281665d59179
    SHA1: bb2196af70ffc016fb6b0bd7fc3fe6829be52c04
    SHA256: 2128ba1f51a323017da2ce7ad301340e9a855ad8a55630b836f83a27cfff86de
    SHA512: 48d7e895455bc081635aa705257eb4c8a852e340ad90b274e475733af2419c880621df64a1cd06de14d4cdd3093fe70ffdc66738dde4208e4898b0e3238e5af2

  • /data/data/com.stjppafdx.uzdydpiiq/kl.txt
    Filesize: 423B
    MD5: 74af632509e740aab15532bf20eb4d43
    SHA1: 9fb16fc62e960b11477a2743959c15cabf636caa
    SHA256: 7449714d0d24134f7c7758b5eed9aa1e847734162604fc1c80ecd923974a7917
    SHA512: a3d63484247a1b79735371025caeb4994c9fffa6a744552f437943376f000bb7fa99266b5a49ca854a8e33548f6830fd6968720b00f26efe0f1a15f91fc41904

  • /data/data/com.stjppafdx.uzdydpiiq/kl.txt
    Filesize: 28B
    MD5: 6311c3fd15588bb5c126e6c28ff5fffe
    SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
    SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
    SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/data/com.stjppafdx.uzdydpiiq/kl.txt
    Filesize: 230B
    MD5: e7d7cb13cd1030ae8a4918c277c64158
    SHA1: bf5d2c2344a252a7d74431eb4629ed7d3f869c0c
    SHA256: 4577e7ebcb51d67fc1132202031c3ff9e5adc1fe610a5427197cef00bac8016f
    SHA512: 9088b9906ae214952e86e620b8d9641b6d924f85347f1ffefeda275690056c682753a0b1feafb5c3961b18ca18476daf6128dc63271651f56ba44c45394277f7

  • /data/user/0/com.stjppafdx.uzdydpiiq/app_dex/classes.dex
    Filesize: 819KB
    MD5: 44bc5a629f32b8c6706ab5aef87b1fc2
    SHA1: 5a0f46df9012acf41160bbbd164c6af8a6df3e8f
    SHA256: 52fd3634ca533c271ec9d3b05cbf0e305dc59c9bf4bf7b72348c21c15786b8c0
    SHA512: 8b2dd3668385f7a16e1bddede9fafd281922e975c89f6890ad380658c8d51bf71706e23dc1074f38c02f4bdd20b8f751c1409681c6c0a96cf32e963e0b4a1e97