Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    21-12-2024 22:02

General

  • Target

    9723d225ad048caf2fa4f83ff7cd8feab9221befe09c9759b7e393ee38e04b1f.apk

  • Size

    3.2MB

  • MD5

    d14cc83768293dcc3743b14b16fd8693

  • SHA1

    81b0e7a46e6139c6b06b2a3267cd5a59c8788cf2

  • SHA256

    9723d225ad048caf2fa4f83ff7cd8feab9221befe09c9759b7e393ee38e04b1f

  • SHA512

    d85850f5dd4da19acb3a10e0a95f0d8ab0b933642b84820319c348ddfc13c6c78a6be61c68b6d648261b5972f966731cab5f9510642223ecf81a699439708d2a

  • SSDEEP

    98304:8hvaFW9Agk+r98RwP7sji8pFkCstMAxn83g7yPn:WCFWq+rGwP7sjrktMAxn833

Malware Config

Extracted

Family

octo

C2

https://185.196.9.197/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass2.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass3.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass4.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass5.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass6.net/MTQ4MmUxODBhMTVi/

rc4.plain

Extracted

Family

octo

C2

https://185.196.9.197/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass2.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass3.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass4.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass5.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass6.net/MTQ4MmUxODBhMTVi/

AES_key
AES_key
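
Both extracted configs list the same seven C2 URLs (one bare IP and six look-alike domains) and the same base64-looking path segment. The script below is an added example, not part of the sandbox report: it normalises that list into host indicators and decodes the shared path segment so it can be used as a pivot. The URLs are copied from the config above; every function name is the example's own. The rc4.plain and AES_key fields indicate the extractor recovered the key material used for C2 traffic, but their values are not reproduced on this page, so nothing here decrypts traffic.

```python
import base64
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse

# The C2 list from the extracted config above (copied from the report).
OCTO_C2 = [
    "https://185.196.9.197/MTQ4MmUxODBhMTVi/",
    "https://xxxpakunatationclass.net/MTQ4MmUxODBhMTVi/",
    "https://xxxpakunatationclass2.net/MTQ4MmUxODBhMTVi/",
    "https://xxxpakunatationclass3.net/MTQ4MmUxODBhMTVi/",
    "https://xxxpakunatationclass4.net/MTQ4MmUxODBhMTVi/",
    "https://xxxpakunatationclass5.net/MTQ4MmUxODBhMTVi/",
    "https://xxxpakunatationclass6.net/MTQ4MmUxODBhMTVi/",
]


def decode_path_token(path: str):
    """Return (first path segment, its base64 decoding as text), or (segment, None)
    when the segment is not valid base64 or does not decode to printable ASCII."""
    segment = path.strip("/").split("/")[0]
    if not segment:
        return segment, None
    padded = segment + "=" * (-len(segment) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return segment, None
    return segment, text if text.isprintable() else None


def parse_c2(url: str) -> dict:
    """Split one C2 URL into host, host kind (ip/domain), scheme and path token."""
    parts = urlparse(url)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        kind = "ip"
    except ValueError:
        kind = "domain"
    token, decoded = decode_path_token(parts.path)
    return {"host": host, "kind": kind, "scheme": parts.scheme,
            "token": token, "decoded": decoded}


def build_iocs(urls):
    """Unique (kind, host) indicators, preserving the order of the config."""
    seen, out = set(), []
    for url in urls:
        rec = parse_c2(url)
        key = (rec["kind"], rec["host"])
        if key not in seen:
            seen.add(key)
            out.append(rec)
    return out


def hosts_by_token(urls):
    """Map each decoded path token to the hosts that serve it. A token shared by
    every host is a candidate campaign/botnet tag worth pivoting on."""
    groups = defaultdict(set)
    for url in urls:
        rec = parse_c2(url)
        if rec["decoded"] is not None:
            groups[rec["decoded"]].add(rec["host"])
    return {tok: sorted(hosts) for tok, hosts in groups.items()}


if __name__ == "__main__":
    for rec in build_iocs(OCTO_C2):
        print(f"{rec['kind']:6} {rec['host']:32} token={rec['token']} decoded={rec['decoded']}")
    for tok, hosts in hosts_by_token(OCTO_C2).items():
        print(f"token {tok!r} shared by {len(hosts)} hosts")
```

Running it shows that `MTQ4MmUxODBhMTVi` decodes to the 12-hex-character string `1482e180a15b`, identical across all seven hosts; that decoded value (and the IP, which is the one indicator the operator cannot rotate by registering another domain) is what to search for across other samples and proxy logs.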

Signatures

  • Octo

    Octo is an Android banking trojan with remote-access capabilities, first seen in April 2022.

  • Octo family
  • Octo payload (1 IoC)
  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 5 IoCs)

    Loads and runs a DEX or JAR file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using an AccessibilityService.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse a foreground service to keep running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 2 IoCs)

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
  • Reads information about the phone network operator (1 TTP)
  • Requests access to notifications (often used to intercept notifications before users become aware of them) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  • Checks CPU information (2 TTPs, 1 IoC)
  • Checks memory information (2 TTPs, 1 IoC)

Processes

  • com.wantbook61
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4220
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wantbook61/app_ded/FZHmnAyA3FhzzktKlfk7NzRQ5nnWtFac.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.wantbook61/app_ded/oat/x86/FZHmnAyA3FhzzktKlfk7NzRQ5nnWtFac.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4245
    • rm -r /data/user/0/com.wantbook61/app_ded/oat/x86/FZHmnAyA3FhzzktKlfk7NzRQ5nnWtFac.odex
      2⤵
      PID:4270
    • rm -r /data/user/0/com.wantbook61/app_ded/oat/x86/FZHmnAyA3FhzzktKlfk7NzRQ5nnWtFac.vdex
      2⤵
      PID:4286
    • rm -r /data/user/0/com.wantbook61/app_ded/FZHmnAyA3FhzzktKlfk7NzRQ5nnWtFac.dex
      2⤵
      PID:4304
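
The process tree above is the classic runtime-loading sequence: the app hands a DEX from its own private `app_ded/` directory to `dex2oat`, lets ART compile it, and then deletes the `.dex`, `.odex` and `.vdex` so the payload does not survive on disk. The following detection heuristic is an added example (not part of the report or of any sandbox's own logic) that runs over process events shaped like the tree above. PIDs and paths are taken from the report; the dex2oat command line is abbreviated to the options the code reads, and the record layout and function names are the example's own.

```python
import re
import shlex
from pathlib import PurePosixPath

# Constructed from the process tree in the report: (pid, ppid, command line).
# The dex2oat command line is abbreviated to the arguments used below.
EVENTS = [
    (4220, 1, "com.wantbook61"),
    (4245, 4220,
     "/system/bin/dex2oat --instruction-set=x86 --runtime-arg -Xhidden-api-checks "
     "--dex-file=/data/user/0/com.wantbook61/app_ded/FZHmnAyA3FhzzktKlfk7NzRQ5nnWtFac.dex "
     "--output-vdex-fd=44 --oat-fd=45 "
     "--oat-location=/data/user/0/com.wantbook61/app_ded/oat/x86/FZHmnAyA3FhzzktKlfk7NzRQ5nnWtFac.odex "
     "--compiler-filter=quicken"),
    # The report renders two of these with no space after -r; the regex tolerates both forms.
    (4270, 4220, "rm -r/data/user/0/com.wantbook61/app_ded/oat/x86/FZHmnAyA3FhzzktKlfk7NzRQ5nnWtFac.odex"),
    (4286, 4220, "rm -r/data/user/0/com.wantbook61/app_ded/oat/x86/FZHmnAyA3FhzzktKlfk7NzRQ5nnWtFac.vdex"),
    (4304, 4220, "rm -r /data/user/0/com.wantbook61/app_ded/FZHmnAyA3FhzzktKlfk7NzRQ5nnWtFac.dex"),
]

# "rm", any run of flags, then the first absolute path (space after the flags optional).
RM_TARGET = re.compile(r"^rm\s+(?:-\w+\s*)*(/\S+)")


def app_private_dirs(pkg: str):
    """Both spellings of the app's private directory; /data/data/<pkg> is a
    symlink to /data/user/0/<pkg> on current Android."""
    return (f"/data/user/0/{pkg}/", f"/data/data/{pkg}/")


def dex2oat_options(cmdline: str) -> dict:
    """--key=value options of a dex2oat command line (last occurrence wins)."""
    opts = {}
    for arg in shlex.split(cmdline):
        if arg.startswith("--") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            opts[key] = value
    return opts


def find_sideloaded_dex(events):
    """Flag dex2oat runs whose --dex-file lives in the parent app's private
    directory (so it is not the installed APK's code) and record which of the
    compiled artefacts the same parent deleted afterwards (by PID order)."""
    names = {pid: cmd for pid, _, cmd in events}
    findings = []
    for pid, ppid, cmd in events:
        if not cmd.startswith("/system/bin/dex2oat"):
            continue
        opts = dex2oat_options(cmd)
        dex = opts.get("dex-file", "")
        pkg = names.get(ppid, "")
        if not pkg or not dex.startswith(app_private_dirs(pkg)):
            continue
        stem = PurePosixPath(dex).stem
        removed = set()
        for rpid, rppid, rcmd in events:
            if rppid != ppid or rpid <= pid:  # same parent, launched after dex2oat
                continue
            m = RM_TARGET.match(rcmd)
            if m and PurePosixPath(m.group(1)).stem == stem:
                removed.add(PurePosixPath(m.group(1)).suffix)
        findings.append({
            "package": pkg,
            "dex": dex,
            "oat": opts.get("oat-location"),
            "compiler_filter": opts.get("compiler-filter"),
            "removed": removed,
            "cleaned_up": {".dex", ".odex", ".vdex"} <= removed,
        })
    return findings


if __name__ == "__main__":
    for f in find_sideloaded_dex(EVENTS):
        print(f"[{f['package']}] runtime DEX load: {f['dex']}")
        print(f"    removed after load: {sorted(f['removed'])}  full clean-up: {f['cleaned_up']}")
```

The `cleaned_up` flag is the part worth alerting on: a legitimate plugin framework rarely deletes all three compiled artefacts seconds after loading them, and once they are gone the only copy of the payload is whatever the sandbox captured (see the Downloads list below). Note that the 3KB size of the captured `.dex` suggests a thin loader stage rather than the full Octo module.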

        Network

        MITRE ATT&CK Mobile v15

        Downloads

        • /data/data/com.wantbook61/app_ded/FZHmnAyA3FhzzktKlfk7NzRQ5nnWtFac.dex

          Filesize

          3KB

          MD5

          1dd01c5264c4740bfc756416d24696e4

          SHA1

          231aa64e4e0481fe1fac940eea9366cc12e42ebc

          SHA256

          1a49419a05e1f0464873561a796304573554462a28ae0fcc354f793f339de7c1

          SHA512

          cfcca3f3732313a0798788c7313c0f567a7159c4275be1c351830a4d454c96578eb18328184d3c1f34b7ab8e2beea272a41ded07cee6b366fe7e3b4ffa86e0ff

        • /data/data/com.wantbook61/cache/dbchtznxtpd

          Filesize

          449KB

          MD5

          f2a57d8c209b0cb07c0ba26352b1ac66

          SHA1

          8e6116e542e7a408329c326661a0cec271ecabbf

          SHA256

          c9f3344e3181a8b4825a800a78b0e5f7761a9da3dafa34659b2bb021ac108257

          SHA512

          314a3684aedebf49f0771b4a04c94efbfea1d2067db96aacb53bc4617c215429fd5acd10d9a7e0cf776b426bb9421f1c9a5def20cdd2746a41de83ce13be06b4

        • /data/data/com.wantbook61/cache/oat/dbchtznxtpd.cur.prof

          Filesize

          474B

          MD5

          55af4d80fb221d6be1d80d2286e96bf1

          SHA1

          12c8fdb597cab0340cde4e12ccb3ae41cebd304c

          SHA256

          4695cd78e4a07d034c084b142dc9785f6574933b73754c4e43a40baaad643ca1

          SHA512

          07ac259a38db91fb553aca5eea0a9ba0092180be0fef79106e0cc07c06901fee808ece1829996a3e4acd0fea4777f022d22dcf8e76d98e18d0779a93f201dab3

        • /data/data/com.wantbook61/kl.txt

          Filesize

          230B

          MD5

          c74bf695748f7175f7a89d15d3a941b8

          SHA1

          1d525937ce9fb0697b1157868775b3766ff0fbcb

          SHA256

          b4bf64f02c82f600acd02558d46937cc2a05c24c80a2e419181e617507499619

          SHA512

          6c2d553c4522573d33710745b1de61bc4bd24da59b4d6bd97db361a3c4025d6481e2eba9fc636cfc4230b2d1f354439265cf615da7e0dffbdb46aeb9734dd206

        • /data/data/com.wantbook61/kl.txt

          Filesize

          54B

          MD5

          ffc39b322a0340f7aa8582a565121a12

          SHA1

          2e617565dac3400d40d492d717ffb7cafd9abd11

          SHA256

          5385aa0cdd87cd6ad145df1ddf32644a18c95e8eb3ac979cbb8f3efb0e2e4aeb

          SHA512

          443040f2f04e11ca6f21d6789cc31e629530aeb66af8cb416a7efc913b5fa6299d441ee428dcd0017c4fec2e2e15a09cbfb0ef15f355ed773624d152bf3c0c98

        • /data/data/com.wantbook61/kl.txt

          Filesize

          63B

          MD5

          465faa20418d4d5d3f0e6437c92c42db

          SHA1

          21d58c5471edd738e35d0734a48c56d23f0fbaee

          SHA256

          e75e699106ee3609c2d0659c679e6bf91443657a9a18a2c1a632bbb085093548

          SHA512

          992cd045094932c071b39dcb6f42c21df910c709fba63249c68d074dba98dd90fb77cee6ad2602d7eeb8a3108a4e8e5ff406626046ea6ff11e205ce20a430a08

        • /data/data/com.wantbook61/kl.txt

          Filesize

          423B

          MD5

          bca3c321a7470c45dc83174d7d9b00dd

          SHA1

          118fd6da8371f0891e1fe7629e8a9dbfb8559411

          SHA256

          3adbb0d530703f1dfa0c782b3f9ae454e390c7889281fca8058d99975e2265f8

          SHA512

          c30d7cd61ee8586399296a0764baabff36a017a82db24db8d38cbba3657eb5909a41c8a461b80bb82db98b4bc0442f6e7d87dc800e901bb090bfb60858252721

        • /data/data/com.wantbook61/kl.txt

          Filesize

          28B

          MD5

          6311c3fd15588bb5c126e6c28ff5fffe

          SHA1

          ce81d136fce31779f4dd62e20bdaf99c91e2fc57

          SHA256

          8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

          SHA512

          2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

        • /data/user/0/com.wantbook61/app_ded/FZHmnAyA3FhzzktKlfk7NzRQ5nnWtFac.dex

          Filesize

          3KB

          MD5

          3e6691684593a0b24ae967a8e120c0c0

          SHA1

          a22b96cbfef13b68f7ed3aa8f4324513e5f88217

          SHA256

          fbc554a2e3c431e9877b93e9969ad11b11f1ab997e02f4b05f5d6f872906e65b

          SHA512

          a373a91d351aa10ab9c843f73294e7c0f53508f9e2698d7afee700bb36e50d93b9d42136c6e388c16db3586af664c1115ccfb473f30594342fd94d35fc2335ae
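
The Downloads list repeats paths: `kl.txt` appears five times with five different hashes and sizes, and the dropped `.dex` appears under both `/data/data/...` and `/data/user/0/...` (the same directory, since `/data/data` is a symlink to `/data/user/0`) with two different hashes, so each of those files was rewritten during the run. The script below is an added example, not part of the report, that folds the two path spellings together and separates files rewritten during execution from one-off drops; the paths, printed sizes and SHA-256 values are copied from the list above, and the record layout and function names are the example's own.

```python
from collections import defaultdict
import re

PKG = "com.wantbook61"

# Constructed from the Downloads list in the report: (path, size as printed, sha256).
DROPPED = [
    ("/data/data/com.wantbook61/app_ded/FZHmnAyA3FhzzktKlfk7NzRQ5nnWtFac.dex", "3KB",
     "1a49419a05e1f0464873561a796304573554462a28ae0fcc354f793f339de7c1"),
    ("/data/data/com.wantbook61/cache/dbchtznxtpd", "449KB",
     "c9f3344e3181a8b4825a800a78b0e5f7761a9da3dafa34659b2bb021ac108257"),
    ("/data/data/com.wantbook61/cache/oat/dbchtznxtpd.cur.prof", "474B",
     "4695cd78e4a07d034c084b142dc9785f6574933b73754c4e43a40baaad643ca1"),
    ("/data/data/com.wantbook61/kl.txt", "230B",
     "b4bf64f02c82f600acd02558d46937cc2a05c24c80a2e419181e617507499619"),
    ("/data/data/com.wantbook61/kl.txt", "54B",
     "5385aa0cdd87cd6ad145df1ddf32644a18c95e8eb3ac979cbb8f3efb0e2e4aeb"),
    ("/data/data/com.wantbook61/kl.txt", "63B",
     "e75e699106ee3609c2d0659c679e6bf91443657a9a18a2c1a632bbb085093548"),
    ("/data/data/com.wantbook61/kl.txt", "423B",
     "3adbb0d530703f1dfa0c782b3f9ae454e390c7889281fca8058d99975e2265f8"),
    ("/data/data/com.wantbook61/kl.txt", "28B",
     "8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8"),
    ("/data/user/0/com.wantbook61/app_ded/FZHmnAyA3FhzzktKlfk7NzRQ5nnWtFac.dex", "3KB",
     "fbc554a2e3c431e9877b93e9969ad11b11f1ab997e02f4b05f5d6f872906e65b"),
]

_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}


def parse_size(text: str) -> int:
    """'474B' -> 474, '449KB' -> 459776. The report prints rounded sizes, so
    the result is approximate for anything in KB or MB."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)\s*(B|KB|MB)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def canonical_path(path: str) -> str:
    """Fold /data/data/<pkg>/... onto /data/user/0/<pkg>/...; the former is a
    symlink to the latter on current Android, so both name the same file."""
    return re.sub(r"^/data/data/", "/data/user/0/", path)


def summarize(records):
    """Per canonical path: number of distinct content versions captured, their
    sizes and hashes, so rewritten files stand out from one-off drops."""
    by_path = defaultdict(lambda: {"hashes": [], "sizes": []})
    for path, size, sha256 in records:
        entry = by_path[canonical_path(path)]
        if sha256 not in entry["hashes"]:
            entry["hashes"].append(sha256)
            entry["sizes"].append(parse_size(size))
    return {p: {"versions": len(e["hashes"]), "sizes": e["sizes"], "hashes": e["hashes"]}
            for p, e in by_path.items()}


def rewritten_paths(records):
    """Paths whose content changed during the run (more than one distinct hash)."""
    return {p: e["versions"] for p, e in summarize(records).items() if e["versions"] > 1}


def outside_private_dir(records, pkg=PKG):
    """Dropped files outside the package's own private directory deserve a
    closer look; for this report the list is empty."""
    prefix = f"/data/user/0/{pkg}/"
    return [p for p in summarize(records) if not p.startswith(prefix)]


if __name__ == "__main__":
    for path, info in summarize(DROPPED).items():
        print(f"{info['versions']:2} version(s)  {path}  sizes={info['sizes']}")
    print("rewritten during run:", rewritten_paths(DROPPED))
    print("outside private dir:", outside_private_dir(DROPPED))
```

Two things fall out of the grouping. The 449KB `cache/dbchtznxtpd` is by far the largest artefact and the one to pull for static analysis; the 3KB `.dex` that `dex2oat` compiled is too small to be the banking module itself. And a small text file rewritten five times with growing and shrinking sizes is the signature of a log the malware appends to and flushes; the page does not show its content, so what `kl.txt` records has to be confirmed from the sample, not assumed from the name.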