Overview

overview

10

Static

static

6

c1dbbc3369...4e.apk

android-9-x86

10

c1dbbc3369...4e.apk

android-13-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    157s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    21-12-2024 22:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c1dbbc3369667c39a029839dcf9746491ec11e5d1c76b169d86cae9a0532534e.apk

  • Size

    1.8MB

  • MD5

    622ca30d3baa9fdbf9a1c9d93f3d6a1f

  • SHA1

    c0a5a9d8aefd9b241b77ae263585f0adbb72c75f

  • SHA256

    c1dbbc3369667c39a029839dcf9746491ec11e5d1c76b169d86cae9a0532534e

  • SHA512

    16359d10e7442b2e8df6383e9ec129ea1dc1b5f54b2e5643bb833ac5c7130ee1918bf5a8737d0f917fa135dff7aef74d24834b8f6857e85e1f669ac979d74bc6

  • SSDEEP

    49152:qUl4wa58BlautegFxqxWIU6I3D9M461MexMW5VW8oX:qam8BlNlFxFIU6IpM461MAWnX

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

octo

C2

https://recordsimo.top/ZmU2YzQ2NjZlNjc2/

https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvq.top/ZmU2YzQ2NjZlNjc2/

https://junggvbvq5656.top/ZmU2YzQ2NjZlNjc2/

https://jungjunjunggvbvq.top/ZmU2YzQ2NjZlNjc2/
rc4.plain

Extracted

Family

octo

C2

https://recordsimo.top/ZmU2YzQ2NjZlNjc2/

https://bobnoopopo.org/ZmU2YzQ2NjZlNjc2/

https://junggvrebvqqpo.org/ZmU2YzQ2NjZlNjc2/

https://junggpervbvqqqqqqpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqgrouppo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvqqnetokpo.com/ZmU2YzQ2NjZlNjc2/

https://junggvbvq.top/ZmU2YzQ2NjZlNjc2/

https://junggvbvq5656.top/ZmU2YzQ2NjZlNjc2/

https://jungjunjunggvbvq.top/ZmU2YzQ2NjZlNjc2/
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.simpleeast5
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4259
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.simpleeast5/app_DynamicOptDex/payOt.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.simpleeast5/app_DynamicOptDex/oat/x86/payOt.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4284

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

4
T1422

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.simpleeast5/app_DynamicOptDex/payOt.json
    Filesize

    1KB

    MD5

    da424898c02d301b0a419abbf5c817ed

    SHA1

    6c7ff8b272f387912576df4ad55118c74a34df94

    SHA256

    bad38ec88a04f76ca76590a414af0eaf9806955d597fd17fa1058e7d8e3d7e6c

    SHA512

    d4742087e2039cbfdc9ff055a1b00f58459e8e240aeb73ac9c8fab2a81736f86059fb7e2eee32072af2763ec1a00aa702f865bdfdb3847c6b926e571ffc9be03

    Download Submit

  • /data/data/com.simpleeast5/app_DynamicOptDex/payOt.json
    Filesize

    1KB

    MD5

    cc93e40c220c63f9f642704fee5093b8

    SHA1

    5b921bbfbf9ba702632b509053e6714744324f58

    SHA256

    9306ed1e8741674d90223ad56f634a6e0f221a2e0b11104c1eb22300782e0682

    SHA512

    12570a02abe90172a929e7ed5f971c9752b785b0898809a798d94ab4e103d786fd01eba2446480ee4264f3d07eed6084173900d7438d3cdb28afb44d692bb126

    Download Submit

  • /data/data/com.simpleeast5/cache/oat/zdewqpckklykdlg.cur.prof
    Filesize

    506B

    MD5

    06afd1c9e5f01294ad2fd4f11e1b5469

    SHA1

    ed93c1d0c6f53b1a9f3fb17c3c180039c9b63294

    SHA256

    470285ccf349ba3ffb91f062db4466457c1f324db1d59d29abf0c15b4adf44ba

    SHA512

    93862597f1108b222d2bca2ce1226ec2572051368c6a44bcd7fe6e4034f243b4a192b646dea7bd3966db2e211e282282167e2353352cee214be904bc92e77182

    Download Submit

  • /data/data/com.simpleeast5/cache/zdewqpckklykdlg
    Filesize

    448KB

    MD5

    acd00731f96f7a3d5c558a4e48203d8e

    SHA1

    c788859a427b86544f87e1af5d4a431d39966a7a

    SHA256

    ee3efca77b4e65501cdeb00b9760fa55d0ee7dd525936c2895cf798ee4b8f380

    SHA512

    674b3a85d5a93fd70884c42c3e1314c55a1c90eb7895b6d4025f5a7a4ae6b3fbdf1b3d377490d7c7d86150019e6e8b8a8ac94a201d5f52c390767f58e5d8e082

    Download Submit

  • /data/data/com.simpleeast5/kl.txt
    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

    Download Submit

  • /data/data/com.simpleeast5/kl.txt
    Filesize

    237B

    MD5

    592b6535a948a114598a2ccc094bc2d7

    SHA1

    454c8086eff8194a875b5f9742a1b6b8ccf03508

    SHA256

    436d323e0fb1525ec9b2bcc1f6904557d6bb9ddf5f0361776e8f1549e800faaa

    SHA512

    e5d93a3c848e2d2b519b590c79a1f9d007b6f0a7c82bde18ca5e7e155c649bdea45ec0be8ad60b68a0c6e21378afc1244db0ec5f77110d5ee57840d4a922c5c2

    Download Submit

  • /data/data/com.simpleeast5/kl.txt
    Filesize

    54B

    MD5

    80c64f51568203bd8d669d2198e6fac7

    SHA1

    6eff265719befec6a00e7b6f39eaccba3650bb72

    SHA256

    3c979685f84782a2e270d9d1400f748afcfa8d0f976a16b36f264bf9ac26539d

    SHA512

    01e3b2cae4e1a31173b6027a82f47929d7be72caef89c303c0e258791be4779ef026aa155357bc0b6d2dc87f4f5108539e6a023afc628751d2f0154a1d1f950d

    Download Submit

  • /data/data/com.simpleeast5/kl.txt
    Filesize

    63B

    MD5

    2726a0d15580567270b9a34816a55284

    SHA1

    5273e0a19f3561a09e8b331b49f1a25bd7c7569d

    SHA256

    847007d683e8c0b73aab1c0dc0700774bc3185ef171c3cdd3a63d6714bff2699

    SHA512

    fc447e4e1752c14a0fd314b37a87d69946c19aa6fef0e7db78895bd4b3c6d752bddf31ce5719e37b1055783c21e9502a5b97f56e6d7886efb4299f740e114b88

    Download Submit

  • /data/data/com.simpleeast5/kl.txt
    Filesize

    437B

    MD5

    5d345ab94209527bfc3400edb8c5f286

    SHA1

    0527fc19973488c48c958a85514edb71f6d035a4

    SHA256

    1a4c1e74925ddacc52e67e46fb93faf1a4c8ec0d3c8c2f04a983305924cc559c

    SHA512

    579f31959a688ca8116bb42012273f37d6c878c7b9b031bcc7b781a6e441691e7e136041460143a26d75dee8ae73fe6793b0ab486793263ccc390ad82eac7cf9

    Download Submit

  • /data/user/0/com.simpleeast5/app_DynamicOptDex/payOt.json
    Filesize

    2KB

    MD5

    5017121d3a72bc20bec654c8337f5e0c

    SHA1

    1726f0c4f7dd0d54420ae88d76be3ce7f7dc768e

    SHA256

    d4c641d927759d2fd0515701d09134beaff486d8b4725b04de5e96a7206887a4

    SHA512

    f0de3e8fc64a9a6e93e87cd47ace5090f611aa1dabf65de1973bf40fa3612f2400328abd2ca9501d26ac2764a650c21c8e992cd7ed372c8fd48851d16f1146c3

    Download Submit

  • /data/user/0/com.simpleeast5/app_DynamicOptDex/payOt.json
    Filesize

    2KB

    MD5

    7cc1319f4eb86b3fa60cf655c49e1e03

    SHA1

    f64b4e69d44e18bab192e51dfbbca9667acc022f

    SHA256

    1b1a4b0c9df620b89c7acd1c152e7846ed382de8d10687cbb06e65446ee70cc1

    SHA512

    15b673842d6ccb4d75b2249e93c40e3bb7bcdf69f8861f4f8b8080a89a52572cb548bafe1da21c6ea868288d2dbbe6504076419d5d686b8801a83f3a7ad40f13

    Download Submit