Overview

overview

10

Static

static

6

1dfd6d7233...23.apk

android-9-x86

10

1dfd6d7233...23.apk

android-13-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    android-13_x64
  • resource
    android-33-x64-arm64-20240910-en
  • resource tags

    arch:arm64arch:x64arch:x86image:android-33-x64-arm64-20240910-enlocale:en-usos:android-13-x64system
  • submitted
    22-12-2024 22:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1dfd6d723300730bfbc35d1f52f3a4c091ab6b87b093ea9dea28017985351923.apk

  • Size

    2.2MB

  • MD5

    832e4f3aa43c1ad52a1c84ef21af2f16

  • SHA1

    4785024a8a8a6a2b91bdd6bf783cab804ff98514

  • SHA256

    1dfd6d723300730bfbc35d1f52f3a4c091ab6b87b093ea9dea28017985351923

  • SHA512

    9ef866f3b54e5a32ac4181a48992ae5796664be8db154961c9054043360213c88eaf8da78bc8d76a30e5b514f0f0484bc20bb7b35c6c02ff80e32a1700acaf46

  • SSDEEP

    49152:wTBKw/sDJC0SGX1IZkh+90Kjhc5ZGZbmqy2YcYZP5YTO5GxZPsnAE4KoSBcEDGK/:eBKw6JTnX2kh+boZQ/y/cYZ2CALAkKME

Score
10/10
octobankercollectioncredential_accessdiscoveryevasionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

octo

C2

https://bukkub.top/Y2U5ZjYxZTA5Zjcw/

https://bobnoopopo.org/Y2U5ZjYxZTA5Zjcw/

https://junggvrebvqqpo.org/Y2U5ZjYxZTA5Zjcw/

https://junggpervbvqqqqqqpo.com/Y2U5ZjYxZTA5Zjcw/

https://junggvbvqqgrouppo.com/Y2U5ZjYxZTA5Zjcw/

https://junggvbvqqnetokpo.com/Y2U5ZjYxZTA5Zjcw/

https://junggvbvq.top/Y2U5ZjYxZTA5Zjcw/

https://junggvbvq5656.top/Y2U5ZjYxZTA5Zjcw/

https://jungjunjunggvbvq.top/Y2U5ZjYxZTA5Zjcw/
rc4.plain

Extracted

Family

octo

C2

https://bukkub.top/Y2U5ZjYxZTA5Zjcw/

https://bobnoopopo.org/Y2U5ZjYxZTA5Zjcw/

https://junggvrebvqqpo.org/Y2U5ZjYxZTA5Zjcw/

https://junggpervbvqqqqqqpo.com/Y2U5ZjYxZTA5Zjcw/

https://junggvbvqqgrouppo.com/Y2U5ZjYxZTA5Zjcw/

https://junggvbvqqnetokpo.com/Y2U5ZjYxZTA5Zjcw/

https://junggvbvq.top/Y2U5ZjYxZTA5Zjcw/

https://junggvbvq5656.top/Y2U5ZjYxZTA5Zjcw/

https://jungjunjunggvbvq.top/Y2U5ZjYxZTA5Zjcw/
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.teachvery73
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4484

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

1
T1628

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Access Notifications

1
T1517

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

Lateral Movement

Collection

Access Notifications

1
T1517

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.teachvery73/app_DynamicOptDex/Yw.json
    Filesize

    1KB

    MD5

    242192f6df97240e80e2d4b8973b4899

    SHA1

    777acd712e8b3df0c1e3383edc76420756b060db

    SHA256

    e71eea378bfa38b1d8afd4931be62f76aaaa65f6522ca6d04c839797148cdc93

    SHA512

    bf510f76eed948e14d8f7a18bbffa685ca15930f1d2081f9b4a061f8fc96dc224a5352acf938a4087bdc69eca1e982a177e5bfb63a3edcda23e781e37b5b3200

    Download Submit

  • /data/user/0/com.teachvery73/app_DynamicOptDex/Yw.json
    Filesize

    1KB

    MD5

    57174662b9c8f8f3d66accf272196e8f

    SHA1

    1da5ca630bd19702bd76f3926e2dafed0683533b

    SHA256

    319355be4adb36b80760a68ec62f33649470f2a07239ff172da4d73d4d4cdc3c

    SHA512

    0f66d970f249220a7fb99b5eba9d6d76ea8fb02967da8f16fcd6dc22e56c58d8bb1e1c78e9237c9e4036337f83b5504605cd9b6554f0ec012d22f672e90fe3ea

    Download Submit

  • /data/user/0/com.teachvery73/app_DynamicOptDex/Yw.json
    Filesize

    2KB

    MD5

    308da6966f1facdd629080f5f5acde51

    SHA1

    fa147254117114ad05b4bd658cf29107efd71099

    SHA256

    49b9e65192af241c6a99326ab37235d3145631b7f28848c76c0e4e6eae321310

    SHA512

    3ba545ef31a971ac144a99821f93e0c41fed5a862d509634973e0dd920549e3839a4a85173c9bde298f5f50ca7bd508dade16ac2e96f5113ef7e456bd1ddf471

    Download Submit

  • /data/user/0/com.teachvery73/cache/fvtdomk
    Filesize

    448KB

    MD5

    9ee318062514b7f71261d6fc72667749

    SHA1

    a7fd53306207a2cd540987187b35ea552dbd8b42

    SHA256

    08e30e95a576ec6e889b91c2088413353508bd81e5c3a73d1e28623094a5e778

    SHA512

    6e5b7505d8b67c892a7967de473231a4635082be210f6d3a40f90dbd89ade5874eb7e384dc6e70833f6aec943430504a7cf9698fc543c16cbb005311e89ec4e1

    Download Submit

  • /data/user/0/com.teachvery73/cache/oat/fvtdomk.cur.prof
    Filesize

    385B

    MD5

    6ad47ed29895c57db34ac47c404088a5

    SHA1

    d8f9029fd6da6389bc736219ab60ad98c1498b2c

    SHA256

    9108fb476ed31018ba66d8e68bb39d756141f30fea039102e03aabd01afa23b2

    SHA512

    a3d08b76ede418650d5b7e8d5f3229266a618e4e71f6a7002979c6b833b3c69769f48170761574b2b5f2cffc45e3a0c07fa238e072cb552727d375487277ab9e

    Download Submit

  • /data/user/0/com.teachvery73/kl.txt
    Filesize

    52B

    MD5

    d1c25213f96975f092e975eb1b80f77c

    SHA1

    8d24e2c9cc2a96cd53d46daa069b25266e0b740b

    SHA256

    31f04e0ad9301887fa30cc7607e04f27c6162646d3857a48a99c288fb0e1df06

    SHA512

    a5c03d02d630e640de75aedbf4763f83f6a1164b5dde5e4602eab558f6046b1d92cadbf0e9433e078b7f7dd77a538ff8f99dbc6976651a8e9ce5fd4a354ed20a

    Download Submit

  • /data/user/0/com.teachvery73/kl.txt
    Filesize

    76B

    MD5

    57ed01b93202055db2aa48f2db482183

    SHA1

    0413dd72e89d9ff591de5dfc377f9719e1586e64

    SHA256

    6a5a56badfe4286c9e93462b6a7b47db404aeeb5f5fd7f9286adaa8da74dc42a

    SHA512

    ea2343d88bea0f7045308817df253e349caaaf088d39ae75fa43940ae945a4021e1f543ea8989711e4a1f86d9ed650a4a6a07b5b0b7f59587b0807371c49d2b6

    Download Submit

  • /data/user/0/com.teachvery73/kl.txt
    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

    Download Submit

  • /data/user/0/com.teachvery73/kl.txt
    Filesize

    221B

    MD5

    1cef35c4d5725cb989ef402c5ac8c001

    SHA1

    16caca8054c44fa8d1419c1ae6693fb7551701ca

    SHA256

    b635240c96790567ef9226312da5653f04abe42c75620c427bb28bc758f9b55a

    SHA512

    46fa7e5f5875cca4edd9791e899d49a579bc4f9b97e16c021da9cb04c192017734cd488dc4f2e65a631fcc42c6f8c96818214056161b9d729774460787444639

    Download Submit

  • /data/user/0/com.teachvery73/kl.txt
    Filesize

    64B

    MD5

    c18349031878c5ba976655cba4ded885

    SHA1

    325eb067ee12bf18d48f2abf5ef7245fb69105ed

    SHA256

    a2e77152f34b6879e18acc6c8a0ba8aafb3c718ef70167c3f63bfae7b7fd0580

    SHA512

    1950d3c9e3c6e8061e7013a67d9d54bfc2e353a48aa948e45b44e29161790805eab803da378164b125e688b9dc5ead1c86e5cbea5eeb1718d7323d702b7da3dd

    Download Submit