Analysis

  • max time kernel
    37s
  • max time network
    153s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    29-12-2024 22:02

General

  • Target

    7b7d3bf5ac910556326def9ff907df7fbe5429f8a2257dee03a351f393c1b7e3.apk

  • Size

    1.7MB

  • MD5

    fd9a4e91c5be0c46849080780d9bfd13

  • SHA1

    9b29e9dbdd25f52bdd05df64027bbfa41832bdbf

  • SHA256

    7b7d3bf5ac910556326def9ff907df7fbe5429f8a2257dee03a351f393c1b7e3

  • SHA512

    f0ef46cfb7495c3bd71719984c321b2aac1214276af17fd9e19b1b69a6fc6f71ca80a37687462ddaab063bed2deb6db93b8636b1a87375d5cb9aba60d0ec2806

  • SSDEEP

    49152:ESbEk4C5q3zDd+DMSEJrSqiVM4HIbO3w2LLNCaF5:ESbEXkqungRGNb5

Malware Config

Extracted

Family

octo

C2

rc4.plain

Extracted

Family

octo

C2

Attributes
  • target_apps

    at.spardat.bcrmobile

    at.spardat.netbanking

    com.bankaustria.android.olb

    com.bmo.mobile

    com.cibc.android.mobi

    com.rbc.mobile.android

    com.scotiabank.mobile

    com.td

    cz.airbank.android

    eu.inmite.prj.kb.mobilbank

    com.bankinter.launcher

    com.kutxabank.android

    com.rsi

    com.tecnocom.cajalaboral

    es.bancopopular.nbmpopular

    es.evobanco.bancamovil

    es.lacaixa.mobile.android.newwapicon

    com.dbs.hk.dbsmbanking

    com.FubonMobileClient

    com.hangseng.rbmobile

    com.MobileTreeApp

    com.mtel.androidbea

    com.scb.breezebanking.hk

    hk.com.hsbc.hsbchkmobilebanking

    com.aff.otpdirekt

    com.ideomobile.hapoalim

    com.infrasofttech.indianBank

    com.mobikwik_new

    com.oxigen.oxigenwallet

    jp.co.aeonbank.android.passbook

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.chicken.remove
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4258
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.chicken.remove/app_meadow/MJcYdf.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.chicken.remove/app_meadow/oat/x86/MJcYdf.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4283

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.chicken.remove/app_meadow/MJcYdf.json

    Filesize

    153KB

    MD5

    284bcdf5e765be8ca711a2793a601f56

    SHA1

    be2d79a4c65675b1c86eba03e94fffb5f7be1404

    SHA256

    86029769bfa2ce392db83c118bd97f946ffd477cf2c74fe03aba559366592ca3

    SHA512

    2e13188f1f9ccd32bf8ee92a6e82340c67fbd1ce69b5cc6ab59172faf736990080480ceb0478bc4251ddd190eb371fe1ed63578e270a54e2220c11bf3cbdab1f

  • /data/data/com.chicken.remove/app_meadow/MJcYdf.json

    Filesize

    153KB

    MD5

    dfcc2842ccbaa7b2d531b2b0355b6d26

    SHA1

    b0db9a6519c9697795d25e8a645d4068645f8dc6

    SHA256

    2b276a66a3198bfe27ed1e81833a4e06705299c5c2e9e38e6c7e1ad13c448138

    SHA512

    8f855074d0a1891b899fcbb48c3a39da0bcfae072eddf77dda9577096c9af72d5ffeea5e58578b5fc720f0a5dbf66b9de01b0e41936ca7667e0b2eed5b25fcc3

  • /data/data/com.chicken.remove/kl.txt

    Filesize

    45B

    MD5

    c355f76902e2121dcd97f7070f7fa0d7

    SHA1

    d880ec2d656e7ff8c315bdf131d2808b69c4e0ee

    SHA256

    83747c69f6cb3f055eb8136a69f8500253f3d302863808ffd83f7251421e767f

    SHA512

    f646f2ed841aca0226ef8629855fdf238d7f95bed7a8d5f6b98f76d5da1e41e6725307821887f35a73f1010ac1b55a36e4ad0544395f3c35084e6dff126b67ff

  • /data/data/com.chicken.remove/kl.txt

    Filesize

    423B

    MD5

    bf5679d915aa4d2abe1e9695aa95237e

    SHA1

    d2fa4f057acbf1405023b39cd918be73ba4a495a

    SHA256

    cfa92331806066c63995ff471f1a04c66369147a9e60455bd2374126f8c67ae4

    SHA512

    a11a6f38b802255a8f1af64264a9e25209f0e5722d9f83db7eb960f098a0d357d4e44513e5ecd6f0d8444a52a6e2b026d45821c185cb5719933ce921a0b081c6

  • /data/data/com.chicken.remove/kl.txt

    Filesize

    230B

    MD5

    e48b03da116ce5f5a6c3a786ef42d7f2

    SHA1

    e369a9003085293f5a7be912eef9548ac862d0a5

    SHA256

    fcd94a502a140990de38ce0be5f86b42f16b088897c9a651c91f6bad5dd87368

    SHA512

    5d654b40a11414081d1a7f565848f81f42ed608a82e53889666f82e973919bceb7f1a8b96df6b8095d4ad9244de5b182dea771236c51ab76bfa49833d8f6d28e

  • /data/data/com.chicken.remove/kl.txt

    Filesize

    54B

    MD5

    deab7788da7f11b54d24290686e131ad

    SHA1

    07158caa79d1e1be67e22fb4accba6786bca4eb5

    SHA256

    ae680f9a75bb17fce65ed76d85461becd5a42185f7874b4d2bf94454cec61209

    SHA512

    5b1aa04ebd3d90cc74360fd73fb50e92720068b8caec2166babc5c361c2f280c8047a4cccb5448d34e51a11242b7541de3b87b50cae36992cdd574eefc7eaf19

  • /data/data/com.chicken.remove/kl.txt

    Filesize

    63B

    MD5

    f53a1c52a47615ad45e01420b3572c9b

    SHA1

    d7887ad59626002d75d3800e6143664eb6a015a3

    SHA256

    9ca1548c8bbd94fef06a0e35fa0871ee3d8714f3eaac04e96b3af1f9b0d4261c

    SHA512

    31360b8300a7086c51f6805f70c97260fb2aec4ef38a84a0b0f0b9d3e7a20fc12a7d280c759990de35e8958f30acef6f2e3fd9af30f2cd237a4916bb1512f6ea

  • /data/user/0/com.chicken.remove/app_meadow/MJcYdf.json

    Filesize

    450KB

    MD5

    dce74cfcd9e21ca8a22c7dd0a3736ab5

    SHA1

    57c59df5bfc39da083d076d1001044891ab6d6ba

    SHA256

    b2758d82842174f06a0ebcbd16dcc6eb685d0b112440ecdcaf3573eb358f9e50

    SHA512

    d24038cc8bc49462f10450aa31dfb887703251b698b47bf3f2773d4cb492f35f9f375564951710ef6f39884892b9f2c724f136b28e52220e96505e8531f3a890

  • /data/user/0/com.chicken.remove/app_meadow/MJcYdf.json

    Filesize

    450KB

    MD5

    32c78161753c879186162363b1ac82c6

    SHA1

    cd703b5876cfcc0bd535fa56fe46d54e7b4fc4ae

    SHA256

    401ff31818da087be2a4afd096015f5ac7e66e622b308b2f789a95e68b975daa

    SHA512

    c195b976e7e2e3c40f48818d138a4c2cc9095dd20a87c779f1067d67f1a36c024841a20e8af2ae54aea67cd450b8c319bfd0bbe869d93c9121f3a6eb1003bec8