Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    31-12-2024 22:05

General

  • Target

    0863e9bcfc662061fd407de0558ae1744512d299d95dd4470643e76827461f28.apk

  • Size

    3.1MB

  • MD5

    1b5b97c7333039b7ca0ff39f93784450

  • SHA1

    b06124b3121fc32092789da4b849a63d2c79ad00

  • SHA256

    0863e9bcfc662061fd407de0558ae1744512d299d95dd4470643e76827461f28

  • SHA512

    bf9c603104ae83b603ab65c559229cf34e5c548d7bfdee0df1e3fe92a3c9549245472088f5ffc8b09cffd434394d7b4d8824fae1ef713784ccb6ca4d65f4b1d3

  • SSDEEP

    49152:UaAZ7rNcrxEpmgVCinHSrXfXUJjXfVKHxOxCRloDAur+Bj30cKwqMRb5MhEkT:O7r0Kpm8bnHSrQX+8UR2curnB3MB5LkT

Malware Config

Extracted

Family

octo

C2

https://185.196.9.197/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass2.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass3.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass4.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass5.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass6.net/MTQ4MmUxODBhMTVi/

rc4.plain

Extracted

Family

octo

C2

https://185.196.9.197/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass2.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass3.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass4.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass5.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass6.net/MTQ4MmUxODBhMTVi/

AES_key
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 5 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.produceforcebgd
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4210
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.produceforcebgd/app_ded/iX2S5ZYmfFEkYXws9BYOLQygU672lyxh.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.produceforcebgd/app_ded/oat/x86/iX2S5ZYmfFEkYXws9BYOLQygU672lyxh.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4237
    • rm -r /data/user/0/com.produceforcebgd/app_ded/oat/x86/iX2S5ZYmfFEkYXws9BYOLQygU672lyxh.vdex
      2⤵
      PID:4260
    • rm -r /data/user/0/com.produceforcebgd/app_ded/oat/x86/iX2S5ZYmfFEkYXws9BYOLQygU672lyxh.odex
      2⤵
      PID:4274
    • rm -r /data/user/0/com.produceforcebgd/app_ded/iX2S5ZYmfFEkYXws9BYOLQygU672lyxh.dex
      2⤵
      PID:4292

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.produceforcebgd/app_ded/iX2S5ZYmfFEkYXws9BYOLQygU672lyxh.dex

    Filesize

    3KB

    MD5

    065c38f41490659ca92a15831545bb0e

    SHA1

    e9ec44f59a443bc9339b25f1538927f7f248df64

    SHA256

    8af935d3544c756aef6ec7d4b83e53ab4a6513f61a38c3423d83941204fc443e

    SHA512

    745fa61eab89da9dfa910c9451f45c204184c96ff1e3e844d7800dc185ad4a2c170ce3062b43cc37992cfd546154763c0c49d40f9848e71904884d20b60ae209

  • /data/data/com.produceforcebgd/cache/cjzrztpl

    Filesize

    449KB

    MD5

    2cca564eef30979a1b478f68a89dd85e

    SHA1

    07a9eae2ba1c564f66c3a3850e4618b938acf02f

    SHA256

    eaa382cfb4688501f46fe4acaa303455c65d53647c565b37143e71a76de4c7de

    SHA512

    5ebc0d07c78b6e099eeb7f41e0e4db27fb93e4e1bfbdf92fa69502a8a8cec555d9da9815733ea2c02e7cc330a9a8e57376c13eb30f4952dd66148f6e6bf24ef7

  • /data/data/com.produceforcebgd/cache/oat/cjzrztpl.cur.prof

    Filesize

    467B

    MD5

    6d36ce108f80a846bfd1ff2d8397dfc4

    SHA1

    0515b0f405f2820bff0a1cb51fdb2b30f851c47f

    SHA256

    2f03e4a654fd8f3c0037f2b1d0448e8fe8eb92c0538aa1a5874bfad53fd50fa2

    SHA512

    8d5aa669f3a4331ede1e4863548080f0e85ae8845f7b293addc7c27b8cf290af7fb2746c0d53ca14b263e2479c006c6a95c19560e7404677cde3b533adf8cabb

  • /data/data/com.produceforcebgd/kl.txt

    Filesize

    230B

    MD5

    29a17c36ad0788d2a20083b65260840c

    SHA1

    106b44945c353b321a71d221665db930724e410a

    SHA256

    28df0756d7ca27bec395763753cf2dcad821bb437894501e3d0342db203df9fa

    SHA512

    2102ebc5be6474fab55e7560bf999d54122144c64e8824f1e031ba7a6d3a140b6bdfd594298495fcea27f8a4e1556088ab35bb693a550912dbc8c305e3edcdde

  • /data/data/com.produceforcebgd/kl.txt

    Filesize

    63B

    MD5

    42bd263cd8741ab22b785a2e7819a96f

    SHA1

    9cd4b8d0f36e236ad2592ee332b20812fca74f45

    SHA256

    76650d015a7e25129abd6d65a94455ebb32272149a7b6c2e1278a796172f21af

    SHA512

    914ddd8a6bbe687d361c7aa31c7b070ebfc6f3d282a7932818b1c6af0548d75611d0b80175debfbe9823f19bb4b849ecca6e7ae2552b02a856e7b4d5572936ee

  • /data/data/com.produceforcebgd/kl.txt

    Filesize

    54B

    MD5

    f4c55e6cdc34282b7b5add2904032b13

    SHA1

    7c3a34c624bbd33ddea4bc38e380fcec9141d739

    SHA256

    12331bb50a785efc9e25d903400687151238ef8b01aedea9ab7c0939d2d86631

    SHA512

    f4805dd965713ef1f64a654377f448bbd7bd1e93bf6bfa87f8cbf81ce37cc238e051a313f0f8ca8bd8a122a00946dbeadd180665cce6ad8e44a71c889cdf17a9

  • /data/data/com.produceforcebgd/kl.txt

    Filesize

    423B

    MD5

    db149410455b2eed61333af149eb66a2

    SHA1

    f39de9e5194b169c75bf1b24f4cd563e51d90798

    SHA256

    a86d50fcf85a7185c8992b98b6a9e3f887f134e2f90e7d07951c84d67efe300c

    SHA512

    67877e64c5b9378767f981b98ace18ed7916a54513a7fb9a59be598eab90aecdfb1fb0db6ae824823f10809f861cf4eb4fd36aca1505261db3a506de30c58b74

  • /data/data/com.produceforcebgd/kl.txt

    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/user/0/com.produceforcebgd/app_ded/iX2S5ZYmfFEkYXws9BYOLQygU672lyxh.dex

    Filesize

    3KB

    MD5

    7f11efaa7a28fc8d5e7c8ea7cc9cb378

    SHA1

    d9a055acefce41650f943c3c4097f4e00dcb87f6

    SHA256

    adfec36034be00f91890b05521b64ad6c278ef1211bbec3a797ca6b9d6d22e17

    SHA512

    3155aec009c67876b5d9f96a978da287caa14f848e0a477413198a14366676d039d05c5c1a59559d5edd2aad50ac32e6cd86993bbbd18f2524a2e885fccadb48