Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    02-01-2025 22:08

General

  • Target

    1faf6e8191e6ad0ba53b500556cc59713774ece7079e87586ef62494c409cd0d.apk

  • Size

    1.6MB

  • MD5

    5de0c7a3d9b5821fa3473a43921dbd2f

  • SHA1

    1ddd46a98a09f11d70a1298cc7eb65be44002382

  • SHA256

    1faf6e8191e6ad0ba53b500556cc59713774ece7079e87586ef62494c409cd0d

  • SHA512

    95f7e66ba5639030a713dea1dd0a9da6937db9a39d16435c1403f463ed40926ffa2fedd90837bf77d2e34e1073374a90cdea077125670624b3a452c70905d1da

  • SSDEEP

    49152:v7/a8MEUuhjRiG41mrNhY6/xcIrO9B6wa931U+eY:vnUp1mQqcsAgjB

Malware Config

Extracted

Family

octo

C2

https://worldscanipbest.xyz/NmE0N2YwOWEzMTM3/

https://bestworldscanip.xyz/NmE0N2YwOWEzMTM3/

https://bestipworldscan.xyz/NmE0N2YwOWEzMTM3/

https://scanbestworldip.xyz/NmE0N2YwOWEzMTM3/

https://newfastcheckdns.xyz/NmE0N2YwOWEzMTM3/

https://newfastdnscheck.xyz/NmE0N2YwOWEzMTM3/

https://newdnsfastcheck.xyz/NmE0N2YwOWEzMTM3/

https://fastnewcheckdns.xyz/NmE0N2YwOWEzMTM3/

https://fastnewdnscheck.xyz/NmE0N2YwOWEzMTM3/

https://fastchecknewdns.xyz/NmE0N2YwOWEzMTM3/

https://fastcheckdnsnew.xyz/NmE0N2YwOWEzMTM3/

rc4.plain

Extracted

Family

octo

C2

https://worldscanipbest.xyz/NmE0N2YwOWEzMTM3/

https://bestworldscanip.xyz/NmE0N2YwOWEzMTM3/

https://bestipworldscan.xyz/NmE0N2YwOWEzMTM3/

https://scanbestworldip.xyz/NmE0N2YwOWEzMTM3/

https://newfastcheckdns.xyz/NmE0N2YwOWEzMTM3/

https://newfastdnscheck.xyz/NmE0N2YwOWEzMTM3/

https://newdnsfastcheck.xyz/NmE0N2YwOWEzMTM3/

https://fastnewcheckdns.xyz/NmE0N2YwOWEzMTM3/

https://fastnewdnscheck.xyz/NmE0N2YwOWEzMTM3/

https://fastchecknewdns.xyz/NmE0N2YwOWEzMTM3/

https://fastcheckdnsnew.xyz/NmE0N2YwOWEzMTM3/

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent its removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.horsework8
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4375
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.horsework8/app_DynamicOptDex/PlrTmR.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.horsework8/app_DynamicOptDex/oat/x86/PlrTmR.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4400

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.horsework8/app_DynamicOptDex/PlrTmR.json

    Filesize

    1KB

    MD5

    0a2899289a9c3539db77c18efae96d2e

    SHA1

    7f4f849933d374866c0248eac5c0a7fb6eac497d

    SHA256

    75c4e7a5eed221d2b7099536887dcf750b2ae46ce2429f38f57b4ddf480d4b92

    SHA512

    88db735259a24fda51a53d246f79c596b73af1608a0cca86fb8ea08035d48cb4f4b24764dc18ba73ce386cf3853c96997affbcd2d76819035930c08e07532d62

  • /data/data/com.horsework8/app_DynamicOptDex/PlrTmR.json

    Filesize

    1KB

    MD5

    11eb8813bb78ce6eb0fb1cfc778c6a58

    SHA1

    4b19933eab2b27efa836bf606dd293ff95dc0b1a

    SHA256

    07caaa48341909153ead7c183b6c619ba0dc85f8ba9cbc56eceab2946972717e

    SHA512

    a4bb8e713f30b64ca415c6f9e11f16f3d17c554ccd2f7d48cf4cb06a375ca6e1ff3602f4b53e87d97792ddd2e13e2c0476db848198fee8e84f2ce77ecbf840e3

  • /data/data/com.horsework8/cache/ggqwbtoqiwzus

    Filesize

    448KB

    MD5

    2a1a45cba2ace6d1361259f6856eeb90

    SHA1

    b87be57707fb3bec015d437a1421aab9046a68db

    SHA256

    91120dd1c6e674498a32f6a915a11d1da1e79d4a11d8e83cc6e7b16081d9d58e

    SHA512

    eb84fc7568bb92030e1b6760756b4b2ca324383cf99dc701f3b1949fdd28bccc5a053bc505c13066bfd81b6a3068d9e364029bb8798f0689c097e71c762a12be

  • /data/data/com.horsework8/cache/oat/ggqwbtoqiwzus.cur.prof

    Filesize

    495B

    MD5

    2d6c17b0566167c90eb1e1e86b450db7

    SHA1

    4f955e8ae0759c3b1613e85b2f0cfbc0397e5864

    SHA256

    05ad16c3b8c43ea7712060037ff646ac4eb699ebffd5acfea7c7c61eeb59ff6c

    SHA512

    6c142aa905638396c8901be017a715f5a0eed6c69d91e1df7f2e6c8ee72ec4a5640ab06fdbcd0798932ef5ddf65d53abfe8bf1c746bbfbcb5d67b676da4f1ceb

  • /data/data/com.horsework8/kl.txt

    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/data/com.horsework8/kl.txt

    Filesize

    63B

    MD5

    ef6284fb460c38b85d0a56118a39d75b

    SHA1

    4a6594d1d5b8c714a48df57a0dff97f8fc680c6e

    SHA256

    93188b7bb427d55c4e45027a7dc12758fc5dd96640168c10f2cf74b7d53a2cc6

    SHA512

    1f5e450ffcb170d0a27da427d1e6dcd60507618f5a472707f8fbb9474987d88ffc08ea874342789900267e308d0bbd70b83e5f4431d1a99112fd1b3fa314d156

  • /data/data/com.horsework8/kl.txt

    Filesize

    54B

    MD5

    e2d15bde0be17221b5554462d41b3d91

    SHA1

    e2c13296960a1a20440150a077de81ced2028d9a

    SHA256

    46ad9b847b0f3dfbeca6ed6cc710301e4962e962a8926759e9ac897f499a49f7

    SHA512

    f7a2833207363ca05027a81e541b3cb04bea1e1aea8503f91d72daa03d3cff692cc832092bd41554fd8af02ad1d7d3e9fdb818865222c109003c807f8c216366

  • /data/data/com.horsework8/kl.txt

    Filesize

    63B

    MD5

    6c63d5943e0fc59fd30e56eabefd3f71

    SHA1

    ca2b8078b2724de2536fde57d98e5a0361d1c754

    SHA256

    21f33102ac111540e1b468b786019961409cedb8ceadf6eccf53e75772872c2c

    SHA512

    20c252fe6832602704b49e1b2face6c0db41e807a4013d7872e8f8888e573dbd79fbdcff19efd124a608a2b9b44adf1c5b68270962822e70562b21e42fe1440c

  • /data/data/com.horsework8/kl.txt

    Filesize

    423B

    MD5

    c206d2e9fd6ecd492ba03213accceeb8

    SHA1

    cb38dd668450d5d04ee416ec966aa59e51308fc5

    SHA256

    e8ffef729a4f3fd933228fefa76abff19627a1a21d0eb0a0172d5cf677ed4770

    SHA512

    e23a5c8aac6fefa7ed494ca5aab1409d1c7e7c5f78a3be45a13a7d41e63934771f47712522b86e58babcd102f680f769a1c336affe1eb93cbb35c1983f0514e4

  • /data/user/0/com.horsework8/app_DynamicOptDex/PlrTmR.json

    Filesize

    2KB

    MD5

    2075df862c03b2ee4826a186673052bc

    SHA1

    67ed8aef5cc53ee865881ba01023dc87a27a7d43

    SHA256

    9d7d82216325cc76606f3b180da3281436d73c1b8bef8909724b4f5fd3cecf11

    SHA512

    687baa00df5a5a1cb509df9f05b36548dabef6583a61a99d0ca9e608ebb82cc3cf28e4820437efb4c8dca16656c10845bdcf1bc94e61301f884aa4da8feb9cf5

  • /data/user/0/com.horsework8/app_DynamicOptDex/PlrTmR.json

    Filesize

    2KB

    MD5

    83da672df4634b33a46a0e34bbe509f1

    SHA1

    91cb2075a6c2e1fe2c0208d7104e703cb93258f1

    SHA256

    dc55839849103efe9ad167dd05ab12ef18cfa8bf46f5522fb07d0f13b1ba0dc6

    SHA512

    9f6c806686a0beb1639ea0f48ab6e4bd301be1c87d3c1d539df3521724e6215abaaec53d14800a07fd2721e793c8c5c83f511c6e2ea23b5d95f31dc23a6e7bb1