Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm, arch:x86, image:android-x86-arm-20240910-en, locale:en-us, os:android-9-x86, system
  • submitted
    03-01-2025 22:04

General

  • Target

    a19ee03cfe63cdb5f8ebf3e4b6c66ae563fe6ac502fc292b407a79857eeff62e.apk

  • Size

    3.2MB

  • MD5

    35c940cd360ee23faf8d00e3a530ee45

  • SHA1

    2f062113403730fe20eac726aeca36e6383017cb

  • SHA256

    a19ee03cfe63cdb5f8ebf3e4b6c66ae563fe6ac502fc292b407a79857eeff62e

  • SHA512

    84705450cd3a4bc288b5553bfcdfb0485d620ee4015233aff4f94737539db2d30c4fe4baa347ec2438ab00e9a0fb21263109aaee9eaf156d93df1bf9188a6e87

  • SSDEEP

    98304:FdH4Fy/on7R07rhtyiFE0gu8qgzXiFCU88B93g7cF:bH4Fy/8RGX/FE0gbqgTHUh3T

Malware Config

Extracted

Family

octo

C2

https://185.196.9.197/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass2.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass3.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass4.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass5.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass6.net/MTQ4MmUxODBhMTVi/

rc4.plain

Extracted

Family

octo

C2

https://185.196.9.197/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass2.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass3.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass4.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass5.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass6.net/MTQ4MmUxODBhMTVi/

AES_key
AES_key
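Turning the extracted C2 list into something a detection pipeline can consume, as an added example that is not part of the sandbox report: the URLs are copied from the config above, the single path segment is decoded as base64, hosts are split into IPs and domains, and the domains are rendered as Suricata TLS-SNI rules. The rule syntax assumes Suricata 5 or later; the SIDs and the `$HOME_NET`/`$EXTERNAL_NET` variables are placeholders to be adjusted to the deployment.

```python
import base64
import ipaddress
from urllib.parse import urlsplit

# C2 URLs copied verbatim from the extracted Octo config above.
EXTRACTED_C2 = [
    "https://185.196.9.197/MTQ4MmUxODBhMTVi/",
    "https://xxxpakunatationclass.net/MTQ4MmUxODBhMTVi/",
    "https://xxxpakunatationclass2.net/MTQ4MmUxODBhMTVi/",
    "https://xxxpakunatationclass3.net/MTQ4MmUxODBhMTVi/",
    "https://xxxpakunatationclass4.net/MTQ4MmUxODBhMTVi/",
    "https://xxxpakunatationclass5.net/MTQ4MmUxODBhMTVi/",
    "https://xxxpakunatationclass6.net/MTQ4MmUxODBhMTVi/",
]


def decode_path_token(token):
    """Decode a base64 path segment, tolerating missing '=' padding.
    Returns the decoded text, or the token unchanged if it is not base64/ASCII."""
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return token


def normalize_c2(urls):
    """Split each C2 URL into host and first path segment.
    Returns deduplicated domains, IPs and a token -> decoded-value map."""
    domains, ips, tokens = [], [], {}
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname
        if host is None:
            continue
        try:
            ipaddress.ip_address(host)
            bucket = ips
        except ValueError:
            bucket = domains
        if host not in bucket:
            bucket.append(host)
        segments = [s for s in parts.path.split("/") if s]
        if segments:
            tokens[segments[0]] = decode_path_token(segments[0])
    return {"domains": domains, "ips": ips, "path_tokens": tokens}


def suricata_sni_rules(domains, base_sid=9000001):
    """One Suricata TLS-SNI rule per C2 domain. The C2 is HTTPS, so the SNI
    is the only plaintext host indicator on the wire; SIDs are placeholders."""
    return [
        'alert tls $HOME_NET any -> $EXTERNAL_NET any '
        f'(msg:"Octo C2 SNI {d}"; tls.sni; content:"{d}"; nocase; '
        f'sid:{base_sid + i}; rev:1;)'
        for i, d in enumerate(domains)
    ]


if __name__ == "__main__":
    summary = normalize_c2(EXTRACTED_C2)
    print(summary)
    print("\n".join(suricata_sni_rules(summary["domains"])))
```

The path token decodes to the 12-character hex string `1482e180a15b`, shared by all seven C2 entries; it is a useful pivot across samples, but the report does not say whether it is a campaign, build or bot identifier. The bare IP has no SNI, so it needs a separate IP-based rule or blocklist entry.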

Signatures

  • Octo

    Octo is an Android banking trojan with remote access capabilities, first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 5 IoCs

    Runs an executable file dropped on the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs
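Several of the signatures above depend on declarations an APK must make in its manifest, so they can be pre-screened statically before detonation. The following is an added example, not part of the report: the manifest it runs over is constructed for illustration (the report does not include the sample's manifest, and the package name is hypothetical), and the mapping from signature to permission is this example's own judgement. Signatures that are pure runtime behaviour, such as removing the launcher activity via `setComponentEnabledSetting`, loading a dropped dex, or checking CPU and memory, have no manifest footprint and are left out.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Report signature -> the manifest declaration that makes the behaviour
# possible. Permission strings are Android's; the pairing is this example's.
# "service" entries refer to the android:permission guarding a <service>,
# which is how accessibility and notification-listener services are bound.
SIGNATURE_MAP = {
    "Makes use of the framework's Accessibility service":
        ("service", "android.permission.BIND_ACCESSIBILITY_SERVICE"),
    "Requests accessing notifications":
        ("service", "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"),
    "Requests disabling of battery optimizations":
        ("uses-permission", "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"),
    "Makes use of the framework's foreground persistence service":
        ("uses-permission", "android.permission.FOREGROUND_SERVICE"),
    "Acquires the wake lock":
        ("uses-permission", "android.permission.WAKE_LOCK"),
    "Queries the unique device ID (IMEI, MEID, IMSI)":
        ("uses-permission", "android.permission.READ_PHONE_STATE"),
}

# Constructed manifest for illustration only. It is NOT the sample's manifest
# and the package name is hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical">
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml):
    """Return the report signatures whose manifest prerequisite is declared
    in the given (decoded, text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    uses = {e.get(name_attr) for e in root.iter("uses-permission")}
    bound = {e.get(perm_attr) for e in root.iter("service")}
    return [
        sig for sig, (kind, perm) in SIGNATURE_MAP.items()
        if perm in (bound if kind == "service" else uses)
    ]


if __name__ == "__main__":
    for sig in triage_manifest(SAMPLE_MANIFEST):
        print("manifest supports:", sig)
```

The manifest inside an APK is binary XML, so run this over the decoded copy produced by apktool or a similar decoder. A match only says the declaration is present; the sandbox signatures above record that the behaviour actually executed, which is the stronger signal.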

Processes

  • com.wantbook61 (PID 4275)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wantbook61/app_ded/mHWNVzLdzgWbRSPuS64FZQ4DYSbogRmp.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.wantbook61/app_ded/oat/x86/mHWNVzLdzgWbRSPuS64FZQ4DYSbogRmp.odex --compiler-filter=quicken --class-loader-context=& (PID 4302)
      • Loads dropped Dex/Jar
    • rm -r/data/user/0/com.wantbook61/app_ded/oat/x86/mHWNVzLdzgWbRSPuS64FZQ4DYSbogRmp.vdex (PID 4326)
    • rm -r/data/user/0/com.wantbook61/app_ded/oat/x86/mHWNVzLdzgWbRSPuS64FZQ4DYSbogRmp.odex (PID 4340)
    • rm -r/data/user/0/com.wantbook61/app_ded/mHWNVzLdzgWbRSPuS64FZQ4DYSbogRmp.dex (PID 4359)
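The tree above shows the classic dropped-payload pattern: a dex written under the app-private `app_ded` directory, compiled by `dex2oat` (which is how `DexClassLoader` loads it), and then the dex plus its oat/vdex artifacts removed so nothing survives on disk for later collection. A detection that keys on exactly that sequence, as an added example written for this page and not taken from the sandbox: the events are reconstructed from the process list above (dex2oat flags abridged to the ones the logic needs), parent PIDs are inferred from the tree nesting, and the `rm` regex tolerates the `rm -r/path` spelling the report shows as well as the normal `rm -r /path`.

```python
import re

# Process events reconstructed from the report's process tree as
# (pid, parent_pid, command line). dex2oat flags are abridged; parent PIDs
# are inferred from the tree nesting; the "rm -r/data/..." spelling is kept
# exactly as the report shows it.
DEX = "/data/user/0/com.wantbook61/app_ded/mHWNVzLdzgWbRSPuS64FZQ4DYSbogRmp.dex"
OAT = "/data/user/0/com.wantbook61/app_ded/oat/x86/mHWNVzLdzgWbRSPuS64FZQ4DYSbogRmp"
EVENTS = [
    (4275, None, "com.wantbook61"),
    (4302, 4275, "/system/bin/dex2oat --instruction-set=x86 "
                 "--boot-image=/system/framework/boot.art "
                 f"--dex-file={DEX} --output-vdex-fd=44 --oat-fd=45 "
                 f"--oat-location={OAT}.odex --compiler-filter=quicken"),
    (4326, 4275, f"rm -r{OAT}.vdex"),
    (4340, 4275, f"rm -r{OAT}.odex"),
    (4359, 4275, f"rm -r{DEX}"),
]

DEX2OAT_RE = re.compile(r"\bdex2oat\b.*?--dex-file=(\S+)")
RM_RE = re.compile(r"^rm\s+-[rf]+\s*(/\S+)")      # accepts "rm -r /p" and "rm -r/p"
PRIVATE_DIR_RE = re.compile(r"^/data/(?:user/\d+|data)/[^/]+/")  # app-private storage


def _stem(path):
    """Basename without the dex/oat extension, so x.dex, x.odex and x.vdex match."""
    return re.sub(r"\.(?:dex|jar|odex|vdex|art)$", "", path.rsplit("/", 1)[-1])


def find_load_then_delete(events):
    """Return one record per dex that was compiled from an app-private
    directory and then deleted by a child of the same parent process.
    Removing only the oat/vdex cache does not count: the dex itself must go."""
    compiled = {}  # stem -> record
    for pid, ppid, cmd in events:
        m = DEX2OAT_RE.search(cmd)
        if m and PRIVATE_DIR_RE.match(m.group(1)):
            compiled[_stem(m.group(1))] = {
                "dex": m.group(1), "dex2oat_pid": pid,
                "parent_pid": ppid, "deleted": []}
            continue
        m = RM_RE.match(cmd)
        if m:
            rec = compiled.get(_stem(m.group(1)))
            if rec is not None and rec["parent_pid"] == ppid:
                rec["deleted"].append(m.group(1))
    return [r for r in compiled.values() if r["dex"] in r["deleted"]]


if __name__ == "__main__":
    for hit in find_load_then_delete(EVENTS):
        print(f"load-then-delete: {hit['dex']} (dex2oat pid {hit['dex2oat_pid']}, "
              f"parent {hit['parent_pid']}, {len(hit['deleted'])} files removed)")
```

Because the dex is gone by the end of the run, the copy the sandbox captured (listed under Downloads below with its hashes) is the only artifact left to analyse; on a live device the same rule tells you to pull the file from memory or from the oat cache before the `rm` lands.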

        Network

        MITRE ATT&CK Mobile v15

        Downloads

        • /data/data/com.wantbook61/app_ded/mHWNVzLdzgWbRSPuS64FZQ4DYSbogRmp.dex

          Filesize

          3KB

          MD5

          d582163ab8949a7287efd9fdb88bbe23

          SHA1

          931cb80f84d951b45d85fed40e39e726ae7e1f36

          SHA256

          fabc23d5ca1396e61e8a72aef1c60e465d51e73b8dcb0a31e3fd64cb4290f72e

          SHA512

          2e5aca12223ddf9667e345213823be8d0a432fd8fac5ef087823bc93ee8518d0587a58391359c743dee9385efd1d343a02c40ec42db53089d6154522a88033c2

        • /data/data/com.wantbook61/cache/dbchtznxtpd

          Filesize

          449KB

          MD5

          f2a57d8c209b0cb07c0ba26352b1ac66

          SHA1

          8e6116e542e7a408329c326661a0cec271ecabbf

          SHA256

          c9f3344e3181a8b4825a800a78b0e5f7761a9da3dafa34659b2bb021ac108257

          SHA512

          314a3684aedebf49f0771b4a04c94efbfea1d2067db96aacb53bc4617c215429fd5acd10d9a7e0cf776b426bb9421f1c9a5def20cdd2746a41de83ce13be06b4

        • /data/data/com.wantbook61/cache/oat/dbchtznxtpd.cur.prof

          Filesize

          474B

          MD5

          55af4d80fb221d6be1d80d2286e96bf1

          SHA1

          12c8fdb597cab0340cde4e12ccb3ae41cebd304c

          SHA256

          4695cd78e4a07d034c084b142dc9785f6574933b73754c4e43a40baaad643ca1

          SHA512

          07ac259a38db91fb553aca5eea0a9ba0092180be0fef79106e0cc07c06901fee808ece1829996a3e4acd0fea4777f022d22dcf8e76d98e18d0779a93f201dab3

        • /data/data/com.wantbook61/kl.txt

          Filesize

          230B

          MD5

          5bc109cf7a7028969f323c5116521222

          SHA1

          e443fcf4730684d06ad9e9c5e1b9d10d5d4152d8

          SHA256

          c33d7addcbb41630cab23c591ee8a5d514713ecfbc1e9c99bd51880bc8eeadea

          SHA512

          9f01b638b317f70eedcd367dde4467d3c1de62a9e99c48a1ccb68ed7eb653c451cc80f3f60f7c80826cdbe7fef48ca9e6a819ca129912add7638c222bf809b0e

        • /data/data/com.wantbook61/kl.txt

          Filesize

          54B

          MD5

          20ab583efdcf7883b6450716d8d49dd6

          SHA1

          19000e7339bfcb4193969fd919afbdf506f997d7

          SHA256

          befeb6bd1b9289345322e30edde7c2ad271924fde89de955c2b9d5fe6ed71ab6

          SHA512

          778fb9bafa02bd8f083def8aa2bc4bc1c009adce64920a992ce32931392ef3aab72a3fbefc5adf3d0bede270cb37d7055c40a757ed1ca701008ee0a35af7825d

        • /data/data/com.wantbook61/kl.txt

          Filesize

          63B

          MD5

          20292c21e1e546efc55be43e9fdf38ef

          SHA1

          db84d24498e63183666fcfd02224480964ea9f27

          SHA256

          34b14f5d1956b8841a5ce747cfdad60789dd5cab278b5617e7b633a90132aa24

          SHA512

          75f126d1ef28ab81cb7b276493f5ed74c5b8d59af2c49dceaec8ec41b33cb0dcf722aa46a46f91640fe16df9ce588e2ddb9e1afa568c822f320c8ad0b2c35c79

        • /data/data/com.wantbook61/kl.txt

          Filesize

          423B

          MD5

          a190511b3f49ba675e8ea2975b136a0e

          SHA1

          e9e7f4c894f8bba725f3c958706eeb75b39046c3

          SHA256

          f1bde72ed7554e6454b2f4a3275303dec00bb276f5b1c6f6fa0d9c46d58a65aa

          SHA512

          8dc9be87e4f5153f84277a189dbfbee56a46047fb1ff74f3db37e5113aa3bb29c0a79b4352a0915f37473794fa14a1b0b973ac3725b16227888e03cf02b82c4d

        • /data/data/com.wantbook61/kl.txt

          Filesize

          28B

          MD5

          6311c3fd15588bb5c126e6c28ff5fffe

          SHA1

          ce81d136fce31779f4dd62e20bdaf99c91e2fc57

          SHA256

          8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

          SHA512

          2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

        • /data/user/0/com.wantbook61/app_ded/mHWNVzLdzgWbRSPuS64FZQ4DYSbogRmp.dex

          Filesize

          3KB

          MD5

          525abb3415d412d37308be80c8e4ba32

          SHA1

          a99a5a7a56621335126805f8879cb5e2438fec96

          SHA256

          cefc350b1c73ee0fca980dfa94464f93d5285d61d7b32e95db53e97b850e8514

          SHA512

          a617ca9df708c28c5347a9e9af6f4ab73386d1cb5306fe59615a08147a37731b6cf1202e092587edbdcbd0edd0a8d0a5c784feca7fd7ba9c761efeee60dc7210