Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    06-01-2025 22:02

General

  • Target

    035fa5650ea10a63653b194578148fdff04ad7fd093a36fc72427f9588945def.apk

  • Size

    589KB

  • MD5

    e4b1fe392aedfd7006f977d8937e6876

  • SHA1

    e77ba3ee039dd477cf3f28ecfbba04d71ff28ebc

  • SHA256

    035fa5650ea10a63653b194578148fdff04ad7fd093a36fc72427f9588945def

  • SHA512

    5095134d7d56f4f95347431493c5542d5dc1a95ca569dadc5c76c962f0d782a74a8bbbf05b11668e6ffb657d74f9015bb26f0b63db188ca7ee9dbd733530e25b

  • SSDEEP

    12288:GSiVGakgqJu7G78+O+2fO4Rs79Y4twan4fjL0op0chQGQFlyXE/gl6Us2:rdgqJu7aElO42q4twrMciTyXE/glBs2

Malware Config

Extracted

Family

octo

C2

https://93.123.85.21:7117/gate/

rc4.plain

Extracted

Family

octo

C2

https://93.123.85.21:7117/gate/

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about the phone's network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.adaxffsfzfada.zbsvxgsvbxhdgs
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4477

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/user/0/com.adaxffsfzfada.zbsvxgsvbxhdgs/files/arm/classes.dex

    Filesize

    448KB

    MD5

    f75c8735be3c4a009fa0719d595b3fb1

    SHA1

    64f22a19331d99c8e2b8c13cda290e3af934b570

    SHA256

    72dc7fd81b66c21dd5df21452cccf0a28a391c5c0ba1225ebc67223856996f0e

    SHA512

    bca74d55d9ad49fa533382457c069442955750ae4c8c36efaa9b21f1a7cf5e9dc8f30287877470cd8b4d9ae74d4af4cfcddc26715c7be47f816f403f1022b735

  • /data/user/0/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt

    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/user/0/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt

    Filesize

    228B

    MD5

    346081e841ba3a0d511a3b7d7cce854b

    SHA1

    24fb2f6468cee339151508d0ce734643fdd87df8

    SHA256

    a1f76efbc0d56e0300bb043858d0012ca9f8f25922199992f971b3f3928dd018

    SHA512

    5dbe45fb3e51f2532ee912f475f905fdaf9a631fb40ac7c5cffaf8d78f801dd22f26d582126d6ed1378864d7ffcda6841bf7b175f8a75dbf505474d598fd3f6e

  • /data/user/0/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt

    Filesize

    64B

    MD5

    162489ed96b792b9b6cdabcf6a4fa4cf

    SHA1

    4c3c5d54ad1a70659857ec5ceea67c456f67c5c6

    SHA256

    42c99e1994a36f9fa1fe0628d00522d24ad05cd48bdd44e2adcfa5a808887797

    SHA512

    fb166040518f69c8ab48458a3f244df832fbce47f3d6f3efcea6405ee021b2d5b2e1fb7cca16944db330ec0471f1c00bcc4db970de220a6ee868d64955c751eb

  • /data/user/0/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt

    Filesize

    45B

    MD5

    71462525f3b4162c5ebf33d0ae1fe794

    SHA1

    62763be6cb386a558843689afb84df8fcf194d73

    SHA256

    f290763449a4e72ff02d9eceb82a85326bd01d5e94835b0af224ed6ddf2f2939

    SHA512

    267a3b89692f50ebfbf552b8d2930790d9db3f0230ae20f43db94eb66a0808ae17d06ab1670dbae9b1738fd30c084332dc6f229e08b6f5336d222db50f8469e9

  • /data/user/0/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt

    Filesize

    462B

    MD5

    8e8f092f73cdf735cc819b064ee145a0

    SHA1

    778a3f9b162f8f4bcec60c4bea7d76ef57109f3a

    SHA256

    1aafed299e6b37cd7c273b82442c950ec0193d62349210906def5697b02d25ad

    SHA512

    81318b8e14c6eb365f3912007952480fd98462879ad43cbe0b528995425c7d00b74d2068cfd8cd2b6349923fded8f48bfbd6248b564a0e0cd177b580cbd45e8a