Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    11-01-2025 22:07

General

  • Target

    275e49361237833cdec20921929fe0cf9f76552d77d8fae601cfd29d2d2532c0.apk

  • Size

    3.2MB

  • MD5

    bf2a2f3b770a9981c697f26cd0870f2a

  • SHA1

    67a65c7fe1eb75495a63dd2bcda8f8795f9e6c8d

  • SHA256

    275e49361237833cdec20921929fe0cf9f76552d77d8fae601cfd29d2d2532c0

  • SHA512

    fc25a59b347ab42e97c977159644f49780aa1127b5278298c44988694b177caa2611bd86a00e8ac851765b9ee1a502141c9aaa5c20668b791d0fb8f5baba829c

  • SSDEEP

    49152:O+NcRCY35qK6xWOKzR4gu0xNV7yGE4ZTYb3XCXsyT9hTtjoTdx6Gg7Li:BNcQY35qKksegP7pVYb3XCXLJn83g7Li

Malware Config

Extracted

Family

octo

C2

https://185.196.9.197/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass2.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass3.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass4.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass5.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass6.net/MTQ4MmUxODBhMTVi/

rc4.plain

Extracted

Family

octo

C2

https://185.196.9.197/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass2.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass3.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass4.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass5.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass6.net/MTQ4MmUxODBhMTVi/

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 5 IoCs

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.wantbook61
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4248
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wantbook61/app_ded/tdWf90HIGTdsd8PoTBYoGWR4E1u5MJor.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.wantbook61/app_ded/oat/x86/tdWf90HIGTdsd8PoTBYoGWR4E1u5MJor.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4273
    • rm -r/data/user/0/com.wantbook61/app_ded/tdWf90HIGTdsd8PoTBYoGWR4E1u5MJor.dex
      2⤵
      PID:4296
    • rm -r/data/user/0/com.wantbook61/app_ded/oat/x86/tdWf90HIGTdsd8PoTBYoGWR4E1u5MJor.odex
      2⤵
      PID:4309
    • rm -r/data/user/0/com.wantbook61/app_ded/oat/x86/tdWf90HIGTdsd8PoTBYoGWR4E1u5MJor.vdex
      2⤵
      PID:4329

        Network

        MITRE ATT&CK Mobile v15

        Downloads

        • /data/data/com.wantbook61/app_ded/tdWf90HIGTdsd8PoTBYoGWR4E1u5MJor.dex

          Filesize

          3KB

          MD5

          d9590dee477c8a3176d9192c534a27e1

          SHA1

          4f60dc5a697d4b7e9c1961c41adf7a57d1383f08

          SHA256

          feea1704a54966b6c60be61185bd0dac9d5d3a243d55abb8f10d80598a63f5fd

          SHA512

          1c545ed4ff50df66c168748240b1b9fe5ed3a94fc7abdd3d6137737502c5135539bc8fc0a27b8a29de6832c5987212ec0222f81ef33b2fdf8ecb273c49bea20f

        • /data/data/com.wantbook61/cache/dbchtznxtpd

          Filesize

          449KB

          MD5

          f2a57d8c209b0cb07c0ba26352b1ac66

          SHA1

          8e6116e542e7a408329c326661a0cec271ecabbf

          SHA256

          c9f3344e3181a8b4825a800a78b0e5f7761a9da3dafa34659b2bb021ac108257

          SHA512

          314a3684aedebf49f0771b4a04c94efbfea1d2067db96aacb53bc4617c215429fd5acd10d9a7e0cf776b426bb9421f1c9a5def20cdd2746a41de83ce13be06b4

        • /data/data/com.wantbook61/cache/oat/dbchtznxtpd.cur.prof

          Filesize

          459B

          MD5

          e1c8b8b151d2a217aad8981efb48fe91

          SHA1

          2c746e0bb875bb75c5e9287513f83cb0036f847d

          SHA256

          2cdacd56595af8c1ec9d630c4a0df9c604f20e41049bd8f6ef1ed405e59f6207

          SHA512

          4134b41d8e5be82ab08b353340ae3ea1de4996214b4c9d111e5f6feb03d5eed3bd3cda0ece1f6739e35d6e006a0cef6fe19ef9446f3b91fa1e2e2e5452152274

        • /data/data/com.wantbook61/kl.txt

          Filesize

          63B

          MD5

          80c4c6a946827a0c964133410a4c889f

          SHA1

          ab6cba5bb2e8c55bc3c7f844e567de0229f89862

          SHA256

          7d8a8fdceb3f0a038d350fcff613e1bbb24974fab93bff29619464f5d697de9e

          SHA512

          a60b09690b96e24d4f203be7a2ebe67831fe175e05815dbb3c330d61ef020aebfd7635f76f3dba9f14561f30d90d8bef6247db57cc545e76f630e7b7d8d36387

        • /data/data/com.wantbook61/kl.txt

          Filesize

          230B

          MD5

          e3072648e203c9792cee60c4a4b02adc

          SHA1

          5487abea8d5e3a2d62c321db445176314c167d49

          SHA256

          6d1ccda34b90a5245fa7c011e25ae76ee64213d0449e59036211fd5977ea99cc

          SHA512

          fc33dee8fa3289432f4c517ca50b95393919693dee79617d88090421cc22d0edf84675ef6928b3a7c8fdccfc377a3fc551c81bb65510cdb7d0c38095c01fc7bd

        • /data/data/com.wantbook61/kl.txt

          Filesize

          54B

          MD5

          98bbef55e38db6f4d071c46bc8bf9a23

          SHA1

          63f62af9a829b87c3d65c32245800bd2e13af8b9

          SHA256

          684421134fa802c8cfb8cb6215df8f1922e825c4f30b9d49b8c273f466eccc47

          SHA512

          d5210dd40a57eb649411193c82c38263c7fdab4f8c60e541f58ee7431c2fe93f62a622582b80e4f38a415806746566710d66d15b514f1e9f558cf9bc96f46c66

        • /data/data/com.wantbook61/kl.txt

          Filesize

          423B

          MD5

          242812dd0e3f3409573332705f602f8b

          SHA1

          4247ec33d05a6c8256a173a42f9b33254a306f9d

          SHA256

          0cb932939f15a83c8fb81c317b730afe1013a05fe7ba3c6a37dd96f102d65eb6

          SHA512

          fbd85fa8d01c60e5b908cd973961da54049a7f9e71df127370de67cef68e35bc4f444fa4e1b294c2874382130bbe2dce7d0214bb39fd368cef9a6215b59469f1

        • /data/data/com.wantbook61/kl.txt

          Filesize

          28B

          MD5

          6311c3fd15588bb5c126e6c28ff5fffe

          SHA1

          ce81d136fce31779f4dd62e20bdaf99c91e2fc57

          SHA256

          8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

          SHA512

          2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

        • /data/user/0/com.wantbook61/app_ded/tdWf90HIGTdsd8PoTBYoGWR4E1u5MJor.dex

          Filesize

          3KB

          MD5

          a2a6d02cac2de4d73801c48544afc86d

          SHA1

          f0b60615cb6020a3ef8ef82a5abbddd077a2656c

          SHA256

          e0266db5b341c3a153072c147a9b6bcdfbb84a321387640fea1682dc94cc52ef

          SHA512

          cefd48f8b44cd7c9ccf36d50921fa96182ca5edceb3b6ef98ca1ba6c2f8b1e754bd759a59b8cb175609df6f33fc375ff996451a064b0e8cc6db9669e0737101c