Analysis

  • max time kernel
    140s
  • max time network
    153s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags
    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    21/01/2025, 07:01 UTC

General

  • Target

    file.apk

  • Size

    4.9MB

  • MD5

    43f9eeac1c179a77aea280a58395c62d

  • SHA1

    6fba4e8760950633ae7cf1f95b59683327de200a

  • SHA256

    11cb449075fc408540e0c03733c296739373098ce998033ce5b2dee2e6188e50

  • SHA512

    359cc66b5a85fc40b965f75c4cbb1cf41009fa00ada2bdce39b9898063a521518b257aaa6053506c1209bfa02cb48ade8d1c767a4660e803b0403d36cf371dd0

  • SSDEEP

    49152:PRsEXLOLKrsj7A45iS7xrGovp8dpjjVKScIyj/JVP0c6vf5sCxxpT0:PRsxisj7Z5iSRG/fVKFbPP6vftx0

Malware Config

Extracted

Family

octo

AES_key 1: 30333262373139306533623635396363
AES_key 1: 35373834323938326434653839313939

Signatures

Processes

  • com.fksource_api0
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4474

Network

  • DNS (US)
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    216.58.204.78
  • DNS (US)
    fce400ee5ee2692a18f4b26bac549135.xyz
    Remote address:
    1.1.1.1:53
    Request
    fce400ee5ee2692a18f4b26bac549135.xyz
    IN A
    Response
    fce400ee5ee2692a18f4b26bac549135.xyz
    IN A
    188.40.187.129
  • POST (DE)
    https://fce400ee5ee2692a18f4b26bac549135.xyz/
    Remote address:
    188.40.187.129:443
    Request
    POST / HTTP/2.0
    host: fce400ee5ee2692a18f4b26bac549135.xyz
    cache-control: no-cache
    packets-sent: 4222356183
    content-type: application/octet-stream; charset=utf-8
    content-length: 10101
    accept-encoding: gzip
    user-agent: okhttp/4.12.0
    Response
    HTTP/2.0 404
    content-type: text/plain; charset=utf-8
    x-content-type-options: nosniff
    content-length: 19
    date: Tue, 21 Jan 2025 07:01:58 GMT
  • DNS (US)
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    142.250.200.40
  • POST (DE)
    https://fce400ee5ee2692a18f4b26bac549135.xyz/
    Remote address:
    188.40.187.129:443
    Request
    POST / HTTP/2.0
    host: fce400ee5ee2692a18f4b26bac549135.xyz
    cache-control: no-cache
    packets-sent: 6549106183
    content-type: application/octet-stream; charset=utf-8
    content-length: 10101
    accept-encoding: gzip
    user-agent: okhttp/4.12.0
    Response
    HTTP/2.0 404
    content-type: text/plain; charset=utf-8
    x-content-type-options: nosniff
    content-length: 19
    date: Tue, 21 Jan 2025 07:02:12 GMT
  • POST (DE)
    https://fce400ee5ee2692a18f4b26bac549135.xyz/
    Remote address:
    188.40.187.129:443
    Request
    POST / HTTP/2.0
    host: fce400ee5ee2692a18f4b26bac549135.xyz
    cache-control: no-cache
    packets-sent: 4222356183
    content-type: application/octet-stream; charset=utf-8
    content-length: 10101
    accept-encoding: gzip
    user-agent: okhttp/4.12.0
    Response
    HTTP/2.0 404
    content-type: text/plain; charset=utf-8
    x-content-type-options: nosniff
    content-length: 19
    date: Tue, 21 Jan 2025 07:02:58 GMT
  • POST (DE)
    https://fce400ee5ee2692a18f4b26bac549135.xyz/
    Remote address:
    188.40.187.129:443
    Request
    POST / HTTP/2.0
    host: fce400ee5ee2692a18f4b26bac549135.xyz
    cache-control: no-cache
    packets-sent: 6549106183
    content-type: application/octet-stream; charset=utf-8
    content-length: 10101
    accept-encoding: gzip
    user-agent: okhttp/4.12.0
    Response
    HTTP/2.0 404
    content-type: text/plain; charset=utf-8
    x-content-type-options: nosniff
    content-length: 19
    date: Tue, 21 Jan 2025 07:03:01 GMT
  • POST (DE)
    https://fce400ee5ee2692a18f4b26bac549135.xyz/
    Remote address:
    188.40.187.129:443
    Request
    POST / HTTP/2.0
    host: fce400ee5ee2692a18f4b26bac549135.xyz
    cache-control: no-cache
    packets-sent: 6549106183
    content-type: application/octet-stream; charset=utf-8
    content-length: 10101
    accept-encoding: gzip
    user-agent: okhttp/4.12.0
    Response
    HTTP/2.0 404
    content-type: text/plain; charset=utf-8
    x-content-type-options: nosniff
    content-length: 19
    date: Tue, 21 Jan 2025 07:03:13 GMT
  • POST (DE)
    https://fce400ee5ee2692a18f4b26bac549135.xyz/
    Remote address:
    188.40.187.129:443
    Request
    POST / HTTP/2.0
    host: fce400ee5ee2692a18f4b26bac549135.xyz
    cache-control: no-cache
    packets-sent: 4222356183
    content-type: application/octet-stream; charset=utf-8
    content-length: 10101
    accept-encoding: gzip
    user-agent: okhttp/4.12.0
    Response
    HTTP/2.0 404
    content-type: text/plain; charset=utf-8
    x-content-type-options: nosniff
    content-length: 19
    date: Tue, 21 Jan 2025 07:03:59 GMT
  • POST (DE)
    https://fce400ee5ee2692a18f4b26bac549135.xyz/
    Remote address:
    188.40.187.129:443
    Request
    POST / HTTP/2.0
    host: fce400ee5ee2692a18f4b26bac549135.xyz
    cache-control: no-cache
    packets-sent: 6549106183
    content-type: application/octet-stream; charset=utf-8
    content-length: 10101
    accept-encoding: gzip
    user-agent: okhttp/4.12.0
    Response
    HTTP/2.0 404
    content-type: text/plain; charset=utf-8
    x-content-type-options: nosniff
    content-length: 19
    date: Tue, 21 Jan 2025 07:04:01 GMT
  • POST (DE)
    https://fce400ee5ee2692a18f4b26bac549135.xyz/
    Remote address:
    188.40.187.129:443
    Request
    POST / HTTP/2.0
    host: fce400ee5ee2692a18f4b26bac549135.xyz
    cache-control: no-cache
    packets-sent: 6549106183
    content-type: application/octet-stream; charset=utf-8
    content-length: 10101
    accept-encoding: gzip
    user-agent: okhttp/4.12.0
    Response
    HTTP/2.0 404
    content-type: text/plain; charset=utf-8
    x-content-type-options: nosniff
    content-length: 19
    date: Tue, 21 Jan 2025 07:04:05 GMT
  • POST (DE)
    https://fce400ee5ee2692a18f4b26bac549135.xyz/
    Remote address:
    188.40.187.129:443
    Request
    POST / HTTP/2.0
    host: fce400ee5ee2692a18f4b26bac549135.xyz
    cache-control: no-cache
    packets-sent: 6549106183
    content-type: application/octet-stream; charset=utf-8
    content-length: 10101
    accept-encoding: gzip
    user-agent: okhttp/4.12.0
    Response
    HTTP/2.0 404
    content-type: text/plain; charset=utf-8
    x-content-type-options: nosniff
    content-length: 19
    date: Tue, 21 Jan 2025 07:04:13 GMT
  • 142.250.180.14:443
    tls, https
    1.5kB
    40 B
    1
    1
  • 142.250.180.14:443
    tls, https
    1.5kB
    40 B
    1
    1
  • 216.58.204.78:443
    android.apis.google.com
    tls
    4.7kB
    7.8kB
    19
    19
  • 188.40.187.129:443
    https://fce400ee5ee2692a18f4b26bac549135.xyz/
    tls, http2
    12.0kB
    3.1kB
    18
    17

    HTTP Request

    POST https://fce400ee5ee2692a18f4b26bac549135.xyz/

    HTTP Response

    404
  • 142.250.200.40:443
    ssl.google-analytics.com
    tls
    1.3kB
    6.3kB
    9
    9
  • 188.40.187.129:443
    https://fce400ee5ee2692a18f4b26bac549135.xyz/
    tls, http2
    12.0kB
    1.7kB
    18
    17

    HTTP Request

    POST https://fce400ee5ee2692a18f4b26bac549135.xyz/

    HTTP Response

    404
  • 142.250.179.228:443
    tls, https
    846 B
    40 B
    2
    1
  • 142.250.179.228:443
    www.google.com
    tls
    11.2kB
    12.4kB
    31
    39
  • 188.40.187.129:443
    https://fce400ee5ee2692a18f4b26bac549135.xyz/
    tls, http2
    22.6kB
    2.5kB
    25
    30

    HTTP Request

    POST https://fce400ee5ee2692a18f4b26bac549135.xyz/

    HTTP Response

    404

    HTTP Request

    POST https://fce400ee5ee2692a18f4b26bac549135.xyz/

    HTTP Response

    404
  • 188.40.187.129:443
    https://fce400ee5ee2692a18f4b26bac549135.xyz/
    tls, http2
    12.2kB
    1.8kB
    21
    20

    HTTP Request

    POST https://fce400ee5ee2692a18f4b26bac549135.xyz/

    HTTP Response

    404
  • 188.40.187.129:443
    https://fce400ee5ee2692a18f4b26bac549135.xyz/
    tls, http2
    44.0kB
    3.3kB
    45
    39

    HTTP Request

    POST https://fce400ee5ee2692a18f4b26bac549135.xyz/

    HTTP Response

    404

    HTTP Request

    POST https://fce400ee5ee2692a18f4b26bac549135.xyz/

    HTTP Response

    404

    HTTP Request

    POST https://fce400ee5ee2692a18f4b26bac549135.xyz/

    HTTP Response

    404

    HTTP Request

    POST https://fce400ee5ee2692a18f4b26bac549135.xyz/

    HTTP Response

    404
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    216.58.204.78

  • 1.1.1.1:53
    fce400ee5ee2692a18f4b26bac549135.xyz
    dns
    82 B
    98 B
    1
    1

    DNS Request

    fce400ee5ee2692a18f4b26bac549135.xyz

    DNS Response

    188.40.187.129

  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    142.250.200.40

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.fksource_api0/.global.com.fksource_api0

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.fksource_api0/files/.s

    Filesize

    322KB

    MD5

    77dc50489b9323274732d27dc8a4e803

    SHA1

    0e02a3595b62489d0739d771881da8604d117c65

    SHA256

    c5684e792d1ebefea6aac09fed45911703fd58c899f8a08133d49dd91429a820

    SHA512

    0684a92f3e9c525384cfa53f531afba61e5930e1c27032a7e27e3315f72761b62e122dc34768d8162ba08f9bed53d148aa8dc034b46456bdd211f230637eba58

  • /data/data/com.fksource_api0/oat/x86_64/Anonymous-DexFile@669734141.vdex

    Filesize

    346B

    MD5

    d644603b48044a18e9518b993413f2cc

    SHA1

    d35960a278191bcdd649bbc5d9acc9d95103213b

    SHA256

    c63f90ca2bbc1cfde0e8d25150c81a5ecffdba75ed478be1591a7e80114f1d12

    SHA512

    6ba2123576030f9aecf22c70424f52f2c8c85ed31595fce0367c96a818257a40f7025aa855dec5d07ed5414d5e54a122d24b2f519cc4fc6f72ebf71442f6caef

  • /data/user/0/com.fksource_api0/Anonymous-DexFile@669734141.jar

    Filesize

    525KB

    MD5

    1af93a1d8c39ce6955ea47fcf9a12cb2

    SHA1

    9e8b1cdb6746e9932d39bdf55888574c334ee73f

    SHA256

    1db8be5876f4285996950f0a5cb4d56c2df01ae99bc3361dc600f7fc95786845

    SHA512

    9e1ffb8b4fd3df802f9c08f4a1c87bd4549cb7b72c1cd57c2c703a716ba9a47ba7e01794325c108442decca26666ea7e23cbefe06836925e908638576970f082
