Analysis

  • max time kernel
    139s
  • max time network
    161s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    21/01/2025, 07:01 UTC

General

  • Target

    file.apk

  • Size

    7.8MB

  • MD5

    d76876cd4f845e5c9e918106031e2e45

  • SHA1

    91cf8d27a740afcc6ee76eef1fc2bf55229d496f

  • SHA256

    2a2d23597c07df2304c553fa45723c0b53413b017b5116a70d6902ebc8266b91

  • SHA512

    e6108596d871a30db74cb8a06cb62a5cabd476b353a1b3e1eb0078baeb309a3423af8d89e8c4797ef1d3c6d4f2b71c9cc7ebaeb5fbddbec8e431a6eac7e01881

  • SSDEEP

    49152:Lesqd0n8YK64j7XRRsEX9fxM45iS7xrGlrGOWRGaVjVKScbRgMoaK7m7NuA6fQtH:D35T4j7BRsmxF5iSRGEtVKsADfVvvRT

Malware Config

Extracted

Family

octo

AES_key: 61653930383432656337333731386138
AES_key: 61623863646139323832373130626338

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.teadapters_path45
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4225
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.teadapters_path45/app_garlic/BBNaAep.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.teadapters_path45/app_garlic/oat/x86/BBNaAep.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4253

Network

  • flag-us
    DNS
    semanticlocation-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    semanticlocation-pa.googleapis.com
    IN A
    Response
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.10
    semanticlocation-pa.googleapis.com
    IN A
    216.58.201.106
    semanticlocation-pa.googleapis.com
    IN A
    142.250.180.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.42
    semanticlocation-pa.googleapis.com
    IN A
    142.250.178.10
    semanticlocation-pa.googleapis.com
    IN A
    216.58.204.74
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.202
    semanticlocation-pa.googleapis.com
    IN A
    172.217.16.234
    semanticlocation-pa.googleapis.com
    IN A
    216.58.212.234
    semanticlocation-pa.googleapis.com
    IN A
    142.250.179.234
    semanticlocation-pa.googleapis.com
    IN A
    216.58.212.202
    semanticlocation-pa.googleapis.com
    IN A
    216.58.213.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.234
  • flag-us
    DNS
    539e390ba300dd15cf97c2119b16cc11.in
    Remote address:
    1.1.1.1:53
    Request
    539e390ba300dd15cf97c2119b16cc11.in
    IN A
    Response
  • flag-us
    DNS
    1e0eda6a7528f7044b8d846266b720ec.info
    Remote address:
    1.1.1.1:53
    Request
    1e0eda6a7528f7044b8d846266b720ec.info
    IN A
    Response
    1e0eda6a7528f7044b8d846266b720ec.info
    IN A
    188.40.187.129
  • flag-de
    POST
    https://1e0eda6a7528f7044b8d846266b720ec.info/
    Remote address:
    188.40.187.129:443
    Request
    POST / HTTP/2.0
    host: 1e0eda6a7528f7044b8d846266b720ec.info
    cache-control: no-cache
    packets-sent: 0633494081
    content-type: application/octet-stream; charset=utf-8
    content-length: 4805
    accept-encoding: gzip
    user-agent: okhttp/4.12.0
    Response
    HTTP/2.0 404
    content-type: text/plain; charset=utf-8
    x-content-type-options: nosniff
    content-length: 19
    date: Tue, 21 Jan 2025 07:01:59 GMT
  • flag-us
    DNS
    0d1c7aaea9b235936c0f882b5144b5fa.top
    Remote address:
    1.1.1.1:53
    Request
    0d1c7aaea9b235936c0f882b5144b5fa.top
    IN A
    Response
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    172.217.16.238
  • flag-de
    POST
    https://1e0eda6a7528f7044b8d846266b720ec.info/
    Remote address:
    188.40.187.129:443
    Request
    POST / HTTP/2.0
    host: 1e0eda6a7528f7044b8d846266b720ec.info
    cache-control: no-cache
    packets-sent: 2950344081
    content-type: application/octet-stream; charset=utf-8
    content-length: 4784
    accept-encoding: gzip
    user-agent: okhttp/4.12.0
    Response
    HTTP/2.0 404
    content-type: text/plain; charset=utf-8
    x-content-type-options: nosniff
    content-length: 19
    date: Tue, 21 Jan 2025 07:02:12 GMT
  • flag-de
    POST
    https://1e0eda6a7528f7044b8d846266b720ec.info/
    Remote address:
    188.40.187.129:443
    Request
    POST / HTTP/2.0
    host: 1e0eda6a7528f7044b8d846266b720ec.info
    cache-control: no-cache
    packets-sent: 0633494081
    content-type: application/octet-stream; charset=utf-8
    content-length: 4805
    accept-encoding: gzip
    user-agent: okhttp/4.12.0
    Response
    HTTP/2.0 404
    content-type: text/plain; charset=utf-8
    x-content-type-options: nosniff
    content-length: 19
    date: Tue, 21 Jan 2025 07:03:00 GMT
  • flag-de
    POST
    https://1e0eda6a7528f7044b8d846266b720ec.info/
    Remote address:
    188.40.187.129:443
    Request
    POST / HTTP/2.0
    host: 1e0eda6a7528f7044b8d846266b720ec.info
    cache-control: no-cache
    packets-sent: 2950344081
    content-type: application/octet-stream; charset=utf-8
    content-length: 4784
    accept-encoding: gzip
    user-agent: okhttp/4.12.0
    Response
    HTTP/2.0 404
    content-type: text/plain; charset=utf-8
    x-content-type-options: nosniff
    content-length: 19
    date: Tue, 21 Jan 2025 07:03:03 GMT
  • flag-de
    POST
    https://1e0eda6a7528f7044b8d846266b720ec.info/
    Remote address:
    188.40.187.129:443
    Request
    POST / HTTP/2.0
    host: 1e0eda6a7528f7044b8d846266b720ec.info
    cache-control: no-cache
    packets-sent: 2950344081
    content-type: application/octet-stream; charset=utf-8
    content-length: 4784
    accept-encoding: gzip
    user-agent: okhttp/4.12.0
    Response
    HTTP/2.0 404
    content-type: text/plain; charset=utf-8
    x-content-type-options: nosniff
    content-length: 19
    date: Tue, 21 Jan 2025 07:03:12 GMT
  • flag-de
    POST
    https://1e0eda6a7528f7044b8d846266b720ec.info/
    Remote address:
    188.40.187.129:443
    Request
    POST / HTTP/2.0
    host: 1e0eda6a7528f7044b8d846266b720ec.info
    cache-control: no-cache
    packets-sent: 0633494081
    content-type: application/octet-stream; charset=utf-8
    content-length: 4805
    accept-encoding: gzip
    user-agent: okhttp/4.12.0
    Response
    HTTP/2.0 404
    content-type: text/plain; charset=utf-8
    x-content-type-options: nosniff
    content-length: 19
    date: Tue, 21 Jan 2025 07:04:00 GMT
  • flag-de
    POST
    https://1e0eda6a7528f7044b8d846266b720ec.info/
    Remote address:
    188.40.187.129:443
    Request
    POST / HTTP/2.0
    host: 1e0eda6a7528f7044b8d846266b720ec.info
    cache-control: no-cache
    packets-sent: 2950344081
    content-type: application/octet-stream; charset=utf-8
    content-length: 4784
    accept-encoding: gzip
    user-agent: okhttp/4.12.0
    Response
    HTTP/2.0 404
    content-type: text/plain; charset=utf-8
    x-content-type-options: nosniff
    content-length: 19
    date: Tue, 21 Jan 2025 07:04:04 GMT
  • flag-de
    POST
    https://1e0eda6a7528f7044b8d846266b720ec.info/
    Remote address:
    188.40.187.129:443
    Request
    POST / HTTP/2.0
    host: 1e0eda6a7528f7044b8d846266b720ec.info
    cache-control: no-cache
    packets-sent: 2950344081
    content-type: application/octet-stream; charset=utf-8
    content-length: 4784
    accept-encoding: gzip
    user-agent: okhttp/4.12.0
    Response
    HTTP/2.0 404
    content-type: text/plain; charset=utf-8
    x-content-type-options: nosniff
    content-length: 19
    date: Tue, 21 Jan 2025 07:04:13 GMT
  • 188.40.187.129:443
    https://1e0eda6a7528f7044b8d846266b720ec.info/
    tls, http2
    6.3kB
    3.0kB
    15
    17

    HTTP Request

    POST https://1e0eda6a7528f7044b8d846266b720ec.info/

    HTTP Response

    404
  • 142.250.200.46:443
    tls, https
    858 B
    40 B
    1
    1
  • 172.217.16.238:443
    android.apis.google.com
    tls
    4.7kB
    8.6kB
    14
    22
  • 188.40.187.129:443
    https://1e0eda6a7528f7044b8d846266b720ec.info/
    tls, http2
    6.5kB
    1.5kB
    15
    15

    HTTP Request

    POST https://1e0eda6a7528f7044b8d846266b720ec.info/

    HTTP Response

    404
  • 188.40.187.129:443
    https://1e0eda6a7528f7044b8d846266b720ec.info/
    tls, http2
    16.5kB
    2.3kB
    21
    25

    HTTP Request

    POST https://1e0eda6a7528f7044b8d846266b720ec.info/

    HTTP Response

    404

    HTTP Request

    POST https://1e0eda6a7528f7044b8d846266b720ec.info/

    HTTP Response

    404

    HTTP Request

    POST https://1e0eda6a7528f7044b8d846266b720ec.info/

    HTTP Response

    404
  • 188.40.187.129:443
    https://1e0eda6a7528f7044b8d846266b720ec.info/
    tls, http2
    16.3kB
    2.5kB
    18
    26

    HTTP Request

    POST https://1e0eda6a7528f7044b8d846266b720ec.info/

    HTTP Response

    404

    HTTP Request

    POST https://1e0eda6a7528f7044b8d846266b720ec.info/

    HTTP Response

    404

    HTTP Request

    POST https://1e0eda6a7528f7044b8d846266b720ec.info/

    HTTP Response

    404
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    semanticlocation-pa.googleapis.com
    dns
    80 B
    288 B
    1
    1

    DNS Request

    semanticlocation-pa.googleapis.com

    DNS Response

    142.250.200.10
    216.58.201.106
    142.250.180.10
    142.250.200.42
    142.250.178.10
    216.58.204.74
    142.250.187.202
    172.217.16.234
    216.58.212.234
    142.250.179.234
    216.58.212.202
    216.58.213.10
    142.250.187.234

  • 1.1.1.1:53
    539e390ba300dd15cf97c2119b16cc11.in
    dns
    81 B
    134 B
    1
    1

    DNS Request

    539e390ba300dd15cf97c2119b16cc11.in

  • 1.1.1.1:53
    1e0eda6a7528f7044b8d846266b720ec.info
    dns
    83 B
    99 B
    1
    1

    DNS Request

    1e0eda6a7528f7044b8d846266b720ec.info

    DNS Response

    188.40.187.129

  • 1.1.1.1:53
    0d1c7aaea9b235936c0f882b5144b5fa.top
    dns
    82 B
    152 B
    1
    1

    DNS Request

    0d1c7aaea9b235936c0f882b5144b5fa.top

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    172.217.16.238

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.teadapters_path45/.global.com.teadapters_path45

    Filesize

    48B

    MD5

    046a414913add6f5bb60072c7db819b6

    SHA1

    451ee4f6809260aec622d772fd329c7d0297a842

    SHA256

    b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a

    SHA512

    4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

  • /data/data/com.teadapters_path45/app_garlic/BBNaAep.json

    Filesize

    1009B

    MD5

    0cc6c267237c06bc1612b50a60049a4c

    SHA1

    d66af1f79aedb70da413e2dbbb7aacfdf9d3cca9

    SHA256

    5ab3e54647a51e39d48f02ca8bf56241215892de51b89f49710ac4ef088bff85

    SHA512

    491d37902d9a6ec4d452694079281b81a8487a94a39035098f99900711fe5454069ac0194cdb9d1bfcb302fa857654a060a033ea2b79932c1ebcded006dc8616

  • /data/data/com.teadapters_path45/app_garlic/BBNaAep.json

    Filesize

    1009B

    MD5

    f07eb67870cfe304f03a14512c625704

    SHA1

    a760b58fbf71b004cc0e06b0fb70a8a3c2bc0f7a

    SHA256

    b1895b068aa91861ff91a5ff921acf4122e38103333860016da942ee2cb628c6

    SHA512

    cd95470e18bfe341455a1a4d9856176472fae60df0cf61647bd1b1f5ab56bd4dc814e9fc92963edc3ddd47df56ef4505c3e49fbe402868c0d9ca76729884ee56

  • /data/data/com.teadapters_path45/files/.p

    Filesize

    307KB

    MD5

    4e73947cabb5db3f92ca85004981b754

    SHA1

    6d9667fdb0280ed2dcb782b4683e422a51bdc601

    SHA256

    6db94232e756b90ed437f1bc87dc38cf20fb2e7c7a19a5e40c6c17254b7e234c

    SHA512

    be8b500a7070af1dfb53b0cf1a7b327dadc4e163a6dad905496ac228c58cd1ed87b054533917924455d35e9b300683ae33e1bcdd91935a5dbae1d693c3e13d69

  • /data/user/0/com.teadapters_path45/app_garlic/BBNaAep.json

    Filesize

    1KB

    MD5

    f943a5768869fc683e15f08d945b2af5

    SHA1

    54aa20c6071e690c80558780025a74de2e80afc2

    SHA256

    feca459846894ee7dc1bc16df835e7122a749f093ab405f94c7ddcefd595f129

    SHA512

    27f8101376fc88902575c50e675240d3245ecc33829af8da1c56ba7077b3ecf50a0e582c665c8b446f6a7975fc2af6550405b0771394ce80725b0773578c107a

  • /data/user/0/com.teadapters_path45/app_garlic/BBNaAep.json

    Filesize

    1KB

    MD5

    1b6b23a83d5bb26ec1bf26b85fed2055

    SHA1

    c60b832dcec3353cfa55b99b6cfa78f0edb1eb24

    SHA256

    c6a2053aadc92dc58191754113c90aff39af2b6f7c83892326ce3430257ba19b

    SHA512

    fb6ea451f8c0d8cb042fd1648c0833775c37a419c257e8d74d96025576e05f1e47445a3c578d848a16db3f3abf6c38e38480f72468ff31d3418c6c6483ac244b

  • Anonymous-DexFile@0xcf978000-0xcf9fb6a8

    Filesize

    525KB

    MD5

    6dcf7ae4b969f0614d220458b9fa3b7c

    SHA1

    01cb66a7da6b7f5a51ef77c8daa59870516c89e4

    SHA256

    15183d5e809cd3376b6494ba30428e6f9b6a65c6ea87fcc031bfd295d8e15a54

    SHA512

    74d961a43d309dc6addfdc1b26446beefea9e90b77741811aa8ccf7b39e0c104a947bf54ae58da27e2f2f833c33514732c0936f07d46b7d2118aaa26733cbf43
