Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm
    arch:x86
    image:android-x86-arm-20240910-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    22-01-2025 22:08

General

  • Target

    9631e0caff800bb316000df99497f081dac72a3345814364f2dcead772e86588.apk

  • Size

    2.3MB

  • MD5

    0ed0a0d0afa3073d31f6ee23b5e9f387

  • SHA1

    ca90d700cf3c1b69530237bf17c1c1d33a68aac2

  • SHA256

    9631e0caff800bb316000df99497f081dac72a3345814364f2dcead772e86588

  • SHA512

    0b6bd0a278864aa10dbb85ea56f44f17f9bc8191274cc21640939ba7268bcf6e81a2946007f1c5d5102ca18c4ec41ad330d2bd2befefab5b397ce7e82cb9adb9

  • SSDEEP

    49152:wVl2o/wVPHUTZgihjssAdcG90K1hcmZGZbmqA2YM2ZP5VSFggcZPsNAE4KoSENE7:CIHUmEjh9GbpZQ/A/M2ZLCsVh8KMgQZn

Malware Config

Extracted

Family

octo

C2

https://vippivok.top/ZTZkNTJjNTkwYzk3/

https://bobnoopopo.org/ZTZkNTJjNTkwYzk3/

https://junggvrebvqqpo.org/ZTZkNTJjNTkwYzk3/

https://junggpervbvqqqqqqpo.com/ZTZkNTJjNTkwYzk3/

https://junggvbvqqgrouppo.com/ZTZkNTJjNTkwYzk3/

https://junggvbvqqnetokpo.com/ZTZkNTJjNTkwYzk3/

https://junggvbvq.top/ZTZkNTJjNTkwYzk3/

https://junggvbvq5656.top/ZTZkNTJjNTkwYzk3/

https://jungjunjunggvbvq.top/ZTZkNTJjNTkwYzk3/

rc4.plain

Extracted

Family

octo

C2

https://vippivok.top/ZTZkNTJjNTkwYzk3/

https://bobnoopopo.org/ZTZkNTJjNTkwYzk3/

https://junggvrebvqqpo.org/ZTZkNTJjNTkwYzk3/

https://junggpervbvqqqqqqpo.com/ZTZkNTJjNTkwYzk3/

https://junggvbvqqgrouppo.com/ZTZkNTJjNTkwYzk3/

https://junggvbvqqnetokpo.com/ZTZkNTJjNTkwYzk3/

https://junggvbvq.top/ZTZkNTJjNTkwYzk3/

https://junggvbvq5656.top/ZTZkNTJjNTkwYzk3/

https://jungjunjunggvbvq.top/ZTZkNTJjNTkwYzk3/

AES_key
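
The nine C2 gates above share a single path segment, ZTZkNTJjNTkwYzk3, which is plain base64. The following is an added example (not part of the sandbox report or the Octo operator's code) that turns the extracted config into working indicators: it de-duplicates the hostnames, decodes the shared path tag, matches the hosts against DNS/proxy log lines and emits Suricata dns.query rules. The log lines are constructed for the demo, the sid range is a local choice, and reading the decoded tag as a campaign or bot identifier is an assumption; the decoded value itself is just what the base64 contains.

```python
import base64
import re
from urllib.parse import urlparse

# C2 URLs exactly as extracted from the sample's configuration (copied from the config above).
OCTO_C2 = [
    "https://vippivok.top/ZTZkNTJjNTkwYzk3/",
    "https://bobnoopopo.org/ZTZkNTJjNTkwYzk3/",
    "https://junggvrebvqqpo.org/ZTZkNTJjNTkwYzk3/",
    "https://junggpervbvqqqqqqpo.com/ZTZkNTJjNTkwYzk3/",
    "https://junggvbvqqgrouppo.com/ZTZkNTJjNTkwYzk3/",
    "https://junggvbvqqnetokpo.com/ZTZkNTJjNTkwYzk3/",
    "https://junggvbvq.top/ZTZkNTJjNTkwYzk3/",
    "https://junggvbvq5656.top/ZTZkNTJjNTkwYzk3/",
    "https://jungjunjunggvbvq.top/ZTZkNTJjNTkwYzk3/",
]

# Constructed DNS/proxy log lines for the demo; this is not traffic captured from the sample.
SAMPLE_LOG_LINES = [
    "2025-01-22T22:09:14Z dns 10.0.2.16 A vippivok.top",
    "2025-01-22T22:09:15Z dns 10.0.2.16 A connectivitycheck.gstatic.com",
    "2025-01-22T22:09:20Z http 10.0.2.16 POST https://junggvbvq5656.top/ZTZkNTJjNTkwYzk3/ 200",
    "2025-01-22T22:09:21Z dns 10.0.2.16 A notjunggvbvq.top",
]


def c2_hosts(urls):
    """Sorted, de-duplicated C2 hostnames: the actionable network indicators."""
    return sorted({urlparse(u).hostname.lower() for u in urls})


def c2_path_tags(urls):
    """First path segment of each URL; in this config every gate shares one tag."""
    tags = set()
    for u in urls:
        first = urlparse(u).path.strip("/").split("/")[0]
        if first:
            tags.add(first)
    return tags


def decode_tag(tag):
    """Base64-decode a path tag (padding restored); None if it is not base64-encoded ASCII."""
    padded = tag + "=" * (-len(tag) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def match_indicators(lines, hosts):
    """Return (line_number, host) for every log line that names a C2 host.

    The pattern anchors on label boundaries so that notjunggvbvq.top does not
    match junggvbvq.top, while a subdomain such as x.junggvbvq.top still does.
    """
    patterns = [
        (h, re.compile(r"(?<![\w-])" + re.escape(h) + r"(?![\w-])", re.IGNORECASE))
        for h in hosts
    ]
    hits = []
    for number, line in enumerate(lines, start=1):
        for host, pattern in patterns:
            if pattern.search(line):
                hits.append((number, host))
    return hits


def suricata_dns_rules(hosts, sid_start=9000001):
    """One Suricata dns.query rule per host; sid_start is a local choice, use a free range."""
    return [
        'alert dns $HOME_NET any -> any any (msg:"Octo C2 domain lookup {h}"; '
        'dns.query; content:"{h}"; nocase; endswith; sid:{sid}; rev:1;)'.format(
            h=host, sid=sid_start + i
        )
        for i, host in enumerate(hosts)
    ]


if __name__ == "__main__":
    hosts = c2_hosts(OCTO_C2)
    for tag in c2_path_tags(OCTO_C2):
        print("path tag", tag, "->", decode_tag(tag))
    for number, host in match_indicators(SAMPLE_LOG_LINES, hosts):
        print("hit on line", number, host)
    print("\n".join(suricata_dns_rules(hosts)))
```

Hostname matching is deliberately label-anchored rather than substring-based; a plain `in` check would also fire on look-alike domains, and the config's own junggvbvq.top / junggvbvq5656.top pair shows how close legitimate-looking neighbours can be. The path tag decodes to the hex string e6d52c590c97; because it is constant across all gates, it is a useful secondary indicator for proxy logs when a new domain appears before the host list is updated.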

Signatures

  • Octo

    Octo is Android banking malware with remote-access capabilities, first seen in April 2022.

  • Octo family
  • Octo payload (1 IoC)
  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 4 IoCs)

    Runs an executable file dropped onto the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    The application may abuse a foreground service to keep running in the foreground.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 2 IoCs)

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
  • Reads information about the phone network operator (1 TTP)
  • Requests accessing notifications (often used to intercept notifications before users become aware). (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTP, 1 IoC)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Uses Crypto APIs (Might try to encrypt user data) (1 TTP, 1 IoC)
  • Checks CPU information (2 TTPs, 1 IoC)
  • Checks memory information (2 TTPs, 1 IoC)
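
The signatures above are runtime observations, but most of them have a static footprint: an accessibility service and a notification listener must be declared in the manifest with their binding permissions, and the battery-optimisation, phone-state and wake-lock behaviours need their permissions. The following is an added example (not the sandbox's own signature logic) of a manifest pre-check that scores that combination before a sample is ever run. Both manifests are constructed in the decoded form apktool produces and are not the sample's real manifest; the weights are this example's own assumption, and the check deliberately cannot see runtime-only behaviour such as hiding the launcher icon.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Weights are this example's own heuristic (an assumption), chosen to mirror the
# signature list above; they are not a published scoring scheme.
PERMISSION_WEIGHTS = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": 2,  # "Requests disabling of battery optimizations"
    # QUERY_ALL_PACKAGES only matters when targeting API 30+; on Android 9 (this run's
    # platform) any app can enumerate packages, so its absence does not rule that out.
    "android.permission.QUERY_ALL_PACKAGES": 2,
    "android.permission.READ_PHONE_STATE": 1,                      # MSISDN / IMEI / operator queries
    "android.permission.FOREGROUND_SERVICE": 1,                    # foreground persistence
    "android.permission.WAKE_LOCK": 1,                             # wake lock
}
SERVICE_BINDING_WEIGHTS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 4,            # screen reading / UI actions
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": 3,    # notification interception
}
# Accessibility + notification access + Doze exemption is the overlay-banker pattern.
BANKER_COMBO = {
    "BIND_ACCESSIBILITY_SERVICE",
    "BIND_NOTIFICATION_LISTENER_SERVICE",
    "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
}

# Constructed manifests (apktool-style decoded XML); placeholder package names.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Update">
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name=".Notif" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter><action android:name="android.service.notification.NotificationListenerService"/></intent-filter>
    </service>
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Notes">
    <activity android:name=".Main"/>
  </application>
</manifest>"""


def manifest_capabilities(xml_text):
    """Collect declared permissions and the binding permissions of every <service>."""
    root = ET.fromstring(xml_text)
    permissions = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    bindings = {el.get(ANDROID_NS + "permission") for el in root.iter("service")}
    return {
        "package": root.get("package"),
        "permissions": permissions - {None},
        "service_bindings": bindings - {None},
    }


def score_capabilities(caps):
    """Return (score, sorted reasons); higher means closer to the banker profile above."""
    score, reasons = 0, []
    for perm, weight in PERMISSION_WEIGHTS.items():
        if perm in caps["permissions"]:
            score += weight
            reasons.append(perm.rsplit(".", 1)[1])
    for binding, weight in SERVICE_BINDING_WEIGHTS.items():
        if binding in caps["service_bindings"]:
            score += weight
            reasons.append(binding.rsplit(".", 1)[1])
    if BANKER_COMBO <= set(reasons):
        score += 3   # the combination is worth more than the sum of its parts
        reasons.append("combo:accessibility+notifications+no_doze")
    return score, sorted(reasons)


if __name__ == "__main__":
    for text in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        caps = manifest_capabilities(text)
        print(caps["package"], score_capabilities(caps))
```

A high score is a reason to prioritise a sample for sandboxing, not a verdict: legitimate password managers and automation tools bind an accessibility service, and a notification listener is normal for wearable companions. What separates this sample is the full set appearing together in an app that then drops and loads a second DEX, which only the dynamic run shows.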

Processes

  • com.partchildreny
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4214
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.partchildreny/app_DynamicOptDex/leqwOb.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.partchildreny/app_DynamicOptDex/oat/x86/leqwOb.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4239
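
The dex2oat child process is the clearest artefact of the "Loads dropped Dex/Jar" behaviour: ART is compiling a file from the app's private directory (app_DynamicOptDex/leqwOb.json) rather than from the installed APK, and the .json name is a disguise. The following is an added example (not tooling from the sandbox) that parses a dex2oat command line to recover the input path and owning package, and classifies dropped files by their DEX or ZIP magic instead of their name, which also covers the Downloads section below where the same leqwOb.json path is written several times with different hashes. The command line is the one recorded above (the truncated trailing --class-loader-context argument is omitted); the payload bytes are a constructed stand-in, not the real dropped file.

```python
import hashlib
import os
import re
import shlex

# dex2oat child-process command line as recorded in the Processes section above.
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/com.partchildreny/app_DynamicOptDex/leqwOb.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/com.partchildreny/app_DynamicOptDex/oat/x86/leqwOb.odex "
    "--compiler-filter=quicken"
)

DEX_MAGIC = b"dex\n"        # followed by a 3-digit version and NUL, e.g. b"035\x00"
ZIP_MAGIC = b"PK\x03\x04"   # .jar/.apk container that may carry classes.dex
CODE_EXTENSIONS = (".dex", ".jar", ".apk", ".zip", ".odex")
# /data/user/<n>/<pkg>/ and /data/data/<pkg>/ are the app-private data directory.
APP_DATA_RE = re.compile(r"^/data/(?:user/\d+|data)/([^/]+)/")


def parse_dex2oat(cmdline):
    """Pull --dex-file / --oat-location out of a dex2oat command line.

    Returns None if the line is not dex2oat or names no input dex.
    """
    argv = shlex.split(cmdline)
    if not argv or os.path.basename(argv[0]) != "dex2oat":
        return None
    opts = {}
    for arg in argv[1:]:
        if arg.startswith("--") and "=" in arg:   # "--runtime-arg X" pairs have no '=' and are skipped
            key, value = arg[2:].split("=", 1)
            opts[key] = value                     # repeated options: last occurrence wins
    dex_file = opts.get("dex-file")
    if not dex_file:
        return None
    match = APP_DATA_RE.match(dex_file)
    return {
        "dex_file": dex_file,
        "oat_location": opts.get("oat-location"),
        "package": match.group(1) if match else None,   # set only for app-private storage
        "extension": os.path.splitext(dex_file)[1].lower(),
    }


def is_dynamic_private_load(info):
    """Input under the app's private data dir means code that was not part of the
    installed APK: the 'Loads dropped Dex/Jar' behaviour."""
    return info is not None and info["package"] is not None


def disguised_extension(info):
    """Input named like data (.json, .txt, .png ...) rather than like code."""
    return info["extension"] not in CODE_EXTENSIONS


def classify_blob(data):
    """'dex', 'zip' or 'other' from content alone, ignoring the file name."""
    if data[:4] == DEX_MAGIC and data[4:7].isdigit() and data[7:8] == b"\x00":
        return "dex"
    if data[:4] == ZIP_MAGIC:
        return "zip"
    return "other"


def triage_bytes(path, data):
    """Hash a dropped file and flag a DEX/ZIP payload hiding behind a non-code name."""
    kind = classify_blob(data)
    return {
        "path": path,
        "size": len(data),
        "kind": kind,
        "sha256": hashlib.sha256(data).hexdigest(),
        "mismatch": kind in ("dex", "zip") and not path.lower().endswith(CODE_EXTENSIONS),
    }


def triage_file(path):
    with open(path, "rb") as fh:
        return triage_bytes(path, fh.read())


if __name__ == "__main__":
    info = parse_dex2oat(DEX2OAT_CMDLINE)
    print(info)
    print("dynamic load from app-private dir:", is_dynamic_private_load(info))
    print("disguised extension:", disguised_extension(info))
    # Constructed stand-in for a dropped payload: a DEX header under a .json name.
    fake_dex = b"dex\n035\x00" + b"\x00" * 0x68
    print(triage_bytes("/data/data/com.partchildreny/app_DynamicOptDex/leqwOb.json", fake_dex))
```

On a device or emulator the same check can be run over `logcat` or `ps -A` output, since dex2oat invocations with a --dex-file inside /data/user/N/<pkg>/ are rare for benign apps that ship all their code in the APK. Classifying by magic rather than by name is what makes the repeated leqwOb.json writes comparable: each version can be hashed and confirmed as DEX regardless of what the dropper called it.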

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.partchildreny/app_DynamicOptDex/leqwOb.json

    Filesize

    1KB

    MD5

    ac4629c4ac6652f2ff3bf6ec86fb6d40

    SHA1

    0cfe157072398959cfcfc8ddcd3b1bc0137f87aa

    SHA256

    395c9993327e02d090eeeff1f292111d711c930edb710d1c2e1c5cc726631f80

    SHA512

    a91fb05f2a56c811ac0826987769720bbdc41e4cf0ae47cec509e66baed86d48270d6b50ff0858619583c66b3d17a4ffadef5a3b3a1047b6dac14ddf81b48258

  • /data/data/com.partchildreny/app_DynamicOptDex/leqwOb.json

    Filesize

    1KB

    MD5

    26ed72bf37b30f750068fc58c4bb33c1

    SHA1

    b703274b48fa6958009202a53de70ef2709f4550

    SHA256

    47644b6ae298d27959787cc3e0d53b236074c427d8bdaf5df019c6161f9dc80e

    SHA512

    63edbbc5efc01e22a72f96d65006c36d2a9230f8370fc7301c603743c8b713de79e465f2fec7d37afd00d5954dd7441a435b7f3be4746cd58faef2bb49421a5e

  • /data/data/com.partchildreny/cache/ftqkncc

    Filesize

    448KB

    MD5

    71d7f546e0aa7feb8b5610052766ff0d

    SHA1

    9be6acd137c796c676f63ff3bfd835d48d6ccca4

    SHA256

    0e3d7d3013a257de4c1656036ef786100a5a66ff53a4244fbe829467c49345f5

    SHA512

    7481242d6e2fe5e4437bc3dc9f161df4b0a9641b571cb0a6baa093af8ad26fae63622b02b8dd83fcc15b3dc9ea8ccd00134f075031381b93b3793d591c509a87

  • /data/data/com.partchildreny/cache/oat/ftqkncc.cur.prof

    Filesize

    494B

    MD5

    9bf3b7549889e0384287cffd3539e241

    SHA1

    0b54ecce0cfd2a7135e355ba22261003b2de9365

    SHA256

    a2a27b222ba1d88af118eed26da785b5e361a79fbae355c9f9a8597a470318c0

    SHA512

    21804fc885008f21ada3e8929c5cae8711fdedcdff1f104e66304367c90f8441621a4467114b38122272eca56b6a567e2b1b75cff6e44959ef795013d6939818

  • /data/data/com.partchildreny/kl.txt

    Filesize

    28B

    MD5

    6311c3fd15588bb5c126e6c28ff5fffe

    SHA1

    ce81d136fce31779f4dd62e20bdaf99c91e2fc57

    SHA256

    8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

    SHA512

    2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/data/com.partchildreny/kl.txt

    Filesize

    237B

    MD5

    9f51bf25dd07912e1d13c23c0c4fac60

    SHA1

    c6f327edb7ed9bc518a04d7719cbda9138c08dde

    SHA256

    deaa7299a141a6b93639e90e42d68d256fd2cb802c1ee1b274f0e56c5e6f0be4

    SHA512

    a494799904bb7410c076b1f1ab7c29f1183257076d01be6ce852baacabaa274759f7331508cce17416ad1a340cafd68bbde3b2a2ddfa22ba8552567222baa7ba

  • /data/data/com.partchildreny/kl.txt

    Filesize

    54B

    MD5

    75e64c0ea45564f5ab32a1ecd73d194a

    SHA1

    df538fe3098e38d8d87989eaa65a82f74ae6f15b

    SHA256

    a65b33c0a196503875c1192b33a8c38de58e5cf9eedbb3a89a580936bb920ca7

    SHA512

    69160b4b32d827b382038d36f5ba2b06ac13fdbb5994bc1a9e0b0f227ef4212a9580aae692de77bba52640e6b9579ea9c39eb15a730824b7e11bca46013c5ebb

  • /data/data/com.partchildreny/kl.txt

    Filesize

    63B

    MD5

    81e0ac084b9b5e567c6b344053786b65

    SHA1

    e87609d03957aa40fcab0581720f1ec26dd71e5b

    SHA256

    3009086d4021b1effbaa83be3d984109113659eb1c814680983292910729b802

    SHA512

    8880f158e534a05b8f148ddabf590733620051192cc63efefb1382828430b4c770ebfc1c96ca0cfedd4a26e15c68c000fb6224ea51fb9fa45078de5985da14ee

  • /data/data/com.partchildreny/kl.txt

    Filesize

    437B

    MD5

    abe13bc02d393c618af824695c6f14bc

    SHA1

    f92cfe0ab49dbd3087cd9096156ed035a7d2ed18

    SHA256

    4929472223c67ac5cb65bbdf1c065dd852329d4d62ec9219b9abefc14970d83f

    SHA512

    e6cd077800b27c37eb1e9a3c88ecdadf1a0f36e79eb4d2f768f865910dc495363274a2e0b3fdbd4bfdb79706b079f89713336273237b5b7b894678b6c5e1fb1b

  • /data/user/0/com.partchildreny/app_DynamicOptDex/leqwOb.json

    Filesize

    2KB

    MD5

    28f7f73f9f1712afb5a8f1d2f0f321ba

    SHA1

    3399ead2f1b5f1eea16a906bf8c6cbe219d8c5aa

    SHA256

    f5f0d84ac04381467b1bb5fe03313ff5175e88e4fee6374f12392f0a475818f6

    SHA512

    f40d8c3952c6eecccc7011dee68a05d366c67a0f215976dab3ebcb721bfeaa94177774afd088f4e9431cb0858b43b8d139e88ce6607d2783a485aba5297bf751

  • /data/user/0/com.partchildreny/app_DynamicOptDex/leqwOb.json

    Filesize

    2KB

    MD5

    94a37570a6ad7d7c4cf52701e441ea59

    SHA1

    8933f5345481404b26f01d048731b8c9a45ec8bb

    SHA256

    f21e111bca4dd245be46e019829339d3c71619b6a30be94dc19a5f2f46095e1d

    SHA512

    0614911af7c953e36ce23dfc3b82e7b0edcb7077671b339263ed657549a1e519fccef8230a88951af8ee343aecb842c3d18256e5af83bb3e2baa8736dee17d1b