Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:arm
    arch:x86
    image:android-x86-arm-20240910-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    22/03/2025, 22:11

General

  • Target

    4961670c629f6bae3f820572cd00fed6199d9342c509e5eeaa36e26b8ada1421.apk

  • Size

    3.2MB

  • MD5

    9331e8cb5d5a282fc173e2e917262dbf

  • SHA1

    8e76e8ad5c5e6fae60bc54a56ac1e32ad8b72b18

  • SHA256

    4961670c629f6bae3f820572cd00fed6199d9342c509e5eeaa36e26b8ada1421

  • SHA512

    11e0de040f33799a3e97418598b32a67bd20189ea9ac1b01e2d1bd6792bb4d5f0c341ad30597e67672df6ec8c8ed2b25f081f138b9534379839edd4ac8b8d57f

  • SSDEEP

    98304:A4jyBT/BShXIT8WCych5DTiNMBU/zDRJNGKFn:byBT/cXU8acyNf/zDRyKN

Malware Config

Extracted

Family

octo

C2

https://185.196.9.197/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass2.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass3.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass4.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass5.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass6.net/MTQ4MmUxODBhMTVi/

rc4.plain

Extracted

Family

octo

C2

https://185.196.9.197/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass2.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass3.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass4.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass5.net/MTQ4MmUxODBhMTVi/

https://xxxpakunatationclass6.net/MTQ4MmUxODBhMTVi/

AES_key
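The two extracted configs list the same seven C2 endpoints, and every URL carries the same path segment. The script below is an added example (not part of the sandbox report or the Octo analysis tooling) that de-duplicates the list, separates the IP-based C2 from the domains, and base64-decodes the shared path token so it can be used as a pivot across samples. The input is the C2 dump copied from this page; the decoding assumption (that the token is plain base64) is checked, not assumed, so the function returns None for segments that do not decode.

```python
import base64
import binascii
import ipaddress
from urllib.parse import urlsplit

# Constructed input: the C2 URLs from the two "Extracted" config blocks on this
# page, concatenated as they appear (the second block repeats the first).
OCTO_C2_DUMP = """
https://185.196.9.197/MTQ4MmUxODBhMTVi/
https://xxxpakunatationclass.net/MTQ4MmUxODBhMTVi/
https://xxxpakunatationclass2.net/MTQ4MmUxODBhMTVi/
https://xxxpakunatationclass3.net/MTQ4MmUxODBhMTVi/
https://xxxpakunatationclass4.net/MTQ4MmUxODBhMTVi/
https://xxxpakunatationclass5.net/MTQ4MmUxODBhMTVi/
https://xxxpakunatationclass6.net/MTQ4MmUxODBhMTVi/
https://185.196.9.197/MTQ4MmUxODBhMTVi/
https://xxxpakunatationclass.net/MTQ4MmUxODBhMTVi/
"""


def decode_token(segment):
    """Base64-decode a path segment if it is valid base64 and printable ASCII, else None."""
    padded = segment + "=" * (-len(segment) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def is_ip(host):
    """True when the host part of a URL is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_c2_dump(text):
    """One record per unique C2 URL: host, IP flag, first path segment, decoded segment."""
    records, seen = [], set()
    for line in text.splitlines():
        url = line.strip()
        if not url.startswith("http") or url in seen:
            continue
        seen.add(url)
        parts = urlsplit(url)
        segments = [s for s in parts.path.split("/") if s]
        token = segments[0] if segments else ""
        records.append({
            "url": url,
            "host": parts.hostname,
            "is_ip": is_ip(parts.hostname),
            "token": token,
            "decoded": decode_token(token),
        })
    return records


def summarize(records):
    """Pivot-ready summary: domains, IPs, and the token(s) shared across hosts."""
    return {
        "domains": sorted(r["host"] for r in records if not r["is_ip"]),
        "ips": sorted(r["host"] for r in records if r["is_ip"]),
        "tokens": sorted({r["token"] for r in records}),
        "decoded_tokens": sorted({r["decoded"] for r in records if r["decoded"]}),
    }


if __name__ == "__main__":
    recs = parse_c2_dump(OCTO_C2_DUMP)
    for r in recs:
        print(f'{r["host"]:32} token={r["token"]} decoded={r["decoded"]}')
    print(summarize(recs))
```

For this sample the seven URLs collapse to one IP, six look-alike domains and a single token that decodes to a 12-character hex string. Whether that string is a bot, build or campaign identifier is not established by this report; it is simply a constant worth searching for in other Octo configs.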

Signatures

  • Octo

    Octo is an Android banking trojan with remote-access (RAT) capabilities, first documented in April 2022.

  • Octo family
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 5 IoCs

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs
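Most of the signatures above correspond to components and permissions that must be declared in the APK manifest before the runtime behaviour is possible: an accessibility service, a notification listener, the battery-optimization exemption, foreground-service and phone-state permissions, and package enumeration. The script below is an added example (not the sandbox's own signature logic) of a static pre-check over a decoded AndroidManifest.xml that maps those declarations back to the behaviours listed here. The manifest it parses is constructed for illustration and is not the manifest of the sample on this page; the element and attribute names are standard Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (hypothetical; NOT recovered from the APK on this
# page). It declares the components and permissions the behaviours above imply.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.study">
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Study">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".A11y" android:exported="true"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".Notif" android:exported="true"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# uses-permission name -> the signature it makes possible (mirrors the list above)
PERMISSION_HINTS = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "requests battery-optimization exemption",
    "android.permission.FOREGROUND_SERVICE": "foreground-service persistence",
    "android.permission.READ_PHONE_STATE": "phone number / device ID / operator queries",
    "android.permission.QUERY_ALL_PACKAGES": "enumerates installed apps (overlay targeting)",
    "android.permission.WAKE_LOCK": "acquires wake lock",
}

# bind permission on a <service> -> the signature it makes possible
SERVICE_HINTS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
}


def triage_manifest(xml_text):
    """Return {finding: declaring name} for the capabilities this page's signatures describe."""
    root = ET.fromstring(xml_text)
    findings = {}
    for up in root.iter("uses-permission"):
        name = up.get(ANDROID_NS + "name", "")
        if name in PERMISSION_HINTS:
            findings[PERMISSION_HINTS[name]] = name
    for svc in root.iter("service"):
        perm = svc.get(ANDROID_NS + "permission", "")
        if perm in SERVICE_HINTS:
            findings[SERVICE_HINTS[perm]] = svc.get(ANDROID_NS + "name")
    # A launcher activity is expected; hiding it later (setComponentEnabledSetting)
    # happens at runtime and is invisible here, so only its presence is recorded.
    launcher = None
    for act in root.iter("activity"):
        cats = {c.get(ANDROID_NS + "name") for c in act.iter("category")}
        if "android.intent.category.LAUNCHER" in cats:
            launcher = act.get(ANDROID_NS + "name")
    findings["launcher activity"] = launcher
    return findings


def risk_score(findings):
    """Number of abuse-prone capabilities declared (launcher presence is not counted)."""
    return sum(1 for k, v in findings.items() if k != "launcher activity" and v)


if __name__ == "__main__":
    f = triage_manifest(SAMPLE_MANIFEST)
    for k, v in f.items():
        print(f"{k:45} {v}")
    print("score:", risk_score(f))
```

The check is deliberately one-directional: a manifest with these declarations is a strong triage signal, but several signatures on this page (launcher-icon removal, dropped-DEX loading, broadcast receivers registered at runtime) leave no manifest trace at all, which is why the dynamic run is still needed.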

Processes

  • com.studybut8
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4213
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.studybut8/app_ded/LaGh3WtGcglTlS4YpmYtbxEzQjuuJUfY.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.studybut8/app_ded/oat/x86/LaGh3WtGcglTlS4YpmYtbxEzQjuuJUfY.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4239
    • rm -r /data/user/0/com.studybut8/app_ded/LaGh3WtGcglTlS4YpmYtbxEzQjuuJUfY.dex
      2⤵
        PID:4262
      • rm -r /data/user/0/com.studybut8/app_ded/oat/x86/LaGh3WtGcglTlS4YpmYtbxEzQjuuJUfY.vdex
        2⤵
          PID:4278
        • rm -r /data/user/0/com.studybut8/app_ded/oat/x86/LaGh3WtGcglTlS4YpmYtbxEzQjuuJUfY.odex
          2⤵
            PID:4296
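The process tree shows the classic dropped-DEX pattern: the app writes a 3KB DEX into its private app_ded directory, ART's dex2oat compiles it (the dex2oat child is what the "Loads dropped Dex/Jar" signature keys on), and the app then removes the .dex together with the .vdex and .odex artifacts so nothing is left on disk. The script below is an added example (not the sandbox's own signature code) of detection logic that reconstructs that pattern from process events: it pairs each dex2oat invocation whose --dex-file sits in app-private storage with later rm calls from the same parent. The event list is constructed from the tree above, with the dex2oat argument list abbreviated to the flags used; it assumes, as the tree shows, that dex2oat and the rm children share the app's PID as parent.

```python
import re
import shlex

# Constructed sample: the process tree on this page reduced to
# (pid, parent pid, command line); the dex2oat flag list is abbreviated.
PROCESS_EVENTS = [
    (4213, 1, "com.studybut8"),
    (4239, 4213, "/system/bin/dex2oat --instruction-set=x86 --runtime-arg -Xhidden-api-checks "
                 "--dex-file=/data/user/0/com.studybut8/app_ded/LaGh3WtGcglTlS4YpmYtbxEzQjuuJUfY.dex "
                 "--output-vdex-fd=44 --oat-fd=45 "
                 "--oat-location=/data/user/0/com.studybut8/app_ded/oat/x86/LaGh3WtGcglTlS4YpmYtbxEzQjuuJUfY.odex "
                 "--compiler-filter=quicken"),
    (4262, 4213, "rm -r /data/user/0/com.studybut8/app_ded/LaGh3WtGcglTlS4YpmYtbxEzQjuuJUfY.dex"),
    (4278, 4213, "rm -r /data/user/0/com.studybut8/app_ded/oat/x86/LaGh3WtGcglTlS4YpmYtbxEzQjuuJUfY.vdex"),
    (4296, 4213, "rm -r /data/user/0/com.studybut8/app_ded/oat/x86/LaGh3WtGcglTlS4YpmYtbxEzQjuuJUfY.odex"),
]

# App-private storage: /data/user/<n>/<pkg>/... or /data/data/<pkg>/...
APP_PRIVATE = re.compile(r"^/data/(?:user/\d+|data)/([A-Za-z0-9_.]+)/")


def owner_package(path):
    """Package that owns an app-private path, or None for system/shared paths."""
    m = APP_PRIVATE.match(path)
    return m.group(1) if m else None


def dex2oat_targets(argv):
    """(dex_path, oat_location) from a dex2oat argv, or None if this is not dex2oat."""
    if not argv or not argv[0].endswith("/dex2oat"):
        return None
    opts = dict(a.split("=", 1) for a in argv[1:] if a.startswith("--") and "=" in a)
    return opts.get("--dex-file"), opts.get("--oat-location")


def find_dropped_dex(events):
    """Flag DEX files compiled from app-private storage and later deleted by the same parent."""
    loads = {}    # dex path -> {"ppid", "package", "artifacts"}
    removed = {}  # parent pid -> set of paths its rm children deleted
    for pid, ppid, cmdline in events:
        argv = shlex.split(cmdline)
        if not argv:
            continue
        tgt = dex2oat_targets(argv)
        if tgt and tgt[0] and owner_package(tgt[0]):
            dex, oat = tgt
            artifacts = {dex}
            if oat:
                # dex2oat writes the .odex at --oat-location and a sibling .vdex
                artifacts.add(oat)
                artifacts.add(re.sub(r"\.odex$", ".vdex", oat))
            loads[dex] = {"ppid": ppid, "package": owner_package(dex), "artifacts": artifacts}
        elif argv[0] == "rm":
            removed.setdefault(ppid, set()).update(p for p in argv[1:] if not p.startswith("-"))
    findings = []
    for dex, info in loads.items():
        gone = info["artifacts"] & removed.get(info["ppid"], set())
        findings.append({
            "package": info["package"],
            "dex": dex,
            "deleted_artifacts": sorted(gone),
            "load_then_delete": dex in gone,
        })
    return findings


if __name__ == "__main__":
    for f in find_dropped_dex(PROCESS_EVENTS):
        print(f["package"], "loaded", f["dex"])
        print("  deleted afterwards:", *f["deleted_artifacts"], sep="\n    ")
        print("  load-then-delete:", f["load_then_delete"])
```

Because the DEX is deleted within seconds, the copy a sandbox captures at write time (the "Downloads" entries below, with two different hashes for the same app_ded path) is usually the only artifact left; on a live device the vdex/odex pair under app_ded/oat/ is worth grabbing before the app gets a chance to clean up.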

        Network

        MITRE ATT&CK Mobile v15

        Downloads

        • /data/data/com.studybut8/app_ded/LaGh3WtGcglTlS4YpmYtbxEzQjuuJUfY.dex

          Filesize

          3KB

          MD5

          f5cffe3307b1ed7e6c7d563117f97684

          SHA1

          3b4fef0a524d1e29bfe6c1ca3fd57feee566fc9b

          SHA256

          3309e981bc83f443e2b156dcaab1b6277399b03793eec1c062092eca83e92f2d

          SHA512

          8f48467b62abb8d99428fecf8b99f7b4d075a2831c36e790769186dcda5c480c4d9a52db5b2ea77de25b114bc6e515fe876898587e8cdd2589c636871fb343a7

        • /data/data/com.studybut8/cache/oat/qmjaqyixgeuxsyy.cur.prof

          Filesize

          478B

          MD5

          d6818f790b18878ab36de0b41d2a4ae7

          SHA1

          1e2b827acc73845f3c9f6338c684a2f6b5b6862d

          SHA256

          655c9ba91b5ab88318e70c635e59ff9e017c3d43100c16608dde62e57cba1b3c

          SHA512

          ec359c1d1250e411e11773e868c39de4d7c8ec4b6306442042b8e7e52c1ce2073ef693d5825b13360ec73fef51990941183501935ddb77fea08c15b26de4e984

        • /data/data/com.studybut8/cache/qmjaqyixgeuxsyy

          Filesize

          449KB

          MD5

          101eee30f6075f0d785255d80a1865b6

          SHA1

          9814bccdf5b2545e571ba27fa4a32caab506d072

          SHA256

          285dfa67f866f80ed32e0cecdcb2aa1ad4506025dda179164feadf59ce564cf9

          SHA512

          e807d83b7796b5d30a3760fcb3fbd276e97547d40083cecedf0c08e3b03299879e79ff247988675d2ac2d11aa8d7ed7daba0bd5c5180a60f27998d7fa76c5664

        • /data/data/com.studybut8/kl.txt

          Filesize

          230B

          MD5

          8a71bfebae3861fde048d1115954fdcf

          SHA1

          b4c475f156902b367854092babbb933927e1f9d1

          SHA256

          9356d44caf19911276245c972ff013c3f033115d75fc0d597a9d14f6d1d6857e

          SHA512

          5709edf62ed3bb312fee812ad7ad1872d7214e6b7dacb3388fe51091c65f00ff9fc8ef262b30813dd500918923ddc80c4b27c79d68e7b73967eebb19974a66ba

        • /data/data/com.studybut8/kl.txt

          Filesize

          54B

          MD5

          f1f4ab8f569ae1364e563788aa88d23a

          SHA1

          2aed8e53c93e008ed1283cb2b205698a81e6c206

          SHA256

          46e65329e6b6cf3e028b718510980fc484c5594ee4367b533b8fe166c7be5ec5

          SHA512

          22f8dcb3c743d030688b69bd6bad2e664e49cf8dc7ad117a6c34e977ce149c5617e64e065917dcd5e381d97f769039674d9bbc8c7f8dcb366e6454a15c09d7d2

        • /data/data/com.studybut8/kl.txt

          Filesize

          63B

          MD5

          1c30a0d79ad473e4c5c72803c64f2ba7

          SHA1

          29049831a08981e417a516b4f0e10a3afac75543

          SHA256

          a4bb56ef1768bf32d4b84d13b7bab78d2f9aa7187ae09b0f89047473d8aa645c

          SHA512

          553ca103c6b9bbe7b4ea345e7fb349338e7206ecf866db9bed401c81599073438f521c2b1a239aabfa12e3ce4918f443a17af4f600c46371a09a7ebddcf2a39a

        • /data/data/com.studybut8/kl.txt

          Filesize

          423B

          MD5

          ebd808ef5b39b1f89b293a306bf85e48

          SHA1

          f4c9b0926031e27a748e809baa4b1c4e46b289f8

          SHA256

          d67870a2c87e557bd7187651e123b0fbcedd30463d8bb3c3cbf3db9248dacf0d

          SHA512

          d6d935dfa26995a57e1224d04011f39266bf164cd4240ed6559917880a721e2b821870177179f60083e9405fbe23ec71fffe5d582f7cee6310faa75fcee6f1ee

        • /data/data/com.studybut8/kl.txt

          Filesize

          28B

          MD5

          6311c3fd15588bb5c126e6c28ff5fffe

          SHA1

          ce81d136fce31779f4dd62e20bdaf99c91e2fc57

          SHA256

          8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8

          SHA512

          2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

        • /data/user/0/com.studybut8/app_ded/LaGh3WtGcglTlS4YpmYtbxEzQjuuJUfY.dex

          Filesize

          3KB

          MD5

          e946205f719766096fc95fdc1674dfb6

          SHA1

          02a1a305cb0c2871d9e3c5744a1b28d028dc695e

          SHA256

          664cbf2f937075202872e81c637709c6bc43c2dbc4cb951bd48bf9cb41ace146

          SHA512

          3adba88a66a5057b92ad17ca1c0fb70d51f5e79c76e875e6ada79f9f18a2e837740ec3f29c3e72990f3bd175fb154d8e5891a83901b1a836fc639a4c8de760c6