Overview

overview

10

Static

static

6

55db758f64...36.apk

android-9-x86

10

55db758f64...36.apk

android-10-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    14/04/2025, 22:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    55db758f644c40295e6ad4346fa75ed668ce566c4365d04aa0a068d55f034c36.apk

  • Size

    4.0MB

  • MD5

    f1b69530c612771512a2f671efdef2f7

  • SHA1

    87a44c66273296239fe20ff9356a46aa61fefae1

  • SHA256

    55db758f644c40295e6ad4346fa75ed668ce566c4365d04aa0a068d55f034c36

  • SHA512

    9a194450ad4a30da45042b50a8fbaf261a3cb5fcf789d99e3d7a29eea761911e3a6fd3e9f6b131e4efb10954e6221572be6b3e482e94a3c5e5042b79a6f87097

  • SSDEEP

    98304:/gBJdP+4BnL3mvkZ2peeYnM6K9RF++4JgthajcM0iJUnT:IxPZp6vBeecMd++IOz

Score
10/10
octobankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

octo

C2

https://zoecozum.com/ZGZlZTNiYThiMjcx/

https://adilemutlubirhayat2.com/ZGZlZTNiYThiMjcx/

https://naber25naber.com/ZGZlZTNiYThiMjcx/

https://kelimecozm2u.com/ZGZlZTNiYThiMjcx/

https://naberk1rvee34.com/ZGZlZTNiYThiMjcx/
rc4.plain

Extracted

Family

octo

C2

https://zoecozum.com/ZGZlZTNiYThiMjcx/

https://adilemutlubirhayat2.com/ZGZlZTNiYThiMjcx/

https://naber25naber.com/ZGZlZTNiYThiMjcx/

https://kelimecozm2u.com/ZGZlZTNiYThiMjcx/

https://naberk1rvee34.com/ZGZlZTNiYThiMjcx/
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    defense_evasion
  • Requests modifying system settings. 1 IoCs
    defense_evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.completenew9
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4212
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.completenew9/app_two/scgF.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.completenew9/app_two/oat/x86/scgF.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4237

Network

MITRE ATT&CK Mobile v16

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Network Configuration Discovery

4
T1422

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.completenew9/app_two/scgF.json
    Filesize

    1.0MB

    MD5

    8a6234489d029af8b08320aef57621a8

    SHA1

    920b575023405230d034f6f6256f88189cfa5190

    SHA256

    2752ff87cd7c12265d0a7b373fb719c0b2b223d78309733cf9bf734b2601489c

    SHA512

    acbc7642cbde88bb9928dded4c34a9514fed70da4f214440b1be609ff4d007aed723119255b6931392c5a88b793d5d2b300efc85f4b9937a1f9804be7bdf12e4

    Download Submit

  • /data/data/com.completenew9/app_two/scgF.json
    Filesize

    1.0MB

    MD5

    0f66c7050594edc7eed83d7c36893f90

    SHA1

    6333c335c811364fb39163896b4f8a616a758dfa

    SHA256

    979563741d1b34149ca53cd6edaf1e49c18f653f166bd2f951aeed7d4b80b1ec

    SHA512

    7d189efe4fb80e3f0eb1397013d572666a5857a902e17fc39a5baf69bf81817ba5f6f6b479ef152e9022c9fb41829e6ee5dca3dc8dd10567857482135d85770e

    Download Submit

  • /data/data/com.completenew9/cache/bfrkeuqn
    Filesize

    976KB

    MD5

    ce825e821df06b681c0e424e0bebcf20

    SHA1

    05ad66e6d27035cbb7b9ab0df02c74abe75856bc

    SHA256

    948200f2549e6effc98c998e9258431660b4c6c0ec1a14ab44dd4a0c4d587da7

    SHA512

    c2310fb851815405aff5b615d878d5e8225a1ef9cb95b13a2cfb308c1be9cd603ad28cf8f557cce125b99bd0c3967d13df40d2eaf5029f2df1c076bc5d6d076f

    Download Submit

  • /data/data/com.completenew9/cache/oat/bfrkeuqn.cur.prof
    Filesize

    497B

    MD5

    806629d20b3a57edba1c73a247e198e7

    SHA1

    938b28f941f0d6dcb83ee41f552f6b8d1d1e37ce

    SHA256

    db25a1507aca1aaf6bf1c5185bbbbdd557bb7c70076dff2624e36d15f5d008fd

    SHA512

    75e7b3715910ba359e8fce81a3cdd7ccc143fee82bed138f7f1212081ca1f863a29ee931797de8be670c201de1f7c8d4f920a5c6f1708b427950ec0ed60fc595

    Download Submit

  • /data/user/0/com.completenew9/app_two/scgF.json
    Filesize

    3.0MB

    MD5

    1d41cd7e3b289f6dbeef5876493d4ece

    SHA1

    aefcafb36c2536ce1a5fea6436b6380e06832fd0

    SHA256

    feac28d6149db9aa31ffbaaa93d837855490f5c1e34c9a133553847fb35455c1

    SHA512

    aab6d817983c63b070f8cd9a26977edad44e4bc89c2600f66612e7e3b1c7b490b1275f84c770aa3f926e3c68571a98aaf05bf086f27087dc91c035fe69edb25c

    Download Submit

  • /data/user/0/com.completenew9/app_two/scgF.json
    Filesize

    3.0MB

    MD5

    1d43548599e365587a8bffc117df52f5

    SHA1

    08b5ae088481bee8f92b4ef7557d2472a8255c5f

    SHA256

    2c6e5a0b672da88cfc790546fa59c8c865cc5764cef422f23e6d8c228115817e

    SHA512

    0d8d65d724aa72ff9617f5b1d3b66434b7a905ba649ed5ab984681c7387c1c790643c414d9c81db9d72432259f90a663a4509be6cafd4037fbbe1f71a26e1444

    Download Submit