Overview

overview

10

Static

static

6

a378825d42...38.apk

android-9-x86

10

a378825d42...38.apk

android-13-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    152s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    14/04/2025, 22:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a378825d426606a0a86ec7ec357fcd5c205eaa84d890248f527b8847e3d48538.apk

  • Size

    2.9MB

  • MD5

    1a1e1b1556052aaedc9f5956b84ab20d

  • SHA1

    4f1ffb72eec4256cef3c6484690cd898b6f62e06

  • SHA256

    a378825d426606a0a86ec7ec357fcd5c205eaa84d890248f527b8847e3d48538

  • SHA512

    76b2930ce9f5326978655ae0e32a6969c8c9ac5e6f8b31841fe5ab91234498544018d37eaced82786a37ea2d911a1609383ba55ac14fc466e349d4ca8419f627

  • SSDEEP

    49152:ZwsGvebxR3lemg6yCHT5+8fCd8BmbWvxeqPff8tZWI7nX7wYz2nl9P6fXJoxQ+9C:CgN5vHT5RCd9SMW8t17X7wvv6vJD+9Xy

Score
10/10
octobankercollectioncredential_accessdefense_evasiondiscoveryevasionimpactinfostealerpersistenceratstealthtrojan

Malware Config

Extracted

Family

octo

C2

https://zoecozum.com/ZGZlZTNiYThiMjcx/

https://adilemutlubirhayat2.com/ZGZlZTNiYThiMjcx/

https://naber25naber.com/ZGZlZTNiYThiMjcx/

https://kelimecozm2u.com/ZGZlZTNiYThiMjcx/

https://naberk1rvee34.com/ZGZlZTNiYThiMjcx/
rc4.plain

Extracted

Family

octo

C2

https://zoecozum.com/ZGZlZTNiYThiMjcx/

https://adilemutlubirhayat2.com/ZGZlZTNiYThiMjcx/

https://naber25naber.com/ZGZlZTNiYThiMjcx/

https://kelimecozm2u.com/ZGZlZTNiYThiMjcx/

https://naberk1rvee34.com/ZGZlZTNiYThiMjcx/
AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

    bankertrojaninfostealerratocto
  • Octo family
    octo
  • Octo payload 1 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 4 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    defense_evasion
  • Requests modifying system settings. 1 IoCs
    defense_evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact

Processes

  • com.lovebeen6
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4382
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.lovebeen6/app_blame/XquD.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.lovebeen6/app_blame/oat/x86/XquD.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4407

Network

MITRE ATT&CK Mobile v16

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Network Configuration Discovery

4
T1422

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.lovebeen6/app_blame/XquD.json
    Filesize

    1.0MB

    MD5

    b422640e0b5a946fcd225b0fba3ca596

    SHA1

    40d2bf5e80fc38543039cdcff3b7cb62fce720e3

    SHA256

    ec161d8b15f6ddeb86ed7b555d00e8f048bdb176f297c47379ca0ccae2c2d552

    SHA512

    88b607b717f763827466ace3bb2ebef4fc0798a376fe2f8d744d29b76e386f2a1ee5bbc2dfc85a2b3ae2d217a03e713fc6840fe95da3d5d952b6eefb8350abdd

    Download Submit

  • /data/data/com.lovebeen6/app_blame/XquD.json
    Filesize

    1.0MB

    MD5

    540982ecb78450ffa126230612014511

    SHA1

    2ab3ad7510c6970d345f70bafa2930fbc0a8877a

    SHA256

    9f06626a19926caee47b4a40cc008df018ec965b016ed1d36976a41f82371386

    SHA512

    0651aadeef455ed60012b0a1ce7491ea9c6edb33127796e358bbbaa2c6d61d5145f58c5e33516bb22d96e5772d1b252f2a68e2e46611d689394d5e1f09ac9cc5

    Download Submit

  • /data/data/com.lovebeen6/cache/oat/vgwdaoenp.cur.prof
    Filesize

    486B

    MD5

    385a313819709f4bb919fa6cde3c5490

    SHA1

    688c2bea937a09bbea691ca16062ba663caa1661

    SHA256

    56fbb6696a26d467099acf84574541a3e9199636d134258ee7b4bc81d25dfde9

    SHA512

    3594b86b4e8440d749ef4a184ec8c6f1fff06f05102c925a112a225005e4bac24486068213701536558c0bdd1c18813a7d35e92018aeeb56b06e08cecb3ce316

    Download Submit

  • /data/data/com.lovebeen6/cache/vgwdaoenp
    Filesize

    976KB

    MD5

    a7a73eafced0271a95002b7fc00f6ddf

    SHA1

    ceb49c5e703543141c7176c13d0a95aa1ec7a52d

    SHA256

    09478b63577df00fd96a82e179a128407baf237fe911e0743b55479710edf128

    SHA512

    d7f0644446e6def9366cfde090e5277626abf871c3c016ce343616667035995b6dac0ea2a52a371f7156366085885add1d768295f114a80fd7dc1a4a3db36e01

    Download Submit

  • /data/user/0/com.lovebeen6/app_blame/XquD.json
    Filesize

    3.0MB

    MD5

    43098dfef13a41742a5ef57d02dc3e75

    SHA1

    ff2abb3067f6693d8a39186a1fc324d9dc83ffd8

    SHA256

    1fa81e8261a76da0ffd98a3cbc061f25c67303cc1e46e1525b440e576847e6d1

    SHA512

    7be3a9327fbf58de7134662b21e4d8b144c2f414cbb77820e54c4f7f8976aa44c61f4ff6c4daa80780ecb7b7ce695d5b43eb6d073f061a3a5374877e454630b8

    Download Submit

  • /data/user/0/com.lovebeen6/app_blame/XquD.json
    Filesize

    3.0MB

    MD5

    26a1a00475d96d561e814d196aa11c45

    SHA1

    5c15d1dbbc2cc7dec2ecab065562ac0164aa854a

    SHA256

    40d1d8115b20bb9ac5f55094911f98db584fd0bfa8be9ee578d9062050d4ae9e

    SHA512

    bb85fc5b1a473e6ed63bb2f7ed855d1b1692b082e7471ff12000633c892e1469169bd283a5e5c18854d3371830b73097efc24c27affb8859d44e14efe3a294ad

    Download Submit