Analysis
max time kernel: 150s
max time network: 151s
platform: android_x86
resource: android-x86-arm-20240221-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
submitted: 01-04-2024 22:01 (day-month-year, i.e. 1 April 2024; the analysis image itself is dated 2024-02-21, so this is the only consistent reading)
Behavioral tasks (the same sample was run on three images)
behavioral1: cd015af6ccb1dbb0bdd84f1e1db4ac90c12b94599fd6fd858d5d7059549021f9.apk on android-x86-arm-20240221-en
behavioral2: cd015af6ccb1dbb0bdd84f1e1db4ac90c12b94599fd6fd858d5d7059549021f9.apk on android-x64-20240221-en
behavioral3: cd015af6ccb1dbb0bdd84f1e1db4ac90c12b94599fd6fd858d5d7059549021f9.apk on android-x64-arm64-20240221-en
General
Target: cd015af6ccb1dbb0bdd84f1e1db4ac90c12b94599fd6fd858d5d7059549021f9.apk
Size: 187KB
MD5: 3da3657870504f47cb638a90d1dd88bc
SHA1: 5ad6937aba10af75cb27b6db0b4cf45f743150bd
SHA256: cd015af6ccb1dbb0bdd84f1e1db4ac90c12b94599fd6fd858d5d7059549021f9
SHA512: 010329852877716915b240e943e468b9ceb363876a5dca6462abde12162166270dec2ede6fd9b20d810049e936325bb1afb5ed562cb3d51f3e3a3a17103bf9d6
SSDEEP: 3072:H1g4oULzaTN14aHZ1F4jwTVizAbqMbMvZM9ajwOBNtzP13jGXRXFQq4FPAVfCNsf:HLoLFceSAbqli9+HNtz93jYR1Q3FIANA
Malware Config
Extracted family: octo
C2: https://94.156.66.116:7117/gate/ (HTTPS to a bare IP on a non-standard port; the gate URL is the network IoC to block and hunt for)
Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.

Makes use of the framework's Accessibility service (2 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService. Both calls below walk the view hierarchy of whatever app is in the foreground, which is how an Accessibility-abusing banker reads screen content and locates the fields it wants to act on.
Processes:
  com.adaxffsfzfada.zbsvxgsvbxhdgs
    Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
    Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Queries a list of all the installed applications on the device (1 TTP, 1 IoC)
Might be used in an attempt to overlay legitimate apps.
Processes:
  com.adaxffsfzfada.zbsvxgsvbxhdgs
    Framework service call: android.content.pm.IPackageManager.getInstalledApplications

Removes its main activity from the application launcher
The report records only the process for this signature, no framework-call IoC.
Processes:
  com.adaxffsfzfada.zbsvxgsvbxhdgs (pid 4257)

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
  com.adaxffsfzfada.zbsvxgsvbxhdgs
    Framework service call: android.app.IActivityManager.setServiceForeground

Acquires the wake lock (1 IoC)
Processes:
  com.adaxffsfzfada.zbsvxgsvbxhdgs
    Framework service call: android.os.IPowerManager.acquireWakeLock

Reads information about phone network operator. (1 TTP; no IoC recorded)

Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTP, 1 IoC)
Processes:
  com.adaxffsfzfada.zbsvxgsvbxhdgs
    Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Uses Crypto APIs (Might try to encrypt user data) (1 IoC)
A Cipher.doFinal call on its own does not show what is being encrypted or decrypted; it is equally consistent with unpacking an embedded config or protecting C2 traffic, so treat it as supporting evidence rather than proof that user data is encrypted.
Processes:
  com.adaxffsfzfada.zbsvxgsvbxhdgs
    Framework API call: javax.crypto.Cipher.doFinal
Processes
com.adaxffsfzfada.zbsvxgsvbxhdgs (pid 4257)
- Makes use of the framework's Accessibility service
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
- Removes its main activity from the application launcher
- Makes use of the framework's foreground persistence service
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
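The signature rows above are a trace that a matcher can be written against. The following is an added example of my own, not the sandbox's signature engine and not code from the sample: it parses rows in the report's own "<description> <ioc> <process>" layout, maps them to the signature names the report uses, and applies a triage heuristic that only flags a process when screen reading, installed-app enumeration and a persistence step co-occur. The trace is constructed from the IoCs listed above; the setComponentEnabledSetting row is an assumption (the report lists no IoC for the launcher-hiding signature, and that is the standard API behind it), and com.example.benign is a made-up second process.

```python
from collections import defaultdict

# Map the report's row descriptions to an event kind.
KINDS = {
    "Framework service call": "service_call",
    "Intent action": "intent",
    "Framework API call": "api_call",
}

# Signature rules keyed by the report's signature names: (event kind, match).
# A match ending in "." is a prefix (the whole Binder interface); otherwise the
# IoC must match exactly. The launcher-hiding rule is an assumption: the report
# records no IoC for it; IPackageManager.setComponentEnabledSetting is the usual API.
RULES = {
    "Makes use of the framework's Accessibility service":
        ("service_call", "android.accessibilityservice.IAccessibilityServiceConnection."),
    "Queries a list of all the installed applications on the device":
        ("service_call", "android.content.pm.IPackageManager.getInstalledApplications"),
    "Removes its main activity from the application launcher":
        ("service_call", "android.content.pm.IPackageManager.setComponentEnabledSetting"),
    "Makes use of the framework's foreground persistence service":
        ("service_call", "android.app.IActivityManager.setServiceForeground"),
    "Acquires the wake lock":
        ("service_call", "android.os.IPowerManager.acquireWakeLock"),
    "Requests disabling of battery optimizations":
        ("intent", "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"),
    "Uses Crypto APIs":
        ("api_call", "javax.crypto.Cipher.doFinal"),
}

# Signals that keep the process resident; on their own they are what many
# legitimate apps (music players, messengers) do as well.
PERSISTENCE = {
    "Makes use of the framework's foreground persistence service",
    "Acquires the wake lock",
    "Requests disabling of battery optimizations",
}

def parse_trace_line(line):
    """Parse one row in the report's layout: '<description> <ioc> <process>'."""
    for desc, kind in KINDS.items():
        if line.startswith(desc + " "):
            fields = line[len(desc) + 1:].split()
            if len(fields) != 2:
                raise ValueError(f"unexpected row layout: {line!r}")
            return {"kind": kind, "value": fields[0], "process": fields[1]}
    raise ValueError(f"unknown row type: {line!r}")

def match_signatures(events):
    """Return {process: {signature: [distinct IoCs]}} for an iterable of events."""
    hits = defaultdict(lambda: defaultdict(list))
    for ev in events:
        for name, (kind, pattern) in RULES.items():
            if ev["kind"] != kind:
                continue
            matched = (ev["value"].startswith(pattern) if pattern.endswith(".")
                       else ev["value"] == pattern)
            if matched and ev["value"] not in hits[ev["process"]][name]:
                hits[ev["process"]][name].append(ev["value"])
    return {proc: dict(sigs) for proc, sigs in hits.items()}

def verdict(signatures):
    """My own triage heuristic, not the sandbox's scoring: screen reading via
    Accessibility plus installed-app enumeration (overlay targeting) plus a
    step to stay resident fits the Octo-style banker pattern."""
    names = set(signatures)
    if ("Makes use of the framework's Accessibility service" in names
            and "Queries a list of all the installed applications on the device" in names
            and names & PERSISTENCE):
        return "banker-like"
    return "persistence-only" if names & PERSISTENCE else "no-persistence"

def analyze(lines):
    """Run the rules over trace rows and attach a verdict per process."""
    events = (parse_trace_line(l) for l in lines if l.strip())
    return {proc: {"signatures": sigs, "verdict": verdict(sigs)}
            for proc, sigs in match_signatures(events).items()}

# Constructed trace: the IoC rows the report lists for this sample, one assumed
# setComponentEnabledSetting row (see RULES) and one made-up benign process.
SAMPLE_TRACE = """\
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.adaxffsfzfada.zbsvxgsvbxhdgs
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.adaxffsfzfada.zbsvxgsvbxhdgs
Framework service call android.content.pm.IPackageManager.getInstalledApplications com.adaxffsfzfada.zbsvxgsvbxhdgs
Framework service call android.content.pm.IPackageManager.setComponentEnabledSetting com.adaxffsfzfada.zbsvxgsvbxhdgs
Framework service call android.app.IActivityManager.setServiceForeground com.adaxffsfzfada.zbsvxgsvbxhdgs
Framework service call android.os.IPowerManager.acquireWakeLock com.adaxffsfzfada.zbsvxgsvbxhdgs
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.adaxffsfzfada.zbsvxgsvbxhdgs
Framework API call javax.crypto.Cipher.doFinal com.adaxffsfzfada.zbsvxgsvbxhdgs
Framework service call android.os.IPowerManager.acquireWakeLock com.example.benign
""".splitlines()

if __name__ == "__main__":
    for proc, result in analyze(SAMPLE_TRACE).items():
        print(proc, result["verdict"], sorted(result["signatures"]))
```

The point of the combination rule is that none of the individual signatures is damning: wake locks, foreground services and battery-optimization exemptions are routine, and Accessibility use is legitimate for assistive apps. It is the co-occurrence with installed-app enumeration and launcher hiding that makes the sample read as an overlay banker, which is why the benign process in the trace only comes back as persistence-only.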
Downloads (dropped files)
The same path was captured five times at different sizes and with different hashes, so the file was rewritten while the sample ran; each capture is listed separately.

/data/data/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt
Filesize: 28B
MD5: 6311c3fd15588bb5c126e6c28ff5fffe
SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt
Filesize: 233B
MD5: a556b50fa50df0db637932090148f46a
SHA1: 19c54b3ebc856b4607ea0766e65dbfa798e45342
SHA256: d8e4f07e178f15e3787208702e9bab95cc4698b213f716ff731c0cd29398a286
SHA512: 974f9a08da99e8262d6df1d747bd98775dc7cdcbe83682c0af6f91a6d4b1f89ed734035c2e6dd47a49ec3b15e4fc2fa0c65a5ab6503621996915682e9cb4c71a

/data/data/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt
Filesize: 54B
MD5: 753caf59f001835f2287bd7da1a21c27
SHA1: d3d828a710456bd6e161810a2fbaf4d21ed96a82
SHA256: 3e740a713b831b27d578db1cc2f5f8a07eac84463040e07ef8d03356ac1cf92d
SHA512: 48915a48945814b0f6901ecb74f787ed100c949e55962e4f010c2267c06a41465ebb5e9c9a20a20e3942846d0ece25d8cacd20059f9aacb57ce31f1c9cc30187

/data/data/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt
Filesize: 63B
MD5: ed75c78207a975e1e37171cf38aeef81
SHA1: ca88d4cbcc8781e07670aa63488f72aa7bd30bae
SHA256: 4b313bc531ac49a11d47eeb8a6e51a55552190e57efb1e4b60bc8a52ba387863
SHA512: 5b7e635dc5cca6158d8005dddffabc81907a0d256f24734844cf6ca1be784a7402ffbaec374fa1ce52f6ceee1b2b1d20d570cc9ca0a26aba7a69d60ad34d47d4

/data/data/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt
Filesize: 429B
MD5: 76b8017451df4516f6ff307e0430d325
SHA1: f5e90ad93338d6113101d91f80547a12601356e5
SHA256: edcea856d53b796eb26fa87962bdb44eceffea0751ec611fb3749e3b96faabc2
SHA512: a6a23b84ecffa08b08b31f71658d8196c79a0b29abd6de3d298b4848f808ecd110f66a3042e9d4b7c39f83bcba03a21904a389270c616a4ea6233e0c9cdbcdaf
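Two things a practitioner does with a report like this are check that the file in hand really is the one analysed (all four digests, not just the one that was pasted into a ticket) and decide which of the dropped-file captures are duplicates and which are distinct artifacts. The following is an added example of my own, not sandbox code: it verifies a byte string against a dict of expected digests, and it groups the repeated kl.txt captures above (taken verbatim from the report) by path so that the growth of the file is visible. The `b"abc"` input used for the digest check is a constructed stand-in, not the sample.

```python
import hashlib
import hmac
from collections import defaultdict

def digests(data: bytes) -> dict:
    """MD5, SHA-1, SHA-256 and SHA-512 of a byte string: the four columns the report prints."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }

def verify_digests(data: bytes, expected: dict) -> dict:
    """Check a file's bytes against the digests a report lists for it.

    Only the algorithms present in `expected` are checked, so a report that gives
    just a SHA-256 still works. The result is {algo: True/False} per column rather
    than one boolean, so a single stale value (a hash copied from another report,
    say) is visible instead of being folded into an overall 'mismatch'."""
    actual = digests(data)
    return {algo: hmac.compare_digest(actual[algo], value.lower())
            for algo, value in expected.items()}

# The five captures of kl.txt as the report lists them: (path, size in bytes, SHA-256).
KL_TXT_CAPTURES = [
    ("/data/data/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt", 28,
     "8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8"),
    ("/data/data/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt", 233,
     "d8e4f07e178f15e3787208702e9bab95cc4698b213f716ff731c0cd29398a286"),
    ("/data/data/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt", 54,
     "3e740a713b831b27d578db1cc2f5f8a07eac84463040e07ef8d03356ac1cf92d"),
    ("/data/data/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt", 63,
     "4b313bc531ac49a11d47eeb8a6e51a55552190e57efb1e4b60bc8a52ba387863"),
    ("/data/data/com.adaxffsfzfada.zbsvxgsvbxhdgs/kl.txt", 429,
     "edcea856d53b796eb26fa87962bdb44eceffea0751ec611fb3749e3b96faabc2"),
]

def group_by_path(records):
    """Collapse repeated captures of one path into a size-ordered history.

    Returns {path: [(size, sha256), ...]}. A sandbox snapshots a file each time
    it sees a write, so one path can appear many times; if the file only ever
    grows, sorting by size recovers the order of the snapshots."""
    history = defaultdict(list)
    for path, size, sha256 in records:
        history[path].append((size, sha256))
    return {path: sorted(caps) for path, caps in history.items()}

def rewritten_paths(records):
    """Paths captured more than once with more than one distinct content hash.

    These are files the sample kept writing during the run; every capture is
    worth keeping, unlike a true duplicate (same path, same hash)."""
    return sorted(path for path, caps in group_by_path(records).items()
                  if len(caps) > 1 and len({sha for _, sha in caps}) > 1)

if __name__ == "__main__":
    # Constructed stand-in input; replace with open(path, "rb").read() for a real sample.
    print(verify_digests(b"abc", {"sha256": hashlib.sha256(b"abc").hexdigest()}))
    for path, caps in group_by_path(KL_TXT_CAPTURES).items():
        print(path, [size for size, _ in caps])
    print(rewritten_paths(KL_TXT_CAPTURES))
```

For the real sample, pass the APK's bytes and the General section's four digests as `expected`; any False column means the file is not the one this report describes, whatever the filename says. Grouping the captures shows kl.txt at 28, 54, 63, 233 and 429 bytes with five different hashes, so none of the five rows is a duplicate and all five belong in the artifact set.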