Analysis
- max time kernel: 150s
- max time network: 150s
- platform: android_x86
- resource: android-x86-arm-20240221-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240221-en, locale:en-us, os:android-9-x86, system
- submitted: 23-04-2024 22:03
Static task: static1
Behavioral task: behavioral1
Sample: df096deb86121239ee8332be356cb47a3c47398cbf8bca775e009e2342cfae3a.apk
Resource: android-x86-arm-20240221-en
Behavioral task: behavioral2
Sample: df096deb86121239ee8332be356cb47a3c47398cbf8bca775e009e2342cfae3a.apk
Resource: android-33-x64-arm64-20240229-en
General
- Target: df096deb86121239ee8332be356cb47a3c47398cbf8bca775e009e2342cfae3a.apk
- Size: 1.5MB
- MD5: cc1274948304fda99d0e10a01e1fb671
- SHA1: 9b33a91f5c8b0ea17dde921bcefcbfc7d2481601
- SHA256: df096deb86121239ee8332be356cb47a3c47398cbf8bca775e009e2342cfae3a
- SHA512: d93375752ac21b4faaae5a34567fa0eefedec8239f08f449954dccafc5e5cea3628b271fb3918a4f1b999684df9c932e15889f8d04b46c7f43b92f25108510e2
- SSDEEP: 49152:KCki/x3DikWtF9Nav4cXkYUm2QAE4KoSTkX+ZGZbmq7:KCp12kW39NoCFz1X+ZQ/7
Malware Config
Extracted: octo (C2 URLs)
https://musherpicka.live/MTU2OWE0NzJjNGY5/
https://golevasi800.top/MTU2OWE0NzJjNGY5/
https://cm603lzeyxdw.site/MTU2OWE0NzJjNGY5/
https://cm603lzeyxdw1.site/MTU2OWE0NzJjNGY5/
https://arw2he7x57wp.pw/MTU2OWE0NzJjNGY5/
https://9r8i1u84t2gp.online/MTU2OWE0NzJjNGY5/
https://cm603lzeyxdw.biz/MTU2OWE0NzJjNGY5/
https://arw2he7x57wp1.pw/MTU2OWE0NzJjNGY5/
https://9r8i1u84t2gp1.online/MTU2OWE0NzJjNGY5/
https://cm603lzeyxdw.space/MTU2OWE0NzJjNGY5/
https://5a9udxg6l6gd.su/MTU2OWE0NzJjNGY5/
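All eleven C2 URLs above share one base64 path segment, MTU2OWE0NzJjNGY5, and only the domain rotates. The script below is an added example, not part of the sandbox report: it copies the extracted URL list, splits it into hosts and the shared path token, base64-decodes the token, and then runs both indicators over a few constructed proxy-log lines (not from the report) so that a request to an unlisted domain that still carries the token is flagged. Function names and the log format are assumptions.

```python
"""Turn the Octo C2 list into hunting indicators (added example, not report code)."""
import base64
import re
from urllib.parse import urlparse

# Copied verbatim from the "Extracted: octo" config above.
OCTO_C2 = [
    "https://musherpicka.live/MTU2OWE0NzJjNGY5/",
    "https://golevasi800.top/MTU2OWE0NzJjNGY5/",
    "https://cm603lzeyxdw.site/MTU2OWE0NzJjNGY5/",
    "https://cm603lzeyxdw1.site/MTU2OWE0NzJjNGY5/",
    "https://arw2he7x57wp.pw/MTU2OWE0NzJjNGY5/",
    "https://9r8i1u84t2gp.online/MTU2OWE0NzJjNGY5/",
    "https://cm603lzeyxdw.biz/MTU2OWE0NzJjNGY5/",
    "https://arw2he7x57wp1.pw/MTU2OWE0NzJjNGY5/",
    "https://9r8i1u84t2gp1.online/MTU2OWE0NzJjNGY5/",
    "https://cm603lzeyxdw.space/MTU2OWE0NzJjNGY5/",
    "https://5a9udxg6l6gd.su/MTU2OWE0NzJjNGY5/",
]

# Constructed proxy-log lines for the demo (not captured from the sandbox run).
SAMPLE_PROXY_LOG = [
    '10.0.0.12 - - [23/Apr/2024:22:05:01 +0000] "CONNECT cm603lzeyxdw.site:443" 200',
    '10.0.0.12 - - [23/Apr/2024:22:05:02 +0000] "GET https://cm603lzeyxdw.site/MTU2OWE0NzJjNGY5/ HTTP/1.1" 200',
    '10.0.0.15 - - [23/Apr/2024:22:05:03 +0000] "GET https://example.org/index.html HTTP/1.1" 200',
    '10.0.0.19 - - [23/Apr/2024:22:06:10 +0000] "GET https://cdn.example.net/MTU2OWE0NzJjNGY5/ HTTP/1.1" 404',
]


def parse_c2(urls):
    """Return (host, path_token) pairs; path_token is the single path segment."""
    pairs = []
    for url in urls:
        parsed = urlparse(url)
        pairs.append((parsed.hostname, parsed.path.strip("/")))
    return pairs


def unique_hosts(urls):
    return sorted({host for host, _ in parse_c2(urls)})


def unique_tokens(urls):
    return sorted({token for _, token in parse_c2(urls)})


def decode_path_token(token):
    """Base64-decode the path segment (re-adding any stripped '=' padding).
    The report does not say what the decoded value means; treat it as an opaque tag."""
    padded = token + "=" * (-len(token) % 4)
    return base64.b64decode(padded).decode("ascii")


def match_log_lines(lines, hosts, token):
    """Flag lines that touch a listed C2 host, or that request the C2 path token on
    any host (catches rotated domains that are not on the list yet)."""
    host_re = re.compile(r"(?:CONNECT |https?://)([A-Za-z0-9.-]+)")
    hits = []
    for line in lines:
        match = host_re.search(line)
        host = match.group(1) if match else ""
        reasons = []
        if host in hosts:
            reasons.append("known_c2_host")
        if f"/{token}/" in line:
            reasons.append("c2_path_token")
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    hosts = set(unique_hosts(OCTO_C2))
    token = unique_tokens(OCTO_C2)[0]
    print(f"{len(hosts)} C2 hosts, shared path token {token} -> {decode_path_token(token)!r}")
    for line, reasons in match_log_lines(SAMPLE_PROXY_LOG, hosts, token):
        print(",".join(reasons), "|", line)
```

The host list is the strong but short-lived signal; the path token is weaker (any site could serve that path) but survives domain rotation within the same build, so it is worth keeping as a lower-confidence rule alongside the domains.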
Signatures
-
Octo
Octo is Android banking malware with remote access capabilities, first seen in April 2022.
-
Octo payload 1 IoCs
Processes:
Resource | YARA rule
/data/data/com.turnexample15/cache/lvseceqyhd | family_octo
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes: com.turnexample15
Description | IOC | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.turnexample15
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.turnexample15
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information, which may indicate whether the system is an emulator.
-
Checks memory information 2 TTPs 1 IoCs
Checks memory information, which may indicate whether the system is an emulator.
-
Loads dropped Dex/Jar 1 TTPs 4 IoCs
Runs an executable file dropped onto the device during analysis.
Processes: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.turnexample15/app_DynamicOptDex/KdWGMKn.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.turnexample15/app_DynamicOptDex/oat/x86/KdWGMKn.odex --compiler-filter=quicken --class-loader-context=& ; com.turnexample15
IOC | PID | Process
/data/user/0/com.turnexample15/app_DynamicOptDex/KdWGMKn.json | 4256 | /system/bin/dex2oat (full command line above)
/data/user/0/com.turnexample15/app_DynamicOptDex/KdWGMKn.json | 4228 | com.turnexample15
/data/user/0/com.turnexample15/cache/lvseceqyhd | 4228 | com.turnexample15
/data/user/0/com.turnexample15/cache/lvseceqyhd | 4228 | com.turnexample15
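The dex2oat command line is the useful artefact here: the app hands ART a file named KdWGMKn.json from its private app_DynamicOptDex directory, which is what a DexClassLoader load of a dropped payload looks like from the outside. The script below is an added example, not part of the sandbox report: it parses that command line (copied from the report) into its options, scores the --dex-file path on two generic properties (app-private location, non-DEX extension), and checks a byte buffer for the DEX or compact-DEX magic so that a ".json" that is really code is caught regardless of its name. The header bytes are constructed for the demo; function names are assumptions.

```python
"""Spot dynamically loaded DEX hidden behind a non-DEX filename (added example)."""
import posixpath
import re

# Copied from the "Loads dropped Dex/Jar" signature above.
DEX2OAT_CMD = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/com.turnexample15/app_DynamicOptDex/KdWGMKn.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/com.turnexample15/app_DynamicOptDex/oat/x86/KdWGMKn.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# Constructed byte buffers (not the real dropped files): a DEX v035 header with the
# remaining 0x68 header bytes zeroed, and an innocuous JSON document.
SAMPLE_DEX_HEADER = b"dex\n035\x00" + b"\x00" * 0x68
SAMPLE_JSON = b'{"version": 1}'

DEX_LIKE_EXT = {".dex", ".jar", ".apk", ".zip", ".odex", ".vdex"}
APP_PRIVATE_PREFIXES = ("/data/user/0/", "/data/data/")


def parse_dex2oat(cmd):
    """Split a dex2oat command line into a dict of --key=value options.
    '--runtime-arg X' pairs are collected under 'runtime-args'; a key that
    appears twice (as --instruction-set-features does) keeps its last value."""
    tokens = cmd.split()
    opts = {"runtime-args": []}
    i = 1  # skip the binary path
    while i < len(tokens):
        tok = tokens[i]
        if tok == "--runtime-arg" and i + 1 < len(tokens):
            opts["runtime-args"].append(tokens[i + 1])
            i += 2
            continue
        if tok.startswith("--") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            opts[key] = value
        i += 1
    return opts


def dex_file_reasons(path):
    """Generic suspicion signals for a --dex-file path (empty list means none)."""
    reasons = []
    if path.startswith(APP_PRIVATE_PREFIXES):
        reasons.append("app_private_dir")
    if posixpath.splitext(path)[1].lower() not in DEX_LIKE_EXT:
        reasons.append("non_dex_extension")
    return reasons


def dex_magic(blob):
    """Return 'dex' for a standard DEX header, 'cdex' for compact DEX, else None."""
    if blob[:4] == b"dex\n" and re.fullmatch(rb"0\d\d\x00", blob[4:8]):
        return "dex"
    if blob[:4] == b"cdex" and re.fullmatch(rb"\d\d\d\x00", blob[4:8]):
        return "cdex"
    return None


if __name__ == "__main__":
    opts = parse_dex2oat(DEX2OAT_CMD)
    target = opts["dex-file"]
    print("dex-file:", target, "->", dex_file_reasons(target))
    print("compiler-filter:", opts["compiler-filter"], "class-loader-context:", opts["class-loader-context"])
    for name, blob in (("constructed dex header", SAMPLE_DEX_HEADER), ("constructed json", SAMPLE_JSON)):
        print(name, "->", dex_magic(blob))
```

Legitimate apps do load code from app-private directories (plugin frameworks, some SDK updaters), so the path heuristics alone are a lead rather than a verdict; the magic check on the captured file is what settles it. Note that the Downloads section records KdWGMKn.json several times with different sizes and hashes, so each captured copy should be checked separately.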
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes: com.turnexample15
Description | IOC | Process
Framework service call | android.app.IActivityManager.setServiceForeground | com.turnexample15
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
Processes: com.turnexample15
Description | IOC | Process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.turnexample15
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes: com.turnexample15
Description | IOC | Process
Framework service call | android.app.IActivityManager.registerReceiver | com.turnexample15
-
Acquires the wake lock 1 IoCs
Processes: com.turnexample15
Description | IOC | Process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.turnexample15
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
Processes: com.turnexample15
Description | IOC | Process
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.turnexample15
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes: com.turnexample15
Description | IOC | Process
Framework API call | javax.crypto.Cipher.doFinal | com.turnexample15
Processes
-
1. com.turnexample15 (pid 4228)
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
-
2. /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.turnexample15/app_DynamicOptDex/KdWGMKn.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.turnexample15/app_DynamicOptDex/oat/x86/KdWGMKn.odex --compiler-filter=quicken --class-loader-context=& (pid 4256)
- Loads dropped Dex/Jar
Downloads
-
/data/data/com.turnexample15/app_DynamicOptDex/KdWGMKn.json
Filesize 2KB
MD5 0650bf185606e7cc01e7c4466f25e212
SHA1 89a8ddbfac4348a67a5af895ad33d56b4d58e090
SHA256 59c46e834a5b0f4d33e4a6c84fb01fdab554c212ca7ec0c7d3acb1cc951b01a4
SHA512 a3c1dd5cba20190589769e55124aef28ed124a048babf5252c008c3b85b7a2781d7e0276863a7346170929edcce9b336d988b2e2588ec70c68805529b890313d
-
/data/data/com.turnexample15/app_DynamicOptDex/KdWGMKn.json
Filesize 2KB
MD5 870bc7b6b33cc3383021cb941c9bdb0f
SHA1 8ef83733a941f70e30d3610153dee5b4e72a59b5
SHA256 ebce94a14cae9c422c4a07ddea1bcb83895d66913d05ab29957f1c42477129a0
SHA512 c00483728fb319ece3682a03d1086c09942454a91ecd09764a164a9e1647345ca163a2c3be320d8c51c66e6ffcba548398fa73dee3f1c859e9c679c1af7ab229
-
/data/data/com.turnexample15/cache/lvseceqyhd
Filesize 271KB
MD5 6f3cf16d8a64cda396cf0e14be0dee13
SHA1 b99ff2737cdd8244e3cd7b616279b3e6a138526a
SHA256 f85d16490d4a5725516476ff48bece912ae923f132f42cd88a22197929f2cfc6
SHA512 fffbe48dbb14fec6435ca28556a1ff2e01f4e9259194fe6c85e76329c23f94e8344e2a780aa44d931b6dbf04f9d210cfed0ce5e9b9746539fe04983142b9173a
-
/data/data/com.turnexample15/cache/oat/lvseceqyhd.cur.prof
Filesize 457B
MD5 15aac8b61f7d3e6221fc68446514acad
SHA1 bbd1ac06b8d45fcdebdfb206d0ead2c08ef8466d
SHA256 0bf4dd4701b9fd4cd3ddcf96632b265f55a66eb6bc2526112584afdc516463c3
SHA512 a8b9ba499cab56a5ae6cc154337817e1dc9e028e2342cf35351fd230a5ebbecc8b5ccf81275d95f16f8f30b9f6e79f115e346fa309679f19e27ee7ba4a3adf4f
-
/data/data/com.turnexample15/kl.txt
Filesize 28B
MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6
-
/data/data/com.turnexample15/kl.txt
Filesize 230B
MD5 8bf06b74168b3c589f9d39a4ea6fbfa5
SHA1 5651410734f4fee6fafbe9c33e2cf73ec18a9504
SHA256 57c06b823ca2e5a1afb9e249c428509990ca5a6c5f2fb9c3f7b99361fc3cf960
SHA512 ebc500e5c5b7f68aab5b3d43390fe1379d5a7263eb227219d64a714b853add3d38195787b4157e5b8305efc15cfa3aa6b2a2a40d5054f8066bbd7f307fe53cee
-
/data/data/com.turnexample15/kl.txt
Filesize 69B
MD5 dfbef8507863b7012fb246d21de9ffc5
SHA1 75bf9d1cdd30090143abb5c23da73d8490fc550f
SHA256 458319366181d83cd36f508dd619a4d955f30050fc18d8e6a46985f6d01af354
SHA512 b3c11ac818220595523b8567c6bceca5dc7e7e22ecdf9cb9ac07dac1666e0ec4da009716da52fe52d2d6eefff4dd2e1041bda135d1cf8394c9b5dd354995ae3e
-
/data/data/com.turnexample15/kl.txt
Filesize 63B
MD5 97c80ab67ecfccf4eaffb9830c81f10c
SHA1 df592610835acff7ed5a04ffb82d40d620e1d0d4
SHA256 69603fadbc667d3385d0272aa5ff999be70a9cd9d273df23265787377ea04972
SHA512 60a45ebb744025f4ea325e1ffff4ec50aece88047beecb21e851918add054d171ddbd9b5a790bfcef63c7c617595e3cfc959bd4f54e5091e1903162b0b18a173
-
/data/data/com.turnexample15/kl.txt
Filesize 423B
MD5 9124097651ebc9330a3e5535941c0a76
SHA1 6e8bf072a91a61c84193bb5e2e89276bbd7d7a81
SHA256 c56dc7e9cbf1ec9cc50ca9ed437b5dfea87ea397bc68a645810fb7f34db2e31f
SHA512 985d0372e3648e7918dc6fc15499584273353e8d9ef177bc783a125c6f1f5981efc13988de13aa9e3f2e166e20c7cb06bdc1f5e14e367cfc099606c7cbb62c24
-
/data/user/0/com.turnexample15/app_DynamicOptDex/KdWGMKn.json
Filesize 6KB
MD5 83fb60c128e122eae540598672627cc8
SHA1 ba16e1bddaa119dc48defb1d10117a72196edec6
SHA256 53f5c5e9a62ed3bc3080b13c2bf6ee80003ec0322a3a4655cf9ee90b9abe192e
SHA512 c4a30500fc1c528933e69aab4be93f3509e96d999865187dc339baa669f86e19f0c8092aa61a111382684a3dfa1d7ca7c8da73340bd252fe703523e1f97c25af
-
/data/user/0/com.turnexample15/app_DynamicOptDex/KdWGMKn.json
Filesize 6KB
MD5 5ae419f42981cff6894434c9f79467c3
SHA1 00c55eadd6fc960a89f6d6e27f6f8b02431e0f55
SHA256 eca7f673d1be3ef858c03ec4f79c07467fe4dd9f37e47c4a325ca433f09d594b
SHA512 314438b93ee9bb03cf49ef2a3339a5ece79dc6bbdb7f681770e418e5349a991e9b98c4e290814959deb1d4b3979dc51e0254adcb2da9727ea2b69e3929d6f762