Analysis
-
max time kernel
66s -
max time network
140s -
platform
android_x64 -
resource
android-x64-20240221-en -
resource tags
androidarch:x64arch:x86image:android-x64-20240221-enlocale:en-usos:android-10-x64system -
submitted
03-05-2024 05:43
Static task
static1
Behavioral task
behavioral1
Sample
e862c84af8803294b1e643dfb44addf23b2b53b8c244cf94c5d51c8fa5e24c40.apk
Resource
android-x86-arm-20240221-en
Behavioral task
behavioral2
Sample
e862c84af8803294b1e643dfb44addf23b2b53b8c244cf94c5d51c8fa5e24c40.apk
Resource
android-x64-20240221-en
General
-
Target
e862c84af8803294b1e643dfb44addf23b2b53b8c244cf94c5d51c8fa5e24c40.apk
-
Size
541KB
-
MD5
28e2484845cf97b42b5edbcffaf17974
-
SHA1
0d3db50f2f872982bf28df12c372516906682969
-
SHA256
e862c84af8803294b1e643dfb44addf23b2b53b8c244cf94c5d51c8fa5e24c40
-
SHA512
49346e97f59c6713f43ac5d7fcb90a5a763c26a01efa2854ee7acce4dc76dd45d3cbf16d1cf74579a5053eed3763d4395f54f04abb99a19534fc74dfeb28abf5
-
SSDEEP
12288:jCSFFN5BcjnK9LoNLhE0+nBZfNYyDgPzXbCmqJUySXUlPwKheNNnR:jzFuK9ELhEXZYycPbbClSXUOK0rnR
Malware Config
Extracted
octo
https://33moneycshlazim33.shop/MmExODA3MDAzZjA5/
https://moneycsasfasfh.shop/MmExODA3MDAzZjA5/
https://moneymaskalandd.shop/MmExODA3MDAzZjA5/
https://moneycsffhgm7.shop/MmExODA3MDAzZjA5/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
Processes:
resource yara_rule /data/data/com.broughtusfi/cache/esshglmxtck family_octo -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
com.broughtusfidescription ioc process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.broughtusfi Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.broughtusfi -
Prevents application removal 1 TTPs 1 IoCs
Application may abuse the framework's APIs to prevent removal.
Processes:
com.broughtusfidescription ioc process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.broughtusfi -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
com.broughtusfiioc pid process /data/user/0/com.broughtusfi/cache/esshglmxtck 5091 com.broughtusfi /data/user/0/com.broughtusfi/cache/esshglmxtck 5091 com.broughtusfi -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
com.broughtusfidescription ioc process Framework service call android.app.IActivityManager.setServiceForeground com.broughtusfi -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
Processes:
com.broughtusfidescription ioc process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.broughtusfi -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
com.broughtusfidescription ioc process Framework service call android.app.IActivityManager.registerReceiver com.broughtusfi -
Acquires the wake lock 1 IoCs
Processes:
com.broughtusfidescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock com.broughtusfi -
Reads information about phone network operator. 1 TTPs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
com.broughtusfidescription ioc process Framework API call javax.crypto.Cipher.doFinal com.broughtusfi
Processes
-
com.broughtusfi1⤵
- Makes use of the framework's Accessibility service
- Prevents application removal
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/com.broughtusfi/cache/esshglmxtckFilesize
450KB
MD596cc41d8ac4dfd0dfd302772b1e6160e
SHA1f7600b2fc002b90290b692240558a6cf5a030551
SHA256f2c549f4f82fb00d8852c5aaeb6ad71e873548730592ab64f6ee6edaa379de49
SHA51235fe6a4e2ced3d5df096c6b3aea54df305f0c4758b7c514d3743a98b092976dfe2feaa4edbf369209f83ca6990a068c5550d014ed7070b669576df596da0712a
-
/data/data/com.broughtusfi/cache/oat/esshglmxtck.cur.profFilesize
548B
MD52845304a1e9a42963d28dcb75ef16e77
SHA18952d8713efd2c5a82735fb93e18f66b5819643e
SHA256845b5dd736e89a31f08b07d7bbe74de1e0884892730e864057f2c06ef961b0c6
SHA512aa13ea3ae7c08a18abd4abd670d5510bf65298674097332c012598495c4ba283a307ab12bef4b6a6f42a723453f70cc49ec03a8ed152a2a22b1212833110dbc6