Analysis

max time kernel: 152s
max time network: 156s
platform: android_x64
resource: android-x64-arm64-20240506-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240506-en, locale:en-us, os:android-11-x64, system
submitted: 09-05-2024 22:01
Static task: static1

Behavioral task: behavioral1
  Sample: 23a78510f80cbf49012fb6093b484e7651cc13f20efc08f2e8a7ec84a75793a0.apk
  Resource: android-x86-arm-20240506-en

Behavioral task: behavioral2
  Sample: 23a78510f80cbf49012fb6093b484e7651cc13f20efc08f2e8a7ec84a75793a0.apk
  Resource: android-x64-arm64-20240506-en
General

Target: 23a78510f80cbf49012fb6093b484e7651cc13f20efc08f2e8a7ec84a75793a0.apk
Size: 509KB
MD5: b1b37e25084c81c627b5f03d56cd8bb1
SHA1: ac57bed54205b8a50c4806759abfda2e2ebefa23
SHA256: 23a78510f80cbf49012fb6093b484e7651cc13f20efc08f2e8a7ec84a75793a0
SHA512: 6dcdc56c08b0185d2a4df615f0b6229ae16b2dd5fef1c3cc8b629d4f5dcd4d9d1f7914350c907327c779111e85e721f66ef8e613ad86f7bd3433fa424be9f88a
SSDEEP: 12288:REjQYPfqf5eFsAvbp2Vo35kJu9LaaWe6X/I0nb:REsYSeFhYVe5VDdR0nb
Malware Config

Extracted: octo
Signatures

Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.

Octo payload (1 IoC)
  Processes:
    resource | yara_rule
    /data/user/0/com.portnightu/cache/rpgkkjmnowtrjdp | family_octo

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Processes: com.portnightu
    description | ioc | process
    Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.portnightu
    Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.portnightu

Prevents application removal (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to prevent removal.
  Processes: com.portnightu
    description | ioc | process
    Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.portnightu

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)

Requests accessing notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  Processes: com.portnightu
    description | ioc | process
    Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | com.portnightu

Requests modifying system settings (1 IoC)
  Processes: com.portnightu
    description | ioc | process
    Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | com.portnightu

Loads dropped Dex/Jar (1 TTP, 2 IoCs)
  Runs an executable file dropped to the device during analysis.
  Processes: com.portnightu
    ioc | pid | process
    /data/user/0/com.portnightu/cache/rpgkkjmnowtrjdp | 4891 | com.portnightu
    /data/user/0/com.portnightu/cache/rpgkkjmnowtrjdp | 4891 | com.portnightu

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Processes: com.portnightu
    description | ioc | process
    Framework service call | android.app.IActivityManager.setServiceForeground | com.portnightu

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  Processes: com.portnightu
    description | ioc | process
    Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.portnightu

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Acquires the wake lock (1 IoC)
  Processes: com.portnightu
    description | ioc | process
    Framework service call | android.os.IPowerManager.acquireWakeLock | com.portnightu

Reads information about the phone network operator (1 TTP)

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  Processes: com.portnightu
    description | ioc | process
    Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.portnightu

Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  Processes: com.portnightu
    description | ioc | process
    Framework API call | javax.crypto.Cipher.doFinal | com.portnightu
Processes

com.portnightu
- Makes use of the framework's Accessibility service
- Prevents application removal
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests modifying system settings.
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
Downloads

/data/user/0/com.portnightu/cache/oat/rpgkkjmnowtrjdp.cur.prof
  Filesize: 308B
  MD5: 74ca4a089472daf69ee80b927e822594
  SHA1: 60b9e17e25f5c4f8bab36b176b85da1265d03c16
  SHA256: dfd4e4af76159874cf7b19432baebefce0d3df3e2504ad73ba045ace9b04dca6
  SHA512: 663fdcce96abcd20ba71ca95c9b39e05d93244eda011c9a03714f1ca5ff0fce36cd4806f3bb166066b54210bbaae32d1c3f88a338954a10e7f2bbe4893117cc0

/data/user/0/com.portnightu/cache/rpgkkjmnowtrjdp
  Filesize: 449KB
  MD5: c4d91af24e4a3b926cca12b765db6425
  SHA1: 9ddbe60f004738c7e755e8863a5fe7dcfa57b82a
  SHA256: 408495c42c16e577ab01ea4fceb8881004ba5b0481a78e083a137055d3298d02
  SHA512: 43ce24fe234aeb6c9a794bf33d64b3fd113cd470a2ea2203e63604b4930961df3a3467cedc0229c2e40bc322d1575f42c0f1c96a2f72ed7ca1e6c18bbb0d4c0a