Analysis

  • max time kernel
    152s
  • max time network
    156s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240506-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240506-enlocale:en-usos:android-11-x64system
  • submitted
    09-05-2024 22:01

General

  • Target

    23a78510f80cbf49012fb6093b484e7651cc13f20efc08f2e8a7ec84a75793a0.apk

  • Size

    509KB

  • MD5

    b1b37e25084c81c627b5f03d56cd8bb1

  • SHA1

    ac57bed54205b8a50c4806759abfda2e2ebefa23

  • SHA256

    23a78510f80cbf49012fb6093b484e7651cc13f20efc08f2e8a7ec84a75793a0

  • SHA512

    6dcdc56c08b0185d2a4df615f0b6229ae16b2dd5fef1c3cc8b629d4f5dcd4d9d1f7914350c907327c779111e85e721f66ef8e613ad86f7bd3433fa424be9f88a

  • SSDEEP

    12288:REjQYPfqf5eFsAvbp2Vo35kJu9LaaWe6X/I0nb:REsYSeFhYVe5VDdR0nb

Malware Config

Extracted

Family

octo

C2

https://moneyeuroland.net/MmI1M2ZiMGRmODEy/

https://moneyeuroland7.com/MmI1M2ZiMGRmODEy/

https://moneyeuroland.com/MmI1M2ZiMGRmODEy/

https://moneyeurolandcamp.net/MmI1M2ZiMGRmODEy/

https://2moneyeuroland.net/MmI1M2ZiMGRmODEy/

https://2moneyeuroland.com/MmI1M2ZiMGRmODEy/

https://3moneyeuroland.com/MmI1M2ZiMGRmODEy/

AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Prevents application removal 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to prevent removal.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.portnightu
    1⤵
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests modifying system settings.
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4891

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/user/0/com.portnightu/cache/oat/rpgkkjmnowtrjdp.cur.prof
    Filesize

    308B

    MD5

    74ca4a089472daf69ee80b927e822594

    SHA1

    60b9e17e25f5c4f8bab36b176b85da1265d03c16

    SHA256

    dfd4e4af76159874cf7b19432baebefce0d3df3e2504ad73ba045ace9b04dca6

    SHA512

    663fdcce96abcd20ba71ca95c9b39e05d93244eda011c9a03714f1ca5ff0fce36cd4806f3bb166066b54210bbaae32d1c3f88a338954a10e7f2bbe4893117cc0

  • /data/user/0/com.portnightu/cache/rpgkkjmnowtrjdp
    Filesize

    449KB

    MD5

    c4d91af24e4a3b926cca12b765db6425

    SHA1

    9ddbe60f004738c7e755e8863a5fe7dcfa57b82a

    SHA256

    408495c42c16e577ab01ea4fceb8881004ba5b0481a78e083a137055d3298d02

    SHA512

    43ce24fe234aeb6c9a794bf33d64b3fd113cd470a2ea2203e63604b4930961df3a3467cedc0229c2e40bc322d1575f42c0f1c96a2f72ed7ca1e6c18bbb0d4c0a