Analysis
max time kernel: 179s
max time network: 130s
platform: android_x86
resource: android-x86-arm-20240514-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
submitted: 19-05-2024 22:00
Static task: static1
Behavioral task: behavioral1
  Sample: 400d1dde99702a445e268843bd54a7fcc7659a80a8abd0abe95c950098a7d03a.apk
  Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
  Sample: 400d1dde99702a445e268843bd54a7fcc7659a80a8abd0abe95c950098a7d03a.apk
  Resource: android-x64-20240514-en
General
Target: 400d1dde99702a445e268843bd54a7fcc7659a80a8abd0abe95c950098a7d03a.apk
Size: 509KB
MD5: 415a7fc313cd5cab0e6d716b4a6b77e3
SHA1: 826b40506de7f9af6e2b2ec00b80d20cde8192d0
SHA256: 400d1dde99702a445e268843bd54a7fcc7659a80a8abd0abe95c950098a7d03a
SHA512: 49e329e8c420df1ec154d69d633d98d602948d74dc873434d2b76bbbaa225893a20f6102377cbc0751b26f8c3a69279f36e12d4ba6c65981f3d0f0a6c58d1b1f
SSDEEP: 12288:vwDoqu0s7vIEFZLPck2Iz4efsRvh1o79XB:vwy0s7QEDKDAX
Malware Config
Extracted family: octo (C2 URL list)
Signatures
Octo
Octo is a banking malware with remote access capabilities, first seen in April 2022.
Octo payload (1 IoC)
Processes:
resource | yara_rule
/data/data/com.sitstatef/cache/sibxeju | family_octo
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes: com.sitstatef
description | ioc | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.sitstatef
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.sitstatef
Prevents application removal (1 TTP, 1 IoC)
Application may abuse the framework's APIs to prevent removal.
Processes: com.sitstatef
description | ioc | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.sitstatef
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
Requests accessing notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
Processes: com.sitstatef
description | ioc | process
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | com.sitstatef
Requests modifying system settings (1 IoC)
Processes: com.sitstatef
description | ioc | process
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | com.sitstatef
Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs executable file dropped to the device during analysis.
Processes: com.sitstatef
ioc | pid | process
/data/user/0/com.sitstatef/cache/sibxeju | 4333 | com.sitstatef
/data/user/0/com.sitstatef/cache/sibxeju | 4333 | com.sitstatef
Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes: com.sitstatef
description | ioc | process
Framework service call | android.app.IActivityManager.setServiceForeground | com.sitstatef
Queries the mobile country code (MCC) (1 TTP, 1 IoC)
Processes: com.sitstatef
description | ioc | process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.sitstatef
Queries the phone number (MSISDN for GSM devices) (1 TTP)
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
Processes: com.sitstatef
description | ioc | process
Framework service call | android.app.IActivityManager.registerReceiver | com.sitstatef
Acquires the wake lock (1 IoC)
Processes: com.sitstatef
description | ioc | process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.sitstatef
Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
Processes: com.sitstatef
description | ioc | process
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.sitstatef
Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
Processes: com.sitstatef
description | ioc | process
Framework API call | javax.crypto.Cipher.doFinal | com.sitstatef
Processes
com.sitstatef
- Makes use of the framework's Accessibility service
- Prevents application removal
- Removes its main activity from the application launcher
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests modifying system settings.
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
Downloads
/data/data/com.sitstatef/cache/oat/sibxeju.cur.prof
Filesize: 488B
MD5: 602fdb112c861ba00ceb86d47d4bc44b
SHA1: 999a8e7404b50a559a3dd5d016e0772fcc2c211f
SHA256: 357c140addd6cd4e6e849aea5a76800c1bec90d98e43daecdd382da23fa81565
SHA512: ceff0e0c0cb984e9ddee61b1ac1a66c2b39558ac604b7eda75d804f301be941a152566e983b12d0b8453cdabcaba1bbfa028d6e6d28a91bd71067763da00b421
/data/data/com.sitstatef/cache/sibxeju
Filesize: 449KB
MD5: b7ae4559fca9c84a585e54654564bb4b
SHA1: cefc9fe2b197ab7a02ba50ed53906590cef6c621
SHA256: 2304542d716738e70d89fef86abbff7959cecd592fa26c6db861f3f83da54dca
SHA512: 0a07f78f80f28b0b9a4a7857253094f7eed52839fc4468061c5ffbb996e0ee6780569f525bdcc061efda0ccb3e5eccb817b45b1ea9a1f4cd778e576ab5ab175e