Analysis
-
max time kernel
178s -
max time network
136s -
platform
android_x64 -
resource
android-x64-20240514-en -
resource tags
android, arch:x64, arch:x86, image:android-x64-20240514-en, locale:en-us, os:android-10-x64, system -
submitted
19-05-2024 22:00
Static task
static1
Behavioral task
behavioral1
Sample
400d1dde99702a445e268843bd54a7fcc7659a80a8abd0abe95c950098a7d03a.apk
Resource
android-x86-arm-20240514-en
Behavioral task
behavioral2
Sample
400d1dde99702a445e268843bd54a7fcc7659a80a8abd0abe95c950098a7d03a.apk
Resource
android-x64-20240514-en
General
-
Target
400d1dde99702a445e268843bd54a7fcc7659a80a8abd0abe95c950098a7d03a.apk
-
Size
509KB
-
MD5
415a7fc313cd5cab0e6d716b4a6b77e3
-
SHA1
826b40506de7f9af6e2b2ec00b80d20cde8192d0
-
SHA256
400d1dde99702a445e268843bd54a7fcc7659a80a8abd0abe95c950098a7d03a
-
SHA512
49e329e8c420df1ec154d69d633d98d602948d74dc873434d2b76bbbaa225893a20f6102377cbc0751b26f8c3a69279f36e12d4ba6c65981f3d0f0a6c58d1b1f
-
SSDEEP
12288:vwDoqu0s7vIEFZLPck2Iz4efsRvh1o79XB:vwy0s7QEDKDAX
Malware Config
Extracted
octo
https://moneymaskalandd.shop/MmExODA3MDAzZjA5/
https://moneycsffhgm7.shop/MmExODA3MDAzZjA5/
https://moneycsasfasfh.com/MmExODA3MDAzZjA5/
https://moneycsasfasfh.net/MmExODA3MDAzZjA5/
https://2moneycsasfasfh.net/MmExODA3MDAzZjA5/
https://2moneycsasfasfh.com/MmExODA3MDAzZjA5/
https://3moneycsasfasfh.com/MmExODA3MDAzZjA5/
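As an added example (not code from the sandbox vendor, the malware, or this report), the Python below turns the extracted config into usable IoCs: it pulls the seven C2 hostnames, checks that every URL carries the same path segment and base64-decodes it (all seven share MmExODA3MDAzZjA5, which decodes to the ASCII string 2a1807003f09, a handy pivot key whatever the operator uses it for), matches a resolver log against the hosts including subdomains, and emits Suricata 5+ `dns.query` rules. The resolver log lines and the SID range starting at 9000001 are constructed assumptions.

```python
"""IoC tooling for the Octo config extracted above (added example)."""
import base64
import binascii
import re
from urllib.parse import urlsplit

# C2 URLs copied verbatim from "Malware Config / Extracted / octo".
OCTO_C2_URLS = [
    "https://moneymaskalandd.shop/MmExODA3MDAzZjA5/",
    "https://moneycsffhgm7.shop/MmExODA3MDAzZjA5/",
    "https://moneycsasfasfh.com/MmExODA3MDAzZjA5/",
    "https://moneycsasfasfh.net/MmExODA3MDAzZjA5/",
    "https://2moneycsasfasfh.net/MmExODA3MDAzZjA5/",
    "https://2moneycsasfasfh.com/MmExODA3MDAzZjA5/",
    "https://3moneycsasfasfh.com/MmExODA3MDAzZjA5/",
]


def extract_c2_hosts(urls):
    """Sorted, de-duplicated, lower-cased C2 hostnames from the config."""
    return sorted({urlsplit(u).hostname.lower() for u in urls})


def shared_path_tag(urls):
    """The one path segment every C2 URL shares, or None if they differ."""
    tags = {urlsplit(u).path.strip("/") for u in urls}
    return tags.pop() if len(tags) == 1 else None


def decode_tag(tag):
    """Base64-decode a path tag to printable ASCII; None if it is not base64."""
    try:
        raw = base64.b64decode(tag, validate=True)  # strict alphabet + padding
    except binascii.Error:
        return None
    text = raw.decode("ascii", errors="replace")
    return text if text.isprintable() else None


# Resolver log format is an assumption: "... name=<queried fqdn>".
_NAME_RE = re.compile(r"\bname=([A-Za-z0-9.-]+)")


def host_matches(queried, c2_hosts):
    """C2 host that `queried` equals or is a subdomain of, else None."""
    queried = queried.lower().rstrip(".")
    for h in c2_hosts:
        # Suffix match must include the dot: 2moneycsasfasfh.net is a
        # distinct C2 host, not a subdomain of moneycsasfasfh.net.
        if queried == h or queried.endswith("." + h):
            return h
    return None


def match_dns_log(lines, c2_hosts):
    """Return (line_no, queried_name, matched_c2_host) for every hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = _NAME_RE.search(line)
        if not m:
            continue
        hit = host_matches(m.group(1), c2_hosts)
        if hit:
            hits.append((n, m.group(1), hit))
    return hits


def suricata_dns_rules(c2_hosts, base_sid=9000001):
    """One Suricata 5+ dns.query rule per C2 host (SID range is assumed)."""
    return [
        'alert dns any any -> any any (msg:"Octo C2 DNS query %s"; '
        'dns.query; content:"%s"; nocase; sid:%d; rev:1;)' % (h, h, base_sid + i)
        for i, h in enumerate(c2_hosts)
    ]


# Constructed resolver log for demonstration; not taken from the report.
SAMPLE_DNS_LOG = [
    "2024-05-19T22:00:41Z client=10.0.0.23 query=A name=moneymaskalandd.shop",
    "2024-05-19T22:00:41Z client=10.0.0.23 query=A name=connectivitycheck.gstatic.com",
    "2024-05-19T22:00:58Z client=10.0.0.23 query=A name=api.moneycsasfasfh.net",
    "2024-05-19T22:01:12Z client=10.0.0.23 query=A name=example.com",
]

if __name__ == "__main__":
    hosts = extract_c2_hosts(OCTO_C2_URLS)
    tag = shared_path_tag(OCTO_C2_URLS)
    print("C2 hosts:", ", ".join(hosts))
    print("shared path tag:", tag, "->", decode_tag(tag))
    for n, name, c2 in match_dns_log(SAMPLE_DNS_LOG, hosts):
        print("line %d: %s matches C2 host %s" % (n, name, c2))
    print("\n".join(suricata_dns_rules(hosts)))
```

The suffix match deliberately requires a leading dot so that sibling domains such as 2moneycsasfasfh.net and moneycsasfasfh.net are matched only by exact equality; the rules are generated against the bare hostnames, so any subdomain the operator adds later is still caught at the resolver.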
Signatures
-
Octo
Octo is an Android banking malware family with remote access capabilities, first seen in April 2022.
-
Octo payload 1 IoCs
Processes:
resource | yara_rule
/data/data/com.sitstatef/cache/sibxeju | family_octo
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
com.sitstatef
description | ioc | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.sitstatef
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.sitstatef
Prevents application removal 1 TTPs 1 IoCs
Application may abuse the framework's APIs to prevent removal.
Processes:
com.sitstatef
description | ioc | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.sitstatef
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
com.sitstatef
ioc | pid | process
/data/user/0/com.sitstatef/cache/sibxeju | 5117 | com.sitstatef
/data/user/0/com.sitstatef/cache/sibxeju | 5117 | com.sitstatef
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
com.sitstatef
description | ioc | process
Framework service call | android.app.IActivityManager.setServiceForeground | com.sitstatef
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
Processes:
com.sitstatef
description | ioc | process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.sitstatef
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
com.sitstatef
description | ioc | process
Framework service call | android.app.IActivityManager.registerReceiver | com.sitstatef
Acquires the wake lock 1 IoCs
Processes:
com.sitstatef
description | ioc | process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.sitstatef
Reads information about phone network operator. 1 TTPs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
com.sitstatef
description | ioc | process
Framework API call | javax.crypto.Cipher.doFinal | com.sitstatef
Processes
-
com.sitstatef
- Makes use of the framework's Accessibility service
- Prevents application removal
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Downloads
-
/data/data/com.sitstatef/cache/oat/sibxeju.cur.prof
Filesize
479B
MD5
77a98d0cc18c88c963b004882702e62e
SHA1
572605c8a1d1f6d9fa0d156e552d495d9dce88f8
SHA256
28111c186f6e55d4edd7e4e91ffe16c2e01ff77bee5193879855b411f68b362e
SHA512
b7af1773d4ec0a2b3d38313a1a916bf82bd6c5730ddf42895d4d78ce2c97a136396eb78f0ed031c9645e0bcaf02d8f80fa06339c7e6f998bd569512d8996c2d5
-
/data/data/com.sitstatef/cache/sibxeju
Filesize
449KB
MD5
b7ae4559fca9c84a585e54654564bb4b
SHA1
cefc9fe2b197ab7a02ba50ed53906590cef6c621
SHA256
2304542d716738e70d89fef86abbff7959cecd592fa26c6db861f3f83da54dca
SHA512
0a07f78f80f28b0b9a4a7857253094f7eed52839fc4468061c5ffbb996e0ee6780569f525bdcc061efda0ccb3e5eccb817b45b1ea9a1f4cd778e576ab5ab175e