Analysis

  • max time kernel: 178s
  • max time network: 136s
  • platform: android_x64
  • resource: android-x64-20240514-en
  • resource tags: android, arch:x64, arch:x86, image:android-x64-20240514-en, locale:en-us, os:android-10-x64, system
  • submitted: 19-05-2024 22:00

General

  • Target: 400d1dde99702a445e268843bd54a7fcc7659a80a8abd0abe95c950098a7d03a.apk
  • Size: 509KB
  • MD5: 415a7fc313cd5cab0e6d716b4a6b77e3
  • SHA1: 826b40506de7f9af6e2b2ec00b80d20cde8192d0
  • SHA256: 400d1dde99702a445e268843bd54a7fcc7659a80a8abd0abe95c950098a7d03a
  • SHA512: 49e329e8c420df1ec154d69d633d98d602948d74dc873434d2b76bbbaa225893a20f6102377cbc0751b26f8c3a69279f36e12d4ba6c65981f3d0f0a6c58d1b1f
  • SSDEEP: 12288:vwDoqu0s7vIEFZLPck2Iz4efsRvh1o79XB:vwy0s7QEDKDAX

Malware Config

Extracted

  • Family: octo
  • C2:
    • https://moneymaskalandd.shop/MmExODA3MDAzZjA5/
    • https://moneycsffhgm7.shop/MmExODA3MDAzZjA5/
    • https://moneycsasfasfh.com/MmExODA3MDAzZjA5/
    • https://moneycsasfasfh.net/MmExODA3MDAzZjA5/
    • https://2moneycsasfasfh.net/MmExODA3MDAzZjA5/
    • https://2moneycsasfasfh.com/MmExODA3MDAzZjA5/
    • https://3moneycsasfasfh.com/MmExODA3MDAzZjA5/
  • AES_key:

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload (1 IoC)
  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Prevents application removal (1 TTP, 1 IoC)

    Application may abuse the framework's APIs to prevent removal.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Acquires the wake lock (1 IoC)
  • Reads information about phone network operator (1 TTP)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)

Processes

  • com.sitstatef (PID 5117)
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Acquires the wake lock
    • Uses Crypto APIs (might try to encrypt user data)


Downloads

  • /data/data/com.sitstatef/cache/oat/sibxeju.cur.prof
    • Filesize: 479B
    • MD5: 77a98d0cc18c88c963b004882702e62e
    • SHA1: 572605c8a1d1f6d9fa0d156e552d495d9dce88f8
    • SHA256: 28111c186f6e55d4edd7e4e91ffe16c2e01ff77bee5193879855b411f68b362e
    • SHA512: b7af1773d4ec0a2b3d38313a1a916bf82bd6c5730ddf42895d4d78ce2c97a136396eb78f0ed031c9645e0bcaf02d8f80fa06339c7e6f998bd569512d8996c2d5

  • /data/data/com.sitstatef/cache/sibxeju
    • Filesize: 449KB
    • MD5: b7ae4559fca9c84a585e54654564bb4b
    • SHA1: cefc9fe2b197ab7a02ba50ed53906590cef6c621
    • SHA256: 2304542d716738e70d89fef86abbff7959cecd592fa26c6db861f3f83da54dca
    • SHA512: 0a07f78f80f28b0b9a4a7857253094f7eed52839fc4468061c5ffbb996e0ee6780569f525bdcc061efda0ccb3e5eccb817b45b1ea9a1f4cd778e576ab5ab175e