Analysis
max time kernel: 177s
max time network: 177s
platform: android_x64
resource: android-x64-20240514-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20240514-en, locale:en-us, os:android-10-x64, system
submitted: 19-05-2024 22:00
Static task: static1
Behavioral task: behavioral1
  Sample: 83c851c41d0e2efaf1c75fdb8073d53a5dbc78a79bf0fa100940656c09eb6cd5.apk
  Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
  Sample: 83c851c41d0e2efaf1c75fdb8073d53a5dbc78a79bf0fa100940656c09eb6cd5.apk
  Resource: android-x64-20240514-en
General
Target: 83c851c41d0e2efaf1c75fdb8073d53a5dbc78a79bf0fa100940656c09eb6cd5.apk
Size: 509KB
MD5: 4b633651db90b888064c6c25a0a5cbfd
SHA1: 5dd568bc6947c84801adecd47940119db8408404
SHA256: 83c851c41d0e2efaf1c75fdb8073d53a5dbc78a79bf0fa100940656c09eb6cd5
SHA512: b30ee60a1d03bc9bc03fb5099a5648f48e12d1ea8a2395b13f8344d9a6a65f54cf76839ad03fbfc3f8956cc6db07afa84b3ff8c13618962f95b6f0272ccf99ba
SSDEEP: 12288:7LZA4kznBtxmP/70UQfJe0CkNscmNkGfSA3aXmvf2jo6HTS9oolJ95:xeznBtxmHi+zkGqKaYf96H+9oAl
Malware Config
Extracted
Family: octo
C2:
  https://marabaragnarsyba.shop/MDM5OTk4ZjZkZjZl/
  https://marabarakaracadal3.shop/MDM5OTk4ZjZkZjZl/
  https://marabmabetderbana2.shop/MDM5OTk4ZjZkZjZl/
  https://marabarlartartan3.shop/MDM5OTk4ZjZkZjZl/
  https://marabatarakgelde.com/MDM5OTk4ZjZkZjZl/
  https://yaprakkanatlarda.shop/MDM5OTk4ZjZkZjZl/
  https://karacayaprakler.shop/MDM5OTk4ZjZkZjZl/
  https://hediyeverbana1.shop/MDM5OTk4ZjZkZjZl/
  https://mesafekalarak334.shop/MDM5OTk4ZjZkZjZl/
  https://karayamakasatda.shop/MDM5OTk4ZjZkZjZl/
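An added example (not part of the sandbox report and not the vendor's code) that turns the extracted C2 list into indicators a responder can act on: the hostnames for a DNS/proxy blocklist, the path token that all ten URLs share, and a URL matcher that also fires on that token under an unknown host, which is how a rotated C2 domain gets caught. The URLs are the ones listed above; the function names and the "reason" labels are this example's own.

```python
"""Added example: indicators from the extracted Octo C2 list above.
The URLs are copied from the report; everything else is this example's own."""
import base64
import binascii
from urllib.parse import urlparse

# C2 URLs exactly as the sandbox extracted them from the sample's config.
OCTO_C2 = [
    "https://marabaragnarsyba.shop/MDM5OTk4ZjZkZjZl/",
    "https://marabarakaracadal3.shop/MDM5OTk4ZjZkZjZl/",
    "https://marabmabetderbana2.shop/MDM5OTk4ZjZkZjZl/",
    "https://marabarlartartan3.shop/MDM5OTk4ZjZkZjZl/",
    "https://marabatarakgelde.com/MDM5OTk4ZjZkZjZl/",
    "https://yaprakkanatlarda.shop/MDM5OTk4ZjZkZjZl/",
    "https://karacayaprakler.shop/MDM5OTk4ZjZkZjZl/",
    "https://hediyeverbana1.shop/MDM5OTk4ZjZkZjZl/",
    "https://mesafekalarak334.shop/MDM5OTk4ZjZkZjZl/",
    "https://karayamakasatda.shop/MDM5OTk4ZjZkZjZl/",
]


def c2_hosts(urls=OCTO_C2):
    """Sorted, de-duplicated hostnames, ready for a DNS or proxy blocklist."""
    return sorted({urlparse(u).hostname for u in urls})


def first_path_segment(url):
    """First path segment of a URL ('' when the path is empty or '/')."""
    return urlparse(url).path.strip("/").split("/")[0]


def shared_path_token(urls=OCTO_C2):
    """The path token every C2 shares, or None if the URLs disagree.
    Check this before keying a detection on the token."""
    tokens = {first_path_segment(u) for u in urls}
    if len(tokens) == 1:
        return tokens.pop() or None
    return None


def decode_token(token):
    """Base64-decode the token (padding restored); None if it is not base64 text.
    For this sample the result is a 12-character hex string, which reads like a
    campaign/build identifier rather than random noise (an observation, not a
    documented Octo feature)."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        return raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def match_url(url, urls=OCTO_C2):
    """Reasons a URL from proxy/DNS logs matches this config: the host is a
    known C2 and/or its first path segment is the shared token. The token on
    an unknown host is the signal for a rotated domain."""
    reasons = set()
    if urlparse(url).hostname in set(c2_hosts(urls)):
        reasons.add("c2_host")
    token = shared_path_token(urls)
    if token and first_path_segment(url) == token:
        reasons.add("c2_path_token")
    return reasons


if __name__ == "__main__":
    print("hosts:", *c2_hosts(), sep="\n  ")
    tok = shared_path_token()
    print("shared token:", tok, "->", decode_token(tok))
    print("rotated-domain hit:", match_url("https://example.invalid/MDM5OTk4ZjZkZjZl/"))
```

Blocking the ten hosts is the cheap part; the path token is the more durable indicator, because Octo operators register fresh look-alike domains faster than blocklists update, while the per-campaign token tends to stay.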
Signatures
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
Octo payload 1 IoCs
Processes:
  resource | yara_rule
  /data/data/com.msmsyappeo/cache/emtbh | family_octo
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
  description | ioc | process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.msmsyappeo
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.msmsyappeo
Prevents application removal 1 TTPs 1 IoCs
Application may abuse the framework's APIs to prevent removal.
Processes:
  description | ioc | process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.msmsyappeo
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
  ioc | pid | process
  /data/user/0/com.msmsyappeo/cache/emtbh | 5241 | com.msmsyappeo
  /data/user/0/com.msmsyappeo/cache/emtbh | 5241 | com.msmsyappeo
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
  description | ioc | process
  Framework service call | android.app.IActivityManager.setServiceForeground | com.msmsyappeo
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
Processes:
  description | ioc | process
  Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.msmsyappeo
Queries the phone number (MSISDN for GSM devices) 1 TTPs
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
  description | ioc | process
  Framework service call | android.app.IActivityManager.registerReceiver | com.msmsyappeo
Acquires the wake lock 1 IoCs
Processes:
  description | ioc | process
  Framework service call | android.os.IPowerManager.acquireWakeLock | com.msmsyappeo
Reads information about phone network operator. 1 TTPs
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
  description | ioc | process
  Framework API call | javax.crypto.Cipher.doFinal | com.msmsyappeo
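An added example (not part of the sandbox report) that shows how the signatures above combine into a verdict: it maps the framework calls the report lists to the report's own signature names, treats execution of a file from an app's private cache/files directory as "Loads dropped Dex/Jar", and only flags a process once it shows enough of the strong behaviours (accessibility reading, removal prevention, foreground persistence, dropped-code loading). The trace lines are constructed in the report's IoC wording, the second "benign" process and the threshold are this example's own, and the weak/strong split is a triage heuristic, not a vendor scoring rule.

```python
"""Added example: triage a sandbox API trace against the Octo-style
signatures listed above. Call names and signature names come from the report;
the trace, the benign process and the threshold are constructed here."""
import re
from collections import defaultdict

ACCESSIBILITY = "Makes use of the framework's Accessibility service"
LOADS_DROPPED = "Loads dropped Dex/Jar"

# Framework service/API call (as named in the report's IoC rows) -> signature.
SIGNATURE_OF_CALL = {
    "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId": ACCESSIBILITY,
    "android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId": ACCESSIBILITY,
    "android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction": "Prevents application removal",
    "android.app.IActivityManager.setServiceForeground": "Makes use of the framework's foreground persistence service",
    "com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone": "Queries the mobile country code (MCC)",
    "android.app.IActivityManager.registerReceiver": "Registers a broadcast receiver at runtime",
    "android.os.IPowerManager.acquireWakeLock": "Acquires the wake lock",
    "javax.crypto.Cipher.doFinal": "Uses Crypto APIs",
}

# Behaviours that are routine in legitimate apps; they never flag on their own.
WEAK = {
    "Queries the mobile country code (MCC)",
    "Registers a broadcast receiver at runtime",
    "Acquires the wake lock",
    "Uses Crypto APIs",
}

CALL_RE = re.compile(r"^Framework (?:service|API) call (\S+) (\S+)$")
EXEC_RE = re.compile(r"^Runs executable file (\S+) (\d+) (\S+)$")
# Code executed out of an app-private cache/files directory (both /data/data
# and /data/user/<n> spellings, as the report itself uses both).
APP_PRIVATE_RE = re.compile(r"^/data/(?:data|user/\d+)/[\w.]+/(?:cache|files)/")


def triage(trace):
    """Map each process in the trace to the sorted list of signatures it triggers."""
    hits = defaultdict(set)
    for line in trace:
        line = line.strip()
        if (m := CALL_RE.match(line)):
            sig = SIGNATURE_OF_CALL.get(m.group(1))
            if sig:
                hits[m.group(2)].add(sig)
        elif (m := EXEC_RE.match(line)) and APP_PRIVATE_RE.match(m.group(1)):
            hits[m.group(3)].add(LOADS_DROPPED)
    return {proc: sorted(sigs) for proc, sigs in hits.items()}


def flagged(trace, min_strong=2):
    """Processes with at least `min_strong` non-WEAK signatures (threshold is an assumption)."""
    return sorted(p for p, sigs in triage(trace).items() if len(set(sigs) - WEAK) >= min_strong)


# Constructed trace in the report's IoC wording: the sample's process plus a
# made-up app that does only the housekeeping calls.
SAMPLE_TRACE = [
    "Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.msmsyappeo",
    "Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.msmsyappeo",
    "Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.msmsyappeo",
    "Runs executable file /data/user/0/com.msmsyappeo/cache/emtbh 5241 com.msmsyappeo",
    "Framework service call android.app.IActivityManager.setServiceForeground com.msmsyappeo",
    "Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.msmsyappeo",
    "Framework service call android.app.IActivityManager.registerReceiver com.msmsyappeo",
    "Framework service call android.os.IPowerManager.acquireWakeLock com.msmsyappeo",
    "Framework API call javax.crypto.Cipher.doFinal com.msmsyappeo",
    "Framework service call android.app.IActivityManager.registerReceiver com.example.notes",
    "Framework service call android.os.IPowerManager.acquireWakeLock com.example.notes",
    "Framework API call javax.crypto.Cipher.doFinal com.example.notes",
]

if __name__ == "__main__":
    for proc, sigs in triage(SAMPLE_TRACE).items():
        print(proc, "->", ", ".join(sigs))
    print("flagged:", flagged(SAMPLE_TRACE))
```

The point of the weak/strong split is that wake locks, receivers and Cipher.doFinal appear in almost every app; what makes this trace Octo-like is accessibility-node reading plus performGlobalAction (used to back out of the uninstall dialog) plus code loaded from the app's own cache.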
Processes
com.msmsyappeo (PID 5241)
- Makes use of the framework's Accessibility service
- Prevents application removal
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
Downloads
/data/data/com.msmsyappeo/cache/emtbh
  Filesize: 450KB
  MD5: f4125e3b6e6cdee1ae7eae45786559eb
  SHA1: 6855270dfa118a7ef05ffb8db810a23be407cba8
  SHA256: 94c82b07a25b6982fb15d812a9a4a9088974aeace423151c02c9e5285f685c54
  SHA512: 1ed81b8d3278fdf21fac277cc48e2b05574714ae4ca366545e61b74a77802795f715396379a31fbbdea5f46f1ef4ca4886c60faaf0e520d27c6845247f143dd2
/data/data/com.msmsyappeo/cache/oat/emtbh.cur.prof
  Filesize: 500B
  MD5: a57069af34fe595871ce65ac40631c77
  SHA1: e32e1d98eab688e281bbf1c3a1838787e9856d50
  SHA256: a2cda558ed751fe85c63b2f02ac9229d5154c523cbfb35029704fb73148e4945
  SHA512: 18c6cdb85234a78328bb2a55240b1788b80744e45be90956426bdcc71c612ff33ff30a16e45226d881a3e6bebea45a0a11c1ef91bbfcf4646595f719ac152587