Analysis
- max time kernel: 179s
- max time network: 131s
- platform: android_x86
- resource: android-x86-arm-20240514-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
- submitted: 23-05-2024 22:03
Static task: static1
Behavioral task: behavioral1
- Sample: 426954e0a7644e35830b79367caefe01f3e7e365c0eb47313a11ed2e66eaf085.apk
- Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
- Sample: 426954e0a7644e35830b79367caefe01f3e7e365c0eb47313a11ed2e66eaf085.apk
- Resource: android-x64-arm64-20240514-en
General
- Target: 426954e0a7644e35830b79367caefe01f3e7e365c0eb47313a11ed2e66eaf085.apk
- Size: 541KB
- MD5: ad9f988e42064efd0f4d03ae235aa840
- SHA1: a1f6a009e09b1b7b87c086738651b90e40cdf6a0
- SHA256: 426954e0a7644e35830b79367caefe01f3e7e365c0eb47313a11ed2e66eaf085
- SHA512: eb8a1a9fcf83281a701d5d24bf1a74c4547e710775fc60af08dd23e0388771741bb08d1608843f9432994e6ce442c0923a3a03a2b3160e625e133a139de1598b
- SSDEEP: 12288:C5X+PS4Cmmw2ZOU5YqRE5ZXuhmxbpEtv5k3Mr8E7:sX94ARZ7yRhPxbeFom8M
Malware Config
Extracted
octo
https://jey6mjdyerh82k.online/NmFkZTc4YWM3ZTk2/
https://frewgewhy6fg.top/NmFkZTc4YWM3ZTk2/
https://54ggter6ujfgt.site/NmFkZTc4YWM3ZTk2/
https://kdehrweuybvfrer4.xyz/NmFkZTc4YWM3ZTk2/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
Processes:
resource: /data/data/com.songcuttme/cache/dyokgf
yara_rule: family_octo
-
Makes use of the framework's Accessibility service 4 TTPs 1 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Prevents application removal 1 TTPs 1 IoCs
Application may abuse the framework's APIs to prevent removal.
Processes:
com.songcuttme
description: Framework service call
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
process: com.songcuttme
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
Processes:
com.songcuttme
description: Intent action
ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS
process: com.songcuttme
-
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information that indicates whether the system is an emulator.
-
Checks memory information 2 TTPs 1 IoCs
Checks memory information that indicates whether the system is an emulator.
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
com.songcuttme
ioc: /data/user/0/com.songcuttme/cache/dyokgf, pid: 4217, process: com.songcuttme
ioc: /data/user/0/com.songcuttme/cache/dyokgf, pid: 4217, process: com.songcuttme
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
com.songcuttme
description: Framework service call
ioc: android.app.IActivityManager.setServiceForeground
process: com.songcuttme
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
Processes:
com.songcuttme
description: Framework service call
ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
process: com.songcuttme
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
com.songcuttme
description: Framework service call
ioc: android.app.IActivityManager.registerReceiver
process: com.songcuttme
-
Acquires the wake lock 1 IoCs
Processes:
com.songcuttme
description: Framework service call
ioc: android.os.IPowerManager.acquireWakeLock
process: com.songcuttme
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
Processes:
com.songcuttme
description: Intent action
ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
process: com.songcuttme
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
com.songcuttme
description: Framework API call
ioc: javax.crypto.Cipher.doFinal
process: com.songcuttme
Processes
-
com.songcuttme
- Makes use of the framework's Accessibility service
- Prevents application removal
- Removes its main activity from the application launcher
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Downloads
-
/data/data/com.songcuttme/cache/dyokgf
Filesize: 448KB
MD5: f8381cf8f86cec2fe023ef7c7ea1eef3
SHA1: 900d231469096258522fe835c3db86db626d8134
SHA256: c7ee41ba68b8e9b5a89223c6c47735cdde4ed8576b04c1d9f45e9f4e20232f5c
SHA512: 0e4c34efa8ee76023e42e81062f83d284e60b842d5029d1e2d7b4de6181edc1e4654fdda3fb50a3550d4e82c5298315b8cd5cb82f120f06c36f969cf7918269e
-
/data/data/com.songcuttme/cache/oat/dyokgf.cur.prof
Filesize: 461B
MD5: 275da2219f325eae580e1b8578a29f7d
SHA1: ca25029c11440287fd4ee9656675b7e36a86b11f
SHA256: 711c04967a5fc15a5caa43c22f83c1814bb84028bdd438ae8bafa5f317e17808
SHA512: b25abd4aa5a28fbaa94d75a251773c148adf21d8e22218e18daf81710797f3150321a8f6870945290fc8998fee30297fe134c0f30abab160208a8f8f9df2a835
-
/data/data/com.songcuttme/kl.txt
Filesize: 28B
MD5: 6311c3fd15588bb5c126e6c28ff5fffe
SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6
-
/data/data/com.songcuttme/kl.txt
Filesize: 73B
MD5: 73d80bb54e8f1663a3a2e87c3aeb3187
SHA1: e29e86bcf6cef04c8e6ddad6611f73ee7f492c66
SHA256: 9ada1a92cb15e6eae5560ebcc5e9e9fef92f1f0041c9301075ef19a9c1a64b50
SHA512: cf88b792277f7b91312b55fe5508217bf67b73d96cedd3ce527abdd63b31f00fe35f6e8994454d3b2e60e35d9422561e222e0300a1f2992f0d192ed38d892194
-
/data/data/com.songcuttme/kl.txt
Filesize: 237B
MD5: 2cb8877c5ab5c68c202246a4733cfc4c
SHA1: a207b013106d2bb6c6dcd9dcdeed097a48963447
SHA256: 70905b90f608cbf83e7a9590d0b13134b94eeb121a5b283ac9df2bda69271f60
SHA512: 2cb1b3e9f1d9b6416f18b6887aff6e96815da344f76fe2c7cf225e32fa97e64bbbdf78513ab5c7b3559051d68a8ec58584551b4ed2b8dfb49981a013d778a1c6
-
/data/data/com.songcuttme/kl.txt
Filesize: 54B
MD5: d7b6f387348ced5178fa3c1f7110f618
SHA1: c6f39c99c5a9ed76d291c02e732455cf02c3c720
SHA256: c66d4d0757cd8c9e8b3f6a537844a690e088173ed8dd8555ae3be77fea76de32
SHA512: 3522a88265eba3731530a913425af0a919e4992cb2cde6cedeb636e0573c9211df7219c171b6df42f28fa3b06ca51626b043f08ec629b545454c4152f8e1b972
-
/data/data/com.songcuttme/kl.txt
Filesize: 437B
MD5: 323ba8425678ad6664c9173cbc9e008c
SHA1: 58b9dc94d14961038b98f58e7db73c3fb8ff2d83
SHA256: 884f28a31c83f9de1d9d0b49c54637433afd48b50b8e8cafc0e3d667a85bf05d
SHA512: 640b23d6dc08da6642b790e4e24e2dca98d73b157ee339fcd21eaf5ca4d64b014de6f75e75d1ba1cd7ea9655123492ed531d3cfede6cfcca951a1fa40eb90f65