Analysis
max time kernel: 179s
max time network: 145s
platform: android_x64
resource: android-x64-arm64-20240514-en
resource tags: android arch:arm arch:arm64 arch:x64 arch:x86 image:android-x64-arm64-20240514-en locale:en-us os:android-11-x64 system
submitted: 23-05-2024 22:03
Static task: static1
Behavioral task: behavioral1
Sample: 426954e0a7644e35830b79367caefe01f3e7e365c0eb47313a11ed2e66eaf085.apk
Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
Sample: 426954e0a7644e35830b79367caefe01f3e7e365c0eb47313a11ed2e66eaf085.apk
Resource: android-x64-arm64-20240514-en
General
Target: 426954e0a7644e35830b79367caefe01f3e7e365c0eb47313a11ed2e66eaf085.apk
Size: 541KB
MD5: ad9f988e42064efd0f4d03ae235aa840
SHA1: a1f6a009e09b1b7b87c086738651b90e40cdf6a0
SHA256: 426954e0a7644e35830b79367caefe01f3e7e365c0eb47313a11ed2e66eaf085
SHA512: eb8a1a9fcf83281a701d5d24bf1a74c4547e710775fc60af08dd23e0388771741bb08d1608843f9432994e6ce442c0923a3a03a2b3160e625e133a139de1598b
SSDEEP: 12288:C5X+PS4Cmmw2ZOU5YqRE5ZXuhmxbpEtv5k3Mr8E7:sX94ARZ7yRhPxbeFom8M
Malware Config
Extracted
octo
https://jey6mjdyerh82k.online/NmFkZTc4YWM3ZTk2/
https://frewgewhy6fg.top/NmFkZTc4YWM3ZTk2/
https://54ggter6ujfgt.site/NmFkZTc4YWM3ZTk2/
https://kdehrweuybvfrer4.xyz/NmFkZTc4YWM3ZTk2/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
Processes:
resource: /data/user/0/com.songcuttme/cache/dyokgf
yara_rule: family_octo
Makes use of the framework's Accessibility service 4 TTPs 1 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Prevents application removal 1 TTPs 1 IoCs
Application may abuse the framework's APIs to prevent removal.
Processes: com.songcuttme
description: Framework service call
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
process: com.songcuttme
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
Processes: com.songcuttme
description: Intent action
ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS
process: com.songcuttme
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information that indicates whether the system is an emulator.
-
Checks memory information 2 TTPs 1 IoCs
Checks memory information that indicates whether the system is an emulator.
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Processes: com.songcuttme
ioc: /data/user/0/com.songcuttme/cache/dyokgf, pid: 4658, process: com.songcuttme
ioc: /data/user/0/com.songcuttme/cache/dyokgf, pid: 4658, process: com.songcuttme
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes: com.songcuttme
description: Framework service call
ioc: android.app.IActivityManager.setServiceForeground
process: com.songcuttme
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
Processes: com.songcuttme
description: Framework service call
ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
process: com.songcuttme
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
Processes: com.songcuttme
description: Framework service call
ioc: android.os.IPowerManager.acquireWakeLock
process: com.songcuttme
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
Processes: com.songcuttme
description: Intent action
ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
process: com.songcuttme
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes: com.songcuttme
description: Framework API call
ioc: javax.crypto.Cipher.doFinal
process: com.songcuttme
Processes
-
com.songcuttme
- Makes use of the framework's Accessibility service
- Prevents application removal
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Downloads
-
/data/user/0/com.songcuttme/cache/dyokgf
Filesize: 448KB
MD5: f8381cf8f86cec2fe023ef7c7ea1eef3
SHA1: 900d231469096258522fe835c3db86db626d8134
SHA256: c7ee41ba68b8e9b5a89223c6c47735cdde4ed8576b04c1d9f45e9f4e20232f5c
SHA512: 0e4c34efa8ee76023e42e81062f83d284e60b842d5029d1e2d7b4de6181edc1e4654fdda3fb50a3550d4e82c5298315b8cd5cb82f120f06c36f969cf7918269e
-
/data/user/0/com.songcuttme/cache/oat/dyokgf.cur.prof
Filesize: 316B
MD5: da74e2da32506d5db72fe18c82b19f04
SHA1: a1f44e487d0a164020ea27a45f445131cb8e984a
SHA256: bd28bca59ae341d111607982bbcd8cff81a9f91bcd4e4d24c47af27b260b36d4
SHA512: 727a97a50c403a18d797fd3e9d6fb3d442965299d9e6c5f8b033fd289417dacdaa5cca059c7dac5b85aa005892a9a3c3e1bab995b904f4d81d6e613a9ae1943b
-
/data/user/0/com.songcuttme/kl.txt
Filesize: 28B
MD5: 6311c3fd15588bb5c126e6c28ff5fffe
SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6
-
/data/user/0/com.songcuttme/kl.txt
Filesize: 69B
MD5: a26d623c626780f04b1e2036f687c371
SHA1: d51d80aefc09c777162d369aa42a1cfc1831f722
SHA256: c8d374f99b3c2ab8ef59bc766067ac31b0cbfc450cadb857fc228d263f4709e5
SHA512: a4c0c50787a7c8ee134ae3362619df53dcf7e452f7ed4cc0603e6c57079fb67bfc8a3dec5683b51409ad8d311e60bec3767d4ff2816061ba5979acef2bcaaa0f
-
/data/user/0/com.songcuttme/kl.txt
Filesize: 237B
MD5: 836697af65b404d908a176be160632f1
SHA1: 3a626c9b76cd6923201166eae158b764c643aa16
SHA256: 77373b9eb1f1d6428e14f91c5e01d33afda408f9ae27105716d31ba7deca0c1c
SHA512: f899fee5d9e449b8363d0462f300bd46f8e349b8ea5a52063c99f172db14e500604c3cbfe528648084f52986fd00b9310feb52633817f9510cd3cacfb53b218e
-
/data/user/0/com.songcuttme/kl.txt
Filesize: 45B
MD5: 4d2516b2b5bf6f9c26ec082f82bcfddd
SHA1: 312e601f8bc3d53811e97cc7ef7e995fead37268
SHA256: ffdf50205ff11ed4eeae3227ee0effeca57a63cff2ca106203a670365d0a4151
SHA512: 7304053ad1dd3efd5f35fc5d314f072bf55eba4269b9303bfdda4ceb37f8a0d195e4743dafd9a30d0038b1b0ae4827b3978f1ae38e9cc81848d43be200edfaa8
-
/data/user/0/com.songcuttme/kl.txt
Filesize: 75B
MD5: e1edf3d728e8c6ae6aa07e22d7755e2f
SHA1: 18e241109d231d6641f219de44c5642851e6419e
SHA256: 904bd317c05b0444504e08dcc0834b9cf10b59f507d3d458eb4e00db115af2b6
SHA512: 19957f26821a15fbc40b7767867ea6ad54dfc07b1e8440b1d782c4d72cff1fbae0929aaa8eea5946fbea8a9013519598c5ec0dff9a4dbfee742b6c62849c31e9