Analysis

  • max time kernel: 179s
  • max time network: 145s
  • platform: android_x64
  • resource: android-x64-arm64-20240514-en
  • resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240514-en, locale:en-us, os:android-11-x64, system
  • submitted: 23-05-2024 22:03

General

  • Target: 426954e0a7644e35830b79367caefe01f3e7e365c0eb47313a11ed2e66eaf085.apk
  • Size: 541KB
  • MD5: ad9f988e42064efd0f4d03ae235aa840
  • SHA1: a1f6a009e09b1b7b87c086738651b90e40cdf6a0
  • SHA256: 426954e0a7644e35830b79367caefe01f3e7e365c0eb47313a11ed2e66eaf085
  • SHA512: eb8a1a9fcf83281a701d5d24bf1a74c4547e710775fc60af08dd23e0388771741bb08d1608843f9432994e6ce442c0923a3a03a2b3160e625e133a139de1598b
  • SSDEEP: 12288:C5X+PS4Cmmw2ZOU5YqRE5ZXuhmxbpEtv5k3Mr8E7:sX94ARZ7yRhPxbeFom8M

Malware Config

Extracted

  • Family: octo
  • C2:
    • https://jey6mjdyerh82k.online/NmFkZTc4YWM3ZTk2/
    • https://frewgewhy6fg.top/NmFkZTc4YWM3ZTk2/
    • https://54ggter6ujfgt.site/NmFkZTc4YWM3ZTk2/
    • https://kdehrweuybvfrer4.xyz/NmFkZTc4YWM3ZTk2/
  • AES_key:

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities, first seen in April 2022.

  • Octo payload (1 IoCs)
  • Makes use of the framework's Accessibility service (4 TTPs, 1 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Prevents application removal (1 TTPs, 1 IoCs)

    Application may abuse the framework's APIs to prevent removal.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)
  • Requests access to notifications (often used to intercept notifications before users become aware) (1 TTPs, 1 IoCs)
  • Checks CPU information (2 TTPs, 1 IoCs)

    Checks CPU information which indicates whether the system is an emulator.

  • Checks memory information (2 TTPs, 1 IoCs)

    Checks memory information which indicates whether the system is an emulator.

  • Loads dropped Dex/Jar (1 TTPs, 2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  • Queries the phone number (MSISDN for GSM devices) (1 TTPs)
  • Acquires the wake lock (1 IoCs)
  • Reads information about the phone network operator (1 TTPs)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTPs, 1 IoCs)

Processes

  • com.songcuttme (PID: 4658)
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Requests access to notifications (often used to intercept notifications before users become aware)
    • Checks CPU information
    • Checks memory information
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Obtains sensitive information copied to the device clipboard
    • Queries the mobile country code (MCC)
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Uses Crypto APIs (might try to encrypt user data)

Network

MITRE ATT&CK Matrix


Downloads

  • /data/user/0/com.songcuttme/cache/dyokgf
    Filesize: 448KB
    MD5: f8381cf8f86cec2fe023ef7c7ea1eef3
    SHA1: 900d231469096258522fe835c3db86db626d8134
    SHA256: c7ee41ba68b8e9b5a89223c6c47735cdde4ed8576b04c1d9f45e9f4e20232f5c
    SHA512: 0e4c34efa8ee76023e42e81062f83d284e60b842d5029d1e2d7b4de6181edc1e4654fdda3fb50a3550d4e82c5298315b8cd5cb82f120f06c36f969cf7918269e

  • /data/user/0/com.songcuttme/cache/oat/dyokgf.cur.prof
    Filesize: 316B
    MD5: da74e2da32506d5db72fe18c82b19f04
    SHA1: a1f44e487d0a164020ea27a45f445131cb8e984a
    SHA256: bd28bca59ae341d111607982bbcd8cff81a9f91bcd4e4d24c47af27b260b36d4
    SHA512: 727a97a50c403a18d797fd3e9d6fb3d442965299d9e6c5f8b033fd289417dacdaa5cca059c7dac5b85aa005892a9a3c3e1bab995b904f4d81d6e613a9ae1943b

  • /data/user/0/com.songcuttme/kl.txt
    Filesize: 28B
    MD5: 6311c3fd15588bb5c126e6c28ff5fffe
    SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
    SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
    SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/user/0/com.songcuttme/kl.txt
    Filesize: 69B
    MD5: a26d623c626780f04b1e2036f687c371
    SHA1: d51d80aefc09c777162d369aa42a1cfc1831f722
    SHA256: c8d374f99b3c2ab8ef59bc766067ac31b0cbfc450cadb857fc228d263f4709e5
    SHA512: a4c0c50787a7c8ee134ae3362619df53dcf7e452f7ed4cc0603e6c57079fb67bfc8a3dec5683b51409ad8d311e60bec3767d4ff2816061ba5979acef2bcaaa0f

  • /data/user/0/com.songcuttme/kl.txt
    Filesize: 237B
    MD5: 836697af65b404d908a176be160632f1
    SHA1: 3a626c9b76cd6923201166eae158b764c643aa16
    SHA256: 77373b9eb1f1d6428e14f91c5e01d33afda408f9ae27105716d31ba7deca0c1c
    SHA512: f899fee5d9e449b8363d0462f300bd46f8e349b8ea5a52063c99f172db14e500604c3cbfe528648084f52986fd00b9310feb52633817f9510cd3cacfb53b218e

  • /data/user/0/com.songcuttme/kl.txt
    Filesize: 45B
    MD5: 4d2516b2b5bf6f9c26ec082f82bcfddd
    SHA1: 312e601f8bc3d53811e97cc7ef7e995fead37268
    SHA256: ffdf50205ff11ed4eeae3227ee0effeca57a63cff2ca106203a670365d0a4151
    SHA512: 7304053ad1dd3efd5f35fc5d314f072bf55eba4269b9303bfdda4ceb37f8a0d195e4743dafd9a30d0038b1b0ae4827b3978f1ae38e9cc81848d43be200edfaa8

  • /data/user/0/com.songcuttme/kl.txt
    Filesize: 75B
    MD5: e1edf3d728e8c6ae6aa07e22d7755e2f
    SHA1: 18e241109d231d6641f219de44c5642851e6419e
    SHA256: 904bd317c05b0444504e08dcc0834b9cf10b59f507d3d458eb4e00db115af2b6
    SHA512: 19957f26821a15fbc40b7767867ea6ad54dfc07b1e8440b1d782c4d72cff1fbae0929aaa8eea5946fbea8a9013519598c5ec0dff9a4dbfee742b6c62849c31e9