Analysis
-
max time kernel
47s -
max time network
168s -
platform
android_x86 -
resource
android-x86-arm-20240514-en -
resource tags
-
submitted
28-05-2024 22:00
General
-
Target
18882d9ff21a7417191421fc22bdf461d5f6f9060e947ec1030ce029476d0f3f.apk
-
Size
541KB
-
MD5
268c6c6c8a217ec870bd78cb32eb9730
-
SHA1
7de0c2c6da5fd0af39000a6ff428d4a9593ded92
-
SHA256
18882d9ff21a7417191421fc22bdf461d5f6f9060e947ec1030ce029476d0f3f
-
SHA512
567c311acbff7a1cba4321e32f198ce19a8543ab1de470a866c05be86eaa70ce0d511b1bd182dc6864369781f5f304d329074997f6688eb78b5677a8cecf6334
-
SSDEEP
12288:kmqQ6+73E9Ai6E3W6CbkuqDpGBcZvHjBuMRH7JG0/B6CinK:km0+7U9AWW6u4FGBOBuC7JbECinK
Malware Config
Extracted
octo
https://moneyeuroland.net/MmI1M2ZiMGRmODEy/
https://moneyeurolandbebek.net/MmI1M2ZiMGRmODEy/
https://moneyeurolandscans.net/MmI1M2ZiMGRmODEy/
https://moneyeurolanddelicim.net/MmI1M2ZiMGRmODEy/
https://moneyeurolandbabis.net/MmI1M2ZiMGRmODEy/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Prevents application removal 1 TTPs 1 IoCs
Application may abuse the framework's APIs to prevent removal.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Removes its main activity from the application launcher 1 TTPs 1 IoCs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
-
Acquires the wake lock 1 IoCs
-
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.moveyear211⤵
- Makes use of the framework's Accessibility service
- Prevents application removal
- Removes its main activity from the application launcher
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests modifying system settings.
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/com.moveyear21/cache/oxolywjtcrxmiFilesize
449KB
MD5b96988409895ed2bc8f56c302402e13c
SHA13afc2148a0435a8352c4196d8109b853abd2385c
SHA25617aa860aee29ec109c3402b5fd65886d5cab9b4246cc6b8b7dbf484ff72eecc4
SHA512e253c8b8dbdbff663e775f6da3f74e57a25c6f74ac4906a9fae3c743bcb613f077bdbb3fff53fbe7eecea8c2ad19ec68ce58adbc793eaae86a25aea617382e6f