Analysis
-
max time kernel
179s -
max time network
187s -
platform
android_x64 -
resource
android-x64-arm64-20240514-en -
resource tags
androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240514-enlocale:en-usos:android-11-x64system -
submitted
28-05-2024 22:00
Static task
static1
Behavioral task
behavioral1
Sample
9d1ce9b45a92e764359b87cfa6c882242ed6a0402a56f24832d60cbd88337459.apk
Resource
android-x86-arm-20240514-en
Behavioral task
behavioral2
Sample
9d1ce9b45a92e764359b87cfa6c882242ed6a0402a56f24832d60cbd88337459.apk
Resource
android-x64-arm64-20240514-en
General
-
Target
9d1ce9b45a92e764359b87cfa6c882242ed6a0402a56f24832d60cbd88337459.apk
-
Size
537KB
-
MD5
2649c55dd38707ed353261b54ca0630b
-
SHA1
0e7d650230e4e8cba2006f4cbcd106733d9e9804
-
SHA256
9d1ce9b45a92e764359b87cfa6c882242ed6a0402a56f24832d60cbd88337459
-
SHA512
3de4d7db22a4201923ddc4d7f0063c0d34beb2a9bbf7d49900f0694f9536642e77ff3bcb2a1a75a713e50ea3717aaadb6de7f012b4431592f8cd5206c3807256
-
SSDEEP
12288:ZhOTOE68iehj1VuNJbFMnF/ZaDLtt/qW5YZPn5R:ZCHfiEuTuBaDJpqFlnX
Malware Config
Extracted
octo
https://94.232.249.36/MmE0ODdiNjkyNzdi/
https://89divos.art/MmE0ODdiNjkyNzdi/
https://89divos.tech/MmE0ODdiNjkyNzdi/
https://89divos.shop/MmE0ODdiNjkyNzdi/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
Processes:
resource yara_rule /data/user/0/com.whateverwhatever/cache/ntygrhadjbuptz family_octo -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
com.whateverwhateverdescription ioc process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.whateverwhatever Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.whateverwhatever -
Prevents application removal 1 TTPs 1 IoCs
Application may abuse the framework's APIs to prevent removal.
Processes:
com.whateverwhateverdescription ioc process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.whateverwhatever -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
Processes:
com.whateverwhateverdescription ioc process Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.whateverwhatever -
Requests modifying system settings. 1 IoCs
Processes:
com.whateverwhateverdescription ioc process Intent action android.settings.action.MANAGE_WRITE_SETTINGS com.whateverwhatever -
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
-
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
com.whateverwhateverioc pid process /data/user/0/com.whateverwhatever/cache/ntygrhadjbuptz 4652 com.whateverwhatever /data/user/0/com.whateverwhatever/cache/ntygrhadjbuptz 4652 com.whateverwhatever -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
com.whateverwhateverdescription ioc process Framework service call android.app.IActivityManager.setServiceForeground com.whateverwhatever -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
Processes:
com.whateverwhateverdescription ioc process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.whateverwhatever -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
Processes:
com.whateverwhateverdescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock com.whateverwhatever -
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
Processes:
com.whateverwhateverdescription ioc process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.whateverwhatever -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
com.whateverwhateverdescription ioc process Framework API call javax.crypto.Cipher.doFinal com.whateverwhatever
Processes
-
com.whateverwhatever1⤵
- Makes use of the framework's Accessibility service
- Prevents application removal
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests modifying system settings.
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/user/0/com.whateverwhatever/cache/ntygrhadjbuptzFilesize
477KB
MD565cb593886751d7394957a9da951aaf8
SHA164eedc22cbde9f912d227744f9ebe6b8e6f638f8
SHA2568a6242f184ede2ac58585af93dc550c4b7a824570bc881222afa5071fb50d4bf
SHA51213ab53b5c34be5e6a0aa93ee6d8761d8797d1626a9005c2ede2e23547daec56a58902e8e87e13ae7e4540618abbff5857233c7bfdc0601aeeabe263fc46e3766
-
/data/user/0/com.whateverwhatever/cache/oat/ntygrhadjbuptz.cur.profFilesize
340B
MD5b4433dce4ad1ef58f622d67702448941
SHA1f06abc8ed949e6732a7babd1990ed48156b6ac86
SHA2566ecc81ecef1e1071978029d78235094c9b690c9a9bc47378ccbb8da3a5e6addf
SHA512a696bed2c18b0ff36109b6b04f257b067e8407cffa0c87d8537253d42bb460907a9e0431412175014b6106d6211e85da52e3ffb9dc4197cc4e2dc4260d4e690e
-
/data/user/0/com.whateverwhatever/kl.txtFilesize
28B
MD56311c3fd15588bb5c126e6c28ff5fffe
SHA1ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA2568b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA5122975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6
-
/data/user/0/com.whateverwhatever/kl.txtFilesize
237B
MD5da88236c888f6e9b1424bfd7bd570ba8
SHA164329dce7024897193415517f9954ee40e09c16d
SHA256d78029b486c91961b25143da2aa5fd464e8de1369727a9b521660db073a455f9
SHA51222a0e4260d4badfa9765f0a5825bbc703037a5b58f43f60b57f9d71175c640d914e1e0465e1e09565b2791d9c9ef99913f4389a751461f6c65d08405eac3398f
-
/data/user/0/com.whateverwhatever/kl.txtFilesize
63B
MD530203167a30b41318383750bf328e43d
SHA15cf9baa5c8aa75e41d5b93a6dbadbc652a185071
SHA2567289a152185f214397299479c2625d6588d87aad597986ba34f6cebc22c1d816
SHA512c3c526e9680053ff5f04108b52e021b4e0371d1d9c45e7cc5227564eb8672ece91a51103123cd87a6577ee0d947fb2c229d45fffabf035843df18c8693f66919
-
/data/user/0/com.whateverwhatever/kl.txtFilesize
75B
MD5d0ca935dbc3eb52b07a4a8a6724260aa
SHA1c6a2d84187faf5eb400d3983adf4dbf9113aedde
SHA25696ccc5127f78541862d18355b1c606c0b9ba36eba085a09eaea53efaf50269c2
SHA512bc43dc134a09cd98582e34f3c35b406828cdc02982038db5d9bb54d782db405983d54291138a04beb1fbcc5432dbf55302097d875c35dc526797425cfd91f981
-
/data/user/0/com.whateverwhatever/kl.txtFilesize
79B
MD5bfe22531527ac7e3caf76d67136933d8
SHA175ae6b8248dff764829d1d148d0ad39dfae164eb
SHA256d937892a87c7532934477931f63a3ea459946ba0205d3aeb270319d935e5f75e
SHA5122c5d54be5d8d7e099610e51fbb509d784a7cd21309e9f673f6d8bbd2f232e34aa387f67fba0387380c665c82cafdf148b57ac7a4087b5f7f49527b65bae60620