Analysis
Max time kernel: 179s
Max time network: 185s
Platform: android_x64
Resource: android-x64-arm64-20240514-en
Resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240514-en, locale:en-us, os:android-11-x64, system
Submitted: 28-05-2024 22:00
Static task: static1
Behavioral task: behavioral1
  Sample: bb98625a15353ef102d20ec83b4549a067fd58b6b301e4031354661094558be5.apk
  Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
  Sample: bb98625a15353ef102d20ec83b4549a067fd58b6b301e4031354661094558be5.apk
  Resource: android-x64-arm64-20240514-en
General
Target: bb98625a15353ef102d20ec83b4549a067fd58b6b301e4031354661094558be5.apk
Size: 537KB
MD5: 0e22ede9e904c6e28cda207001b993af
SHA1: a9edadc76597182d7bdbfc1225f569b7c98bdfe3
SHA256: bb98625a15353ef102d20ec83b4549a067fd58b6b301e4031354661094558be5
SHA512: 738cf0bba0c78099ec60fb79b3d4221ca8fdf31551fddacf4c2c14c1d3ad1f4ea6a8279fda2cdecd3e68d5d9d762cf076ce95bc43a7651672ec61ea8f345a7fc
SSDEEP: 12288:shOTOE68iehj1VuNJbFMnF/ZaDLtthoW5Y9Tnv2:sCHfiEuTuBaDJjoFNnu
Malware Config
Extracted configuration (family: octo), URLs:
https://94.232.249.36/MmE0ODdiNjkyNzdi/
https://89divos.art/MmE0ODdiNjkyNzdi/
https://89divos.tech/MmE0ODdiNjkyNzdi/
https://89divos.shop/MmE0ODdiNjkyNzdi/
Signatures

Octo
Octo is Android banking malware with remote-access capabilities, first seen in April 2022.

Octo payload (1 IoC)
  resource: /data/user/0/com.whatev2erwh2atever/cache/ntygrhadjbuptz  yara_rule: family_octo

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  process: com.whatev2erwh2atever
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId  process: com.whatev2erwh2atever

Prevents application removal (1 TTP, 1 IoC)
The application may abuse the framework's APIs to prevent its own removal.
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  process: com.whatev2erwh2atever

Queries a list of all the installed applications on the device (1 TTP)
May be used in an attempt to overlay legitimate apps.

Requests access to notifications (1 TTP, 1 IoC)
Often used to intercept notifications before the user becomes aware of them.
  Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS  process: com.whatev2erwh2atever

Requests permission to modify system settings (1 IoC)
  Intent action: android.settings.action.MANAGE_WRITE_SETTINGS  process: com.whatev2erwh2atever

Checks CPU information (2 TTPs, 1 IoC)
Reads CPU information that may indicate whether the system is an emulator.
  File opened for read: /proc/cpuinfo  process: com.whatev2erwh2atever

Checks memory information (2 TTPs, 1 IoC)
Reads memory information that may indicate whether the system is an emulator.
  File opened for read: /proc/meminfo  process: com.whatev2erwh2atever

Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs an executable file dropped to the device during analysis.
  ioc: /data/user/0/com.whatev2erwh2atever/cache/ntygrhadjbuptz  pid: 4488  process: com.whatev2erwh2atever
  ioc: /data/user/0/com.whatev2erwh2atever/cache/ntygrhadjbuptz  pid: 4488  process: com.whatev2erwh2atever

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
The application may abuse the framework's foreground service to keep running in the foreground.
  Framework service call: android.app.IActivityManager.setServiceForeground  process: com.whatev2erwh2atever

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
The application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  Framework service call: android.content.IClipboard.addPrimaryClipChangedListener  process: com.whatev2erwh2atever

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  process: com.whatev2erwh2atever

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Acquires the wake lock (1 IoC)
  Framework service call: android.os.IPowerManager.acquireWakeLock  process: com.whatev2erwh2atever

Reads information about the phone network operator (1 TTP)

Requests disabling of battery optimizations (1 TTP, 1 IoC)
Often used to enable hiding in the background.
  Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS  process: com.whatev2erwh2atever

Uses Crypto APIs (1 TTP, 1 IoC)
Might try to encrypt user data.
  Framework API call: javax.crypto.Cipher.doFinal  process: com.whatev2erwh2atever
Processes

com.whatev2erwh2atever (PID 4488)
  - Makes use of the framework's Accessibility service
  - Prevents application removal
  - Requests access to notifications (often used to intercept notifications before the user becomes aware of them)
  - Requests permission to modify system settings
  - Checks CPU information
  - Checks memory information
  - Loads dropped Dex/Jar
  - Makes use of the framework's foreground persistence service
  - Obtains sensitive information copied to the device clipboard
  - Queries the mobile country code (MCC)
  - Acquires the wake lock
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Uses Crypto APIs (might try to encrypt user data)
MITRE ATT&CK Mobile v15

Defense Evasion
  - Download New Code at Runtime (1)
  - Foreground Persistence (1)
  - Hide Artifacts (1)
      - User Evasion (1)
  - Impair Defenses (1)
      - Prevent Application Removal (1)
  - Input Injection (1)
  - Virtualization/Sandbox Evasion (2)
      - System Checks (2)

Credential Access
  - Access Notifications (1)
  - Clipboard Data (1)
  - Input Capture (2)
      - GUI Input Capture (1)
      - Keylogging (1)

Discovery
  - Software Discovery (1)
      - Security Software Discovery (1)
  - System Information Discovery (2)
  - System Network Configuration Discovery (3)
Downloads
(The same path is listed once per distinct content hash observed during the run.)

/data/user/0/com.whatev2erwh2atever/cache/ntygrhadjbuptz
  Filesize: 477KB
  MD5: 65cb593886751d7394957a9da951aaf8
  SHA1: 64eedc22cbde9f912d227744f9ebe6b8e6f638f8
  SHA256: 8a6242f184ede2ac58585af93dc550c4b7a824570bc881222afa5071fb50d4bf
  SHA512: 13ab53b5c34be5e6a0aa93ee6d8761d8797d1626a9005c2ede2e23547daec56a58902e8e87e13ae7e4540618abbff5857233c7bfdc0601aeeabe263fc46e3766

/data/user/0/com.whatev2erwh2atever/cache/oat/ntygrhadjbuptz.cur.prof
  Filesize: 349B
  MD5: eb08918bcef2afa8962b5a56c602d2d7
  SHA1: f36cbb96055cec54b0f8586b712c41e55fd4d9fc
  SHA256: dfba4c970473672166bdfb2ea78ceab25b15589bbc51153af6e4952872769409
  SHA512: 4f16d0c358e5754c89d9485362d0e3a8311763698dad1f0c2221bf62aef22459c9cff039ab6e0e5b2e0ab2cf201fc55faf8e150cdc8562350a1d28e5ff0c128c

/data/user/0/com.whatev2erwh2atever/kl.txt
  Filesize: 28B
  MD5: 6311c3fd15588bb5c126e6c28ff5fffe
  SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
  SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
  SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/user/0/com.whatev2erwh2atever/kl.txt
  Filesize: 237B
  MD5: 336eff83a1359b833ef07c9297c6d3aa
  SHA1: a980b66f3f0818d8badf6ec3923d2cf2ae6ea3d7
  SHA256: dc94785197863fe5c93dab04aff78ea62db482a2725621d99b5745bc8a369bc4
  SHA512: 155507664b3bc655c49259604465e5f2201bcd8365b58eac0988d57b947ac2f541b697dcc5badd00f13d33c0e242c546f40587c7a58129a45d76b55277abd172

/data/user/0/com.whatev2erwh2atever/kl.txt
  Filesize: 45B
  MD5: 83e4c95693c4e373f180ddd71ef1e8d8
  SHA1: d983e53517f0288ccc339088f2c368561534e2bb
  SHA256: fc973707e5e620784cbaf6d44019b965a76bd9041ac636d8d7f36d5763a890df
  SHA512: c1d415043ee0609aa1e97a670d4a177705db0e90105870ba42c8d3aab728b5411e89e82df9cf1d314f2e9b3546caf60fc439834adbb414ce8191d0fd13c36a20

/data/user/0/com.whatev2erwh2atever/kl.txt
  Filesize: 63B
  MD5: b3506b6d4fa1c395fc64af865ff306dd
  SHA1: 6bc4023a93a757c7e3bab0d78b3c9ca00ff7e8cd
  SHA256: 3b6297c2f612abaa95868f75597f73dff22c36919ea7f9097ac0d4e530fd7a3e
  SHA512: dc4662d7393e2c42d3b7bfc113b964027c8ea11e2390f46d3099463f783473b576b3e51b8cd36c52568bc3116e4d2fc130765fa122a54b005a63d50f19023932

/data/user/0/com.whatev2erwh2atever/kl.txt
  Filesize: 75B
  MD5: 0aa0e50682cfc55d25977718b1928cae
  SHA1: a1677f1ad0528d4d187939413c1ce257f77b41bd
  SHA256: dedcdf28c9e6cfe204f28947ff70da4899fe7394620b9f24fbf98691bc42f57d
  SHA512: 61ec7e4ad585f09aa06bb7a92925d1e93d7e9aed8cc78161549c4a7b09b5b16cf5ce3e4d23fbaa5499926e23e455f0af960ee2d2e527039295926d7a754ec63f
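The following Python is an added example, not part of the sandbox output, that turns the indicators in the Malware Config and Downloads sections into a small matcher: it extracts the C2 hosts and the path segment all four URLs share (/MmE0ODdiNjkyNzdi/), flags proxy-log requests to those hosts, their subdomains, or any host using that path, and classifies files pulled from a device image by known-bad SHA256 and by location under the package's private data directory. The proxy-log format and the sample log lines are constructed; the /data/data/<pkg> alias for /data/user/0/<pkg> is an assumption, and 203.0.113.5 is a documentation address used only to show the path-token match.

```python
"""IoC matcher built from this report's indicators (added example, not sandbox output)."""
import hashlib
import re
from urllib.parse import urlparse

PACKAGE = "com.whatev2erwh2atever"

# URLs from the Malware Config section of the report.
C2_URLS = [
    "https://94.232.249.36/MmE0ODdiNjkyNzdi/",
    "https://89divos.art/MmE0ODdiNjkyNzdi/",
    "https://89divos.tech/MmE0ODdiNjkyNzdi/",
    "https://89divos.shop/MmE0ODdiNjkyNzdi/",
]

# SHA256 values from the General and Downloads sections.
KNOWN_SHA256 = {
    "bb98625a15353ef102d20ec83b4549a067fd58b6b301e4031354661094558be5": "sample apk",
    "8a6242f184ede2ac58585af93dc550c4b7a824570bc881222afa5071fb50d4bf": "dropped payload cache/ntygrhadjbuptz",
}

# Private data dir as listed in the report; /data/data/<pkg> is assumed to be its usual alias.
DATA_DIRS = (f"/data/user/0/{PACKAGE}/", f"/data/data/{PACKAGE}/")


def c2_hosts(urls=C2_URLS):
    """Hostnames (or literal IPs) of the configured C2 endpoints."""
    return {urlparse(u).hostname for u in urls}


def c2_path_tokens(urls=C2_URLS):
    """Non-empty path segments of the C2 URLs; all four share one, so a request to an
    unknown host with the same path is still worth flagging."""
    return {seg for u in urls for seg in urlparse(u).path.split("/") if seg}


def host_matches(host, hosts):
    """Exact match or subdomain of a known host (cdn.89divos.shop matches 89divos.shop)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in hosts)


# Constructed log format: <timestamp> <client-ip> <METHOD> <url>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def scan_proxy_log(lines, urls=C2_URLS):
    """Return (client, url, reason) for every line touching a C2 host or C2 path token."""
    hosts, tokens = c2_hosts(urls), c2_path_tokens(urls)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        u = urlparse(m["url"])
        if u.hostname and host_matches(u.hostname, hosts):
            hits.append((m["src"], m["url"], "c2-host"))
        elif any(seg in tokens for seg in u.path.split("/")):
            hits.append((m["src"], m["url"], "c2-path-token"))
    return hits


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def known_file(digest, known=KNOWN_SHA256):
    """Label for a known-bad SHA256 (case-insensitive), or None."""
    return known.get(digest.lower())


def classify_file(path, data, known=KNOWN_SHA256):
    """Reasons a file from a device image is suspicious: known-bad hash and/or a path
    inside the malicious package's private data directory."""
    reasons = []
    label = known_file(sha256_hex(data), known)
    if label:
        reasons.append("known-hash:" + label)
    if path.startswith(DATA_DIRS):
        reasons.append("path-in-malicious-package")
    return reasons


# Constructed proxy log (not from the sandbox run).
SAMPLE_LOG = [
    "2024-05-28T22:01:03Z 10.0.0.7 POST https://89divos.art/MmE0ODdiNjkyNzdi/",
    "2024-05-28T22:01:05Z 10.0.0.7 GET https://cdn.89divos.shop/img/logo.png",
    "2024-05-28T22:01:09Z 10.0.0.7 POST https://203.0.113.5/MmE0ODdiNjkyNzdi/",
    "2024-05-28T22:01:11Z 10.0.0.8 GET https://example.com/",
    "malformed line with no url",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(*hit)
    print(classify_file(f"/data/user/0/{PACKAGE}/kl.txt", b"constructed contents"))
```

The path-token check is deliberately a second-tier signal: it catches a new host reusing the configured path, but the reason string keeps it distinct from a confirmed host match so triage can weight the two differently. Hash matching on the dropped payload only helps against this exact build; the path check under the package's data directory is what finds the kl.txt variants, whose hashes differ on every capture.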