Analysis
-
max time kernel
179s -
max time network
185s -
platform
android_x64 -
resource
android-x64-arm64-20240514-en -
resource tags
android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240514-en, locale:en-us, os:android-11-x64, system
submitted
28-05-2024 22:00
Static task
static1
Behavioral task
behavioral1
Sample
bb98625a15353ef102d20ec83b4549a067fd58b6b301e4031354661094558be5.apk
Resource
android-x86-arm-20240514-en
Behavioral task
behavioral2
Sample
bb98625a15353ef102d20ec83b4549a067fd58b6b301e4031354661094558be5.apk
Resource
android-x64-arm64-20240514-en
General
-
Target
bb98625a15353ef102d20ec83b4549a067fd58b6b301e4031354661094558be5.apk
-
Size
537KB
-
MD5
0e22ede9e904c6e28cda207001b993af
-
SHA1
a9edadc76597182d7bdbfc1225f569b7c98bdfe3
-
SHA256
bb98625a15353ef102d20ec83b4549a067fd58b6b301e4031354661094558be5
-
SHA512
738cf0bba0c78099ec60fb79b3d4221ca8fdf31551fddacf4c2c14c1d3ad1f4ea6a8279fda2cdecd3e68d5d9d762cf076ce95bc43a7651672ec61ea8f345a7fc
-
SSDEEP
12288:shOTOE68iehj1VuNJbFMnF/ZaDLtthoW5Y9Tnv2:sCHfiEuTuBaDJjoFNnu
Malware Config
Extracted
octo
https://94.232.249.36/MmE0ODdiNjkyNzdi/
https://89divos.art/MmE0ODdiNjkyNzdi/
https://89divos.tech/MmE0ODdiNjkyNzdi/
https://89divos.shop/MmE0ODdiNjkyNzdi/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
Processes:
resource | yara_rule
/data/user/0/com.whatev2erwh2atever/cache/ntygrhadjbuptz | family_octo
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
com.whatev2erwh2atever
description | ioc | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.whatev2erwh2atever
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.whatev2erwh2atever
-
Prevents application removal 1 TTPs 1 IoCs
Application may abuse the framework's APIs to prevent removal.
Processes:
com.whatev2erwh2atever
description | ioc | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.whatev2erwh2atever
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
Processes:
com.whatev2erwh2atever
description | ioc | process
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | com.whatev2erwh2atever
-
Requests modifying system settings. 1 IoCs
Processes:
com.whatev2erwh2atever
description | ioc | process
Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | com.whatev2erwh2atever
-
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
-
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
com.whatev2erwh2atever
ioc | pid | process
/data/user/0/com.whatev2erwh2atever/cache/ntygrhadjbuptz | 4488 | com.whatev2erwh2atever
/data/user/0/com.whatev2erwh2atever/cache/ntygrhadjbuptz | 4488 | com.whatev2erwh2atever
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
com.whatev2erwh2atever
description | ioc | process
Framework service call | android.app.IActivityManager.setServiceForeground | com.whatev2erwh2atever
-
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
Processes:
com.whatev2erwh2atever
description | ioc | process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.whatev2erwh2atever
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
Processes:
com.whatev2erwh2atever
description | ioc | process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.whatev2erwh2atever
-
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
Processes:
com.whatev2erwh2atever
description | ioc | process
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.whatev2erwh2atever
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
com.whatev2erwh2atever
description | ioc | process
Framework API call | javax.crypto.Cipher.doFinal | com.whatev2erwh2atever
Processes
-
com.whatev2erwh2atever
- Makes use of the framework's Accessibility service
- Prevents application removal
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests modifying system settings.
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Downloads
-
/data/user/0/com.whatev2erwh2atever/cache/ntygrhadjbuptz
Filesize 477KB
MD5 65cb593886751d7394957a9da951aaf8
SHA1 64eedc22cbde9f912d227744f9ebe6b8e6f638f8
SHA256 8a6242f184ede2ac58585af93dc550c4b7a824570bc881222afa5071fb50d4bf
SHA512 13ab53b5c34be5e6a0aa93ee6d8761d8797d1626a9005c2ede2e23547daec56a58902e8e87e13ae7e4540618abbff5857233c7bfdc0601aeeabe263fc46e3766
-
/data/user/0/com.whatev2erwh2atever/cache/oat/ntygrhadjbuptz.cur.prof
Filesize 349B
MD5 eb08918bcef2afa8962b5a56c602d2d7
SHA1 f36cbb96055cec54b0f8586b712c41e55fd4d9fc
SHA256 dfba4c970473672166bdfb2ea78ceab25b15589bbc51153af6e4952872769409
SHA512 4f16d0c358e5754c89d9485362d0e3a8311763698dad1f0c2221bf62aef22459c9cff039ab6e0e5b2e0ab2cf201fc55faf8e150cdc8562350a1d28e5ff0c128c
-
/data/user/0/com.whatev2erwh2atever/kl.txt
Filesize 28B
MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6
-
/data/user/0/com.whatev2erwh2atever/kl.txt
Filesize 237B
MD5 336eff83a1359b833ef07c9297c6d3aa
SHA1 a980b66f3f0818d8badf6ec3923d2cf2ae6ea3d7
SHA256 dc94785197863fe5c93dab04aff78ea62db482a2725621d99b5745bc8a369bc4
SHA512 155507664b3bc655c49259604465e5f2201bcd8365b58eac0988d57b947ac2f541b697dcc5badd00f13d33c0e242c546f40587c7a58129a45d76b55277abd172
-
/data/user/0/com.whatev2erwh2atever/kl.txt
Filesize 45B
MD5 83e4c95693c4e373f180ddd71ef1e8d8
SHA1 d983e53517f0288ccc339088f2c368561534e2bb
SHA256 fc973707e5e620784cbaf6d44019b965a76bd9041ac636d8d7f36d5763a890df
SHA512 c1d415043ee0609aa1e97a670d4a177705db0e90105870ba42c8d3aab728b5411e89e82df9cf1d314f2e9b3546caf60fc439834adbb414ce8191d0fd13c36a20
-
/data/user/0/com.whatev2erwh2atever/kl.txt
Filesize 63B
MD5 b3506b6d4fa1c395fc64af865ff306dd
SHA1 6bc4023a93a757c7e3bab0d78b3c9ca00ff7e8cd
SHA256 3b6297c2f612abaa95868f75597f73dff22c36919ea7f9097ac0d4e530fd7a3e
SHA512 dc4662d7393e2c42d3b7bfc113b964027c8ea11e2390f46d3099463f783473b576b3e51b8cd36c52568bc3116e4d2fc130765fa122a54b005a63d50f19023932
-
/data/user/0/com.whatev2erwh2atever/kl.txt
Filesize 75B
MD5 0aa0e50682cfc55d25977718b1928cae
SHA1 a1677f1ad0528d4d187939413c1ce257f77b41bd
SHA256 dedcdf28c9e6cfe204f28947ff70da4899fe7394620b9f24fbf98691bc42f57d
SHA512 61ec7e4ad585f09aa06bb7a92925d1e93d7e9aed8cc78161549c4a7b09b5b16cf5ce3e4d23fbaa5499926e23e455f0af960ee2d2e527039295926d7a754ec63f