Analysis
-
max time kernel
179s
max time network
155s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags
android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
submitted
29-05-2024 22:53
Static task
static1
Behavioral task
behavioral1
Sample
f698fbb2bd46a4b6a9c8da3d74658772b47b3e43dafc494d55b4f54916db2ba5.apk
Resource
android-x86-arm-20240514-en
Behavioral task
behavioral2
Sample
f698fbb2bd46a4b6a9c8da3d74658772b47b3e43dafc494d55b4f54916db2ba5.apk
Resource
android-x64-20240514-en
General
-
Target
f698fbb2bd46a4b6a9c8da3d74658772b47b3e43dafc494d55b4f54916db2ba5.apk
-
Size
509KB
-
MD5
95d94be9f18f9c1311f50810a495679a
-
SHA1
fa5752f396e19f085dd56c673073112d5d3aa135
-
SHA256
f698fbb2bd46a4b6a9c8da3d74658772b47b3e43dafc494d55b4f54916db2ba5
-
SHA512
c28ca69d77ba37cdfe84fbb787f6bd7ff3877af1218f528202a02e21aebc82e02255cf55731cfe15692524880065224c4a60e3fe95cbfc19d59a5ffc5adccbb3
-
SSDEEP
12288:aSBzSFlIIhwPpqgFKDS30JGyMXpeX2/7XoU:R0FGp3FKDA4MXgXSR
Malware Config
Extracted
octo
https://moneycsffhgm7.shop/MmExODA3MDAzZjA5/
https://moneycsasfasfh.com/MmExODA3MDAzZjA5/
https://moneycsasfasfh.net/MmExODA3MDAzZjA5/
https://2moneycsasfasfh.net/MmExODA3MDAzZjA5/
https://2moneycsasfasfh.com/MmExODA3MDAzZjA5/
https://3moneycsasfasfh.com/MmExODA3MDAzZjA5/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
Processes:
resource: /data/data/com.snowcompletefyq/cache/lletscw; yara_rule: family_octo
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
com.snowcompletefyq
description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId; process: com.snowcompletefyq
description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId; process: com.snowcompletefyq
Prevents application removal 1 TTPs 1 IoCs
Application may abuse the framework's APIs to prevent removal.
Processes:
com.snowcompletefyq
description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction; process: com.snowcompletefyq
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
Processes:
com.snowcompletefyq
description: Intent action; ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS; process: com.snowcompletefyq
Requests modifying system settings. 1 IoCs
Processes:
com.snowcompletefyq
description: Intent action; ioc: android.settings.action.MANAGE_WRITE_SETTINGS; process: com.snowcompletefyq
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicates whether the system is an emulator.
-
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicates whether the system is an emulator.
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs an executable file dropped to the device during analysis.
Processes:
com.snowcompletefyq
ioc: /data/user/0/com.snowcompletefyq/cache/lletscw; pid: 4271; process: com.snowcompletefyq
ioc: /data/user/0/com.snowcompletefyq/cache/lletscw; pid: 4271; process: com.snowcompletefyq
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
com.snowcompletefyq
description: Framework service call; ioc: android.app.IActivityManager.setServiceForeground; process: com.snowcompletefyq
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
Processes:
com.snowcompletefyq
description: Framework service call; ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone; process: com.snowcompletefyq
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
com.snowcompletefyq
description: Framework service call; ioc: android.app.IActivityManager.registerReceiver; process: com.snowcompletefyq
Acquires the wake lock 1 IoCs
Processes:
com.snowcompletefyq
description: Framework service call; ioc: android.os.IPowerManager.acquireWakeLock; process: com.snowcompletefyq
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
Processes:
com.snowcompletefyq
description: Intent action; ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS; process: com.snowcompletefyq
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
com.snowcompletefyq
description: Framework API call; ioc: javax.crypto.Cipher.doFinal; process: com.snowcompletefyq
Processes
-
com.snowcompletefyq
- Makes use of the framework's Accessibility service
- Prevents application removal
- Removes its main activity from the application launcher
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests modifying system settings.
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Downloads
-
/data/data/com.snowcompletefyq/cache/lletscw
Filesize
449KB
MD5
2eb5d79a2030280606286bfdcb0c6e8f
SHA1
43da73a57e47b70678bfb652602af4c2ec65cad8
SHA256
5d5a7dbe2e41740bf7397f905762d4f6f461f546c58f6877abf179d9eddcb7b9
SHA512
8bb734e791dacb406d8ce5cacd58f22aa695608691a590f14f060bdfe8d08c4e37d0cd4ad71a0b8b5edaa769c0b5cb9ce64e7f344e7a79eb03690dbf29d29529
-
/data/data/com.snowcompletefyq/cache/oat/lletscw.cur.prof
Filesize
499B
MD5
27cc2ad111462c6318b04d68132e1a17
SHA1
87aa1c7919774ef8f30062a093787aff59db14c7
SHA256
d9803a8334b416896cf71b6ff4e7e9f1537be7b15727630628a40e0b8d79dced
SHA512
5ea908d259bbefffb4c381b03660f2d4f3e030058e96b1cecfddc384fd5b6eabe3be29c7c93b6460fa5c447b7d829620b955042c32299eb5ab13c67af1f4a512
-
/data/data/com.snowcompletefyq/kl.txt
Filesize
28B
MD5
6311c3fd15588bb5c126e6c28ff5fffe
SHA1
ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256
8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512
2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6
-
/data/data/com.snowcompletefyq/kl.txt
Filesize
235B
MD5
322bb91ab14beba8f3b9dda0caa2da5d
SHA1
db7e216e23074ca234ff80d578f39bceb8cccad6
SHA256
97b76c2a5445e6c757e21ddc5725705786846562ed05aae07a6f55a921ce8805
SHA512
64bccb50bdeb469f677db81cd57f4a8efdb695ea06096301a31db1440830509870c4f169bb87557e5cd9eda961f3873f9d2672498aa0f30d41372d1d08368e23
-
/data/data/com.snowcompletefyq/kl.txt
Filesize
54B
MD5
77c941f801f7876b00d60725702cd4d6
SHA1
b66df67a1b410d85f6dcf991af42270dfc6aae76
SHA256
576b1cf15547c272b96d2b8f720bfcc7fab93883dc77a8072122bde444fba6ee
SHA512
dc9171d7de34247c73816c424789e2b2da754edc22f7f220437e07fc084ac1d84ff5b7fbd54ae39b8a643e07a4f675e4106d2ac1bf361c26ba85c0754fdcc280
-
/data/data/com.snowcompletefyq/kl.txt
Filesize
153B
MD5
582a30fcd024361de12caffe6fdedab7
SHA1
158ca2b9f6a25b71c3e5155b9729ed1690174404
SHA256
46e3188c1532e162853fb3ddc75109de428f5ba27f3f47ac32caecdc307ec52e
SHA512
f5c4308a9401197fccb35f74af9c3591b0cfcdb2e89d68d506ff3a96fe690448f4ae75939747bf0f7cdb331f1ba2232a5ba0a371a98d61934c5533710ab7d094
-
/data/data/com.snowcompletefyq/kl.txt
Filesize
433B
MD5
11f3b3e384378fcb21adb021a49cd9aa
SHA1
9f188166b39eeb9a8f7dd50d0b39489463d0d244
SHA256
3baa2b88e18c20652c4221e8534547a2bab9173bc8baf1805fdf30a262aa6d57
SHA512
0523f0094cf657dda40cd4c4e7adb19ea436b244da140dd9fd2213b61b2283f647c3874f374d59f64b23ac1b4d1e4af56d66f7854c018f3cac545f221f9e45bb