Analysis
Max time kernel: 179s
Max time network: 159s
Platform: android_x64
Resource: android-x64-20240514-en
Resource tags: android, arch:x64, arch:x86, image:android-x64-20240514-en, locale:en-us, os:android-10-x64, system
Submitted: 29-05-2024 22:53
Static task: static1
Behavioral task: behavioral1
  Sample: f698fbb2bd46a4b6a9c8da3d74658772b47b3e43dafc494d55b4f54916db2ba5.apk
  Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
  Sample: f698fbb2bd46a4b6a9c8da3d74658772b47b3e43dafc494d55b4f54916db2ba5.apk
  Resource: android-x64-20240514-en
General
Target: f698fbb2bd46a4b6a9c8da3d74658772b47b3e43dafc494d55b4f54916db2ba5.apk
Size: 509KB
MD5: 95d94be9f18f9c1311f50810a495679a
SHA1: fa5752f396e19f085dd56c673073112d5d3aa135
SHA256: f698fbb2bd46a4b6a9c8da3d74658772b47b3e43dafc494d55b4f54916db2ba5
SHA512: c28ca69d77ba37cdfe84fbb787f6bd7ff3877af1218f528202a02e21aebc82e02255cf55731cfe15692524880065224c4a60e3fe95cbfc19d59a5ffc5adccbb3
SSDEEP: 12288:aSBzSFlIIhwPpqgFKDS30JGyMXpeX2/7XoU:R0FGp3FKDA4MXgXSR
Malware Config
Extracted family: octo
Extracted URLs:
  https://moneycsffhgm7.shop/MmExODA3MDAzZjA5/
  https://moneycsasfasfh.com/MmExODA3MDAzZjA5/
  https://moneycsasfasfh.net/MmExODA3MDAzZjA5/
  https://2moneycsasfasfh.net/MmExODA3MDAzZjA5/
  https://2moneycsasfasfh.com/MmExODA3MDAzZjA5/
  https://3moneycsasfasfh.com/MmExODA3MDAzZjA5/
Signatures

Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.

Octo payload (1 IoC)
Processes:
  resource: /data/data/com.snowcompletefyq/cache/lletscw
  yara_rule: family_octo

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes: com.snowcompletefyq
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (process: com.snowcompletefyq)
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (process: com.snowcompletefyq)

Prevents application removal (1 TTP, 1 IoC)
Application may abuse the framework's APIs to prevent removal.
Processes: com.snowcompletefyq
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (process: com.snowcompletefyq)

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)

Checks CPU information (2 TTPs, 1 IoC)
Checks CPU information which indicates whether the system is an emulator.

Checks memory information (2 TTPs, 1 IoC)
Checks memory information which indicates whether the system is an emulator.

Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs executable file dropped to the device during analysis.
Processes: com.snowcompletefyq
  ioc: /data/user/0/com.snowcompletefyq/cache/lletscw (pid: 5143, process: com.snowcompletefyq)
  ioc: /data/user/0/com.snowcompletefyq/cache/lletscw (pid: 5143, process: com.snowcompletefyq)

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes: com.snowcompletefyq
  Framework service call: android.app.IActivityManager.setServiceForeground (process: com.snowcompletefyq)

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
Processes: com.snowcompletefyq
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (process: com.snowcompletefyq)

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
Processes: com.snowcompletefyq
  Framework service call: android.app.IActivityManager.registerReceiver (process: com.snowcompletefyq)

Acquires the wake lock (1 IoC)
Processes: com.snowcompletefyq
  Framework service call: android.os.IPowerManager.acquireWakeLock (process: com.snowcompletefyq)

Reads information about phone network operator (1 TTP)

Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
Processes: com.snowcompletefyq
  Framework API call: javax.crypto.Cipher.doFinal (process: com.snowcompletefyq)
Processes
com.snowcompletefyq
- Makes use of the framework's Accessibility service
- Prevents application removal
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Downloads

/data/data/com.snowcompletefyq/cache/lletscw
Filesize: 449KB
MD5: 2eb5d79a2030280606286bfdcb0c6e8f
SHA1: 43da73a57e47b70678bfb652602af4c2ec65cad8
SHA256: 5d5a7dbe2e41740bf7397f905762d4f6f461f546c58f6877abf179d9eddcb7b9
SHA512: 8bb734e791dacb406d8ce5cacd58f22aa695608691a590f14f060bdfe8d08c4e37d0cd4ad71a0b8b5edaa769c0b5cb9ce64e7f344e7a79eb03690dbf29d29529

/data/data/com.snowcompletefyq/cache/oat/lletscw.cur.prof
Filesize: 497B
MD5: 0a9a77bb2943a3f5fd16bdaaaae7654a
SHA1: 3acdf57876e6f1b3ea47bcc35a40b479e42b2a04
SHA256: 2b4d5f3964435a7f1d4620ae9abda77bb5b5813e8b115e7bc25ad1b30ba2643b
SHA512: 9751931dfd80f45912b23f8a07e75e412cc24cdd249a2ce45ce2cb81da4f72f3ddef41f3765c1c366ba018a68750d1501c5d2cb4cbf1cfe2862e1838fb0110e1

/data/data/com.snowcompletefyq/kl.txt
Filesize: 28B
MD5: 6311c3fd15588bb5c126e6c28ff5fffe
SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.snowcompletefyq/kl.txt
Filesize: 235B
MD5: 8d9c8327c3bcd0d22cc33d87d1dad0f4
SHA1: 19e63ad542ae8d994fbf8eea3face3f10f817930
SHA256: 843e0657f1476051dcfea550047dbb8a7096b95facccf678dadd0b062540ab33
SHA512: 72eeee6b84b87636e984a6388ef797e7c3974e0fe9b893de7ce49b6ba83a9e1fafeb222abb9c1af3338b49bc90963e978bf03b36e3b17762a0d90b7c606a5fcc

/data/data/com.snowcompletefyq/kl.txt
Filesize: 45B
MD5: 689370c58f241df8e17c9a23ffbfc31f
SHA1: 684f5f28c8e0088913f008c079fc0fc47027c05f
SHA256: 87e4c29298048ef83e56d88bbdd38cae37e8f89dee008e8c740dc7acaacd1bbe
SHA512: 931f4e323c4da8c757daf9120b32120ed086eae7b7f3d84008b2387af19d72db73df196bf223e054a752406eb0fb55918a9eb2bcf21804d0e5a397aae75ed1f7

/data/data/com.snowcompletefyq/kl.txt
Filesize: 66B
MD5: d9b733f5404134750dd0286e4525246a
SHA1: 44f157234e411c7583a02f0afc6c2ba42cb04d42
SHA256: 7ddb3c470db17a839de51f17e821c596c0923371cb44f5d18482b565109e5d77
SHA512: 643a08f32327265127a561b1e36098dd0035cefef7242714fcd9711d266144eac5fc2efe2d38fa727a2409a1952ed377b282d3d18571f6ab8bf9ce109a1f48f2

/data/data/com.snowcompletefyq/kl.txt
Filesize: 84B
MD5: 039240f7c89fc00206997cdac015c577
SHA1: 8491c2244bdd01b8ff73f39f06cd6d1980a0ef69
SHA256: bed322fed7f284bf64ce51f3a45fba3438f5cb56fdc17ab1014b27a1147ba3b4
SHA512: 699d1e9a8d41254cabf2a35b65b6d39cccc0ed60a6428471708aa4816ad1e75cb47d971255e85c050349b170ccc1b64cd53d605cb7db9a869565c0908b9a91c7