Analysis
-
max time kernel
179s -
max time network
159s -
platform
android_x64 -
resource
android-x64-20240514-en -
resource tags
androidarch:x64arch:x86image:android-x64-20240514-enlocale:en-usos:android-10-x64system -
submitted
29-05-2024 22:53
Static task
static1
Behavioral task
behavioral1
Sample
f698fbb2bd46a4b6a9c8da3d74658772b47b3e43dafc494d55b4f54916db2ba5.apk
Resource
android-x86-arm-20240514-en
Behavioral task
behavioral2
Sample
f698fbb2bd46a4b6a9c8da3d74658772b47b3e43dafc494d55b4f54916db2ba5.apk
Resource
android-x64-20240514-en
General
-
Target
f698fbb2bd46a4b6a9c8da3d74658772b47b3e43dafc494d55b4f54916db2ba5.apk
-
Size
509KB
-
MD5
95d94be9f18f9c1311f50810a495679a
-
SHA1
fa5752f396e19f085dd56c673073112d5d3aa135
-
SHA256
f698fbb2bd46a4b6a9c8da3d74658772b47b3e43dafc494d55b4f54916db2ba5
-
SHA512
c28ca69d77ba37cdfe84fbb787f6bd7ff3877af1218f528202a02e21aebc82e02255cf55731cfe15692524880065224c4a60e3fe95cbfc19d59a5ffc5adccbb3
-
SSDEEP
12288:aSBzSFlIIhwPpqgFKDS30JGyMXpeX2/7XoU:R0FGp3FKDA4MXgXSR
Malware Config
Extracted
octo
https://moneycsffhgm7.shop/MmExODA3MDAzZjA5/
https://moneycsasfasfh.com/MmExODA3MDAzZjA5/
https://moneycsasfasfh.net/MmExODA3MDAzZjA5/
https://2moneycsasfasfh.net/MmExODA3MDAzZjA5/
https://2moneycsasfasfh.com/MmExODA3MDAzZjA5/
https://3moneycsasfasfh.com/MmExODA3MDAzZjA5/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
Processes:
resource yara_rule /data/data/com.snowcompletefyq/cache/lletscw family_octo -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
com.snowcompletefyqdescription ioc process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.snowcompletefyq Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.snowcompletefyq -
Prevents application removal 1 TTPs 1 IoCs
Application may abuse the framework's APIs to prevent removal.
Processes:
com.snowcompletefyqdescription ioc process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.snowcompletefyq -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
Processes:
com.snowcompletefyqdescription ioc process File opened for read /proc/cpuinfo com.snowcompletefyq -
Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
Processes:
com.snowcompletefyqdescription ioc process File opened for read /proc/meminfo com.snowcompletefyq -
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
Processes:
com.snowcompletefyqioc pid process /data/user/0/com.snowcompletefyq/cache/lletscw 5143 com.snowcompletefyq /data/user/0/com.snowcompletefyq/cache/lletscw 5143 com.snowcompletefyq -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
com.snowcompletefyqdescription ioc process Framework service call android.app.IActivityManager.setServiceForeground com.snowcompletefyq -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
Processes:
com.snowcompletefyqdescription ioc process Framework service call android.content.IClipboard.addPrimaryClipChangedListener com.snowcompletefyq -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
Processes:
com.snowcompletefyqdescription ioc process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.snowcompletefyq -
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
com.snowcompletefyqdescription ioc process Framework service call android.app.IActivityManager.registerReceiver com.snowcompletefyq -
Acquires the wake lock 1 IoCs
Processes:
com.snowcompletefyqdescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock com.snowcompletefyq -
Reads information about phone network operator. 1 TTPs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
com.snowcompletefyqdescription ioc process Framework API call javax.crypto.Cipher.doFinal com.snowcompletefyq
Processes
-
com.snowcompletefyq1⤵
- Makes use of the framework's Accessibility service
- Prevents application removal
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Obtains sensitive information copied to the device clipboard
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
PID:5143
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Information Discovery
2System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
449KB
MD52eb5d79a2030280606286bfdcb0c6e8f
SHA143da73a57e47b70678bfb652602af4c2ec65cad8
SHA2565d5a7dbe2e41740bf7397f905762d4f6f461f546c58f6877abf179d9eddcb7b9
SHA5128bb734e791dacb406d8ce5cacd58f22aa695608691a590f14f060bdfe8d08c4e37d0cd4ad71a0b8b5edaa769c0b5cb9ce64e7f344e7a79eb03690dbf29d29529
-
Filesize
497B
MD50a9a77bb2943a3f5fd16bdaaaae7654a
SHA13acdf57876e6f1b3ea47bcc35a40b479e42b2a04
SHA2562b4d5f3964435a7f1d4620ae9abda77bb5b5813e8b115e7bc25ad1b30ba2643b
SHA5129751931dfd80f45912b23f8a07e75e412cc24cdd249a2ce45ce2cb81da4f72f3ddef41f3765c1c366ba018a68750d1501c5d2cb4cbf1cfe2862e1838fb0110e1
-
Filesize
28B
MD56311c3fd15588bb5c126e6c28ff5fffe
SHA1ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA2568b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA5122975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6
-
Filesize
235B
MD58d9c8327c3bcd0d22cc33d87d1dad0f4
SHA119e63ad542ae8d994fbf8eea3face3f10f817930
SHA256843e0657f1476051dcfea550047dbb8a7096b95facccf678dadd0b062540ab33
SHA51272eeee6b84b87636e984a6388ef797e7c3974e0fe9b893de7ce49b6ba83a9e1fafeb222abb9c1af3338b49bc90963e978bf03b36e3b17762a0d90b7c606a5fcc
-
Filesize
45B
MD5689370c58f241df8e17c9a23ffbfc31f
SHA1684f5f28c8e0088913f008c079fc0fc47027c05f
SHA25687e4c29298048ef83e56d88bbdd38cae37e8f89dee008e8c740dc7acaacd1bbe
SHA512931f4e323c4da8c757daf9120b32120ed086eae7b7f3d84008b2387af19d72db73df196bf223e054a752406eb0fb55918a9eb2bcf21804d0e5a397aae75ed1f7
-
Filesize
66B
MD5d9b733f5404134750dd0286e4525246a
SHA144f157234e411c7583a02f0afc6c2ba42cb04d42
SHA2567ddb3c470db17a839de51f17e821c596c0923371cb44f5d18482b565109e5d77
SHA512643a08f32327265127a561b1e36098dd0035cefef7242714fcd9711d266144eac5fc2efe2d38fa727a2409a1952ed377b282d3d18571f6ab8bf9ce109a1f48f2
-
Filesize
84B
MD5039240f7c89fc00206997cdac015c577
SHA18491c2244bdd01b8ff73f39f06cd6d1980a0ef69
SHA256bed322fed7f284bf64ce51f3a45fba3438f5cb56fdc17ab1014b27a1147ba3b4
SHA512699d1e9a8d41254cabf2a35b65b6d39cccc0ed60a6428471708aa4816ad1e75cb47d971255e85c050349b170ccc1b64cd53d605cb7db9a869565c0908b9a91c7