Analysis

  • max time kernel: 179s
  • max time network: 136s
  • platform: android_x86
  • resource: android-x86-arm-20240514-en
  • resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
  • submitted: 29-05-2024 21:14

General

  • Target: dd2a5a043f234d30b485fdc6d4a297d07c640f4f7e2bd6b31707b7cee1f3825f.apk
  • Size: 541KB
  • MD5: 69bbaa343457f36b54e0381ad1cec22f
  • SHA1: f2cd9031baf7f18db90ef2415f433dc4ed833bac
  • SHA256: dd2a5a043f234d30b485fdc6d4a297d07c640f4f7e2bd6b31707b7cee1f3825f
  • SHA512: 1f8f360c37e2d1302f1df134427f052f4e7007ac4f8e88235176d3b738c2ca5c3da9a8bc70edfaf928f040c4b30f9313425c91e78be940d908086467d3a96cb3
  • SSDEEP: 12288:7vCNEGRqYMECw5ha5H+HyYUFoUhCrlJNbf6gby16B1M:G7LMECUhpHDUCDJN7TQ6s

Malware Config

Extracted

  • Family: octo
  • C2:
    • https://adile56tasarim.com/ZDQ5M2JhM2ZkZTkx/
    • https://6adiletasarim.com/ZDQ5M2JhM2ZkZTkx/
    • https://7adiletasarim.com/ZDQ5M2JhM2ZkZTkx/
    • https://8adiletasarim.com/ZDQ5M2JhM2ZkZTkx/
    • https://9adiletasarim.com/ZDQ5M2JhM2ZkZTkx/
  • AES_key

Signatures

  • Octo

    Octo is a banking malware with remote access capabilities first seen in April 2022.

  • Octo payload 1 IoCs
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Prevents application removal 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to prevent removal.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs

    Checks CPU information that indicates whether the system is an emulator.

  • Checks memory information 2 TTPs 1 IoCs

    Checks memory information that indicates whether the system is an emulator.

  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.hadrightbqaj (PID: 4281)
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Removes its main activity from the application launcher
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests modifying system settings.
    • Checks CPU information
    • Checks memory information
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)

Downloads

  • /data/data/com.hadrightbqaj/cache/jpwuwyc
    • Filesize: 449KB
    • MD5: afe4ad1d723273c6a55d7357c7862184
    • SHA1: 53636753c24d0e8a7553897b28dcbd1a766e6fac
    • SHA256: 4be693241f3d19603717f391f36861abe86e0e4cca87aed74a9983a6048b8d75
    • SHA512: 62a0b83b1d4da77991a3b9a4e1e43800629574f674f336b292e45e4cf42e3c97120ad6cbe16b75a5b26ab0d26d0fcb23e89e61ac137075edd9000d86581fd30f

  • /data/data/com.hadrightbqaj/cache/oat/jpwuwyc.cur.prof
    • Filesize: 537B
    • MD5: fec9e737a69b1e38d5f006f0c6f6eb47
    • SHA1: 35bbf2419d15f7dd9ddb57c48496818bbc289e69
    • SHA256: 28e24f9d92ce3c01dee9fead811746ad6d3e42e45600e85054075bac779e3c5e
    • SHA512: 6a88e85739d24aa01bb597fb4b36811edca85310411a24dc111264d711f7f98d3b230fc835fdbf010f29467121ed081a953037ac5bd6bcfeef81c1e2d2eaa1c7

  • /data/data/com.hadrightbqaj/kl.txt
    • Filesize: 28B
    • MD5: 6311c3fd15588bb5c126e6c28ff5fffe
    • SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
    • SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
    • SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

  • /data/data/com.hadrightbqaj/kl.txt
    • Filesize: 235B
    • MD5: cd7cff75d204cd6c1c245e19a711e5a1
    • SHA1: 08d109c57ed8c17ec8a8fe77f3c9acc88b30ec45
    • SHA256: 2bd6e4988434e9935ac30f1c7e0f30ce7a9c6ea0b9e9de2883785ea0a0ce764d
    • SHA512: 9b0bbdfe20f0f6cc04e0d2a880bda2d660c907e99a9612ed02620a26d65540c9efb2d3638e72011bd442777c14c7c124aac6eadea24d094253649ea661084bd2

  • /data/data/com.hadrightbqaj/kl.txt
    • Filesize: 63B
    • MD5: 870417f2834511c04464959b5ff34de1
    • SHA1: 9a27eb0ec8c12309f62a106e8ad9c3bfcd8db90e
    • SHA256: 0cb2da33c8f4154cae78e81089d9325a3c068e039a676ad537417b07922b3d1a
    • SHA512: 279477808937a697d4deacac7731a4b9fe7f879f3e21fe1518823318bf6b6157d0a41551d0b75b833d59b9588974d031e563994c6243f6707137b4cbd4c18b65

  • /data/data/com.hadrightbqaj/kl.txt
    • Filesize: 45B
    • MD5: aa001ca076015b11b56cd0426d75c36e
    • SHA1: 6e1585df61dba6772c9f3d55bfdd300eb17d8c9f
    • SHA256: e76c1110d205e9a0c300614e2a5cc7aaae7a12889c7f650657c5e4e65cea735a
    • SHA512: 0da373b87bbd8d12d4c5532903c195c581b607c7bda0327b41296112796007911f0799a5631e36056a3aca6661da55c3adba106d798a12f2bd2c27a69e1912ae