Analysis
-
max time kernel: 179s
max time network: 145s
platform: android_x86
resource: android-x86-arm-20240514-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
submitted: 29-05-2024 21:15
Static task: static1
Behavioral task: behavioral1
  Sample: 9209036c1ed5a6667160aff616060f2590a533bc723dc1834070d7337d37a529.apk
  Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
  Sample: 9209036c1ed5a6667160aff616060f2590a533bc723dc1834070d7337d37a529.apk
  Resource: android-x64-arm64-20240514-en
General
-
Target: 9209036c1ed5a6667160aff616060f2590a533bc723dc1834070d7337d37a529.apk
Size: 541KB
MD5: ac3ed42f2f086c8f2365dfd69e9d293f
SHA1: ad4de654ef5132a4d1376f029c6a9c6532e0ec85
SHA256: 9209036c1ed5a6667160aff616060f2590a533bc723dc1834070d7337d37a529
SHA512: 6fc7e2d4d7e0d416216d009a9cf992045857394a64720be1674290701143a51bc6ca5ac27df3bcdcd7dcc068822bcf1b5a14ad0eece6bc7252da0eb2a47fe384
SSDEEP: 12288:Nts8AzI81cC/go8OaxwAcH6kTw4xq0P6CFwoy2I22KzwHdu18T3nZ:NN+I81cF7DRkS0Pi2AH9JT3nZ
Malware Config
Extracted: octo
https://moneycsffhgm7.shop/MmExODA3MDAzZjA5/
https://moneycsasfasfh.com/MmExODA3MDAzZjA5/
https://moneycsasfasfh.net/MmExODA3MDAzZjA5/
https://2moneycsasfasfh.net/MmExODA3MDAzZjA5/
https://2moneycsasfasfh.com/MmExODA3MDAzZjA5/
https://3moneycsasfasfh.com/MmExODA3MDAzZjA5/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload (1 IoC)
Processes (resource | yara_rule):
  /data/data/com.objectuplz/cache/cappfw | family_octo
-
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes (description | ioc | process):
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.objectuplz
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.objectuplz
-
Prevents application removal (1 TTP, 1 IoC)
Application may abuse the framework's APIs to prevent removal.
Processes (description | ioc | process):
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.objectuplz
-
Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
-
Requests accessing notifications (often used to intercept notifications before users become aware). (1 TTP, 1 IoC)
Processes (description | ioc | process):
  Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | com.objectuplz
-
Requests modifying system settings. (1 IoC)
Processes (description | ioc | process):
  Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | com.objectuplz
-
Checks CPU information (2 TTPs, 1 IoC)
Checks CPU information which indicates whether the system is an emulator.
-
Checks memory information (2 TTPs, 1 IoC)
Checks memory information which indicates whether the system is an emulator.
-
Loads dropped Dex/Jar (1 TTP, 2 IoCs)
Runs an executable file dropped to the device during analysis.
Processes (ioc | pid | process):
  /data/user/0/com.objectuplz/cache/cappfw | 4257 | com.objectuplz
  /data/user/0/com.objectuplz/cache/cappfw | 4257 | com.objectuplz
-
Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes (description | ioc | process):
  Framework service call | android.app.IActivityManager.setServiceForeground | com.objectuplz
-
Queries the mobile country code (MCC) (1 TTP, 1 IoC)
Processes (description | ioc | process):
  Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.objectuplz
-
Queries the phone number (MSISDN for GSM devices) (1 TTP)
-
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
Processes (description | ioc | process):
  Framework service call | android.app.IActivityManager.registerReceiver | com.objectuplz
-
Acquires the wake lock (1 IoC)
Processes (description | ioc | process):
  Framework service call | android.os.IPowerManager.acquireWakeLock | com.objectuplz
-
Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
-
Reads information about the phone network operator. (1 TTP)
-
Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTP, 1 IoC)
Processes (description | ioc | process):
  Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.objectuplz
-
Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
Processes (description | ioc | process):
  Framework API call | javax.crypto.Cipher.doFinal | com.objectuplz
Processes
-
com.objectuplz
- Makes use of the framework's Accessibility service
- Prevents application removal
- Removes its main activity from the application launcher
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests modifying system settings.
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
Downloads
-
/data/data/com.objectuplz/cache/cappfw
Filesize: 449KB
MD5: cc924dc334167c501498c4ef40d59921
SHA1: 88a01dff8c8b935bf69a689327b92e2e80129398
SHA256: 0f666170c574f1c32d3e0882f6f32706e9c231ec731dd4403806f801dfad7711
SHA512: 897b11c0fb4e376d002d22fd85a9c3e81173f9910d3274354ea51ed2b49897c43b0bc3f374d86654337cf887190f3c87dc2249d8f4ead86ab3d90e40b00d1803
-
/data/data/com.objectuplz/cache/oat/cappfw.cur.prof
Filesize: 553B
MD5: 8eb104e0dbd44e0dafe36eccae2c37bd
SHA1: ae60625523d53ac4277cc6399af04517672d389c
SHA256: cb2ec7d5768af1ebbfbfe6873039d015c6d925be622d8fc3710fd215605a7473
SHA512: 13a6011ff7a8302bee10b09b32fdd4c70928e35975699618eb5d61d5f5dbe587a962e19daf89572db4b8fd71e145c7001b03abf989dabffe013d295bb23f82bd
-
/data/data/com.objectuplz/kl.txt
Filesize: 28B
MD5: 6311c3fd15588bb5c126e6c28ff5fffe
SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6
-
/data/data/com.objectuplz/kl.txt
Filesize: 237B
MD5: 12ef99db92bdc3a68449d7d9fdb51bba
SHA1: bad0012807063e0e4ab5c17a67a20163aa24527e
SHA256: 8ef4fdebc3ee14d21454a65ac4079416e0de87581aac97f5de78876c3446ecd8
SHA512: 4a60c50f30a00f54e319b490be19adc85cd61cb05c20aed12617ba9f7405b2601ccfaf068f67d1fea17cf27c07af67cdcf1186b6830df228198d6d130763737c
-
/data/data/com.objectuplz/kl.txt
Filesize: 63B
MD5: 641094979f7a9fdcbd03f887fa640123
SHA1: 1ef65f9e29143ee4824600031f705f1c589d1f27
SHA256: 12354593e3f27088d3c563902ce8aecbc2ea00da0edde3248c879ecafc6bd9e9
SHA512: a188e3d79591ada732e65438b94cf8d7c3d9979abdb5480f7f71b7f1f854b0a2d60248dc3670cf830453564a89a61925c48c19ff8b77804b54811aedb6bee6bf
-
/data/data/com.objectuplz/kl.txt
Filesize: 63B
MD5: f9fdb4e1ec070fcdd2c3151c14faf247
SHA1: 34771dde42ee07aead76b0be70bfa27ee39e5591
SHA256: 829917f638a15050b2972dff43a25004771272fc4fab5889627016623b9a3d36
SHA512: 3b2851ac1ba40ad88c0ed9e0d199f3544b7b32097893103d98193e98c8e6de8a6e7a7fe9a8a791fcef05130a63f24c479e5015544515cc2af82bfad9527d88bc
-
/data/data/com.objectuplz/kl.txt
Filesize: 437B
MD5: ee8f4f7fee56df5fe0e9f81540268924
SHA1: ed01ec6aa6b2c0f260bba7c4762bc17690585732
SHA256: 710f97e43707cae92eddfc74ce0492badfa11cf0209d5f5d007128d1db761f14
SHA512: 04bbb0e95135cda2f40b378c501d9b127405727956877d55c2e85849c173d0ea5856cc954a101e8e350f37f73112ce3a3068dd261509aa2702fa32bbc45c5f8c