Analysis
- max time kernel: 179s
- max time network: 132s
- platform: android_x64
- resource: android-x64-arm64-20240514-en
- resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240514-en, locale:en-us, os:android-11-x64, system
- submitted: 29-05-2024 21:15
Static task: static1
Behavioral task: behavioral1
- Sample: 9209036c1ed5a6667160aff616060f2590a533bc723dc1834070d7337d37a529.apk
- Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
- Sample: 9209036c1ed5a6667160aff616060f2590a533bc723dc1834070d7337d37a529.apk
- Resource: android-x64-arm64-20240514-en
General
- Target: 9209036c1ed5a6667160aff616060f2590a533bc723dc1834070d7337d37a529.apk
- Size: 541KB
- MD5: ac3ed42f2f086c8f2365dfd69e9d293f
- SHA1: ad4de654ef5132a4d1376f029c6a9c6532e0ec85
- SHA256: 9209036c1ed5a6667160aff616060f2590a533bc723dc1834070d7337d37a529
- SHA512: 6fc7e2d4d7e0d416216d009a9cf992045857394a64720be1674290701143a51bc6ca5ac27df3bcdcd7dcc068822bcf1b5a14ad0eece6bc7252da0eb2a47fe384
- SSDEEP: 12288:Nts8AzI81cC/go8OaxwAcH6kTw4xq0P6CFwoy2I22KzwHdu18T3nZ:NN+I81cF7DRkS0Pi2AH9JT3nZ
Malware Config
Extracted family: octo
- https://moneycsffhgm7.shop/MmExODA3MDAzZjA5/
- https://moneycsasfasfh.com/MmExODA3MDAzZjA5/
- https://moneycsasfasfh.net/MmExODA3MDAzZjA5/
- https://2moneycsasfasfh.net/MmExODA3MDAzZjA5/
- https://2moneycsasfasfh.com/MmExODA3MDAzZjA5/
- https://3moneycsasfasfh.com/MmExODA3MDAzZjA5/
Signatures
- Octo
  Octo is a banking malware with remote access capabilities first seen in April 2022.
- Octo payload (1 IoC)
  Processes (resource | yara_rule):
  /data/user/0/com.objectuplz/cache/cappfw | family_octo
- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Processes (description | ioc | process):
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.objectuplz
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.objectuplz
- Prevents application removal (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to prevent removal.
  Processes (description | ioc | process):
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.objectuplz
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Requests accessing notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  Processes (description | ioc | process):
  Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | com.objectuplz
- Requests modifying system settings (1 IoC)
  Processes (description | ioc | process):
  Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | com.objectuplz
- Checks CPU information (2 TTPs, 1 IoC)
  Checks CPU information which indicates whether the system is an emulator.
- Checks memory information (2 TTPs, 1 IoC)
  Checks memory information which indicates whether the system is an emulator.
- Loads dropped Dex/Jar (1 TTP, 2 IoCs)
  Runs an executable file dropped to the device during analysis.
  Processes (ioc | pid | process):
  /data/user/0/com.objectuplz/cache/cappfw | 4578 | com.objectuplz
  /data/user/0/com.objectuplz/cache/cappfw | 4578 | com.objectuplz
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Processes (description | ioc | process):
  Framework service call | android.app.IActivityManager.setServiceForeground | com.objectuplz
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
- Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  Processes (description | ioc | process):
  Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.objectuplz
- Queries the phone number (MSISDN for GSM devices) (1 TTP)
- Acquires the wake lock (1 IoC)
  Processes (description | ioc | process):
  Framework service call | android.os.IPowerManager.acquireWakeLock | com.objectuplz
- Reads information about the phone network operator (1 TTP)
- Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  Processes (description | ioc | process):
  Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.objectuplz
- Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  Processes (description | ioc | process):
  Framework API call | javax.crypto.Cipher.doFinal | com.objectuplz
Processes
- com.objectuplz
  - Makes use of the framework's Accessibility service
  - Prevents application removal
  - Requests accessing notifications (often used to intercept notifications before users become aware)
  - Requests modifying system settings
  - Checks CPU information
  - Checks memory information
  - Loads dropped Dex/Jar
  - Makes use of the framework's foreground persistence service
  - Obtains sensitive information copied to the device clipboard
  - Queries the mobile country code (MCC)
  - Acquires the wake lock
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Uses Crypto APIs (might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Downloads
- /data/user/0/com.objectuplz/cache/cappfw
  Filesize: 449KB
  MD5: cc924dc334167c501498c4ef40d59921
  SHA1: 88a01dff8c8b935bf69a689327b92e2e80129398
  SHA256: 0f666170c574f1c32d3e0882f6f32706e9c231ec731dd4403806f801dfad7711
  SHA512: 897b11c0fb4e376d002d22fd85a9c3e81173f9910d3274354ea51ed2b49897c43b0bc3f374d86654337cf887190f3c87dc2249d8f4ead86ab3d90e40b00d1803
- /data/user/0/com.objectuplz/cache/oat/cappfw.cur.prof
  Filesize: 323B
  MD5: f0c4015179869f2c089223f800cfba49
  SHA1: 00b01f52d5d695dced5a0ebb8738c7c347bbd866
  SHA256: c13294542091c8e3cf22612e2cb4c1c9a3504050b2ddb9dc051485855d335a1f
  SHA512: e1e88612cca4def1ed634cb2bf96ed459eece54b20fd243c195a15b5ac20cb23f6639d9eaeb063b524e29360cf7395c215474a9cb8574dcd95bb17d0c9e4076c
- /data/user/0/com.objectuplz/kl.txt
  Filesize: 28B
  MD5: 6311c3fd15588bb5c126e6c28ff5fffe
  SHA1: ce81d136fce31779f4dd62e20bdaf99c91e2fc57
  SHA256: 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
  SHA512: 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6
- /data/user/0/com.objectuplz/kl.txt
  Filesize: 237B
  MD5: fcdcc703df5b59e552dbc28d31338931
  SHA1: ae834033b9fd8047a95585f0cf349f2587aea4ab
  SHA256: 0864e9e2d175a642307ef4550d6710115663cefc540c2ea06b43ded6d72171cf
  SHA512: 4aa5caa7e42e0f058621f6b88792f9bccd027c9debf9ff9246286d8569b09c967ae4d168dc90ec52a65462b516e9d92adbba37ed6ecfae7a0dd5567c8659619d
- /data/user/0/com.objectuplz/kl.txt
  Filesize: 63B
  MD5: 52cf3525079e3012bba32815f4ef6895
  SHA1: 9a02fe5935bd2d4cc2b333c1b7939d4264de457c
  SHA256: 74349c5266bab8f15f8472c482bd1f9921af331f7121c9532b730688e6e99b2e
  SHA512: 64cf15861363a90e91c9f4376d6b285085cc214051c06f7383fea9eb6da8e8d5630d8d5c2aef639712e94c801eea090f10cff0b756cde76083636d0e931d29e5
- /data/user/0/com.objectuplz/kl.txt
  Filesize: 75B
  MD5: 12a624f32df756e96632a223e9d0349f
  SHA1: 5b276e9934b26d5e932660638dfbaa0d68113e3c
  SHA256: 4bb6d565a24a52bc385598cc9e0f00af6f4fcb18901be88779a0fddcf74691f0
  SHA512: 9b6515515ea83276291806cad1f33a3313374a78a19e2d378270226d372f98162fd6ef7dad98fb0bf4ca1bfbd2e15eb2c401e15711e890363754650cf1646d28
- /data/user/0/com.objectuplz/kl.txt
  Filesize: 63B
  MD5: db276965d15c9233dc250e0e0f0a74e6
  SHA1: 7fe752fb22bbd26b97a61a9f4689caaec757b607
  SHA256: b63f4c57a0e29fd3c7403c96d0db5bc45ef4bc9ddea9d78e2f1b80ae31283e8c
  SHA512: 1a2c0f89dd345612de27694b511585b23f544cc083a6b1c10e239f35f210c71e7d5b7b5062381ca97f25c9cf720f82e9151cf14368455f2dbcefd67f0dc2bf80