Analysis
-
max time kernel
178s -
max time network
187s -
platform
android_x64 -
resource
android-33-x64-arm64-20240611.1-en -
resource tags
-
submitted
23-06-2024 00:21
General
-
Target
e2dcffa9b4452ef0d3baa1877b6a668bddac2170bdbbff3496f16b20362618c8.apk
-
Size
509KB
-
MD5
3621af837441ffe4fb3b59d5ecb6db06
-
SHA1
09e2762dcd03294f865feb94c2e736427a8d18b2
-
SHA256
e2dcffa9b4452ef0d3baa1877b6a668bddac2170bdbbff3496f16b20362618c8
-
SHA512
3e5a3549e6bf89d724a812542d03dd67dd9dce5cb458b9b51182ff7f0018bae12ef33b4995936981c3c65409d8f49fb5d592e0b3220b78f2527e88113e66e4fa
-
SSDEEP
12288:Z0wVXoWMKFXdHDET4TXAeQ2T8NvRmZLGE:yCBnFXdHDEMd8xIZLb
Malware Config
Extracted
octo
https://mamudoilekeyfyap.com/YzBlNzk4NmVlZDA0/
https://mamudoiledostadogru.com/YzBlNzk4NmVlZDA0/
https://sigaracokhojdur1.com/YzBlNzk4NmVlZDA0/
https://günde5paketsigaraiciyom1.com/YzBlNzk4NmVlZDA0/
https://dertlikaygisiz04.com/YzBlNzk4NmVlZDA0/
https://kaygisizamamutlu04.com/YzBlNzk4NmVlZDA0/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.fullbackcx1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/com.fullbackcx/cache/hetgmhfksaFilesize
448KB
MD512db434b4e2ba94716a6242217a53909
SHA1b92fce5391b7d6e1b82ad674b3d3f2aa0be98ce8
SHA2568a05f6119584b09ca697ef2cf35274889c47a032561e1d07599f3e8416f2f8c6
SHA512ea356079366ca2428dd56e0484430c4a420d11409e2798c52c11e8670b3733a86fb0a51b64eb717802a84cd4d7ed5262e8a0e120cef403c149300e7cbd99727b
-
/data/data/com.fullbackcx/cache/oat/hetgmhfksa.cur.profFilesize
367B
MD57242e336ec99d0d2b1c6a72a8c949a7e
SHA12cf8b3ce7df804a108d6cbbbe908950308348ece
SHA256535dc12fc35c2908b688aba6dfe4144460ad66e4c4c4fc29789f75e6737e3891
SHA512dbd01718104a49e5191d72e3cb6897147852b6ee6d40ab9164b5598537d862ee66a686334fbe72b501edf13e6ef4e4a71f8ab55c6e4038342119af0dba78e5c5