Analysis
-
max time kernel
179s -
max time network
186s -
platform
android_x64 -
resource
android-33-x64-arm64-20240624-en -
resource tags
androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system -
submitted
24-06-2024 22:00
Static task
static1
Behavioral task
behavioral1
Sample
60bee559e356c794ccbca7a120f1cc76460b90c68bd1c64f753ffd24abc425ba.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
60bee559e356c794ccbca7a120f1cc76460b90c68bd1c64f753ffd24abc425ba.apk
Resource
android-33-x64-arm64-20240624-en
General
-
Target
60bee559e356c794ccbca7a120f1cc76460b90c68bd1c64f753ffd24abc425ba.apk
-
Size
509KB
-
MD5
7c08607aa0879fcfc4c976fe6cc3150e
-
SHA1
ffe31b078c976a8bdd6d6d4bfb526988ebac6a86
-
SHA256
60bee559e356c794ccbca7a120f1cc76460b90c68bd1c64f753ffd24abc425ba
-
SHA512
edd38df743d313a90dd1f92a7faa6eb854e21b3c9fd01f73fa490aac9811306d4ba44c9dc81ef8f6a45d3b8cc55d9de5592a31334617f68cb921688d52cbff56
-
SSDEEP
12288:w2RxAWYhWoSd44TiX1ZFEBh1NrMUDrv+yUdzvum:wNWYhWoSPiXeBh1GUDaXlp
Malware Config
Extracted
octo
https://mamudoilekeyfyap.com/YzBlNzk4NmVlZDA0/
https://mamudoiledostadogru.com/YzBlNzk4NmVlZDA0/
https://sigaracokhojdur1.com/YzBlNzk4NmVlZDA0/
https://günde5paketsigaraiciyom1.com/YzBlNzk4NmVlZDA0/
https://dertlikaygisiz04.com/YzBlNzk4NmVlZDA0/
https://kaygisizamamutlu04.com/YzBlNzk4NmVlZDA0/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
resource yara_rule behavioral2/files/fstream-1.dat family_octo -
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.countryhasizh/cache/wdkkl 4332 com.countryhasizh -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.countryhasizh Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.countryhasizh -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
description ioc Process Framework service call android.os.IPowerManager.acquireWakeLock com.countryhasizh -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.countryhasizh -
Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.countryhasizh android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.countryhasizh -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
description ioc Process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.countryhasizh -
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.countryhasizh -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.countryhasizh -
Requests modifying system settings. 1 IoCs
description ioc Process Intent action android.settings.action.MANAGE_WRITE_SETTINGS com.countryhasizh -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.countryhasizh
Processes
-
com.countryhasizh1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
PID:4332
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
349B
MD558eecf4e0655a9cb58d12dbea96feb5a
SHA16d00859be8f59ba5cb9f00a45c1b6666d27396e0
SHA256131ae0e4b42aea3d78a3b44dffa1fe1773272e8ac0c7a926932af0a577610268
SHA5122b9c9f5e3d13b93dae4b6e13b2315577d729fa8c107d12d3017e99ad01901d68d90ca9bf8152d0cd6d939b06e9f1e6117289ec05fae60fe2f25acf556d5ee2c7
-
Filesize
448KB
MD5750ac2fe33efc899782b499de077bf26
SHA16f4715b416c1a9fb5952af368ec463fb6b9062ff
SHA256a221e3d4e45107dfd1b10d5e74e201bce1eb372df70ebd2d8471e6ed97d39f71
SHA512482cadffa75f67c08d3ae83fa324a331d653b625463da02bf637c046bf026d92fedd103603856934313eed3895d38b00f643abcd1824b232bdb969a0a98496ff