Analysis
-
max time kernel
179s -
max time network
188s -
platform
android_x64 -
resource
android-x64-arm64-20240624-en -
resource tags
-
submitted
29-06-2024 22:00
General
-
Target
0a42ab6887815857fdaaf0275a2f2c57532fa763bd13e1e4fe466e474a2cdac9.apk
-
Size
509KB
-
MD5
eb4721735a12e2bac8846079c5fbc06b
-
SHA1
5e7888e4f3de977827d91597966ed48d69d8ba45
-
SHA256
0a42ab6887815857fdaaf0275a2f2c57532fa763bd13e1e4fe466e474a2cdac9
-
SHA512
f7cb546e9e539de1efed6be2572c276fdcab6613ad59a963fbce82422787f5b7f958b0caa50ef35fd8db81ae5bdc41feec834938ef3892976a717e9f7cd96bb3
-
SSDEEP
12288:KcWdLyUp54OTyxah92rbNoPXc+8VkUZkiadp9bPHanKI:KcWd2sROwh92rGPp8VkUaz9T6nKI
Malware Config
Extracted
octo
https://basgaancosturuyor.com/YzBlNzk4NmVlZDA0/
https://biribasganidurdursunn.com/YzBlNzk4NmVlZDA0/
https://bassganndomaingitti.com/YzBlNzk4NmVlZDA0/
https://usomapompaliyorum.com/YzBlNzk4NmVlZDA0/
https://usomukarimyaptimbasgaaan.com/YzBlNzk4NmVlZDA0/
https://basgaaanpompaaa.com/YzBlNzk4NmVlZDA0/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.doorwent821⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/com.doorwent82/cache/oat/ykupphtiqb.cur.profFilesize
308B
MD5f96057f809befb30ffa5346a7b2aa3d6
SHA16a0f659566d4f5c3e35a988ac58d983188dc6ddb
SHA256d4e1a26af63255d39013351559c4942204f13fe35ffc6189677a72e89c741a1a
SHA51221fe9d3f3518bc9f1b1d086f90a95b1643ea8e5d00fdc2b3fca212ee0b75fa3a253c9c7aeb379dd0f0ae49c215109e0be76a2197207ac51063ba6416dd77a4e2
-
/data/data/com.doorwent82/cache/ykupphtiqbFilesize
448KB
MD58c952a0a3fbd41cae9892f319b16832c
SHA1b09571e00d0998140863b6049c87107e84d335c4
SHA256c46ddc0138114c6193993157ff1d429f78a5f4a4fbea9c6be713332b3e2548c1
SHA512a1bcc7579c3743628aadcbc0ab11a545600baaf8a6e6089ef69f49c71231a839395d29f35fac05115a2dea7c150ef92a21f035a6ea71c27aa66c32ffcb39f0de