Analysis
-
max time kernel
178s -
max time network
188s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system -
submitted
21-07-2024 22:02
Static task
static1
Behavioral task
behavioral1
Sample
b9a0de99378aece2abf03ae378be7026172e46b311a7f8744a9d447185e71c31.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
b9a0de99378aece2abf03ae378be7026172e46b311a7f8744a9d447185e71c31.apk
Resource
android-33-x64-arm64-20240624-en
General
-
Target
b9a0de99378aece2abf03ae378be7026172e46b311a7f8744a9d447185e71c31.apk
-
Size
298KB
-
MD5
d885e9cf0c70449771792ddedc96cc81
-
SHA1
d4ec438ee0e6035d55d7ac9f1462ad73c705493b
-
SHA256
b9a0de99378aece2abf03ae378be7026172e46b311a7f8744a9d447185e71c31
-
SHA512
309a9a48e8c99d095e2592131ec044f9d96a86157e28fae2f0e5b1c9d1e0854c67e87c4a39b5a81207f475681b623101dccc06486b6b7e5497ccab32103d44c7
-
SSDEEP
6144:fYSqVt5ol4fgb3b0+BkBUbHpDddCOdNR8pbNGnszlPIG:fYSqV/oGY/bGBmHpDddCOSpQslQG
Malware Config
Extracted
octo
https://2.57.149.238:7117/gate/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
com.nameown12description ioc process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.nameown12 Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.nameown12 -
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
Processes:
com.nameown12description ioc process Framework service call android.os.IPowerManager.acquireWakeLock com.nameown12 -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
com.nameown12description ioc process Framework service call android.app.IActivityManager.setServiceForeground com.nameown12 -
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
Processes:
com.nameown12ioc process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.nameown12 android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.nameown12 android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.nameown12 android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.nameown12 -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
Processes:
com.nameown12description ioc process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.nameown12 -
Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
Processes:
com.nameown12description ioc process Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS com.nameown12 -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
Processes:
com.nameown12description ioc process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.nameown12 -
Requests modifying system settings. 1 IoCs
Processes:
com.nameown12description ioc process Intent action android.settings.action.MANAGE_WRITE_SETTINGS com.nameown12 -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
com.nameown12description ioc process Framework service call android.app.IActivityManager.registerReceiver com.nameown12 -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
com.nameown12description ioc process Framework API call javax.crypto.Cipher.doFinal com.nameown12
Processes
-
com.nameown121⤵
- Removes its main activity from the application launcher
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)