Analysis
- max time kernel: 60s
- max time network: 179s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 22-07-2024 22:00
Static task: static1
Behavioral task: behavioral1
- Sample: bd95907e66c93f53f9fe830ec3108e07a475964a93914dd0032f15be752fc8c8.apk
- Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
- Sample: bd95907e66c93f53f9fe830ec3108e07a475964a93914dd0032f15be752fc8c8.apk
- Resource: android-x64-arm64-20240624-en
General
- Target: bd95907e66c93f53f9fe830ec3108e07a475964a93914dd0032f15be752fc8c8.apk
- Size: 509KB
- MD5: afb2cce1bf58da154966d1387302adcf
- SHA1: e3b9677132dd82dbd22e9d724f566f323ab675b9
- SHA256: bd95907e66c93f53f9fe830ec3108e07a475964a93914dd0032f15be752fc8c8
- SHA512: 408a41dcdf0f9b9ac7b43a288971d1f93fdc8fef57f59b3781be64e22bab9b7522804ee9e8ce2937565e994ee8a207432c60bf36921cb8c3c8db1d4e9b51e5b8
- SSDEEP: 12288:gaaYRfl1tdN5U5yvBxK94fw09PoNVdMLJVnYiDFKSnAjb:1a4fl1o5yvWcJVnYiDFKSnAjb
Malware Config
Extracted: octo
- https://kesmecekarpuz.site/NGE2Y2RjYjdmYjg3/
- https://kesmecekarpuz.com/NGE2Y2RjYjdmYjg3/
- https://kesmecekarpuz145.com/NGE2Y2RjYjdmYjg3/
- https://kesmecekarpuz878.com/NGE2Y2RjYjdmYjg3/
- https://kesmecekarpuz5446.com/NGE2Y2RjYjdmYjg3/
- https://kesmecekarpuz8455.com/NGE2Y2RjYjdmYjg3/
Signatures
- Octo
  Octo is a banking malware with remote access capabilities, first seen in April 2022.
- Octo payload (1 IoC)
  Processes:
  - resource: /data/data/com.travelcomplete1/cache/ygtjrnlurznkwhf; yara_rule: family_octo
- Loads dropped Dex/Jar (1 TTP, 2 IoCs)
  Runs an executable file dropped to the device during analysis.
  Processes: com.travelcomplete1
  - ioc: /data/user/0/com.travelcomplete1/cache/ygtjrnlurznkwhf; pid: 4250; process: com.travelcomplete1
  - ioc: /data/user/0/com.travelcomplete1/cache/ygtjrnlurznkwhf; pid: 4250; process: com.travelcomplete1
- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Processes: com.travelcomplete1
  - description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId; process: com.travelcomplete1
  - description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId; process: com.travelcomplete1
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Queries the phone number (MSISDN for GSM devices) (1 TTP)
- Acquires the wake lock (1 IoC)
  Processes: com.travelcomplete1
  - description: Framework service call; ioc: android.os.IPowerManager.acquireWakeLock; process: com.travelcomplete1
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  The application may abuse the framework's foreground service to continue running in the foreground.
  Processes: com.travelcomplete1
  - description: Framework service call; ioc: android.app.IActivityManager.setServiceForeground; process: com.travelcomplete1
- Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)
  The application may abuse the accessibility service to prevent its removal.
  Processes: com.travelcomplete1
  - ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction; process: com.travelcomplete1
  - ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction; process: com.travelcomplete1
  - ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction; process: com.travelcomplete1
  - ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction; process: com.travelcomplete1
- Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  Processes: com.travelcomplete1
  - description: Framework service call; ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone; process: com.travelcomplete1
- Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
- Requests access to notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  Processes: com.travelcomplete1
  - description: Intent action; ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS; process: com.travelcomplete1
- Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  Processes: com.travelcomplete1
  - description: Intent action; ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS; process: com.travelcomplete1
- Requests permission to modify system settings (1 IoC)
  Processes: com.travelcomplete1
  - description: Intent action; ioc: android.settings.action.MANAGE_WRITE_SETTINGS; process: com.travelcomplete1
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  Processes: com.travelcomplete1
  - description: Framework service call; ioc: android.app.IActivityManager.registerReceiver; process: com.travelcomplete1
- Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  Processes: com.travelcomplete1
  - description: Framework API call; ioc: javax.crypto.Cipher.doFinal; process: com.travelcomplete1
Processes
- com.travelcomplete1
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests access to notifications (often used to intercept notifications before users become aware)
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Requests permission to modify system settings
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Uses Crypto APIs (might try to encrypt user data)
Downloads
- /data/data/com.travelcomplete1/cache/oat/ygtjrnlurznkwhf.cur.prof
  - Filesize: 440B
  - MD5: dc18d6073847e15f2d6cd6b92ed6fb4f
  - SHA1: 9e29dc434f72fbef93ec648a444f814b72deb752
  - SHA256: 2290174da49b0e3ebec09f16dbfaffe13bacaf83a5256478f70dd47f6442aa08
  - SHA512: a8b4a13cb3a914198c7df0f3b56d71575e8dfb3b547a00ccdf4cf2d43246cbc2922c15193dbf2b0d70a20c7402850d2f1c0711f4f31a1ae7a0afffe80ef59d85
- /data/data/com.travelcomplete1/cache/ygtjrnlurznkwhf
  - Filesize: 448KB
  - MD5: 9311254a361332c925eecbf251c5abe3
  - SHA1: 1a9d614d80e543d4c97d591d35f83548aa608a65
  - SHA256: 8d468f0a8ffe5d285d79350bb46ca8ab283901e48e1989a1087605a94a6621c0
  - SHA512: 39fbf6f988d0b47c567c7cbc66a7b3e22ad2472bc3147cb66e27d4b53db249b5955a3a9eba51d8873e9fd4b6b8780a2865cac2c7f0b1e60fd904ab2c21dcff24