Analysis

  • max time kernel
    60s
  • max time network
    179s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    22-07-2024 22:00

General

  • Target

    bd95907e66c93f53f9fe830ec3108e07a475964a93914dd0032f15be752fc8c8.apk

  • Size

    509KB

  • MD5

    afb2cce1bf58da154966d1387302adcf

  • SHA1

    e3b9677132dd82dbd22e9d724f566f323ab675b9

  • SHA256

    bd95907e66c93f53f9fe830ec3108e07a475964a93914dd0032f15be752fc8c8

  • SHA512

    408a41dcdf0f9b9ac7b43a288971d1f93fdc8fef57f59b3781be64e22bab9b7522804ee9e8ce2937565e994ee8a207432c60bf36921cb8c3c8db1d4e9b51e5b8

  • SSDEEP

    12288:gaaYRfl1tdN5U5yvBxK94fw09PoNVdMLJVnYiDFKSnAjb:1a4fl1o5yvWcJVnYiDFKSnAjb

Malware Config

Extracted

Family

octo

C2


AES_key

Signatures

  • Octo
    Octo is banking malware with remote-access capabilities, first seen in April 2022.
  • Octo payload (1 IoC)
  • Removes its main activity from the application launcher (1 TTP, 1 IoC)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)
    Runs an executable file dropped to the device during analysis.
  • Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
    Retrieves information displayed on the phone screen using AccessibilityService.
  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
  • Queries the phone number (MSISDN for GSM devices) (1 TTP)
  • Acquires the wake lock (1 IoC)
  • Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
    The application may abuse the framework's foreground service to continue running in the foreground.
  • Performs UI accessibility actions on behalf of the user (1 TTP, 4 IoCs)
    The application may abuse the accessibility service to prevent its removal.
  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Queries the unique device ID (IMEI, MEID, IMSI) (1 TTP)
  • Requests access to notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Requests modifying system settings (1 IoC)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)

Processes

  • com.travelcomplete1 (PID 4250)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests access to notifications (often used to intercept notifications before users become aware)
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Requests modifying system settings
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (might try to encrypt user data)

Downloads

  • /data/data/com.travelcomplete1/cache/oat/ygtjrnlurznkwhf.cur.prof
    Filesize

    440B

    MD5

    dc18d6073847e15f2d6cd6b92ed6fb4f

    SHA1

    9e29dc434f72fbef93ec648a444f814b72deb752

    SHA256

    2290174da49b0e3ebec09f16dbfaffe13bacaf83a5256478f70dd47f6442aa08

    SHA512

    a8b4a13cb3a914198c7df0f3b56d71575e8dfb3b547a00ccdf4cf2d43246cbc2922c15193dbf2b0d70a20c7402850d2f1c0711f4f31a1ae7a0afffe80ef59d85

  • /data/data/com.travelcomplete1/cache/ygtjrnlurznkwhf
    Filesize

    448KB

    MD5

    9311254a361332c925eecbf251c5abe3

    SHA1

    1a9d614d80e543d4c97d591d35f83548aa608a65

    SHA256

    8d468f0a8ffe5d285d79350bb46ca8ab283901e48e1989a1087605a94a6621c0

    SHA512

    39fbf6f988d0b47c567c7cbc66a7b3e22ad2472bc3147cb66e27d4b53db249b5955a3a9eba51d8873e9fd4b6b8780a2865cac2c7f0b1e60fd904ab2c21dcff24