Analysis
  max time kernel: 179s
  max time network: 135s
  platform: android_x86
  resource: android-x86-arm-20240624-en
  resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  submitted: 19-08-2024 22:02
Static task: static1
Behavioral task: behavioral1
  Sample: 59b82e078eb75cc5f5d2895dc59eecc12afd2eea7655ceec1604f8e4210b709d.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 59b82e078eb75cc5f5d2895dc59eecc12afd2eea7655ceec1604f8e4210b709d.apk
  Resource: android-x64-20240624-en
General
  Target: 59b82e078eb75cc5f5d2895dc59eecc12afd2eea7655ceec1604f8e4210b709d.apk
  Size: 2.3MB
  MD5: 66cd4c47328e8748415c5fe4a8a1046b
  SHA1: 955728a38880c76822f0233641757a1c041d7735
  SHA256: 59b82e078eb75cc5f5d2895dc59eecc12afd2eea7655ceec1604f8e4210b709d
  SHA512: b33b6b338e95e62bc42fa591bd41333c1f08772ffafc1069f7272f23af2878be5bb3d81ee733067fd98aa238ae3b614cb2073818a3755b02eb25c52d3cda321d
  SSDEEP: 49152:vCyYnlRQopKABHuv62OCVBnPhqX3dIkCtAbEHdJnMO8pLpxsIOg8T2md99QR3LO1:qyYnHQ+KAtuNlnJwdInt4E9JGtAION9Z
Malware Config
Extracted family: octo
Signatures
Octo
Octo is a banking malware family with remote access capabilities, first seen in April 2022.
Octo payload [2 IoCs]
Processes:
  resource | yara_rule
  /data/user/0/com.nameown12/app_head/CCNcNi.json | family_octo
  /data/user/0/com.nameown12/app_head/CCNcNi.json | family_octo

Loads dropped Dex/Jar [1 TTP, 2 IoCs]
Runs executable file dropped to the device during analysis.
Processes:
  ioc | pid | process
  /data/user/0/com.nameown12/app_head/CCNcNi.json | 4277 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.nameown12/app_head/CCNcNi.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.nameown12/app_head/oat/x86/CCNcNi.odex --compiler-filter=quicken --class-loader-context=&
  /data/user/0/com.nameown12/app_head/CCNcNi.json | 4249 | com.nameown12
Makes use of the framework's Accessibility service [4 TTPs, 2 IoCs]
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
  description | ioc | process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.nameown12
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.nameown12

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) [1 TTP]

Queries the phone number (MSISDN for GSM devices) [1 TTP]
Acquires the wake lock [1 IoC]
Processes:
  description | ioc | process
  Framework service call | android.os.IPowerManager.acquireWakeLock | com.nameown12

Makes use of the framework's foreground persistence service [1 TTP, 1 IoC]
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
  description | ioc | process
  Framework service call | android.app.IActivityManager.setServiceForeground | com.nameown12
Performs UI accessibility actions on behalf of the user [1 TTP, 4 IoCs]
Application may abuse the accessibility service to prevent its removal.
Processes:
  ioc | process
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.nameown12
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.nameown12
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.nameown12
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.nameown12
Queries the mobile country code (MCC) [1 TTP, 1 IoC]
Processes:
  description | ioc | process
  Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.nameown12

Queries the unique device ID (IMEI, MEID, IMSI) [1 TTP]

Requests accessing notifications (often used to intercept notifications before users become aware) [1 TTP, 1 IoC]
Processes:
  description | ioc | process
  Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | com.nameown12

Requests disabling of battery optimizations (often used to enable hiding in the background) [1 TTP, 1 IoC]
Processes:
  description | ioc | process
  Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.nameown12

Requests modifying system settings [1 IoC]
Processes:
  description | ioc | process
  Intent action | android.settings.action.MANAGE_WRITE_SETTINGS | com.nameown12

Registers a broadcast receiver at runtime (usually for listening for system events) [1 TTP, 1 IoC]
Processes:
  description | ioc | process
  Framework service call | android.app.IActivityManager.registerReceiver | com.nameown12

Uses Crypto APIs (might try to encrypt user data) [1 TTP, 1 IoC]
Processes:
  description | ioc | process
  Framework API call | javax.crypto.Cipher.doFinal | com.nameown12
Processes
1. com.nameown12 (PID 4249)
   - Removes its main activity from the application launcher
   - Loads dropped Dex/Jar
   - Makes use of the framework's Accessibility service
   - Acquires the wake lock
   - Makes use of the framework's foreground persistence service
   - Performs UI accessibility actions on behalf of the user
   - Queries the mobile country code (MCC)
   - Requests accessing notifications (often used to intercept notifications before users become aware)
   - Requests disabling of battery optimizations (often used to enable hiding in the background)
   - Requests modifying system settings
   - Registers a broadcast receiver at runtime (usually for listening for system events)
   - Uses Crypto APIs (might try to encrypt user data)
2. /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.nameown12/app_head/CCNcNi.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.nameown12/app_head/oat/x86/CCNcNi.odex --compiler-filter=quicken --class-loader-context=& (PID 4277)
   - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (2)
  - Suppress Application Icon (1)
  - User Evasion (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
Credential Access
- Access Notifications (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)
Discovery
- Software Discovery (1)
  - Security Software Discovery (1)
- System Network Configuration Discovery (3)
Downloads