Analysis

  • max time kernel
    179s
  • max time network
    135s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android
    arch:arm
    arch:x86
    image:android-x86-arm-20240624-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    19-08-2024 22:02

General

  • Target
    59b82e078eb75cc5f5d2895dc59eecc12afd2eea7655ceec1604f8e4210b709d.apk
  • Size
    2.3MB
  • MD5
    66cd4c47328e8748415c5fe4a8a1046b
  • SHA1
    955728a38880c76822f0233641757a1c041d7735
  • SHA256
    59b82e078eb75cc5f5d2895dc59eecc12afd2eea7655ceec1604f8e4210b709d
  • SHA512
    b33b6b338e95e62bc42fa591bd41333c1f08772ffafc1069f7272f23af2878be5bb3d81ee733067fd98aa238ae3b614cb2073818a3755b02eb25c52d3cda321d
  • SSDEEP
    49152:vCyYnlRQopKABHuv62OCVBnPhqX3dIkCtAbEHdJnMO8pLpxsIOg8T2md99QR3LO1:qyYnHQ+KAtuNlnJwdInt4E9JGtAION9Z

Malware Config

Extracted

  • Family
    octo
  • C2
    https://rasfaktsstumahozexe.xyz/MWIzNjIyMDkyZWRl/
    https://zsdakurapssoymaiveno.xyz/MWIzNjIyMDkyZWRl/
    https://yasweamnanass.xyz/MWIzNjIyMDkyZWRl/
    https://rsocretessadazexe.xyz/MWIzNjIyMDkyZWRl/
    https://trabzooskaasassuheno.xyz/MWIzNjIyMDkyZWRl/
    https://zeblinaslass2a.xyz/MWIzNjIyMDkyZWRl/
    https://vorlaximoza.xyz/MWIzNjIyMDkyZWRl/
    https://tremaxisope.xyz/MWIzNjIyMDkyZWRl/
    https://xanovirexa.xyz/MWIzNjIyMDkyZWRl/
    https://gromivlexa.xyz/MWIzNjIyMDkyZWRl/
    https://zivoronexa.xyz/MWIzNjIyMDkyZWRl/
    https://felmaxirova.xyz/MWIzNjIyMDkyZWRl/
    https://termaxuliza.xyz/MWIzNjIyMDkyZWRl/
    https://kalivronexa.xyz/MWIzNjIyMDkyZWRl/
    https://xerovisuma.xyz/MWIzNjIyMDkyZWRl/
  • rc4.plain

Extracted

  • Family
    octo
  • C2
    (the same fifteen URLs as in the first record above)
  • AES_key
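Both extraction records carry the same fifteen C2 URLs: every host is on a .xyz domain and every URL ends in the same path segment, MWIzNjIyMDkyZWRl. The Python below is an added example (it is neither part of this report nor Octo's own code): it reduces the list to hostnames for a block-list, base64-decodes the shared path segment, and matches the hosts against a few constructed dnsmasq-style query lines. The log lines, client addresses and log format are assumptions made for illustration; the report does not say what the decoded segment denotes, so treating it as a campaign or build tag is a guess.

```python
import base64
import re
from collections import Counter
from urllib.parse import urlparse

# C2 URLs copied verbatim from the extracted Octo configuration above.
OCTO_C2 = [
    "https://rasfaktsstumahozexe.xyz/MWIzNjIyMDkyZWRl/",
    "https://zsdakurapssoymaiveno.xyz/MWIzNjIyMDkyZWRl/",
    "https://yasweamnanass.xyz/MWIzNjIyMDkyZWRl/",
    "https://rsocretessadazexe.xyz/MWIzNjIyMDkyZWRl/",
    "https://trabzooskaasassuheno.xyz/MWIzNjIyMDkyZWRl/",
    "https://zeblinaslass2a.xyz/MWIzNjIyMDkyZWRl/",
    "https://vorlaximoza.xyz/MWIzNjIyMDkyZWRl/",
    "https://tremaxisope.xyz/MWIzNjIyMDkyZWRl/",
    "https://xanovirexa.xyz/MWIzNjIyMDkyZWRl/",
    "https://gromivlexa.xyz/MWIzNjIyMDkyZWRl/",
    "https://zivoronexa.xyz/MWIzNjIyMDkyZWRl/",
    "https://felmaxirova.xyz/MWIzNjIyMDkyZWRl/",
    "https://termaxuliza.xyz/MWIzNjIyMDkyZWRl/",
    "https://kalivronexa.xyz/MWIzNjIyMDkyZWRl/",
    "https://xerovisuma.xyz/MWIzNjIyMDkyZWRl/",
]


def normalise_c2(urls):
    """Return (hosts, tlds, path_tag) for a list of C2 URLs.

    hosts    : sorted list of distinct hostnames (what a DNS/proxy block-list needs)
    tlds     : Counter of top-level domains
    path_tag : the decoded path segment shared by every URL, the raw segment if
               it is not base64, or None if the URLs do not agree on one
    """
    hosts, tlds, segments = set(), Counter(), set()
    for url in urls:
        host = urlparse(url).hostname  # already lower-cased by urlparse
        if not host:
            continue
        hosts.add(host)
        tlds[host.rsplit(".", 1)[-1]] += 1
        seg = urlparse(url).path.strip("/")
        if seg:
            segments.add(seg)
    path_tag = None
    if len(segments) == 1:
        (seg,) = segments
        try:
            path_tag = base64.b64decode(seg, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            path_tag = seg
    return sorted(hosts), tlds, path_tag


# Constructed sample DNS log (not from the report), dnsmasq-style
# "query[A] <name> from <client>" lines, to exercise the match loop.
SAMPLE_DNS_LOG = """\
Aug 19 22:03:01 dnsmasq[812]: query[A] connectivitycheck.gstatic.com from 10.0.0.23
Aug 19 22:03:04 dnsmasq[812]: query[A] rasfaktsstumahozexe.xyz from 10.0.0.23
Aug 19 22:03:09 dnsmasq[812]: query[A] www.example.org from 10.0.0.41
Aug 19 22:03:12 dnsmasq[812]: query[A] XEROVISUMA.XYZ from 10.0.0.23
Aug 19 22:03:15 dnsmasq[812]: query[A] sub.vorlaximoza.xyz from 10.0.0.23
"""

QUERY_RE = re.compile(r"query\[\w+\]\s+(\S+)\s+from\s+(\S+)")


def match_dns_log(log_text, hosts):
    """Return (client, queried_name, matched_c2) for every query that names a
    C2 host or a subdomain of one; the comparison is case-insensitive."""
    c2 = {h.lower() for h in hosts}
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name, client = m.group(1).lower().rstrip("."), m.group(2)
        for h in c2:
            if name == h or name.endswith("." + h):
                hits.append((client, name, h))
                break
    return hits


if __name__ == "__main__":
    hosts, tlds, tag = normalise_c2(OCTO_C2)
    print(f"{len(hosts)} C2 hosts, TLDs={dict(tlds)}, shared path tag={tag!r}")
    for client, name, h in match_dns_log(SAMPLE_DNS_LOG, hosts):
        print(f"ALERT {client} resolved {name} (C2 {h})")
```

The shared segment decodes to the ASCII string 1b3622092ede, which is the same for all fifteen hosts; when hunting, match on hostnames rather than on that path, since TLS hides the path from a network sensor and only the SNI/DNS name is visible.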

Signatures

  • Octo

    Octo is an Android banking trojan with remote-access (RAT) capabilities, first seen in April 2022.

  • Octo payload 2 IoCs
  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Loads and runs a DEX/JAR code file that was dropped onto the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests modifying system settings. 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
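Most of the behaviours listed above (accessibility service, notification access, foreground service, battery-optimization and settings requests, device-identifier and installed-app queries) are gated by specific Android permissions or service bind permissions, so a first triage can be done statically on the manifest before running the sample. The Python below is an added example, not part of this report and not the sandbox's own rule set: it scans a decoded AndroidManifest.xml (run apktool or a similar tool first; the binary AXML inside the APK must be converted to text) for those permissions and bind-protected services and counts them as a crude score. The two manifests are constructed for illustration and are not the manifest of this sample; the permission-to-behaviour mapping is this example's own.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree spelling of the android: attribute prefix

# Standard Android permission names mapped to the behaviours they enable.
# The mapping is this example's own; it is not the sandbox's signature logic.
PERMISSION_FLAGS = {
    "android.permission.QUERY_ALL_PACKAGES": "queries the list of installed applications",
    "android.permission.READ_PHONE_STATE": "can query IMEI/MEID/IMSI and MSISDN",
    "android.permission.WAKE_LOCK": "can acquire a wake lock",
    "android.permission.FOREGROUND_SERVICE": "foreground persistence service",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "asks to disable battery optimizations",
    "android.permission.WRITE_SETTINGS": "asks to modify system settings",
}
# A <service> guarded by one of these bind permissions is how an app plugs
# into AccessibilityService or NotificationListenerService.
SERVICE_FLAGS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
}


def triage_manifest(manifest_xml):
    """Scan a decoded (text) AndroidManifest.xml and return the suspicious
    features found; the score is simply the number of findings."""
    root = ET.fromstring(manifest_xml)
    findings = []
    declared = {e.get(A + "name") for e in root.iter("uses-permission")}
    for perm, why in PERMISSION_FLAGS.items():
        if perm in declared:
            findings.append(why)
    for svc in root.iter("service"):
        bind_perm = svc.get(A + "permission")
        if bind_perm in SERVICE_FLAGS:
            findings.append(f"{SERVICE_FLAGS[bind_perm]}: {svc.get(A + 'name')}")
    # Hiding the launcher icon is done at runtime (PackageManager
    # .setComponentEnabledSetting) and leaves no trace in the manifest; all the
    # manifest can tell us is whether a MAIN/LAUNCHER activity exists to hide.
    has_launcher = any(
        "android.intent.action.MAIN" in {a.get(A + "name") for a in f.iter("action")}
        and "android.intent.category.LAUNCHER" in {c.get(A + "name") for c in f.iter("category")}
        for act in root.iter("activity")
        for f in act.iter("intent-filter")
    )
    return {
        "package": root.get("package"),
        "findings": findings,
        "has_launcher_activity": has_launcher,
        "score": len(findings),
    }


# Constructed manifests for illustration; neither is this sample's manifest.
SUSPICIOUS_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.banker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], "score", r["score"], r["findings"])
```

A high score here is a reason to look closer, not a verdict: screen readers, parental-control and MDM apps legitimately hold the accessibility and notification bind permissions, and the two signatures that matter most at runtime (the launcher entry being removed and the dropped DEX being loaded) are invisible in the manifest, which is why a dynamic run such as this report is still needed.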

Processes

  • com.nameown12
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests modifying system settings.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4249
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.nameown12/app_head/CCNcNi.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.nameown12/app_head/oat/x86/CCNcNi.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4277

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/com.nameown12/app_head/CCNcNi.json
    Filesize
      152KB
    MD5
      566ad427d1f71c551769dcd3a6b1b914
    SHA1
      328b1951ac2ce7c21509736d3ffbb5f5062ab36f
    SHA256
      d8c700917dcc5ab6db0e9f94ee12e1847d713092cbba550bbb166df36db87f93
    SHA512
      220f37ab1a006c8eda3c1d1601e12dfedd8ca0aab7498dd609809e007e09ddf0c771aa6d79937303856d2d11301960e72b7f16d2afb5dafb5222f4bc53baeef5

  • /data/data/com.nameown12/app_head/CCNcNi.json
    Filesize
      152KB
    MD5
      468fbe32c21fd7461418d05ec58092ed
    SHA1
      d0e562a42a682de5eee2c3ff360258dfdb8992b8
    SHA256
      86d2d3b700e2ae875214e52b55de97ec7c75a0a9ee8f56fe97c1fd84af8a8f65
    SHA512
      9c035f3d821cf8db79102c432d853b848fdd42ecf9f3e16656dcdc8cc202c67575ed19823e8a0815ba849b3e6e6364ef84fc22c1f568a253e4e4d0f542dc9e13

  • /data/user/0/com.nameown12/app_head/CCNcNi.json
    Filesize
      450KB
    MD5
      40ea36e2dda81f4856dc5d0545a779eb
    SHA1
      ca2d28f1a95c503cb8320d427098648c7c5ba250
    SHA256
      0d476dcc27039cdbd53c936704a1bc2fabf53cd104aadbe7208288af436d1e92
    SHA512
      abd3b00074ee8d22de663577e0b70a19f5ec06e05d4ad376225eb062730d21b15746df97932beaab650159b51e1cbc33fe48a1a37a2cd136edb7cabc4ec9784e

  • /data/user/0/com.nameown12/app_head/CCNcNi.json
    Filesize
      450KB
    MD5
      1377d3ee7ef5c3e6bd09e92cd4d1ba8b
    SHA1
      cf46faacb5d149b5bfcf9c3055083303f40a3c07
    SHA256
      bf1d5ce9c65d3bf2a6a6504352ab4e94854e47dc4e687011a97ff2b3548cde1b
    SHA512
      067e46e7eb98ef72eae2d77d4adea6cd804830d73c6be40827ccbb385415384244bb8482a43dada7864ab68ff0fdea66e2e43898a614a5a558ba265fa20c1997
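The process tree and the download list together describe the "Loads dropped Dex/Jar" behaviour: the app writes a file named CCNcNi.json into its private app_head directory, and the system's dex2oat is then invoked on that path, which is what a real DEX or JAR triggers and a JSON document never would. The same path is listed four times with four different hashes (152KB twice, 450KB twice), so the file's contents changed during the run; /data/data/<pkg> and /data/user/0/<pkg> are the same directory on Android, the former being a symlink to the latter. The Python below is an added example, not part of this report, covering both the process-tree check and the dropped-file check: it parses a dex2oat command line, flags code compiled from an app's private data directory under a non-code extension, and identifies a dropped file by its header bytes rather than its name. The command line is copied from the process tree above (truncated where the report truncates it); the two sample headers are constructed and are not the contents of CCNcNi.json.

```python
import os
import shlex

# /data/data/<pkg> is a symlink to /data/user/0/<pkg> on Android, which is why
# the report lists the same dropped file under both paths.
APP_DATA_PREFIXES = ("/data/user/0/", "/data/data/")
# Extensions under which ART normally expects to find code to compile.
CODE_EXTENSIONS = {".dex", ".jar", ".apk", ".zip", ".odex", ".vdex"}

# dex2oat command line from the process tree above, as the report shows it
# (it is cut off after --class-loader-context=).
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m "
    "--runtime-arg -Xmx512m --instruction-set-variant=x86 "
    "--instruction-set-features=default --inline-max-code-units=0 "
    "--compact-dex-level=none "
    "--dex-file=/data/user/0/com.nameown12/app_head/CCNcNi.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/com.nameown12/app_head/oat/x86/CCNcNi.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)


def parse_dex2oat(cmdline):
    """Return the --key=value options of a dex2oat command line as a dict,
    or None if the command is not dex2oat."""
    args = shlex.split(cmdline)
    if not args or os.path.basename(args[0]) != "dex2oat":
        return None
    opts = {}
    for a in args[1:]:
        if a.startswith("--") and "=" in a:
            k, v = a[2:].split("=", 1)
            opts[k] = v  # a repeated flag keeps its last value
    return opts


def private_dir_owner(path):
    """Package name if path lies in an app's private data directory, else None."""
    for prefix in APP_DATA_PREFIXES:
        if path.startswith(prefix):
            return path[len(prefix):].split("/", 1)[0]
    return None


def classify_dex2oat(cmdline):
    """Flag a dex2oat invocation that compiles code an app dropped into its own
    private directory, especially under a non-code extension such as .json."""
    opts = parse_dex2oat(cmdline)
    if not opts or "dex-file" not in opts:
        return None
    dex_file = opts["dex-file"]
    pkg = private_dir_owner(dex_file)
    ext = os.path.splitext(dex_file)[1].lower()
    reasons = []
    if pkg:
        reasons.append(f"code compiled from private data dir of {pkg}")
    if ext not in CODE_EXTENSIONS:
        reasons.append(f"code file carries non-code extension {ext or '(none)'}")
    return {"package": pkg, "dex_file": dex_file,
            "suspicious": bool(reasons), "reasons": reasons}


def sniff_payload(data):
    """Identify a dropped file by its header, not its name: DEX files start
    with 'dex\\n0NN\\0', JAR/APK payloads with the ZIP local-header magic."""
    if len(data) >= 8 and data[:4] == b"dex\n" and data[4:7].isdigit() and data[7] == 0:
        return "dex"
    if data[:4] == b"PK\x03\x04":
        return "zip/jar"
    return "other"


# Constructed headers (not the contents of CCNcNi.json): a DEX v035 magic and
# a genuine JSON document.
SAMPLE_DEX_HEADER = b"dex\n035\x00" + b"\x00" * 24
SAMPLE_JSON = b'{"settings": {"lang": "en"}}'

if __name__ == "__main__":
    print(classify_dex2oat(DEX2OAT_CMDLINE))
    print(sniff_payload(SAMPLE_DEX_HEADER), sniff_payload(SAMPLE_JSON))
```

On its own, "code compiled from a private data dir" is noisy, since plugin frameworks and some advertising SDKs load DEX from the app's own storage; the extension mismatch and the header check are the stronger signals, and an analyst pulling the dropped file from the device should compare its hash against the four listed above to see which stage of the rewrite they captured.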